The French Conseil d’Etat has overturned the decision by the French Data Protection Authority which had refused to authorise the tracking of peer-to-peer (P2P) users by music societies. The societies will now re-apply and almost certainly be granted authorisation for their automated program of P2P monitoring.

On May 23, the Conseil d’Etat, the French Supreme Court in administrative matters, overturned the decision by the French Data Protection Authority (Commission nationale de l'informatique et des libertés, hereafter "CNIL" (see website in English) which had refused to authorise music collecting societies to implement a scheme of automated surveillance of P2P networks to monitor and collect evidence of music copyright infringements.

The scheme involved the processing of personal data and thus needed to be authorised by the CNIL (1). The authorisation was refused on the grounds that the proposed scheme was disproportionately intrusive when compared with the threat posed by piracy (2). The Conseil d’Etat has quashed this decision (3), opening the way for collecting societies to monitor P2P networks (4).

1. The scheme initially proposed by the collecting societies
The scheme proposed by four collecting societies (*) involved processing personal data with two aims. First, to detect copyright infringements made on P2P networks. Then to send warning messages to minor offenders informing them of the legal sanctions they faced and to launch legal actions against the worst offenders.

Monitoring and data collection of illegal file-sharing activities
The collecting societies would use software to monitor the exchanges of music files belonging to a sample of 10,000 music titles they had selected from their catalogues. The first phase would have consisted in a 24 hour monitoring period to identify regular file-sharers.

Warning messages for minor offenders
P2P users who made available less than 50 files would receive a warning message informing them of the legal consequences of copyright infringement. The identification of users would have been achieved through the collection of their IP address.
The collecting societies would then transmit a list of personalised messages (citing which titles had been made available and when) to the relevant ISPs, asking them to forward the messages by email to the customers behind the collected IP addresses, within 24 hours.

Further monitoring and legal actions against the worst offenders
Users who had made available more than 50 files would have been subject to a more thorough surveillance during a 15-day “advanced targeting” phase. Those having made available between 500 and 1000 music files would have been brought before a civil court, those having made available more than 1000 music files would have been subject to criminal prosecutions.

2. The CNIL’s refusal to authorise this tracking program
Under the French Data Protection Act 1978 (**) collecting societies are allowed to put in place systems for processing personal data relating to acts of copyright infringement (Article 9-4). However, the law also provides that any such operation must be authorised by the CNIL (Article 25-3°).

Accordingly, the collecting societies sought the CNIL’s approval. On October 18, 2005, however, the CNIL refused to grant the authorisation on the grounds that both the sending of educational messages by email and the scale of the surveillance breached data protection laws.

2.1 Educational messages: the need for judicial oversight to identify internet users
The CNIL ruled that ISPs were not allowed to retain internet users’ connection data for the purpose of sending educational messages on behalf of third parties. The CNIL also ruled that the data collected during monitoring can only be linked to an internet user’s identity through the judicial process and not by ISPs linking IP addresses to their customer database.

2.2 Fighting piracy: a disproportionate scheme
The CNIL held that the proposed scheme to collect evidence was “disproportionate” to the aim of combating piracy “since it did not put in place a system of one-off actions strictly limited to the needs of fighting [piracy] but could lead, on the contrary, in a mass collection of online personal data and in an extensive and constant surveillance of P2P networks.”

The CNIL also said that “the decision on whether internet users would be liable for civil or criminal action was based on purely quantitative criteria whose relevancy was not established and which [collecting societies] had reserved the right to modify unilaterally at any moment.”

3. The Conseil d’Etat rules that the scheme is not disproportionate
One of the collecting societies (the SCPP) appealed this decision before the Conseil d’Etat. In its decision the Conseil d’Etat quashed part of the CNIL’s decision.

The Conseil d’Etat agreed with the CNIL that ISPs were not entitled to use their customers’ personal data to send educational messages on behalf of collecting societies. However, the Conseil d'Etat said that the system proposed to collect evidence of illegal file-sharing was not disproportionate, given the importance of digital piracy.

The Conseil d’Etat pointed to the fact that the scheme would only involve the monitoring of some of the P2P networks and that though the scheme involved the monitoring of 10,000 music titles this was only a fraction of the titles managed by the societies and “of the hundreds of million files shared on P2P networks.” As a consequence, with regards to those facts, the CE concluded that “that the proposed scheme did not amount to a constant and extensive surveillance of files on P2P networks and could not therefore be considered disproportionate to the goal pursued.”

4. What next?
Predictably, the collecting societies have welcomed the decision of the Conseil d’Etat. However, it does not mean that they can start implementing the original scheme straight away. They still will have to obtain the authorisation of the CNIL. Though it is not yet clear when a new scheme will be submitted or what will be its precise characteristics, the collecting societies will be able to rely on the decision of the Conseil d’Etat to have it authorised. In a press release the CNIL, acknowledged the decision and adopted a conciliatory tone saying that its aim was to “balance the protection of copyright with the respect for the private life of internet users.”

(*) La Société des Auteurs, Compositeurs et Editeurs de Musique (SACEM) ; la Société pour l’administration du Droit de Reproduction Mécanique (SDRM) ; la Société Civile des Producteurs Phonographiques (SCPP) ; la Société civile des Producteurs de Phonogrammes en France (SPPF).

(**) The Data Protection Act of 1978 in English (Loi n° 78-17 du 6 Janvier 1978 relative à l'informatique, aux fichiers et aux libertés)

SOURCES

Texts
- The Data Protection Act of 1978 in English (Loi n° 78-17 du 6 Janvier 1978 relative à l'informatique, aux fichiers et aux libertés)
- CNIL, Délibération 2005-235 du 18 octobre 2005 see decision on Legifrance
- Conseil d’Etat, 23 mai 2007 . From Legalis.net.
- CNIL - Communiqué du 25 mai 2007 : Surveillance des réseaux peer to peer : la CNIL prend acte de la décision du Conseil d’Etat.

Articles
In English
- Philippe Gillieron , French p2p users submitted to tracking. IpPhil, May 24, 2007.
- French State Council allows tracing P2P users. EDRI-gram - Number 5.11, 6 June 2007.
In French
- Arnaud Devillard, La lutte automatisée contre les pirates à nouveau d'actualité. 01net., 23 mai 2007.
- Peer-to-peer: le Conseil d'État dit oui à la chasse aux pirates. ZDNet France , 23 mai 2007.
- Guillaume Champeau , Piratage : le Conseil d'Etat annule la décision de la CNIL ! Ratiatum.com, 23 mai 2007.
- Christophe Guillemin , P2P: comment va s'organiser la traque des internautes. ZDNet France, 24 mai 2007.
- Le Conseil d’Etat censure la Cnil sur le peer to peer. Legalis.net , 24 mai 2007.
- Le Conseil d'Etat relance la traque automatisée pour lutter contre la piraterie musicale. L’Atelier BNP Paribas , 24 mai 2007.
- Yann , La décision du Conseil d'Etat : vers un nouvel élan dans la traque à l'internaute? Brèves de Propriété Intellectuelle et de Droit de la Culture, 25 mai 2007.
- Christophe Guillemin , P2P: la Cnil et les sociétés d'auteurs vont discuter d'un disposif de surveillance. ZDNet France, 25 mai 2007.
- Hélène Puel , Piratage : l'industrie musicale à nouveau sur le pied de guerre. 01net., 25 mai 2007.
- Peer-to-peer, Surveillance des réseaux « peer to peer » : la Cnil prend acte de la décision du Conseil d'État. Dépêches JurisClasseur , 28 mai 2007.
- Piratage: la Spedidam dénonce le cocorico anachronique de la SCPP. Ratiatum.com , 30 mai 2007.
- Yann Tesar (Gazette du Net) , Le Conseil d'Etat s'oppose à la CNIL sur la surveillance des réseaux P2P par les sociétés de gestion collective. Juriscom.net, 25 mai 2007.

Illustration :

From Haider Rizvi, Bush presses for stepped-up Internet surveillance. Finalcall.com , Feb 4, 2004.

Please report any technical, legal or linguistic error. You can do that through the contact section. It would be very helpful. Many thanks.

Name

Email

Website

Title

Comment

smaller | bigger

Subscribe via email (Registered users only)

Add Comment