CJEU - C‑470/21 - La Quadrature Du Net And Others: Balancing Personal Data Protection With Counterfeiting Combat Measures

Citil Attorney Partnership



The fight against online counterfeiting requires access to data that can identify individuals in counterfeiting activities. However, this must be balanced with protecting individual privacy and adhering to legal standards. This blog analyzes La Quadrature du Net and Others (C-470/21), which set the legal requirements that ensure public authorities can access civil identity data linked to IP addresses lawfully and proportionately.

The CJEU examines whether Article 15(1) of the e-Privacy Directive, which allows national legislation to authorize a public authority to access civil identity data linked to IP addresses, precludes national legislation from authorizing such access.

IP addresses are considered both traffic data under the e-Privacy Directive and personal data under the GDPR. The collection of IP addresses by right holder agents is not covered by the e-Privacy Directive but must comply with the GDPR. Downstream processing by telecommunication service providers falls under the e-Privacy Directive as it involves providing electronic communication services.

This case involves two data processing stages by Hadopi, an independent public authority responsible for safeguarding copyrighted works and related rights from online infringements. The case focuses on the downstream processing of data, not the initial collection of IP addresses by right holder agents.

General and indiscriminate retention of IP addresses for general criminal offences by electronic communication services: Less sensitive but only possible with safeguards

The CJEU highlighted that the storage of IP addresses by electronic communications service providers is regarded as less sensitive than other traffic data, yet it still constitutes a less serious interference with fundamental rights, taking into account the following factors. It is imperative for national laws to unambiguously establish the terms for retaining data, guaranteeing that each type of information is stored separately and in a secure manner. Access to linked data requires an efficient technical procedure that ensures the division is maintained, and a public authority must periodically assess the dependability of this division. If the legislation of a Member State fulfils these stringent criteria, the retention of IP addresses for the purpose of combating criminal offences can be deemed justifiable, as long as the retention period is restricted to the absolute minimum required and measures are implemented to prevent misuse and unauthorised access.

The CJEU sets the requirements for public authorities to access data linking an IP address to a civil identity, retained by electronic communications providers, for combating criminal offenses. Access can only be justified by objectives of combating serious crime or preventing serious threats to public security due to significant interference with fundamental rights under Articles 7 (right to privacy), 8 (right to data protection), and 11 (freedom of expression and information) of the Charter. However, if the data cannot be associated with the communications made, thus not allowing precise conclusions about private life, the access may be justified for general criminal offenses.

The retention of IP addresses must adhere to specific criteria: it should only preserve data that is essential for marketing, billing, or value-added services, and it must be both necessary and proportionate. The legislative measure must guarantee a strict segregation of data categories to avoid drawing accurate inferences about an individual's personal life. It is imperative for national laws to unambiguously establish the rules regarding the retention of IP addresses, with the specific purpose of using them solely for identifying individuals suspected of copyright or related rights infringement. The access should be restricted to specific data and should not permit monitoring of the individual's online activities.

Data access by Hadopi for civil identity of possible infringers of IP rights: Possible with strict safeguards

Hadopi, the public authority in question, only accesses civil identity data to identify the holder of an IP address used for unlawful activities, not to monitor the online activity of the holder of the IP address. The legislation must ensure that officials who access this data maintain confidentiality, not disclosing information or using it for other purposes. The access to civil identity data associated with IP addresses must also align with the principles established in the case-law concerning the 'right of information' in intellectual property infringement cases (see Promusicae, C‑275/06), balancing the protection of privacy and the need for effective criminal investigation.

The French Government has verified that the retrieval of civil identity data is predominantly automated as a result of the extensive number of fraudulent cases identified on peer-to-peer networks. The main task of Hadopi officials is to verify if the reports include all the necessary information. This process is then supplemented by reviews conducted by individuals to guarantee accuracy and compliance with legal standards. To mitigate the potential risks of false positives and unauthorised use of personal data by external entities, it is imperative that Hadopi's data processing system undergoes periodic independent evaluations. These evaluations are crucial to ensure the system's reliability and effectiveness in preventing abuse and unlawful access, as well as in accurately identifying repeated offences that may involve gross negligence or counterfeiting.

The CJEU decided that the processing of personal data by Hadopi must comply with the Law Enforcement Directive (2016/680) (LED Directive), which sets out the safeguards for protecting individuals concerning the processing of personal data by competent authorities for law enforcement purposes. This is because Hadopi is recognized as a public authority involved in preventing, investigating, detecting, or prosecuting criminal offenses according to Article 2(1) of the LED Directive.

Individuals involved in the graduated response procedure must enjoy substantive and procedural safeguards, including rights of access, rectification, and erasure of their personal data processed by Hadopi. They should also have the possibility of lodging complaints with an independent supervisory authority and seeking judicial remedies where appropriate.

Hadopi's access to civil identity data must be strictly limited to identifying individuals suspected of copyright infringement, with the use of such data being targeted and limited to necessary information to avoid undue intrusion into individual privacy. These safeguards aim to balance the need for combating online counterfeiting offenses with the protection of individual privacy rights, ensuring that access to personal data is justified and proportionate.


Ultimately, the CJEU ruling in the case of La Quadrature du Net and Others (C-470/21) underscores the significance of striking a delicate equilibrium between safeguarding personal data and implementing strategies to combat online counterfeiting. The court underscores the importance of ensuring that access to civil identity data associated with IP addresses is both legal and proportionate, and that robust measures are in place to safeguard individual privacy. If national legislation satisfies stricter criteria, such as clearly defining retention protocols and implementing safeguards against abuse and unlawful access, the retention of IP addresses for combating criminal offences can be justified. Public authorities, such as Hadopi, have the ability to access civil identity data. However, they are required to maintain confidentiality, comply with legal standards, and undergo periodic independent evaluations to ensure the reliability and efficiency of their data processing systems. Those participating in the process should have access to substantial and procedural protections, including the rights to view, correct, and delete their personal information.
