Peer to peer: do infringement investigations fall under the Data Protection Act?
The processing of personal data relating to offences, whether automatic or not, is subject to the prior authorization of the CNIL, the French Data Protection Authority. In a decision of May 2008, a French Court of Appeal considered that IP addresses were personal data and that their collection for the purpose of searching for counterfeiting offences had to receive the prior authorization of the CNIL. The report made by an investigating agent was therefore considered null and void.
In January 2009, the Supreme Court ruled, however, that certain investigation methods should not be considered data processing operations falling under the scope of the Data Protection Act. In the case at issue, an investigating agent under oath merely carried out “operations which any Internet user could carry out,” the court underlined: he used a computer and peer-to-peer software to “manually” search available files of a given musical piece and he selected the download offer made by another Internet “peer.” Under the file’s section “run the host,” he found the IP address of the peer, as well as a list of all the works this peer was willing to share with others. He then made some downloads and merely looked up the contact details of the ISP that provided the generous peer’s IP address, which he indicated in his report. It was only at a second stage that SACEM, the society of authors, provided this report to the police department in order for them to identify the infringing peer.
Had the agent used automated surveillance processing, the decision seems to indicate that the court would have ruled otherwise.
This decision comes right in the middle of the debate on the French bill Creation and Internet, the main purpose of which is to establish a procedure of “graduated riposte” against people illegally downloading from the Internet.