IAPP-GDPR Web Banners-300x250-FINAL

By Eduardo Ustaran and José-Luis Piñar Mañas

Promusicae v. Telefonica: Intellectual Property Rights and Data Protection

This case landed on the ECJ following a referral from a Spanish national court. This is a common procedure for cases where EU national courts deal with cases that involve European law principles that may be subject to different interpretations. When this happens, national judges normally prefer to ask the ECJ to take a view on the relevant European law principle so that the outcome is consistent with what the European legislation originally intended.

In 2005 Promusicae (a Spanish non-profit-making organisation of producers and publishers of musical and audiovisual recordings) asked that Telefónica (a Spanish provider of Internet access services) be ordered to disclose the identities and physical addresses of certain persons whom it provided Internet access services. According to Promusicae, who knew the IP addresses used by these individuals at specific points in time, Telefonica's customers had used the KaZaA file exchange program to allow unauthorised access to files in which members of Promusicae held exploitation rights. Promusicae claimed before the national court that the users of KaZaA were engaging in unfair competition and infringing intellectual property rights. It therefore sought disclosure of the above information in order to be able to bring civil proceedings against the persons concerned.

At the end 2005, a Madrid civil court ordered the preliminary measures sought by Promusicae. However, Telefonica appealed against the order contending that under Spanish law, the communication data requested by Promusicae could only be made available in the context of a criminal investigation or for the purpose of safeguarding public security and national defence. As this case only related to civil proceedings, Telefónica argued that the order to disclose was not lawful.

Back to the Spanish court, the matter was halted pending a decision by the ECJ. The Spanish court asked the ECJ to confirm whether EU law allowed member states to limit the duty of operators of electronic communications networks and services to retain and make available connection and traffic data relating to their customers only for the purposes of criminal investigations or to safeguard public security and national defence, and not for civil proceedings.

Balancing Exercise

The question raised before the European Court was whether Community law, in particular Directives 2000/31, 2001/29 and 2004/48, in light of Articles 17 and 47 of the Charter, must be interpreted as requiring member states to lay down an obligation to communicate personal data in the context of civil proceedings in order to ensure effective protection of copyright.

But while the court said the e-privacy directive did not prevent EU member states from laying down an obligation to disclose personal data in the context of civil proceedings, the ECJ acknowledged that EU member states faced a balancing exercise in allowing the disclosure of connection and traffic data beyond criminal cases. As the ECJ put it, the case referred by the Spanish court raised the need to reconcile the requirements of the protection of different fundamental rights — the right to protection of property and the right to respect for private life.

EU Countries Free to Decide

Unfortunately, the ECJ decision making process stopped there because, instead of taking a view as to which of the two rights should prevail in this case, it passed the ball back to the national courts and legislators by urging countries to strike a fair balance between the various fundamental rights protected by EU law. So in the end, it was a draw and the Spanish court must now decide who will win the data disclosure match.

Given that the Madrid court had already ordered the preliminary measures requested by Promusicae and that the ECJ was not particularly categorical in its decision, one can consider that the most likely outcome in Spain could be a decision in favour of the rights-holders. However, the ECJ has reminded us of a key aspect of European privacy and data protection law: The right to respect for private life is a fundamental right, and the standards to interfere with that right are very high.

Eduardo Ustaran is the Head of the Privacy and Information Law Group at Field Fisher Waterhouse LLP, based in London. He is a member of the IAPP Education Advisory Board, co-chair of KnowledgeNet London, editor of Data Protection Law & Policy and co-author of E-Privacy and Online Data Protection. He may be reached at eduardo.ustaran@ffw.com.

José-Luis Piñar Mañas, Ph.D. is an attorney at Piñar Mañas & Asociados Law Firm, and a professor of administrative law. He also is the former Director of the Spanish Agency for Data Protection and former Vice-Chairman of the Article 29 Working Party and Honorific President of the Ibero-American Network of Data Protection. He can be reached at jlpinar@pmasociados.com.


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»