EU law provides individuals with rights including rights to data protection, privacy and property. EU law also provides freedoms, such as the freedom to conduct business and provide services. None of these rights and freedoms are absolute; rather they have to be balanced with one another. This balance is reflected in the EU’s new General Data Protection Regulation, which begins by reciting that the “right to the protection of personal data is not … absolute.” The GDPR then goes on to recite its purposes: to ensure “a consistent and high level” of data protection within the EU; to create “… the trust that will allow the digital economy to develop across the internal market,” and “… remove the obstacles to flows of personal data within the Union.”
The GDPR thus enables the harmonisation of data protection law within the EU. This harmonisation now allows the EU Commission to bring a variety of new proposals forward that endeavour to enhance the EU’s Digital Single Market. One such proposal is the Free Flow of Data Initiative, which “…will tackle restrictions to data location and access to encourage innovation." The EU Commission is also proposing increased ICT standardisation in areas such as eHealth, card/internet and mobile payments, e-government, electronic identification and trust services including e-Signatures, Radio Frequency Identification (RFID), Internet of Things (IoT), network and information security and ePrivacy.
These proposals and the GDPR itself give an indication of where the EU’s Commission and legislature think the balance between data protection and other rights and freedoms should lie. The next step will be to see where the EU’s Court of Justice (CJEU) thinks that balance should lie. An indication of the CJEU view was given in the recent judgment in McFadden v Sony. The applicant in that case was the owner of a business in Munich, Germany, who offered “… anonymous access to a wireless local area network free of charge in the vicinity of his business.” This was not an accident or security lapse, but done deliberately “… in order to draw the attention of customers of near-by shops, of passers-by and of neighbours” to his business. Somewhat unsurprisingly, one of those users made copyright-protected works “… available on the internet free of charge to the general public without the consent of the rightholder.” Sony, the rightholder in question, formally asked that McFadden respect its rights. He refused and launched a court challenge which made its way to the CJEU.
Judgment was given in September. The CJEU reiterated that where “… several fundamental rights protected under EU law are at stake, it is for the national authorities or courts … to ensure that a fair balance is struck between those rights.” In order to protect the respondent’s intellectual property, the CJEU considered that “ … a measure consisting in password-protecting an internet connection may dissuade the users of that connection from infringing copyright or related rights, provided that those users are required to reveal their identity in order to obtain the required password and may not therefore act anonymously.”
The significance of McFadden v Sony should not be overstated. The CJEU was careful to note that McFadden’s Wi-Fi network constituted “… only one of several means of accessing the internet.” So the CJEU was not generally requiring that every network operator identify their users. Nor was it formally requiring that McFadden should do so. It was a matter for McFadden to decide how to comply with an order requiring that he “… prevent third parties from making a particular copyright-protected work or parts thereof available to the general public from an online (peer-to-peer) exchange platform via an internet connection.” However, the CJEU acknowledged that in this case his “… choice is limited to a single measure,” preventing anonymous use of his network.
McFadden v Sony does not formally end internet anonymity in the EU, but it cannot be ignored. There is nothing in the judgment to suggest that network operators other than Mr. McFadden cannot be effectively forced to identify their users. McFadden v Sony issued after the GDPR entered into force, although before it applies in May 2018. The judgment does not discuss the GDPR directly, but it would be surprising if it were inconsistent with how the CJEU thinks the GDPR should be interpreted after it applies. Of greatest significance may be that the judgment issued before the EU Commission has published its proposal for a replacement for the ePrivacy Directive. The EU Commission may therefore take McFadden v Sony into account when deciding where its proposal should set the balance between the right to data protection, internet anonymity and other rights such as the right to own property and conduct a business. Publication of the new proposal is anticipated by the end of 2016.
The ECJ’s thinking on data protection may continue to evolve in the meantime. The next stage in that evolution may occur Wednesday, October 19, when the CJEU gives judgment in Breyer. The CJEU has been asked to consider whether “… an Internet Protocol address (IP address) which a service provider stores when his website is accessed already constitutes personal data … if a third party (an access provider) has the additional knowledge required in order to identify the data subject?” Judgment may clarify the definition of personal data. Judgment may also give further insight into how the ECJ thinks the rights of data subjects, service providers and others should be balanced. The opinion of Advocate General Sánchez-Bordona was that this is largely a matter for the German court that referred the case to the ECJ; it remains to be seen what the judgment of the ECJ will be.