The Data Retention Directive does not contain terms that prevent internet protocol (IP) addresses that ISPs must store under the terms of the law from being used by rights holders in civil legal proceedings to identify alleged copyright infringers, the Court said.
It said that other EU laws on privacy and electronic communications (e-Privacy Directive) and the enforcement of intellectual property rights (IPR Directive) read together allow member states to form national laws that provide a means for rights holders to obtain disclosure of personal data about alleged illegal file-sharers subject to the condition that courts in those countries can determine the legitimacy of disclosure on a case-by-case basis.
"[The Data Retention Directive] must be interpreted as not precluding the application of national legislation based on [the IPR Directive] which, in order to identify an internet subscriber or user, permits an internet service provider in civil proceedings to be ordered to give a copyright holder or its representative information on the subscriber to whom the internet service provider provided an IP address which was allegedly used in an infringement, since that legislation does not fall within the material scope of [the Data Retention] Directive," the ECJ ruled.
"The [e-Privacy Directive] concerning the processing of personal data and the protection of privacy in the electronic communications sector and [the IPR Directive] must be interpreted as not precluding national legislation ... [which] enables the national court seised of an application for an order for disclosure of personal data, made by a person who is entitled to act, to weigh the conflicting interests involved, on the basis of the facts of each case and taking due account of the requirements of the principle of proportionality," it said.
The Data Retention Directive was established in 2006 to make it a requirement for telecoms companies to retain personal data for a period determined by national governments of between six months and two years. The Commission decided to regulate following terrorist attacks in Madrid in 2004 and London in 2005.
Under the Directive telecoms firms are required to retain identifying details of phone calls and emails, such as the traffic and location, to help the police detect and investigate serious crimes. The details exclude the content of those communications.
A court in Sweden had asked the ECJ whether the terms of the data retention laws prevented the data stored by telecoms companies from being disclosed for the purposes of civil copyright infringement cases. The publishers of audio books in Sweden want the Swedish court to force ePhone – an ISP in the country – to disclose the IP address "from which it is assumed" that copies of their works were sent without consent in April 2009. The publishers wish to use the IP address to identify the alleged illegal file-sharer.
The ECJ said that the terms of the Directive do not bar ISPs from handing over details of customers' IP addresses in order to allow copyright holders to identify individuals they believe have engaged in illegal file sharing as part of civil legal action, rejecting ePhone's argument to the contrary.
However, the Court said that a balance of the rights of internet users to privacy of personal data under the e-Privacy Directive had to be weighed against the rights holders' right to enforce their copyright under the IPR Directive before determining whether national legislation that allowed the data to be handed over was legitimate.
It said national laws that give rights holders the right to obtain personal data of alleged copyright infringers are legitimate under the terms of the two Directives providing courts can rule on whether disclosure should be granted based on the facts of each case.
"The Court has already held that [the IPR Directive], read in conjunction with [the e-Privacy Directive], does not preclude Member States from imposing an obligation to disclose to private persons personal data in order to enable them to bring civil proceedings for copyright infringements, but nor does it require those Member States to lay down such an obligation," the ECJ said in its ruling.
"However, the Court pointed out that, when transposing ... [the e-Privacy and IPR Directives] into national law, it is for the Member States to ensure that they rely on an interpretation of those directives which allows a fair balance to be struck between the various fundamental rights protected by the European Union legal order," it said. "Furthermore, when implementing the measures transposing those directives, the authorities and courts of Member States must not only interpret their national law in a manner consistent with them, but must also make sure that they do not rely on an interpretation of them which would conflict with those fundamental rights or with the other general principles of European Union law, such as the principle of proportionality."
"In the present case, the Member State concerned has decided to make use of the possibility available to it ... to lay down an obligation to communicate personal data to private persons in civil proceedings. It must be noted that the national legislation in question requires ... that, for an order for disclosure of the data in question to be made, there be clear evidence of an infringement of an intellectual property right, that the information can be regarded as facilitating the investigation into an infringement of copyright or impairment of such a right and that the reasons for the measure outweigh the nuisance or other harm which the measure may entail for the person affected by it or for some other conflicting interest," it said.
"Thus, that legislation enables the national court seised of an application for an order for disclosure of personal data, made by a person who is entitled to act, to weigh the conflicting interests involved, on the basis of the facts of each case and taking due account of the requirements of the principle of proportionality. In those circumstances, such legislation must be regarded as likely, in principle, to ensure a fair balance between the protection of intellectual property rights enjoyed by copyright holders and the protection of personal data enjoyed by internet subscribers or users," the ECJ ruled.
Under the EU's Charter of Fundamental Rights there are several competing rights that the ECJ has previously weighed up in two key copyright rulings published in recent months.
In November and February respectively the ECJ recently ruled that national courts cannot order ISPs or social networks to introduce broad monitoring and filtering mechanisms to identify and prevent illegal file-sharing by their customers.
In both cases the ECJ assessed EU laws on copyright and the enforcement of intellectual property rights as well as laws on the liability of service providers, data protection and privacy in communications. It also weighed the fundamental rights to the protection of intellectual property against the rights to privacy, free speech, the freedom to conduct business, and protection of personal data. It said that, on balance, it would be unfair if courts could force ISPs or social networks to monitor for illegal file-sharing.
The ECJ's ruling in this case ensures that the Swedish court will have to weigh up those rights when it comes to determining whether it is right to force ePhone to disclose the IP address to the audio books rights holders.
In a recent UK High Court ruling Mr Justice Arnold said that flaws in using IP addresses as a means to identify infringers would lead to some people being wrongly identified.