CJEU, 5th chamber, June 17, 2021, No C-597/19
COURT OF JUSTICE OF THE EUROPEAN UNION
Judgment
PARTIES
Demandeur :
Mircom International Content Management & Consulting (M.I.C.M.) Limited
Défendeur :
Telenet BVBA, Proximus NV, Scarlet Belgium NV
COMPOSITION DE LA JURIDICTION
President of the Chamber :
E. Regan
Judge :
M. Ilešič (Rapporteur), E. Juhász, C. Lycourgos, I. Jarukaitis
Advocate General :
M. Szpunar
Advocate :
Me Toremans, Me Hügel, Me Haouideg, Me Debaene, Me Van Asbroeck, Me De Moortel, Me Hechtermans
THE COURT (Fifth Chamber)
1 This request for a preliminary ruling concerns the interpretation of Article 3(1) and (2) of Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society (OJ 2001 L 167, p. 10), of Article 3(2), and of Articles 4, 8 and 13 of Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the enforcement of intellectual property rights (OJ 2004 L 157, p. 45, and corrigendum OJ 2004 L 195, p. 16), and of point (f) of the first subparagraph of Article 6(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1), read together with Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ 2002 L 201, p. 37), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 (OJ 2009 L 337, p. 11) (‘Directive 2002/58’).
2 The request has been made in proceedings between Mircom International Content Management Consulting (M.I.C.M.) Limited (‘Mircom’), a company incorporated under Cypriot law, the holder of certain rights over a large number of pornographic films produced by eight undertakings established in the United States and Canada, and Telenet BVBA, a company established in Belgium, providing, inter alia, internet access services, concerning the latter’s refusal to provide information enabling its customers to be identified on the basis of several thousand IP addresses collected, on behalf of Mircom, by a specialised company, from a peer-to-peer network, where certain Telenet clients, by using the BitTorrent protocol, have allegedly made available films from Mircom’s catalogue.
Legal context
European Union law
Intellectual property law
– Directive 2001/29
3 Recitals 3, 4, 9, 10, 23 and 31 of Directive 2001/29 are worded as follows:
‘(3) The proposed harmonisation will help to implement the four freedoms of the internal market and relates to compliance with the fundamental principles of law and especially of property, including intellectual property, and freedom of expression and the public interest.
(4) A harmonised legal framework on copyright and related rights, through increased legal certainty and while providing for a high level of protection of intellectual property, will foster substantial investment in creativity and innovation …
…
(9) Any harmonisation of copyright and related rights must take as a basis a high level of protection, since such rights are crucial to intellectual creation. Their protection helps to ensure the maintenance and development of creativity in the interests of authors, performers, producers, consumers, culture, industry and the public at large. Intellectual property has therefore been recognised as an integral part of property.
(10) If authors or performers are to continue their creative and artistic work, they have to receive an appropriate reward for the use of their work, as must producers in order to be able to finance this work. The investment required to produce products such as phonograms, films or multimedia products, and services such as “on-demand” services, is considerable. Adequate legal protection of intellectual property rights is necessary in order to guarantee the availability of such a reward and provide the opportunity for satisfactory returns on this investment.
…
(31) A fair balance of rights and interests between the different categories of right holders, as well as between the different categories of right holders and users of protected subject matter, must be safeguarded. …’
4 Article 3 of that directive, entitled ‘Right of communication to the public of works and right of making available to the public other subject matter’, provides:
‘1. Member States shall provide authors with the exclusive right to authorise or prohibit the making available to the public, by wire or wireless means, in such a way that members of the public may access them from a place and at a time individually chosen by them.
2. Member States shall provide for the exclusive right to authorise or prohibit the making available to the public, by wire or wireless means, in such a way that members of the public may access them from a place and at a time individually chosen by them:
…
(c) for the producers of the first fixations of films, of the original and copies of their films;
…
3. The rights referred to in paragraphs 1 and 2 shall not be exhausted by any act of communication to the public or making available to the public as set out in this Article.’
– Directive 2004/48
5 Recitals 10, 14 and 18 of Directive 2004/48 are worded as follows:
‘(10) The objective of this Directive is to approximate legislative systems so as to ensure a high, equivalent and homogeneous level of protection in the Internal Market.
…
(14) The measures provided for in Articles 6(2), 8(1) and 9(2) need to be applied only in respect of acts carried out on a commercial scale. This is without prejudice to the possibility for Member States to apply those measures also in respect of other acts. Acts carried out on a commercial scale are those carried out for direct or indirect economic or commercial advantage; this would normally exclude acts carried out by end-consumers acting in good faith.
…
(18) The persons entitled to request application of those measures, procedures and remedies should be not only the rightholders but also persons who have a direct interest and legal standing in so far as permitted by and in accordance with the applicable law, which may include professional organisations in charge of the management of those rights or for the defence of the collective and individual interests for which they are responsible.’
6 Article 2 of that directive, entitled ‘Scope’, provides, in paragraphs 1 and 3(a):
‘1. Without prejudice to the means which are or may be provided for in Community or national legislation, in so far as those means may be more favourable for rightholders, the measures, procedures and remedies provided for by this Directive shall apply, in accordance with Article 3, to any infringement of intellectual property rights as provided for by Community law and/or by the national law of the Member State concerned.
…
3. This Directive shall not affect:
(a) the Community provisions governing the substantive law on intellectual property, Directive 95/46/EC [of 24 October 1995 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31)] …’
7 Chapter II of Directive 2004/48, entitled ‘Measures, procedures and remedies’, comprises Articles 3 to 15. Article 3 of that directive, entitled ‘General obligation’, provides:
‘1. Member States shall provide for the measures, procedures and remedies necessary to ensure the enforcement of the intellectual property rights covered by this Directive. Those measures, procedures and remedies shall be fair and equitable and shall not be unnecessarily complicated or costly, or entail unreasonable time limits or unwarranted delays.
2. Those measures, procedures and remedies shall also be effective, proportionate and dissuasive and shall be applied in such a manner as to avoid the creation of barriers to legitimate trade and to provide for safeguards against their abuse.’
8 Under Article 4 of Directive 2004/48, entitled ‘Persons entitled to apply for the application of measures, procedures and remedies’:
‘Member States shall recognise as persons entitled to seek application of the measures, procedures and remedies referred to in this chapter:
(a) the holders of intellectual property rights, in accordance with the provisions of the applicable law,
(b) all other persons authorised to use those rights, in particular licensees, in so far as permitted by and in accordance with the provisions of the applicable law,
(c) intellectual property collective rights management bodies which are regularly recognised as having a right to represent holders of intellectual property rights, in so far as permitted by and in accordance with the provisions of the applicable law,
(d) professional defence bodies which are regularly recognised as having a right to represent holders of intellectual property rights, in so far as permitted by and in accordance with the provisions of the applicable law.’
9 Article 6(2) of that directive, that article being headed ‘Evidence’, provides:
‘Under the same conditions, in the case of an infringement committed on a commercial scale Member States shall take such measures as are necessary to enable the competent judicial authorities to order, where appropriate, on application by a party, the communication of banking, financial or commercial documents under the control of the opposing party, subject to the protection of confidential information.’
10 Article 8 of that directive, entitled ‘Right of information’, provides:
‘1. Member States shall ensure that, in the context of proceedings concerning an infringement of an intellectual property right and in response to a justified and proportionate request of the claimant, the competent judicial authorities may order that information on the origin and distribution networks of the goods or services which infringe an intellectual property right be provided by the infringer and/or any other person who:
(a) was found in possession of the infringing goods on a commercial scale;
(b) was found to be using the infringing services on a commercial scale;
(c) was found to be providing on a commercial scale services used in infringing activities; or
(d) was indicated by the person referred to in point (a), (b) or (c) as being involved in the production, manufacture or distribution of the goods or the provision of the services.
2. The information referred to in paragraph 1 shall, as appropriate, comprise:
(a) the names and addresses of the producers, manufacturers, distributors, suppliers and other previous holders of the goods or services, as well as the intended wholesalers and retailers;
(b) information on the quantities produced, manufactured, delivered, received or ordered, as well as the price obtained for the goods or services in question.
3. Paragraphs 1 and 2 shall apply without prejudice to other statutory provisions which:
(a) grant the rightholder rights to receive fuller information;
(b) govern the use in civil or criminal proceedings of the information communicated pursuant to this Article;
(c) govern responsibility for misuse of the right of information; or
(d) afford an opportunity for refusing to provide information which would force the person referred to in paragraph 1 to admit to [his/her] own participation or that of [his/her] close relatives in an infringement of an intellectual property right; or
(e) govern the protection of confidentiality of information sources or the processing of personal data.’
11 In accordance with Article 9(2) of Directive 2004/48, entitled ‘Provisional and precautionay measures’:
‘In the case of an infringement committed on a commercial scale, the Member States shall ensure that, if the injured party demonstrates circumstances likely to endanger the recovery of damages, the judicial authorities may order the precautionary seizure of the movable and immovable property of the alleged infringer, including the blocking of his bank accounts and other assets. To that end, the competent authorities may order the communication of bank, financial or commercial documents, or appropriate access to the relevant information.’
12 Under Article 13 of that directive, entitled ‘Damages’:
‘1. Member States shall ensure that the competent judicial authorities, on application of the injured party, order the infringer who knowingly, or with reasonable grounds to know, engaged in an infringing activity, to pay the rightholder damages appropriate to the actual prejudice suffered by him as a result of the infringement.
When the judicial authorities set the damages:
(a) they shall take into account all appropriate aspects, such as the negative economic consequences, including lost profits, which the injured party has suffered, any unfair profits made by the infringer and, in appropriate cases, elements other than economic factors, such as the moral prejudice caused to the rightholder by the infringement;
or
(b) as an alternative to (a), they may, in appropriate cases, set the damages as a lump sum on the basis of elements such as at least the amount of royalties or fees which would have been due if the infringer had requested authorisation to use the intellectual property right in question.
2. Where the infringer did not knowingly, or with reasonable grounds to know, engage in infringing activity, Member States may lay down that the judicial authorities may order the recovery of profits or the payment of damages, which may be pre-established.’
– Directive 2014/26/EU
13 Article 39 of Directive 2014/26/EU of the European Parliament and of the Council of 26 February 2014 on collective management of copyright and related rights and the grant of multi-territorial licences for music rights for online use in the internal market (OJ 2014 L 84, p. 72), entitled ‘Notification of collective management organisations’, provides:
‘By 10 April 2016, Member States shall provide the Commission, on the basis of the information at their disposal, with a list of the collective management organisations established in their territories.
Member States shall notify any changes to that list to the Commission without undue delay.
The Commission shall publish that information and keep it up to date.’
Provisions concerning the protection of personal data
– Directive 95/46
14 In Chapter II, Section II, of Directive 95/46, entitled ‘Criteria for making data processing legitimate’, Article 7(f) of that directive provided:
‘Member States shall provide that personal data may be processed only if:
…
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection under Article 1(1).’
15 Article 8(1) and (2)(e) of that directive was worded as follows:
‘1. Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.
2. Paragraph 1 shall not apply where:
…
(e) the processing relates to data which are manifestly made public by the data subject or is necessary for the establishment, exercise or defence of legal claims.’
16 Article 13(1)(g) of that directive provided:
‘Member States may adopt legislative measures to restrict the scope of the obligations and rights provided for in Articles 6(1), 10, 11(1), 12 and 21 when such a restriction constitutes a necessary measures to safeguard:
…
(g) the protection of the data subject or of the rights and freedoms of others.’
– Regulation 2016/679
17 Article 4 of Regulation 2016/679, entitled ‘Definitions’, states in paragraphs 1, 2, 9 and 10:
‘For the purposes of this Regulation:
(1) “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(2) “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
…
(9) “recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. …’
(10) “third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.’
18 Article 6 of that regulation, entitled ‘Lawfulness of processing’, provides in point (f) of the first subparagraph of paragraph 1 and the second subparagraph:
‘Processing shall be lawful only if and to the extent that at least one of the following applies:
…
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.’
19 Article 9 of that regulation, entitled ‘Processing of special categories of personal data’, provides, in paragraph 2(e) and (f), that the prohibition on the processing of certain types of personal data revealing in particular data concerning the sexual life or sexual orientation of a natural person does not apply where the processing relates to personal data which are manifestly made public by the data subject or is necessary, in particular, for the establishment, exercise or defence of a right in legal proceedings.
20 Article 23 of Regulation 2016/679, entitled ‘Restrictions’, provides in paragraph 1(i) and (j):
‘Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as in Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
…
(i) the protection of the data subject or of the rights and freedoms of others;
(j) the enforcement of civil law claims.’
21 Under Article 94 of Regulation 2016/679, entitled ‘Repeal of Directive [95/46]’:
‘1. Directive [95/46] is repealed with effect from 25 May 2018.
2. References to the repealed Directive shall be construed as references to this Regulation. …’
22 Article 95 of that regulation, entitled ‘Relationship with Directive [2002/58]’, states:
‘This Regulation shall not impose additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive [2002/58].’
– Directive 2002/58
23 Article 1 of Directive 2002/58, entitled ‘Scope and aim’, provides in paragraphs 1 and 2:
‘1. This Directive provides for the harmonisation of the national provisions required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy and confidentiality, with respect to the processing of personal data in the electronic communication sector and to ensure the free movement of such data and of electronic communication equipment and services in the Community.
2. The provisions of this Directive particularise and complement Directive [95/46] for the purposes mentioned in paragraph 1. …’
24 The second subparagraph of Article 2 of Directive 2002/58, entitled ‘Definitions’, contains the following provision in point (b):
‘The following definitions shall also apply:
…
(b) “traffic data” means any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof.’
25 Article 5 of the directive, entitled ‘Confidentiality of the communications’, provides:
‘1. Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so in accordance with Article 15(1). This paragraph shall not prevent technical storage which is necessary for the conveyance of a communication without prejudice to the principle of confidentiality.
2. Paragraph 1 shall not affect any legally authorised recording of communications and the related traffic data when carried out in the course of lawful business practice for the purpose of providing evidence of a commercial transaction or of any other business communication.
3. Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive [95/46], inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.’
26 Article 6 of that directive, entitled ‘Traffic data’, provides:
‘1. Traffic data relating to subscribers and users processed and stored by the provider of a public communications network or publicly available electronic communications service must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication without prejudice to paragraphs 2, 3 and 5 of this Article and Article 15(1).
2. Traffic data necessary for the purposes of subscriber billing and interconnection payments may be processed. Such processing is permissible only up to the end of the period during which the bill may lawfully be challenged or payment pursued.
3. For the purpose of marketing electronic communications services or for the provision of value added services, the provider of a publicly available electronic communications service may process the data referred to in paragraph 1 to the extent and for the duration necessary for such services or marketing, if the subscriber or user to whom the data relate has given his or her prior consent. Users or subscribers shall be given the possibility to withdraw their consent for the processing of traffic data at any time.
4. The service provider must inform the subscriber or user of the types of traffic data which are processed and of the duration of such processing for the purposes mentioned in paragraph 2 and, prior to obtaining consent, for the purposes mentioned in paragraph 3.
5. Processing of traffic data, in accordance with paragraphs 1, 2, 3 and 4, must be restricted to persons acting under the authority of providers of the public communications networks and publicly available electronic communications services handling billing or traffic management, customer enquiries, fraud detection, marketing electronic communications services or providing a value added service, and must be restricted to what is necessary for the purposes of such activities.
6. Paragraphs 1, 2, 3 and 5 shall apply without prejudice to the possibility for competent bodies to be informed of traffic data in conformity with applicable legislation with a view to settling disputes, in particular interconnection or billing disputes.’
27 Article 15 of Directive 2002/58, entitled ‘Application of certain provisions of Directive [95/46]’, provides, in paragraph 1 thereof:
‘Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in Article 5, Article 6, Article 8(1), (2), (3) and (4), and Article 9 of this Directive when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive [95/46]. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph. All the measures referred to in this paragraph shall be in accordance with the general principles of Community law, including those referred to in Article 6(1) and (2) of the Treaty on European Union.’
Belgian law
28 Under the fourth subparagraph of Article XI.165(1) of the Wetboek Economisch Recht (Code of Economic Law), the author of a literary or artistic work alone has the right to communicate it to the public by any means, including by making available to the public in such a way that members of the public may access them from a place and at a time individually chosen by them.
The dispute in the main proceedings and the questions referred for a preliminary ruling
29 On 6 June 2019, Mircom brought an action before the Ondernemingsrechtbank Antwerpen (Companies Court, Antwerp, Belgium) seeking, inter alia, that Telenet be ordered to produce the identification data for its customers whose internet connections had been used to share, on a peer-to-peer network by means of the BitTorrent protocol, films from the Mircom catalogue.
30 Mircom claims to have thousands of dynamic IP addresses recorded on its behalf, thanks to the FileWatchBT software, by Media Protector GmbH, a company established in Germany, at the time of the connection of those Telenet customers using the Bit-Torrent client sharing software.
31 Telenet, supported by two other internet access providers established in Belgium, Proximus NV and Scarlet Belgium NV, oppose Mircom’s action.
32 In the first place, in the light of the judgment of 14 June 2017, Stichting Brein (C‑610/15, EU:C:2017:456), which concerned communication to the public, within the meaning of Article 3(1) of Directive 2001/29, by the operators of an internet sharing platform in the context of a peer-to-peer network, the referring court asks whether such a communication to the public may be made by individual users of such a network, called ‘downloaders’, who, by downloading pieces of a digital file containing a copyrighted work, simultaneously make those pieces available for uploading by other users. Those users, belonging to a group of persons who download, called the ‘swarm’, thus themselves become ‘seeders’ of those pieces, like the undetermined initial seeder, who is at the origin of the first provision of that file in that network.
33 In that regard, the referring court states, first, that the pieces are not mere fragments of the original file, but autonomous encrypted files which are unusable in themselves, and, second, that, because of the way in which BitTorrent technology functions, the uploading of the pieces of a file, known as ‘seeding’, is, in principle, automatic, as that characteristic can be eliminated only by certain programs.
34 However, Mircom claims that even downloads of pieces representing together a proportion of at least 20 % of the underlying media file should be taken into account, since, on the basis of that percentage, it becomes possible to obtain an overview of that file, although fragmentary and of highly uncertain quality.
35 In the second place, the referring court doubts whether an undertaking, such as Mircom, can enjoy the protection conferred by Directive 2004/48, in so far as it does not actually use the rights assigned by the authors of the films at issue, but merely claims damages from alleged infringers, a model which resembles the definition of a ‘copyright troll’.
36 In the third place, the question also arises as to the lawfulness of the manner in which the IP addresses were collected by Mircom, in the light of point (f) of the first subparagraph of Article 6(1) of Regulation 2016/679.
37 It was in those circumstances that the Ondernemingsrechtbank Antwerpen (Companies Court, Antwerp) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:
‘(1) (a) Can the downloading of a file via a peer-to-peer network and the simultaneous provision for uploading of parts thereof … (which may be very fragmentary as compared to the whole) (‘seeding’) be regarded as a communication to the public within the meaning of Article 3(1) of Directive 2001/29, even if the individual pieces as such are unusable?
If so,
(b) is there a de minimis threshold above which the seeding of those pieces would constitute a communication to the public?
(c) is the fact that seeding can take place automatically (as a result of the BitTorrent client settings), and thus without the user’s knowledge, relevant?
(2) (a) Can a person who is the contractual holder of the copyright (or related rights), but does not himself exploit those rights and merely claims damages from alleged infringers – and whose economic business model thus depends on the existence of piracy, not on combating it – enjoy the same rights as those conferred by Chapter II of Directive 2004/48 on authors or licence holders who exploit copyright in the normal way?
(b) How can the licence holder in that case have suffered “prejudice” (within the meaning of Article 13 of Directive 2004/48) as a result of the infringement?
(3) Are the specific circumstances set out in Questions 1 and 2 relevant when assessing the correct balance to be struck between, on the one hand, the enforcement of intellectual property rights and, on the other, the rights and freedoms safeguarded by the [Charter of Fundamental Rights of the European Union], such as respect for private life and protection of personal data, in particular in the context of the assessment of proportionality?
(4) Is, in all those circumstances, the systematic registration and general further processing of the IP-addresses of a “swarm” of “seeders” (by the licence holder himself or herself, and by a third party on his or her behalf) legitimate under Regulation [2016/679], and specifically under Article 6(1) [first subparagraph] (f) thereof?’
Consideration of the questions referred
The first question
38 It should be noted as a preliminary point that, in the procedure laid down by Article 267 TFEU providing for cooperation between national courts and the Court of Justice, it is for the latter to provide the national court with an answer which will be of use to it and enable it to determine the case before it. To that end, the Court may have to reformulate the questions referred to it. The Court has a duty to interpret all provisions of EU law which national courts require in order to decide on the actions pending before them, even if those provisions are not expressly indicated in the questions referred to the Court by those courts (judgment of 19 December 2019, Nederlands Uitgeversverbond and Groep Algemene Uitgevers, C‑263/18, EU:C:2019:1111, paragraph 31 and the case-law cited).
39 To that end, the Court can extract from all the information provided by the national court, in particular from the grounds of the order for reference, the points of EU law which require interpretation in view of the subject matter of the dispute in the main proceedings (judgment of 19 December 2019, Nederlands Uitgeversverbond and Groep Algemene Uitgevers, C‑263/18, EU:C:2019:1111, paragraph 32 and the case-law cited).
40 In the present case, by its first question, the referring court asks the Court, in essence, whether the concept of ‘communication to the public’, referred to in Article 3(1) of Directive 2001/29, covers the sharing, on a peer-to-peer network, of sometimes very fragmentary pieces of a media file containing a protected work. However, as the Advocate General observed in point 34 of his Opinion, in so far as, in the main proceedings, the rights of film producers are concerned, it appears that, in the present case, it is rather Article 3(2)(c) of that directive which could apply.
41 In that context, since the EU legislature did not express a different intention, the expression ‘making available to the public’, used in Article 3(1) of Directive 2001/29 as a form of authors’ exclusive right to authorise or prohibit any ‘communication to the public’, and the identical expression in Article 3(2) of that directive, designating an exclusive right belonging to the holders of related rights, must be interpreted as having the same meaning (see, by analogy, judgment of 2 April 2020, Stim and SAMI, C‑753/18, EU:C:2020:268, paragraph 28 and the case-law cited).
42 In the light of those considerations, it is necessary to reformulate the first question to the effect that, by that question, the referring court asks, in essence, whether Article 3(1) and (2) of Directive 2001/29 must be interpreted as meaning that the uploading, from the terminal equipment of a user of a peer-to-peer network to such equipment of other users of that network, of pieces, previously downloaded by that user, of a media file containing a protected work, although those pieces are usable in themselves only as from a certain download rate and that, because of the configurations of the BitTorrent client sharing software, that uploading is automatically generated by that software, constitutes making available to the public, within the meaning of that provision.
43 First of all, it must be noted that, as the Advocate General observed in point 48 of his Opinion, those pieces are not parts of works, but parts of the files containing those works, used for transmitting those files under the BitTorrent protocol. Accordingly, the fact that the pieces which are transmitted are unusable in themselves is irrelevant since what is made available is the file containing the work, that is to say the work in digital format.
44 In that regard, as the Advocate General observed in point 49 of his Opinion, the operation of peer-to-peer peer networks does not differ, in essence, from the operation of the internet in general or, more specifically, from the World Wide Web, where the files containing a work are divided into small data packages, which are routed between the server and the client in a random order and by different channels.
45 In the present case, as is apparent from the order for reference, any user of the peer-to-peer network can easily reconstruct the original file from pieces available on the computers of users participating in the same swarm. The fact that a user does not succeed, individually, in downloading the entire original file does not prevent him or her from making available to his or her peers the pieces of that file which he or she has managed to download onto his or her computer and that he or she thus contributes to the creation of a situation in which, ultimately, all the users participating in the swarm have access to the complete file.
46 In order to establish that there is ‘making available’ within the meaning of Article 3(1) and (2) of Directive 2001/29 in such a situation, it is not necessary to prove that the user concerned has previously downloaded a number of pieces representing a minimum threshold.
47 In order for there to be an ‘act of communication’, and consequently, an act of making available, it is sufficient, in the final analysis, that a work is made available to a public in such a way that the persons comprising that public may access it, from wherever and whenever they individually choose, irrespective of whether or not they avail themselves of that opportunity (see, to that effect, judgment of 7 August 2018, Renckhoff, C‑161/17, EU:C:2018:634, paragraph 20). The concept of an ‘act of communication’ refers, in that regard, to any transmission of the protected works, irrespective of the technical means or process used (judgment of 29 November 2017, VCAST, C‑265/16, EU:C:2017:913; paragraph 42 and the case-law cited).
48 Therefore, any act whereby a user, in full knowledge of the consequences of what he or she is doing, gives access to protected work is liable to constitute an act of communication for the purposes of Article 3(1) and (2) of Directive 2001/29 (see, to that effect, judgment of 9 March 2021, VG Bild-Kunst, C‑392/19, EU:C:2021:181, paragraph 30 and the case-law cited).
49 In the present case, it appears that any user of the peer-to-peer network at issue, who has not deactivated the upload function of the BitTorrent client sharing software, uploads onto that network the pieces of media files that he or she has previously downloaded onto his or her computer. Provided that it is apparent, which it is for the referring court to determine, that the relevant users of that network have subscribed to that software by giving their consent to its application after having been duly informed of its characteristics, those users must be regarded as acting in full knowledge of their conduct and of the consequences which it may have. Once it is established that they have actively subscribed to such software, the deliberate nature of their conduct is in no way negated by the fact that the uploading is automatically generated by that software.
50 If it follows from the foregoing considerations that, subject to factual verification which it is for the referring court to carry out, the conduct of the users concerned is capable of constituting an act of making available a work or other protected subject matter, it is then necessary to examine whether such conduct constitutes making available to ‘the public’ within the meaning of Article 3(1) and (2) of Directive 2001/29.
51 In that regard, it must be recalled that, in order to come within the concept of ‘making available to the public’, within the meaning of that provision, works or other subject matter must in fact be made available to a public, that making available referring to an indeterminate number of potential recipients and involving a fairly large number of persons. Moreover, that making available to the public must be communicated using specific technical means, different from those previously used or, failing that, to a new public, that is to say, to a public that was not already taken into account by the rightholder of any copyright or related right when he or she authorised the initial communication of his or her work or of other protected subject matter to the public (see, to that effect, judgment of 9 March 2021, VG Bild-Kunst, C‑392/19, EU:C:2021:181, paragraphs 31 and 32 and the case-law cited).
52 As regards peer-to-peer networks, the Court has already held that the making available and management, on the internet, of a sharing platform which, by means of indexation of metadata referring to protected works and the provision of a search engine, allows users of that platform to locate those works and to share them in the context of such a network constitutes a communication to the public within the meaning of Article 3(1) of Directive 2001/29 (judgment of 14 June 2017, Stichting Brein, C‑610/15, EU:C:2017:456, paragraph 48).
53 In the present case, as the Advocate General found, in essence, in points 37 and 61 of his Opinion, the computers of those users sharing the same file constitute the peer-to-peer network itself, called the ‘swarm’, in which they play the same role as the servers in the operation of the World Wide Web.
54 It is common ground that such a network is used by a considerable number of persons, as is apparent, moreover, from the high number of IP addresses registered by Mircom. Moreover, those users can access, at any time and simultaneously, the protected works which are shared by means of the platform.
55 Consequently, that making available is aimed at an indeterminate number of potential recipients and involves a fairly large number of persons.
56 Furthermore, in so far as the case concerns works published without the authorisation of the rightholders, it must also be considered that those works are made available to a new public (see, by analogy, judgment of 14 June 2017, Stichting Brein, C‑610/15, EU:C:2017:456, paragraph 45 and the case-law cited).
57 In any event, even if it were found that a work has been previously posted on a website, without any restriction preventing it from being downloaded and with the consent of the rightholder of any copyright or related rights, the fact that, through a peer-to-peer network, users such as those at issue in the main proceedings have downloaded parts of the file containing that work on a private server, followed by those pieces being made available by means of uploading those pieces into the same network, means that those users have played a decisive role in making that work available to a public which was not taken into account by the rightholder of any copyright or related rights in that work when he or she authorised the initial communication (see, by analogy, judgment of 7 August 2018, Renckhoff, C‑161/17, EU:C:2018:634, paragraphs 46 and 47).
58 If such making available, by uploading a work, without the rightholder of the copyright or related rights over it being able to rely on the rights laid down in Article 3(1) and (2) of Directive 2001/29, constitutes it being made available, the consequence would be that the need to safeguard a fair balance, referred to in recitals 3 and 31 of that directive, in the digital environment between, on one hand, the interest of the holders of copyright and related rights in the protection of their intellectual property, guaranteed in Article 17(2) of the Charter of Fundamental Rights (‘the Charter’) and, on the other hand, the protection of the interests and fundamental rights of users of protected subject matter, in particular their freedom of expression and information guaranteed in Article 11 of the Charter, as well as the public interest, would be disregarded (see, to that effect, judgment of 9 March 2021, VG Bild-Kunst, C‑392/19, EU:C:2021:181, paragraph 54 and the case-law cited). Disregard of that balance would, moreover, undermine the principal objective of Directive 2001/29, which, as is apparent from recitals 4, 9 and 10 thereof, is to establish a high level of protection for rightholders, enabling rightholders to obtain an appropriate reward for the use of their protected works or other subject matter, in particular when they are made available to the public.
59 In the light of the foregoing considerations, the answer to the first question is that Article 3(1) and (2) of Directive 2001/29 must be interpreted as meaning that the uploading, from the terminal equipment of a user of a peer-to-peer network to such equipment of other users of that network, of pieces, previously downloaded by that user, of a media file containing a protected work, even though those pieces are usable in themselves only as from a certain download rate, constitutes making available to the public within the meaning of that provision. It is irrelevant that, due to the configurations of the BitTorrent client sharing software, that uploading is automatically generated by it, when the user, from whose terminal equipment that uploading takes place, has subscribed to that software by giving his or her consent to its application after having been duly informed of its characteristics.
The second question
60 By its second question, the referring court asks, in essence, whether Directive 2004/48 must be interpreted as meaning that a person who is the contractual holder of certain intellectual property rights, who does not however use them himself or herself, but merely claims damages from alleged infringers, may benefit from the measures, procedures and remedies provided for in Chapter II of that directive.
61 That question must be understood as covering three parts, namely, first, that relating to the legal standing of a person such as Mircom to seek the application of the measures, procedures and remedies provided for in Chapter II of Directive 2004/48, secondly, the question whether such a person may have suffered prejudice within the meaning of Article 13 of that directive and, thirdly, the question concerning the admissibility of his or her request for information, pursuant to Article 8 of that directive, read in conjunction with Article 3(2) thereof.
62 As regards the first part, relating to Mircom’s legal standing to bring proceedings, it must be borne in mind that the person seeking the application of the measures, procedures and remedies provided for in Chapter II of Directive 2004/48 must fall within one of the four categories of persons or bodies listed in Article 4(a) to (d) thereof.
63 Those categories include, first, holders of intellectual property rights, secondly, all the other persons authorised to use those rights, in particular licensees, thirdly, intellectual property collective rights management bodies which are regularly recognised as having a right to represent holders of intellectual property rights, and, fourth, professional defence bodies which are regularly recognised as having a right to represent holders of intellectual property rights.
64 However, unlike the holders of intellectual property rights referred to in Article 4(a) of Directive 2004/48, in accordance with recital 18 of that directive, the three categories of persons referred to in Article 4(b) to (d) thereof must also have a direct interest in the defence of those rights and the right to be a party to legal proceedings in so far as permitted by, and in accordance with, the applicable legislation (see, to that effect, judgment of 7 August 2018, SNB-REACT, C‑521/17, EU:C:2018:639, paragraph 39).
65 In the present case, the possibility that Mircom may be a collective management body or a professional defence body within the meaning of Article 4(c) and (d) of Directive 2004/48 should be ruled out from the outset. As the Advocate General observed in points 92 and 93 of his Opinion, Mircom does not, as it itself states, have the task of managing the copyright and related rights of its contractual parties or of ensuring the professional defence of the latter, but seeks solely to obtain compensation for prejudice resulting from infringements of those rights.
66 In that context, it should be noted that the activities of those bodies are harmonised within the Union by Directive 2014/26. Mircom’s name does not appear on the list of collective management bodies published by the European Commission in accordance with Article 39 of that directive.
67 As regards the status of holder of intellectual property rights, within the meaning of Article 4(a) of Directive 2004/48, in so far as that provision does not require such a rightholder to actually use his or her intellectual property rights, that right cannot be excluded from the scope of that provision on account of the non-use of those rights.
68 In that regard, it should be noted that the referring court classifies Mircom as a person who is contractually the holder of copyright or related rights. In those circumstances, Mircom should be granted the benefit of the measures, procedures and remedies provided for by Directive 2004/48 notwithstanding the fact that it does not use those rights.
69 A company such as Mircom could, moreover, be considered, in any event, to be another person authorised to use intellectual property rights within the meaning of Article 4(b) of that directive, it being understood that that authorisation also does not presuppose an actual use of the assigned rights. The fact of being classified as an ‘other person’, within the meaning of Article 4(b) of that directive, must, however, as noted in paragraph 64 above, be verified in accordance with the provisions of the applicable legislation, that reference having to be understood, in the light of Article 2(1) of that directive, as referring both to the relevant national legislation and, as the case may be, to EU legislation (see, to that effect, judgment of 7 August 2018, SNB-REACT, C‑521/17, EU:C:2018:639, paragraph 31).
70 As regards the second part of the second question, it concerns, in particular, the fact that, in the present case, Mircom does not use and does not appear to have any intention of using the rights acquired over the works at issue in the main proceedings. According to the referring court, that non-use of the assigned rights casts doubt on the possibility of such a person suffering prejudice within the meaning of Article 13 of Directive 2004/48.
71 That question concerns the actual identity of the injured party who has suffered, here, prejudice, within the meaning of Article 13 of that directive, as a result of the infringement of intellectual property rights, namely whether the prejudice at issue was suffered by Mircom or by the producers of the films concerned.
72 It is true that holders of intellectual property rights, referred to in Article 4(a) of Directive 2004/48, and the persons authorised to use those rights, referred to in Article 4(b) of that directive, may be harmed, in principle, by infringing activities, in so far as, as the Advocate General noted, in essence, in point 70 of his Opinion, those activities may hinder the normal use of those rights or diminish their revenue. However, it is also possible that a person, while having intellectual property rights, may merely recover, in his or her own name and on his or her own behalf, damages in respect of claims assigned to him or her by other holders of intellectual property rights.
73 In the present case, the referring court appears to take the view that Mircom merely acts, before it, as assignee, providing the film producers at issue with a service for the collection of claims for damages.
74 It must be held that the fact that a person referred to in Article 4 of Directive 2004/48 merely brings such an action as assignee is not such as to exclude him or her from the benefit of the measures, procedures and remedies provided for in Chapter II of that directive.
75 Such an exclusion runs counter to the general objective of Directive 2004/48, which is, as is clear from recital 10 thereof, to ensure a high level of protection of intellectual property in the internal market (see, to that effect, judgment of 18 January 2017, NEW WAVE CZ, C‑427/15, EU:C:2017:18, paragraph 23).
76 It should be noted, in that regard, that an assignment of claims cannot, in itself, affect the nature of the rights which have been infringed, in the present case, the intellectual property rights of the film producers concerned, in particular in the sense that that assignment has an effect on the determination of the court having jurisdiction or on other procedural aspects, such as the possibility of seeking measures, procedures and remedies, within the meaning of Chapter II of Directive 2004/48 (see, by analogy, judgment of 21 May 2015, CDC Hydrogen Peroxide, C‑352/13, EU:C:2015:335, paragraphs 35 and 36 and the case-law cited).
77 Consequently, if a holder of intellectual property rights chose to outsource the recovery of damages to a specialised undertaking by assigning claims or another legal act, he or she should not suffer less favourable treatment than another owner of such rights who would choose to assert those rights personally. Such treatment would undermine the attractiveness of that outsourcing from an economic point of view and would ultimately deprive holders of intellectual property rights of that possibility, which is moreover widespread in various fields of law, such as that of protection of air passengers, provided for in Regulation (EC) No 261/2004 of the European Parliament and of the Council of 11 February 2004 establishing common rules on compensation and assistance to passengers in the event of denied boarding and of cancellation or long delay of flights, and repealing Regulation (EEC) No 295/91 (OJ 2004 L 46, p. 1).
78 As regards the third part of its second question, the referring court harbours doubts, in essence, as to the admissibility of Mircom’s request for information, made under Article 8 of Directive 2004/48, in so far as that company does not make serious use of the rights which it has acquired from the film producers at issue in the main proceedings. Furthermore, it must be understood that, by referring to the possibility of classifying Mircom as a ‘copyright troll’, the referring court raises, in essence, the question of the existence of a possible abuse of rights by Mircom.
79 In the first place, the referring court appears to be doubtful as to whether Mircom intended to bring an action for damages, in so far as there is strong evidence that, generally, it merely proposes an amicable settlement with the sole aim of obtaining a lump sum of damages of EUR 500. In accordance with Article 8(1) of Directive 2004/48, a request for information must be made in the context of proceedings relating to an infringement of an intellectual property right.
80 As noted by the Advocate General in point 113 of his Opinion, it must be held, in that regard, that seeking an amicable solution is often a prerequisite for bringing an action for damages in the strict sense. Consequently, it cannot be considered that, in the context of the system for the protection of intellectual property established by Directive 2004/48, that practice is prohibited.
81 The Court has already held that Article 8(1) of Directive 2004/48 must be interpreted as applying to a situation in which, after the definitive termination of proceedings in which it was held that an intellectual property right was infringed, an applicant in separate proceedings seeks information on the origin and distribution networks of the goods or services by which that intellectual property right is infringed (judgment of 18 January 2017, NEW WAVE CZ, C‑427/15, EU:C:2017:18, paragraph 28).
82 It is appropriate to apply the same reasoning in relation to a separate procedure preceding an action for damages, such as that at issue in the main proceedings, in which, under Article 8(1)(c) of Directive 2004/48, an applicant requests an internet service provider, such as Telenet, which has been found to be providing, on a commercial scale, services used in infringing activities, the information enabling its customers to be identified with a view, specifically, to being able usefully to bring legal proceedings against the alleged infringers.
83 The right to information, provided for in Article 8 of the Charter, seeks to apply and implement the fundamental right to an effective remedy guaranteed in Article 47 of the Charter, and thereby to ensure the effective exercise of the fundamental right to property, which includes the intellectual property right protected in Article 17(2) of the Charter by enabling the holder of an intellectual property right to identify the person who is infringing that right and take the necessary steps in order to protect it (judgment of 9 July 2020, Constantin Film Verleih, C‑264/19, EU:C:2020:542, paragraph 35).
84 Consequently, it must be held that a request for information such as that made by Mircom during a pre-litigation stage cannot, for that reason alone, be regarded as inadmissible.
85 In the second place, according to Article 8(1) of Directive 2004/48, such a request must be justified and proportionate.
86 It must be stated, in the light of the considerations set out in paragraphs 70 to 77 above, that that may be the case where the request referred to in Article 8(1), is submitted by a company which is contractually authorised in that regard by film producers. It is, however, for the referring court to determine whether the request, as specifically formulated by such a company, is well founded.
87 In the third place, referring to the expression ‘any unfair profits made by the infringer’, used in point (a) of the second subparagraph of Article 13(1) of Directive 2004/48, and to the condition laid down in Article 6(2), Article 8(1) and Article 9(2) thereof, that infringements must be carried out on a commercial scale, the referring court considers that the EU legislature had in mind here the situation requiring structural action against the spread of counterfeiting on the market, and not the fight against individual infringers.
88 In that regard, it should be noted, first, that, in accordance with recital 14 of Directive 2004/48, the condition that infringements must be carried out on a commercial scale need to be applied only to measures relating to the evidence provided for in Article 6 of that directive, to the measures concerning the right to information provided for in Article 8 thereof and to the provisional and protective measures provided for in Article 9 of that directive, without prejudice to the possibility for Member States also to apply those measures to acts which are not carried out on a commercial scale.
89 That condition does not apply to the injured party’s claims for damages against an infringer referred to in Article 13 of Directive 2004/48. Consequently, under that provision, individual infringers may be ordered to pay the owner of the intellectual property rights damages appropriate to the actual prejudice suffered by him as a result of the infringement, provided that the infringer knowingly or with reasonable grounds to know engaged in the infringing activity.
90 Furthermore, in the context of a request for information under Article 8(1) of Directive 2004/48, the condition that the infringements must be committed in a commercial context may be satisfied in particular where a person other than the alleged infringer ‘was found to be providing on a commercial scale services used in infringing activities’.
91 In the present case, Mircom’s request for information is, as stated in paragraph 82 of the present judgment, directed against an internet service provider, as a person found in the process of providing, on a commercial scale, services used in infringing activities.
92 Consequently, in the dispute in the main proceedings, Mircom’s request against Telenet, which provides, on a commercial scale, services used in infringing activities, appears to satisfy the condition referred to in paragraph 90 of the present judgment.
93 Furthermore, it is for the referring court to ascertain, in any event, whether Mircom has abused measures, procedures and remedies within the meaning of Article 3 of Directive 2004/48 and, if necessary, to refuse that company’s request.
94 Article 3 of Directive 2004/48 imposes a general obligation to ensure, inter alia, that the measures, procedures and remedies necessary to ensure the enforcement of the intellectual property rights covered by that directive, including the right of information referred to in Article 8, are fair and equitable and applied in such a way as to provide for safeguards against their abuse.
95 The possible finding of such abuse falls entirely within the scope of the assessment of the facts in the main proceedings and, therefore, within the jurisdiction of the referring court. That court could in particular, to that end, examine Mircom’s operating method, by evaluating the way in which Mircom offers amicable solutions to alleged infringers and by ascertaining whether it actually brings legal proceedings in the event of a refusal to reach an amicable solution. It could also examine whether, in the light of all the particular circumstances of the present case, Mircom is in fact attempting, under the guise of proposing amicable solutions to alleged infringements, to extract economic revenue from the very membership of the users concerned in a peer-to-peer network such as the one at issue, without specifically seeking to combat the copyright infringements caused by that network.
96 In the light of the foregoing considerations, the answer to the second question is that Directive 2004/48 must be interpreted as meaning that a person who is the contractual holder of certain intellectual property rights, who does not however use them himself or herself, but merely claims damages from alleged infringers, may benefit, in principle, from the measures, procedures and remedies provided for in Chapter II of that directive, unless it is established, in accordance with the general obligation laid down in Article 3(2) of that directive and on the basis of an overall and detailed assessment, that his or her request is abusive. In particular, as regards a request for information based on Article 8 of that directive, it must also be rejected if it is unjustified or disproportionate, which is for the referring court to determine.
The third and fourth questions
97 As a preliminary point, it should be noted that, in the case in the main proceedings, there are two different types of personal data processing at issue, namely one which has already been carried out, upstream, by Media Protector and on behalf of Mircom, in the context of peer-to-peer networks, consisting of the recording of the IP addresses of users whose internet connections were allegedly used, at a given time, for the uploading of protected works on those networks, and the other, which, according to Mircom, must be carried out downstream by Telenet, consisting, first, of the identification of those users by means of a match between those IP addresses and those which, at the same time, Telenet had allocated to those users for the purpose of carrying out that uploading and, second, of the communication to Mircom of the names and addresses of the same users.
98 In its fourth question, the referring court seeks an answer as to whether, in the light of point (f) of the first subparagraph of Article 6(1) of Regulation 2016/679, only the first processing which has already been carried out is justified.
99 Furthermore, in its third question, it seeks to ascertain, in essence, whether the circumstances set out in its first and second questions are relevant for the purposes of assessing the fair balance between, on the one hand, the right to intellectual property and, on the other hand, the protection of privacy and personal data, in particular in the assessment of proportionality.
100 In the event that, on the basis of the Court’s answers to the first and second questions, the referring court finds that Mircom’s request for information satisfies the conditions laid down in Article 8 of Directive 2004/48, read in conjunction with Article 3(2) thereof, it must be understood that, by its third question, the referring court seeks to ascertain, in essence, whether, in circumstances such as those at issue in the main proceedings, point (f) of the first subparagraph of Article 6(1) of Regulation 2016/679 must be interpreted as precluding the second downstream processing, as described in paragraph 97 of the present judgment, even though that request satisfies those conditions.
101 In the light of those considerations and in accordance with the case-law cited in paragraphs 38 and 39 of the present judgment, it is necessary to reformulate the third and fourth questions to the effect that, by those questions, the referring court asks, in essence, whether point (f) of the first subparagraph of Article 6(1) of Regulation 2016/679 must be interpreted as precluding, first, the systematic registration, by the holder of intellectual property rights and by a third party acting on that holder’s behalf, of the IP addresses of users of peer-to-peer networks whose internet connections have allegedly been used in infringing activities and, second, the communication of the names and of postal addresses of those users to the rightholder or to a third party in order to enable him or her to bring a claim for damages before a civil court for prejudice allegedly caused by those users.
102 In the first place, as regards the upstream processing at issue in the main proceedings, it must be recalled that a dynamic IP address registered by an online media services provider when a person accesses a website which that provider makes accessible to the public constitutes personal data, within the meaning of Article 4(1) of Regulation 2016/679, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person (judgment of 19 October 2016, Breyer, C‑582/14, EU:C:2016:779, paragraph 49).
103 Consequently, the registration of such addresses for the purposes of their subsequent use in legal proceedings constitutes processing within the meaning of Article 4(2) of Regulation 2016/679.
104 That is also the situation of Mircom, on behalf of whom Media Protector collects the IP addresses, in so far as it has a legal means of identifying the owners of the internet connections in accordance with the procedure provided for in Article 8 of Directive 2004/48.
105 Under point (f) of the first subparagraph of Article 6(1) of Regulation 2016/679, the processing of personal data is lawful only if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
106 Accordingly, that provision lays down three cumulative conditions so that the processing of personal data is lawful, namely, first, the pursuit of a legitimate interest by the data controller or by a third party; second, the need to process personal data for the purposes of the legitimate interests pursued; and third, that the interests or freedoms and fundamental rights of the person concerned by the data protection do not take precedence (see, to that effect, as regards Article 7(f) of Directive 95/46, judgment of 4 May 2017, Rīgas satiksme, C‑13/16, EU:C:2017:336, paragraph 28).
107 Since Regulation 2016/679 repealed and replaced Directive 95/46 and the relevant provisions of that regulation have essentially the same scope as that of the relevant provisions of that directive, the Court’s case-law on that directive is also applicable, in principle, to that regulation (see, by analogy, judgment of 12 November 2020, Sonaecom, C‑42/19, EU:C:2020:913, paragraph 29).
108 As regards the condition relating to the pursuit of a legitimate interest and subject to verifications which it is for the referring court to carry out in the context of the second question, it must be held that the interest of the controller or of a third party in obtaining the personal information of a person who allegedly damaged their property in order to sue that person for damages can be qualified as a legitimate interest. That analysis is supported by Article 9(2)(e) and (f) of Regulation 2016/679, which provides that the prohibition on the processing of certain types of personal data, such as that revealing the sex life or sexual orientation of a natural person, is not to apply, in particular, where the processing concerns personal data which is clearly rendered public by the person concerned or is necessary for the establishment, exercise or defence of legal claims (see, to that effect, as regards Article 8(2)(e) of Directive 95/46, judgment of 4 May 2017, Rīgas satiksme, C‑13/16, EU:C:2017:336, paragraph 29).
109 In that regard, as the Advocate General stated, in essence, in point 131 of his Opinion, the recovery of claims in the prescribed manner by an assignee may constitute a legitimate interest justifying the processing of personal data in accordance with point (f) of the first subparagraph of Article 6(1) of Regulation 2016/679 (see, by analogy, as regards Directive 2002/58, judgment of 22 November 2012, Probst, C‑119/12, EU:C:2012:748, paragraph 19).
110 As regards the condition relating to the necessity of processing personal data for the purposes of the legitimate interests pursued, it should be borne in mind that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary (judgment of 4 May 2017, Rīgas satiksme, C‑13/16, EU:C:2017:336, paragraph 30). That condition could, in the present case, be satisfied since, as the Advocate General observed in point 97 of his Opinion, identification of the owner of the connection is often possible only on the basis of the IP address and the information provided by the internet service provider.
111 Finally, as regards the condition of balancing of the opposing rights and interests at issue, it depends in principle on the specific circumstances of the particular case (judgment of 4 May 2017, Rīgas satiksme, C‑13/16, EU:C:2017:336, paragraph 31 and the case-law cited). It is for the referring court to assess those particular circumstances.
112 In that regard, the mechanisms allowing the different rights and interests to be balanced are contained in Regulation 2016/679 itself (see, by analogy, judgment of 29 January 2008, Promusicae, C‑275/06, EU:C:2008:54, paragraph 66 and the case-law cited).
113 Moreover, in so far as the facts in the main proceedings seem to fall within both the scope of Regulation 2016/679 and that of Directive 2002/58, the IP addresses processed constitute, as is clear from the case-law cited in paragraph 102 of the present judgment both personal data and traffic data (see, to that effect, judgment of 6 October 2020, La Quadrature du Net and Others, C‑511/18, C‑512/18 and C‑520/18, EU:C:2020:791, paragraph 152), it must be ascertained whether the assessment of the lawfulness of such processing must take account of the conditions laid down by that directive.
114 As is apparent from Article 1(2) of Directive 2002/58, read in conjunction with Article 94(2) of Regulation 2016/679, the provisions of that directive specify and supplement that regulation in order to harmonise the national provisions necessary to ensure, in particular, an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy, as regards the processing of personal data in the electronic communications sector (see, to that effect, judgments of 2 October 2018, Ministerio Fiscal, C‑207/16, EU:C:2018:788, paragraph 31, and of 6 October 2020, La Quadrature du Net and Others, C‑511/18, C‑512/18 and C‑520/18, EU:C:2020:791, paragraph 102).
115 In that regard, it should be noted that, under Article 5(1) of Directive 2002/58, Member States are to prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so in accordance with Article 15(1) of that directive. Furthermore, under Article 6(1) of that directive, traffic data relating to subscribers and users processed and stored by the provider of a public communications network or publicly available electronic communications service must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication without prejudice, in particular, to Article 15(1) of that directive.
116 Article 15(1) ends the list of exceptions to the obligation to ensure the confidentiality of personal data with an express reference to Article 13(1) of Directive 95/46, corresponding, in essence, to Article 23(1) of Regulation 2016/679, which now allows both EU law and the law of the Member State to which the controller or processor is subject to restrict, by means of legislative measures, the scope of the obligation of confidentiality of personal data in the electronic communications sector, where that restriction respects the essence of the freedoms and the fundamental freedoms and that it constitutes a necessary and proportionate measure in a democratic society to ensure, in particular, the protection of the rights and freedoms of others and the enforcement of civil law claims (see, to that effect, judgment of 29 January 2008, Promusicae, C‑275/06, EU:C:2008:54, paragraph 53).
117 Furthermore, the fact that Article 23(1)(j) of that regulation now expressly refers to the enforcement of claims under civil law must be interpreted as expressing the intention of the EU legislature to confirm the case-law of the Court according to which the protection of the right to property and situations in which authors seek to obtain such protection in civil proceedings have never been excluded from the scope of Article 15(1) of Directive 2002/58 (see, to that effect, judgment of 29 January 2008, Promusicae, C‑275/06, EU:C:2008:54, paragraph 53).
118 Consequently, in order for processing, such as the registration of IP addresses of persons whose internet connections have been used to upload pieces of files containing protected works on peer-to-peer networks, for the purposes of filing a request for disclosure of the names and postal addresses of the holders of those IP addresses, can be regarded as lawful by satisfying the conditions laid down by Regulation 2016/679, it is necessary, in particular, to ascertain whether that processing satisfies the abovementioned provisions of Directive 2002/58, which embodies, for users of electronic communications, the fundamental rights to respect for private life and the protection of personal data (see, to that effect, judgment of 6 October 2020, La Quadrature du Net and Others, C‑511/18, C‑512/18 and C‑520/18, EU:C:2020:791, paragraph 109).
119 In the absence in the order for reference of details relating to the legal basis for Mircom’s access to the IP addresses retained by Telenet, the Court is not in a position to provide the referring court with useful guidance as to whether processing such as that carried out upstream, consisting of the registration of those IP addresses, undermines those fundamental rights, in the light of the rules set out in Directive 2002/58 and the condition relating to the balancing of conflicting rights and interests. It will be for the referring court to analyse the relevant national legislation in the light of EU law, in particular Articles 5, 6 and 15 of Directive 2002/58.
120 In the second place, as regards Telenet’s downstream processing, which consists of identifying the holders of those IP addresses and communicating to Mircom the names and postal addresses of those holders, it should be noted that a request, in accordance with Article 8 of Directive 2004/48, limited to the disclosure of the names and addresses of users involved in infringing activities is consistent with the objective of striking a fair balance between the rights of intellectual property rightholders and the right of users to protection of personal data (see, to that effect, judgment of 9 July 2020, Constantin Film Verleih, C‑264/19, EU:C:2020:542, paragraphs 37 and 38 and the case-law cited).
121 Such data relating to the civil identity of users of electronic communications systems do not normally, in themselves, make it possible to ascertain the date, time, duration and recipients of the communications made, or the locations where those communications took place or their frequency with specific people during a given period, with the result that they do not provide, apart from the contact details of those users, such as their civil status, addresses, any information on the communications sent and, consequently, on the users’ private lives. Thus, the interference entailed by a measure relating to those data cannot, in principle, be classified as serious (see, to that effect, judgment of 2 March 2021, Prokuratuur (Conditions of access to data relating to electronic communications), C‑746/18, EU:C:2021:152, paragraph 34 and the case-law cited).
122 That said, in the case in the main proceedings, Mircom’s request for information presupposes that Telenet performs a match between the dynamic IP addresses recorded on behalf of Mircom and those allocated by Telenet to those users, who have allowed them to participate in the peer-to-peer network at issue.
123 Consequently, as is apparent from the case-law cited in paragraph 113 of the present judgment, such a request concerns the processing of traffic data. The right to protection of that data, which is enjoyed by the persons referred to in Article 8(1) of Directive 2004/48, forms part of the fundamental right of every person to have his or her personal data protected, as guaranteed by Article 8 of the Charter and Regulation 2016/679, as clarified and supplemented by Directive 2002/58 (see, to that effect, judgment of 16 July 2015, Coty Germany, C‑580/13, EU:C:2015:485, paragraph 30).
124 The application of the measures provided for by Directive 2004/48 cannot, in fact, affect Regulation 2016/679 and Directive 2002/58 (see, to that effect, judgment of 16 July 2015, Coty Germany, C‑580/13, EU:C:2015:485, paragraph 32).
125 In that regard, the Court has already held that Article 8(3) of Directive 2004/48, read in conjunction with Article 15(1) of Directive 2002/58 and Article 7(f) of Directive 95/46, does not preclude Member States from imposing an obligation to disclose to private persons personal data in order to enable them to bring civil proceedings for copyright infringements, but nor does it require those Member States to lay down such an obligation (see, to that effect, judgments of 19 April 2012, Bonnier Audio and Others, C‑461/10, EU:C:2012:219, paragraph 55 and the case-law cited, and of 4 May 2017, Rīgas satiksme, C‑13/16, EU:C:2017:336, paragraph 34).
126 It should be noted that, like Article 7(f) of Directive 95/46, neither point (f) of the first subparagraph of Article 6(1) of Regulation 2016/679 nor Article 9(2)(f) of that regulation, although directly applicable in any Member State, by virtue of the second paragraph of Article 288 TFEU, imposes an obligation on a third party, such as an internet service provider, to communicate to private persons, as recipients, within the meaning of Article 4(9) of that regulation, personal data for the purpose of prosecuting copyright infringements before the civil courts, but merely regulate the issue of the lawfulness of the processing by the controller itself or by a third party, within the meaning of Article 4(10) of that regulation.
127 Thus, an internet service provider such as Telenet could be obliged to make such a communication only on the basis of a measure, referred to in Article 15(1) of Directive 2002/58, which limits the scope of the rights and obligations laid down, inter alia, in Articles 5 and 6 thereof.
128 In so far as the order for reference contains no information in that regard, the referring court will have to ascertain the legal basis both of Telenet’s retention of the IP addresses of which Mircom requests disclosure and of any access to those addresses by Mircom.
129 In accordance with Article 6(1) and (2) of Directive 2002/58, the retention of IP addresses by providers of electronic communications services beyond the period for which that data is assigned does not, in principle, appear to be necessary for the purpose of billing the services at issue, with the result that the detection of offences committed online may therefore prove impossible without recourse to a legislative measure under Article 15(1) of Directive 2002/58 (see, to that effect, judgment of 6 October 2020, La Quadrature du Net and Others, C‑511/18, C‑512/18 and C‑520/18, EU:C:2020:791, paragraph 154).
130 As the Advocate General observed, in essence, in point 104 of his Opinion, if the retention of IP addresses on the basis of such a legislative measure or, at the very least, their use for purposes other than those considered to be lawful in the judgment of 6 October 2020, La Quadrature du Net and Others (C‑511/18, C‑512/18 and C‑520/18, EU:C:2020:791), were to be regarded as contrary to EU law, the request for information in the main proceedings would become devoid of purpose.
131 If it were to follow from the investigations carried out by the referring court that there are national legislative measures, within the meaning of Article 15(1) of Directive 2002/58, which limit the scope of the rules laid down in Articles 5 and 6 of that directive and which could usefully apply to the present case, and on the assumption that it is also apparent, on the basis of the interpretative guidance provided by the Court in all of the preceding paragraphs of the present judgment, that Mircom has legal standing to bring proceedings and that its request for information is justified, proportionate and not abusive, the abovementioned processing must be regarded as lawful, within the meaning of Regulation 2016/679.
132 In the light of the foregoing considerations, the answer to the third and fourth questions is that point (f) of the first subparagraph of Article 6(1) of Regulation 2016/679, read in conjunction with Article 15(1) of Directive 2002/58, must be interpreted as meaning that it precludes in principle, neither the systematic recording, by the holder of intellectual property rights as well as by a third party on his or her behalf, of IP addresses of users of peer-to-peer networks whose internet connections have allegedly been used in infringing activities, nor the communication of the names and of the postal addresses of those users to that rightholder or to a third party in order to enable it to bring claim for damages before a civil court for prejudice allegedly caused by those users, provided, however, that the initiatives and the requests to that effect by that rightholder or such a third party are justified, proportionate and not abusive and have their legal basis in a national legislative measure, within the meaning of Article 15(1) of Directive 2002/58, which limits the scope of the rules laid down in Articles 5 and 6 of that directive.
Costs
133 Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the national court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.
On those grounds, the Court (Fifth Chamber) hereby rules:
1. Article 3(1) and (2) of Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society must be interpreted as meaning that the uploading, from the terminal equipment of a user of a peer-to-peer network to such equipment of other users of that network, of pieces, previously downloaded by that user, of a media file containing a protected work, even though those pieces are usable in themselves only as from a certain download rate, constitutes making available to the public within the meaning of that provision. It is irrelevant that, due to the configurations of the BitTorrent client sharing software, that uploading is automatically generated by it, when the user, from whose terminal equipment that uploading takes place, has subscribed to that software by giving his or her consent to its application after having been duly informed of its characteristics.
2. Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the enforcement of intellectual property rights must be interpreted as meaning that a person who is the contractual holder of certain intellectual property rights, who does not however use them himself or herself, but merely claims damages for alleged infringers, may benefit, in principle, from the measures, procedures and remedies provided for in Chapter II of that directive, unless it is established, in accordance with the general obligation laid down in Article 3(2) of that directive and on the basis of an overall and detailed assessment, that his or her request is abusive. In particular, as regards a request for information based on Article 8 of that directive, it must also be rejected if it is unjustified or disproportionate, which is for the referring court to determine.
3. Point (f) of subparagraph 1 of Article 6(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), read in conjunction with Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, must be interpreted as meaning that it precludes in principle, neither the systematic recording, by the holder of intellectual property rights as well as by a third party on his or her behalf, of IP addresses of users of peer-to-peer networks whose internet connections have allegedly been used in infringing activities, nor the communication of the names and of the postal addresses of those users to that rightholder or to a third party in order to enable it to bring a claim for damages before a civil court for prejudice allegedly caused by those users, provided, however, that the initiatives and requests to that effect of that rightholder or of such a third party are justified, proportionate and not abusive and have their legal basis in a national legislative measure, within the meaning of Article 15(1) of Directive 2002/58, which limits the scope of the rules laid down in Articles 5 and 6 of that directive, as amended.