CJEU rules that systematic gathering of IP addresses is lawful


In a decision handed down on June the 17th, 2021, the Court of Justice of the European Union ruled that the systematic gathering by a rights holder of the IP addresses of internet users taking part in peer-to-peer networks was compliant with the GDPR.

A company with film rights found that users were illegally downloading films on peer-to-peer networks. After collecting the IP addresses of the illegal downloads, the company submitted a request for information to the internet provider of these IP addresses in order to be provided with the identification data, which the provider refused.

In this context, the Belgian court which was relevant to hear the case, referred a number of questions to the CJEU for a preliminary ruling, one of which concerned the lawfulness of the gathering of IP addresses and the request for information aimed at obtaining the identity of the holders of these IP addresses from the rights holder company in the light of the General Data Protection Regulation 2016/679 (GDPR) and the Directive on “privacy and electronic commerce” 2002/58/EC.

Relying on Article 6(1)(f) of the GDPR, the CJEU recalled the three conditions for the processing of personal data:

(i) The pursuit of a legitimate interest;

(ii) Necessity for the achievement of the legitimate interest pursued;

(iii) The interests or fundamental rights and freedoms of the data subject must not prevail, in which case the processing will be unlawful automatically.

The CJEU applied these conditions to the case in point, considering first that the defence of property rights constitutes a legitimate interest. As such, the gathering of IP addresses and the subsequent request for information can be considered necessary insofar as “the identification of the holder of the connection is often possible only on the basis of the IP address and the information provided by the Internet service provider“. Finally, “the mechanisms for striking a fair balance between the various rights and interests involved are enshrined in Regulation 2016/679 itself.”

Furthermore, the CJEU considers that the GDPR is not incompatible with “the systematic recording, by the holder of intellectual property rights as well as by a third party on its behalf, of IP addresses of users of peer-to-peer networks whose internet connections have allegedly been used in infringing activities nor with the communication of the names and postal addresses of those users to that holder or to a third party in order to enable it to bring an action for compensation before a civil court for damage allegedly caused by those users, provided, however, that such initiatives and claims by the rights holder or such a third party are justified, proportionate and not abusive and have their legal basis in a national legislative measure, within the meaning of Article 15(1) of Directive 2002/58“.

This decision therefore establishes the principle of striking a balance between the protection of personal data and intellectual property rights.

By Xenia Bodiansky and the IP-IT team of UGGC Avocats

UGGC - Image 2


Cannes 2022: "Transposition of the AVMS Directive", with Anne-Marie Pecoraro, Corinne Khayat and Rodolphe Boissau

After a 73rd virtual edition because of Covid-19 and a 74th edition shifted in July to be organized in person despite the pandemic, the 75th edition of the Cannes Film…

The European Commission adopts a proposal for a Data Act

Watches, thermostats, lights, cameras, TVs, robots, scales… these objects all have in common that they present versions of themselves in so-called connected object versions; and the list is not exhaustive,…

The transfer of audiovisual catalogs

The law n° 2021-1382 of October 25, 2021 relating to the regulation and protection of access to cultural works in the digital era has brought some changes that reinforce the…