The Central Netherlands District Court recently handed Stichting Brein a major defeat. In summary proceedings, the court ruled that Ziggo is not obliged to send warning letters to subscribers who BREIN claims have downloaded illegally. In fact, Ziggo is not even allowed to do so. This is because Ziggo does not have a license from the Autoriteit Persoonsgegevens to process criminal data, and needs one.
BREIN Foundation is engaged in tackling copyright infringement. To combat illegal downloads, the foundation launched a warning campaign in 2020. For this, it collects IP addresses used to up- and download illegal content via BitTorrent. With just an IP address, however, you do not reach the infringer.
BREIN therefore needs the cooperation of ISPs in order to send a warning letter to the infringer. This is because ISPs can link the IP addresses to the subscriber's name and address information. BREIN has requested Ziggo to send a warning letter to the subscribers whose IP addresses BREIN has collected. Ziggo refused to cooperate, and so it happened that BREIN went to court.
First, the court cites standard case law from the European Court of Justice, confirming that IP addresses should be considered personal data. This means that the AVG applies to any processing of that data. Second, the court held that there was processing of criminal personal data here. After all, copyright infringement is a criminal offense, and according to the court, the fact that an IP address has been used for a criminal offense qualifies as data concerning a criminal offense.
That finding is important because processing of criminal personal data is prohibited unless a controller can invoke one of the grounds for exception laid out in Articles 32 and 33 UAVG.
The court then tested whether there was a lawful basis for the processing. BREIN can successfully invoke the ground for exception as laid down in Article 33 paragraph 2 subsection b UAVG. This ground relates to processing for its own benefit, for the protection of its interests, insofar as it concerns criminal offenses that have been or, based on facts and circumstances, are expected to be committed against it or against persons employed by it.
Ziggo argued that reliance on this ground is not possible, since the processing is done because of criminal offenses against those affiliated with BREIN and not against BREIN itself. The moment data are processed for the benefit of third parties, Article 33 (2) (b) UAVG does not apply and the ground of exception mentioned in Article 33 (4) UAVG must be invoked. You are then required to apply for a permit from the Autoriteit Persoonsgegevens. BREIN applied for this permit before it began its campaign. However, the Autoriteit Persoonsgegevens ruled that BREIN was not required to obtain a license because they do not process data for the benefit of third parties. The court went along with this and ruled against Ziggo on that point.
Furthermore, Ziggo itself is a processor of personal data under criminal law when Ziggo links the IP addresses to the name and address details of its customers and sends a warning letter. These letters are then sent under Ziggo's own responsibility, but on behalf of BREIN.
Therefore, unlike BREIN, Ziggo does have a license requirement to process criminal personal data. However, Ziggo does not have a license from the Autoriteit Persoonsgegevens , so there is no valid basis for the processing. The court ruled that Ziggo is therefore simply not allowed to send the letters.
The court further addressed the situation where Ziggo would have a license. Ziggo is then obliged to send the warning letters. The court assessed this on the basis of an assessment framework developed in case law. .. The illegal downloads are illegal and BREIN has a real interest in forwarding the warning letters in order to prevent future infringements.
Since BREIN does not obtain the name and address information from Ziggo, this is also still the most privacy-friendly way for the infringers in question. Furthermore, BREIN's interest in processing the data takes precedence over the interests of Ziggo and the infringers. Countering this form of copyright infringement proves very difficult in practice, and the campaign developed by BREIN is a fairly light means of addressing the problem. This is certainly the case now that Ziggo does not monitor the Internet behavior of its customers to any far-reaching extent.
This defeat may put a bomb under BREIN's plan regarding the warning letters. BREIN will not leave it at that and will appeal. On appeal, BREIN could argue that Ziggo is not a data controller at all, but merely BREIN's processor. The argument for this: While Ziggo possesses the data and resources needed to send the letters, BREIN determines the purpose of that processing. In doing so, Ziggo works only on behalf of BREIN.
BREIN can also argue that Article 32(d) applies. This provides that it is permissible to process personal data under criminal law when it is necessary for the establishment of a legal claim. BREIN must then explain why a warning letter is necessary in the context of bringing a legal action. After all, a warning letter only, I assume, warns.
BREIN will no doubt also send Ziggo a request to apply for the license as soon as possible. However, the question is whether an organization is required to apply for that license. We will keep you informed.
