According to him, the graduated response mechanism whose operation is entrusted to the administrative authority in charge of copyright protection in France is compatible with Union law requirements in the area of personal data protection.

Today's conclusion is related to the reopening of the proceedings in this case. Indeed, at the request of the Grand Chamber, the Court decided to refer the case to the full court and to ask questions with a view to answering them orally at the hearing on May 15 and 16, 2023. First Advocate General Szpunar delivered an initial opinion in this case on October 27, 2022 (see PC No. 172/22).

The French Haute autorité pour la diffusion des œuvres et la protection des droits sur Internet (High Authority for the Distribution of Works and Protection of Rights on the Internet, "Hadopi") 1 is tasked with ensuring that property rights are respected in France. When it is discovered that an Internet user has infringed copyright, Hadopi sends him a recommendation ordering him not to do so again. If the Internet user in question still infringes copyright again, a second warning follows. If the first two warnings are ignored and copyright infringement occurs for the third time, Hadopi may request the appropriate judicial authority to initiate criminal proceedings.

This "graduated response" mechanism can only work if Hadopi can find out who infringed copyright so that it can send those recommendations to that person. To this end, a decree adopted in 2010 allows Hadopi to request electronic communications service operators to provide it with details of the civil identity of the user to whom the IP address used to commit the infringement was assigned.

Four associations working for the protection of rights and freedoms on the Internet are challenging the adoption of that decree in court. The Conseil d'État (French raad van state) wants to know from the Court whether it is compatible with EU law for data on civil identity corresponding to IP addresses to be collected and processed in an automated manner to prevent the infringement of intellectual property rights, without prior control by a judicial or administrative entity.

In his Opinion today, First Advocate General Szpunar considers that EU law does not preclude electronic communication service providers from being required to retain IP addresses and corresponding civil identity data, nor does it preclude those data from being accessed by an administrative authority charged with protecting copyrights against the infringement of those rights on the Internet.

The Advocate General considers that the IP address, the civilian identity of the holder of the Internet connection and the information about the work in question do not make it possible to draw precise conclusions about the private life of the person suspected of copyright infringement. In fact, on the basis of these data, it is only possible to determine what content was consulted at a given time, which in itself does not make it possible to draw up a detailed profile of the person concerned.

The purpose of this measure is to enable the administrative authority to identify the holders of IP addresses suspected of copyright infringement and, if necessary, to take action against them. Moreover, there is no need for prior review of access to the data in question by a judge or independent administrative entity. Indeed, these data constitute the only investigative tool that makes it possible to identify the person to whom the IP address in question was assigned when the infringement was committed.

The Advocate General stresses that this is not a revision but a pragmatic further development of the existing case law, allowing a nuanced solution to be worked out in specific and very narrowly defined circumstances. In his view, this analysis - in accordance with the principle of proportionality - is the result of a balancing of the various interests involved, and justifies a refinement of the Court's case law on the retention and access to data such as IP addresses linked to civil identity data, in order to prevent systemic impunity for crimes committed exclusively online.