On 24 November 2011, the Court of Justice of the EU (the “ECJ”) handed down its judgment in case 70/10 Scarlet v. SABAM. In this case, the ECJ was requested to clarify whether national courts could order Internet Service Providers (ISPs) to implement filtering software blocking illegal filesharing in order to protect intellectual property rights (see, for a detailed discussion of the judgment, VBB on Belgian Business Law,, Volume 2011, No. 11, p. 3, available at www.vbb.com).
To answer this question, the ECJ had to strike a balance between the protection of the intellectual property right enjoyed by copyright holders on the one hand and other fundamental rights and freedoms of the parties concerned by the filtering measures. In this context, the ECJ confirmed that IP addresses are personal data as defined by Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. In particular, the ECJ considered that the filtering system in question may infringe the fundamental rights of the ISPs’ customers, namely their right to protection of their personal data. The ECJ held that users’ IP addresses are protected personal data “because they allow those users to be precisely identified”.
In Belgium, the ECJ judgment will not change the existing practice, as IP addresses are already treated as personal data. Indeed, this view has been taken by the Belgian Data Protection Authority (Commissie voor de bescherming van de persoonlijke levenssfeer / Commission de la protection de la vie privée) and confirmed by national courts. However, even though the Article 29 Working Party repeatedly advised that IP addresses should be regarded as personal data, especially in those cases where the processing of IP addresses is carried out with the purpose of identifying the users of the computer (for instance, by copyright holders in order to prosecute computer users for violation of intellectual property rights), this view has not been shared by all Member States. For instance, certain national courts have held that IP addresses should not be regarded as personal data. The present decision now imposes a harmonised interpretation of the concept of personal data in relation to IP addresses throughout the EU. Remarkably, the European Commission’s legislative proposal for a new data protection framework, which will be officially announced in January 2012, is likely to expressly provide that IP addresses constitute personal data.