Netherlands

[NL] Court rules ISP must provide user data to foreign rightsholders

IRIS 2020-7:1/16

Anne van der Sangen

Institute for Information Law (IViR), University of Amsterdam

On 30 April 2020, the District Court of The Hague (Rechtbank Den Haag) ruled that a US television provider is entitled to the names and addresses of Internet subscribers or users using an IP address from which it was presumed that an unlawful exchange of files containing protected works had taken place. The judgment was made against WorldStream, which is a Dutch-based Internet hosting provider.

The case revolved around Dish Network, which is a provider of paid television in the United States, and Internet hosting provider WorldStream. Dish Network has concluded licence agreements with the owners of several television channels and has exclusive rights to several channels and broadcasted programmes (the “protected content”). Pursuant to applicable US copyright law, Dish Network is also the copyright owner of the protected content, at least for the United States. Since access to the protected content via the television subscription is achieved on an authentication server with an IP address hosted by WorldStream, it was claimed that the copyrights of Dish Network were being infringed.

The court ruled that on a balance of interests, WorldStream is required to provide the data as requested by Dish Network. According to the court, WorldStream has a legal obligation to provide personal data to Dish Network if (i) there is a legitimate interest, (ii) the processing is necessary and (iii) the interests of Dish Network should prevail over the interests of the WorldStream customers concerned, referring to an earlier judgment of the Court of Appeal of Arnhem-Leeuwarden in Dutch Film Works v. Ziggo (see IRIS 2020-1/18). Dish Network’s rights prevailed, since Dish Network had sufficiently demonstrated that the WorldStream customers behind the specific IP address were infringing Dish Network copyrights.

Notably, Dish Network is a foreign organisation within the meaning of Chapter V of the General Data Protection Regulation (GDPR). This Chapter provides that transfers of personal data to third countries or foreign organisations (outside the European Union) are in principle only allowed under the conditions laid down in Articles 44 to 47 GDPR. The conditions of Chapter V GDPR are not met, but according to the court, Dish Network can invoke the exception under Article 49(1)(e) GDPR. Where the transfer is necessary for the establishment, exercise or defence of legal claims, it may also take place without an adequacy decision or appropriate safeguards. Dish Network needs the data for further legal actions. Even though there is no close link between the data transmission and a specific procedure relating to the situation in question, as required by the European Data Protection Board Guidelines 2/2018, in the specific circumstances of the present case, this provision is applicable according to the court. Additionally, it is of decisive importance that (i) the data transfer is necessary to be able to initiate a (future) case against the infringers and (ii) Dish Network has little to no other means at its disposal to bring the infringers to justice.

The court ordered WorldStream to provide Dish Network with the requested information about the customer(s) and to pay the costs of the proceedings.