France

[FR] CNIL Authorises Collection and Processing of Personal Data on the Internet to Counter Peer-to-peer Activities

IRIS 2005-5:1/12

Amélie Blocman

Légipresse

The Act of 6 August 2004 amending the Act of 6 January 1978 on information technology and data protection introduced a new Article 9-4 that enables the companies that collect and manage royalties and related rights and bodies that defend the profession's interests to process personal data relating to infringements, and more particularly those covered by the CPI (Code de la propriété intellectuelle - French intellectual property code). Under Article 30 of the original Act, this was not previously allowed. As the Constitutional Council recalled, the declared purpose of the new provision is to promote the processing of personal data, particularly data collected on the Internet, in order to organise and facilitate the fight against counterfeiting and peer-to-peer activities. Under the new Article 25-I(3) of the amended 1978 Act, such processing, whether automated or not, may not be carried out without first obtaining authorisation from the CNIL (Commission nationale informatique et libertés - French national data protection agency), which is an independent administrative authority.

Hence last December the SELL (Syndicat des éditeurs de logiciels de loisirs - union of recreational software editors) submitted to the CNIL a scheme intended firstly to send dissuasive messages to Internet users downloading and making available software copied illegally on peer-to-peer networks and secondly, in certain specific cases, to note the IP addresses of Internet users making unlawfully copied recreational software available on these networks. On 24 March, after thorough examination of the scheme, the CNIL authorised processing of this kind, considering that the assurances accompanying its implementation were such as to preserve the balance between protecting on the one hand the rights of the persons whose data was being processed, and on the other those of originators and their economic beneficiaries. The sole purpose of sending a dissuasive message to Internet users downloading or making available recreational software included in the catalogue of an editor whose interests are defended by the SELL would be to inform them that they were breaking the law and to tell them what penalties they could incur. The CNIL assured itself that information (and more specifically the IP address) would not be retained when the SELL sent such a message. The second part of the scheme involves collecting the IP addresses of Internet users making available recreational software included in the catalogue of an editor whose interests are defended by the SELL, and the CNIL checked that these would only be collected in a limited number of cases, depending on how serious the infringement was, and in order to draw up a record of the infringement. The only purpose of such collection would therefore be to provide the legal authorities with information. Names would only be put to the IP addresses as part of legal proceedings.

After the SELL, the SCPP (Société civile des producteurs de phonogrammes - society of phonogram producers) announced that it had made a similar approach to the CNIL for the automated processing of the detection of infringements of the CPI using the peer-to-peer networks.