Netherlands

[NL] Dutch Data Protection Authority finds processing of personal data for anti-piracy research lawful

IRIS 2016-5:1/23

Sarah Johanna Eskens

Institute for Information Law (IViR), University of Amsterdam

On 14 March 2016, the Autoriteit Persoonsgegevens (Dutch data protection authority, AP) declared that a plan to process the personal data of internet users for anti-piracy investigations is lawful. Stichting BREIN, a Dutch anti-piracy organisation, intends to collect and further process the IP addresses and user names of Dutch citizens engaging in file sharing via ‘BitTorrent’ networks. The purpose of the data processing is to investigate the involvement of these people in the unauthorised, large-scale uploading and downloading of copyright-protected works, such as films and music. The organisation notified the Dutch data protection authority of its plans.

Stichting BREIN sought to process personal data without the data subjects being aware of it, and to process personal data relating to criminal matters. As required under Article 31 of the Dutch Data Protection Act, the data protection authority conducted a prior check to assess the lawfulness of the planned processing operations. The authority in particular assessed whether Stichting BREIN would provide sufficient safeguards to protect the rights and interests of the data subjects.

In principle, Article 34 of the Dutch Data Protection Act requires that a data controller inform data subjects of its identity and the purposes of the data processing. According to its proposal, Stichting BREIN would inform only those people it would select for further investigation. To do so, the organisation would obtain the users’ contact details via internet service providers. However, it would also process many user names and IP addresses without requesting the contact details of these people, and thus would be unable to inform these people individually. Instead, the organisation would inform internet users of its plans via general announcements on websites and in the media. The Dutch data protection authority concluded this solution satisfied Article 34.

Under Article 8 of the Dutch Data Protection Act, personal-data processing must be grounded on a legal basis, for example the legitimate interest pursued by the controller. Stichting BREIN stated that the purpose of the processing is to investigate whether BitTorrent users infringe the copyrights of rights holders represented by the organisation. The Dutch data protection authority found that this was a legitimate interest, but stipulated that the processing should also be necessary, and that Stichting BREIN’s interest should outweigh the interests of the data subjects. According to the Dutch data protection authority, these requirements implied the anti-piracy organisation should implement sufficient safeguards.

Stichting BREIN explained it would indeed provide for a range of safeguards. For example, the organisation described in more detail the type of files and users it would select for further investigation. Essentially, it would focus on Dutch works and the “big fish”, not on Hollywood productions or the occasional downloader. Stichting BREIN would immediately remove most of the IP addresses and user names after a first selection, as well as the personal data that were selected but not further acted upon within six months.

The Dutch data protection authority concluded that the remaining requirements specified in the Dutch Data Protection Act were also fulfilled (among others, limited storage time and data security). Stichting BREIN may therefore execute its plans.


This article has been published in IRIS Legal Observations of the European Audiovisual Observatory.