GHAL - 200.307.462: Difference between revisions

From GDPRhub
No edit summary
No edit summary
(6 intermediate revisions by 4 users not shown)
Line 4: Line 4:
|Court-BG-Color=
|Court-BG-Color=
|Courtlogo=Courts_logo1.png
|Courtlogo=Courts_logo1.png
|Court_Abbrevation=GHARL
|Court_Abbrevation=GHAL
|Court_Original_Name=Gerechtshof Arnhem-Leeuwarden
|Court_Original_Name=Gerechtshof Arnhem-Leeuwarden
|Court_English_Name=Court of Appeal Arnhem-Leeuwarden
|Court_English_Name=Court of Appeal Arnhem-Leeuwarden
|Court_With_Country=GHARL (Netherlands)
|Court_With_Country=GHAL (Netherlands)


|Case_Number_Name=200.307.462
|Case_Number_Name=200.307.462
|ECLI=ECLI:NL:GHARL:2022:8676
|ECLI=ECLI:NL:GHARL:2022:8676


|Original_Source_Name_1=Rechstpraak.nl
|Original_Source_Name_1=Rechtspraak.nl
|Original_Source_Link_1=https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:GHARL:2022:8676
|Original_Source_Link_1=https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:GHARL:2022:8676
|Original_Source_Language_1=Dutch
|Original_Source_Language_1=Dutch
Line 51: Line 51:
|Party_Link_4=
|Party_Link_4=


|Appeal_From_Body=Rechtbank Midden-Nederland
|Appeal_From_Body=Rb. Midden-Nederland (Netherlands)‎
|Appeal_From_Case_Number_Name=C/16/531572 / KG ZA 21-672
|Appeal_From_Case_Number_Name=C/16/531572 / KG ZA 21-672
|Appeal_From_Status=
|Appeal_From_Status=
Line 64: Line 64:
}}
}}


A Dutch Court of Appeal held that an Internet service provider (ISP) could not be mandated to link IP addresses to the name and addresses of its users to send warnings about the illegality of uploading illegal content with Bittorrent because, pursuant to [[Article 10 GDPR]], the ISP lacked a legal basis for processing criminal data.  
The Dutch Court of Appeal of Arnhem-Leeuwarden confirmed an interlocutory injunction from the Court of First Instance, stating that a copyright watchdog could not force an Internet Service Provider to forward warning letters to alleged copyright infringers, because the ISP didn't have a legal basis for processing personal data relating to criminal conviction and offences.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
Brein is a foundation that deals with infractions of IP rights. Its goal is to warn users of torrenting programs about the fact that uploading illegal content using bittorrent is illegal and fines will be enforced in the future.
Stichting Brein is a foundation involved in collectively counteracting and preventing copyright infringements. Ziggo is one of the largest internet service providers (ISPs) in the Netherlands. In December 2020, Brein started the "FLU-warning campaign". The aim of this campaign was to send warning letters to holders of IP addresses of which Brein, using special software, had found that they had uploaded copyright infringing material via BitTorrent for at least two times in a span of four weeks.  


Brein wanted to send warning letters to torrent users through their Internet Service Providers (ISPs). Brein would supply the IP addresses of people to the ISPs, who could link these addresses to the users name and physical address.
However, Brein did not possess the name and address details of the torrent users, but only their IP-adresses. Hence, it needed the cooperation of Internet Service Provider (ISP) to link an IP address to name and address details. With this information, Brein would be able to send the warning letters.


One of the ISP's did not want to help Brein voluntarily by combining the IP addresses with the names and addresses of its users in order to send them the warning letters. After this, Brein filed a submission at the first instance court to force the ISP to send the warning letters to the respective users. The first instance court rejected this and stated that the ISP didn't receive a permit from Dutch the DPA to process criminal personal data. This first instance court held that combining IP addresses and contact details entailed criminal processing (Article 10 GDPR). The first instance court also held that only Articles 32 and 33 UAVG (Dutch law for the implementation of the GDPR) contained 'appropriate safeguards' as stated in [[Article 10 GDPR]]. Processing under [[Article 10 GDPR]] is only possible under supervision of a government body. The ISP would need an approval from the Dutch DPA for this.
Ziggo, however, did not want to cooperate voluntarily. Therefore, Brein filed a submission at the Midden-Nederland Court of First Instance (''Rechtbank'') to force Ziggo to send the warning letters to the respective users. The first instance Court rejected this submission in a previous interim relief proceeding.


The court referred to the first instance court ruling ([https://gdprhub.eu/index.php?title=Rb._Midden-Nederland_-_C/16/531572_/_KG_ZA_21-672 ECLI:NL:RBMNE:2022:297]) for an extensive overview of the facts (2.1 - 2.11).  
This Court of First Instance held that combining IP addresses and contact details of ISP clients entailed the processing of personal data relating to criminal convictions and offences or related security measures (criminal data) pursuant to [[Article 10 GDPR]]. The ISP didn't receive a permit from Dutch the DPA to process criminal personal data, and therefore lacked a legal basis. The Court also held that Articles 32 and 33 UAVG (Dutch law for the implementation of the GDPR) were the only provisions which contained 'appropriate safeguards' as stated in [[Article 10 GDPR]]. Brein appealed this ruling.


=== Holding ===
=== Holding ===
The court of appeal held that it had to answer two questions: the first question was the fact if there was a legal basis that could force the ISP to cooperate with the request of Brein. The second question was the fact if the ISP was even allowed to process the data. The court held that both questions should be answered negatively. The court of appeal also confirmed that combining IP addresses and contact details lead to processing under [[Article 10 GDPR]]. Because of this, an legal basis was required. 
The Court of appeal held that it had to answer two questions: (1) if there was a legal basis that could force the ISP to cooperate with the request of Brein and (2) if the ISP was even allowed to combine the contact details and the IP addresses in the first place. The Court held that both questions should be answered negatively.  


<u>First question</u>: the first question was not a question regarding the GDPR. It concerned a balancing exercise in a Dutch provision (Article 6:162 BW) to determine if the ISP was obligated to supply the contact details of its users. After considering several factors derived from case law (Lyccos - {name} arrest), the court of appeal held that the controller could not be obligated to supply the information.
The Court of appeal started by confirming that combining IP addresses and contact details was indeed processing of criminal data under [[Article 10 GDPR]]. The ISP would need a legal basis for this processing, which had to be conducted under the control of official authority or had to be authorised by Union or Member State law, providing appropriate safeguards for the rights and freedoms of data subjects.


<u>Second question</u>: The second question was the fact if the ISP was even allowed to process the data under [[Article 10 GDPR]]. The court rejected an argument from Brein that 6:162 BW could be used besides Articles 32 and 33 UAVG to provide 'appropriate safeguards'. This argument was rejected by the court because nothing in this provision could substantiate the claim by Brein. Brein also stated several reasons why Articles 32 and 33 UAVG could be used as legitimate grounds for processing. The controller also rejected all of these claims by Brein. Therefore, the Appealing Court held that the ISP did not have a legal ground under [[Article 10 GDPR]] to process the criminal data. It could therefore not be mandated to process the IP addresses and contact details in order to send warning letters to its users. The court stated that Brein could have filed a request to force the ISP to get a licence from the Dutch DPA. However, since it didn't take this potential step, there was no legal basis for the processing of criminal data.
The first question was not a question regarding the GDPR. It concerned a balancing exercise in a Dutch provision (Article 6:162 BW) to determine if the ISP was obligated to supply the contact details of its users. The Court of appeal held that the ISP could not be obligated to supply the information.
 
The second question was the fact if the ISP was even allowed to process the data under [[Article 10 GDPR]]. The Court rejected an argument from Brein that article 6:162 BW could be used besides Articles 32 and 33 UAVG to provide 'appropriate safeguards'. This argument was rejected by the Court because nothing in this provision could substantiate the claim by Brein. Brein also stated several reasons why Articles 32 and 33 UAVG could be used as legitimate grounds for processing. The controller also rejected all of these claims by Brein. Therefore, the Appealing Court held that the ISP did not have a legal ground under [[Article 10 GDPR]] to process the criminal data. The ISP could therefore not be obligated by the Court to combine the IP addresses and contact details in order to send warning letters to its users.
 
The Court stated that Brein could have filed a request to force the ISP to get a licence from the Dutch DPA. However, since it didn't take this potential step, there was no legal basis for the processing in question.


== Comment ==
== Comment ==

Revision as of 09:13, 20 October 2022

GHAL - 200.307.462
Courts logo1.png
Court: GHAL (Netherlands)‎
Jurisdiction: Netherlands
Relevant Law: Article 10 GDPR
Decided: 11.10.2022
Published: 13.10.2022
Parties: Stichting Brein
Ziggo
National Case Number/Name: 200.307.462
European Case Law Identifier: ECLI:NL:GHARL:2022:8676
Appeal from: Rb. Midden-Nederland (Netherlands)‎
C/16/531572 / KG ZA 21-672
Appeal to: Unknown
Original Language(s): Dutch
Original Source: Rechtspraak.nl (in Dutch)
Initial Contributor: Enzo Marquet

The Dutch Court of Appeal of Arnhem-Leeuwarden confirmed an interlocutory injunction from the Court of First Instance, stating that a copyright watchdog could not force an Internet Service Provider to forward warning letters to alleged copyright infringers, because the ISP didn't have a legal basis for processing personal data relating to criminal conviction and offences.

English Summary

Facts

Stichting Brein is a foundation involved in collectively counteracting and preventing copyright infringements. Ziggo is one of the largest internet service providers (ISPs) in the Netherlands. In December 2020, Brein started the "FLU-warning campaign". The aim of this campaign was to send warning letters to holders of IP addresses of which Brein, using special software, had found that they had uploaded copyright infringing material via BitTorrent for at least two times in a span of four weeks.

However, Brein did not possess the name and address details of the torrent users, but only their IP-adresses. Hence, it needed the cooperation of Internet Service Provider (ISP) to link an IP address to name and address details. With this information, Brein would be able to send the warning letters.

Ziggo, however, did not want to cooperate voluntarily. Therefore, Brein filed a submission at the Midden-Nederland Court of First Instance (Rechtbank) to force Ziggo to send the warning letters to the respective users. The first instance Court rejected this submission in a previous interim relief proceeding.

This Court of First Instance held that combining IP addresses and contact details of ISP clients entailed the processing of personal data relating to criminal convictions and offences or related security measures (criminal data) pursuant to Article 10 GDPR. The ISP didn't receive a permit from Dutch the DPA to process criminal personal data, and therefore lacked a legal basis. The Court also held that Articles 32 and 33 UAVG (Dutch law for the implementation of the GDPR) were the only provisions which contained 'appropriate safeguards' as stated in Article 10 GDPR. Brein appealed this ruling.

Holding

The Court of appeal held that it had to answer two questions: (1) if there was a legal basis that could force the ISP to cooperate with the request of Brein and (2) if the ISP was even allowed to combine the contact details and the IP addresses in the first place. The Court held that both questions should be answered negatively.

The Court of appeal started by confirming that combining IP addresses and contact details was indeed processing of criminal data under Article 10 GDPR. The ISP would need a legal basis for this processing, which had to be conducted under the control of official authority or had to be authorised by Union or Member State law, providing appropriate safeguards for the rights and freedoms of data subjects.

The first question was not a question regarding the GDPR. It concerned a balancing exercise in a Dutch provision (Article 6:162 BW) to determine if the ISP was obligated to supply the contact details of its users. The Court of appeal held that the ISP could not be obligated to supply the information.

The second question was the fact if the ISP was even allowed to process the data under Article 10 GDPR. The Court rejected an argument from Brein that article 6:162 BW could be used besides Articles 32 and 33 UAVG to provide 'appropriate safeguards'. This argument was rejected by the Court because nothing in this provision could substantiate the claim by Brein. Brein also stated several reasons why Articles 32 and 33 UAVG could be used as legitimate grounds for processing. The controller also rejected all of these claims by Brein. Therefore, the Appealing Court held that the ISP did not have a legal ground under Article 10 GDPR to process the criminal data. The ISP could therefore not be obligated by the Court to combine the IP addresses and contact details in order to send warning letters to its users.

The Court stated that Brein could have filed a request to force the ISP to get a licence from the Dutch DPA. However, since it didn't take this potential step, there was no legal basis for the processing in question.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

COURT OF ARNHEM-LEEUWARDEN

location Arnhem, civil department

case number court of appeal 200.307.462

case number Central Netherlands court, location Utrecht, 531572

judgment in summary proceedings of 11 October 2022

in the case of

Brain Foundation

which is based in Amsterdam,

who has lodged an appeal

and who acted as plaintiff before the court,

hereinafter referred to as Brain,

represented by mr. I.C.M.A. Reinders Folmer,

against

Ziggo B.V.,

which is located in Utrecht,

that the defendant is on appeal and has lodged a cross-appeal,

and who acted as defendant before the court,

hereinafter referred to as Ziggo,

represented by mr. J.R. spawn.

1 The course of the appeal procedure

Following the judgment of 12 July 2022, an oral hearing was held at the Court of Appeal on 14 September 2022. An official report has been made of this which has been added to the file. After this, it has been determined that judgment will be rendered.

2 The heart of the matter

2.1.

Brein is a foundation that fights copyright infringements. She focuses, among other things, on illegally sharing copyrighted works (such as movies, series, books and music) via Bittorrent platforms, where users can exchange files that have been cut into small pieces by the Bittorrent software. This exchange takes place in a 'swarm'. The Bittorrent software ensures that a user who downloads immediately uploads the downloaded (part of the) file again for the benefit of other users. In this way the swarm is maintained.

In December 2020, Brein started a warning campaign called FLU, which stands for Frequent and Long-Term Uploaders. The purpose of that campaign is to warn those who illegally upload files via Bittorrents that enforcement may be in the future. To this end, it has drawn up (standard) warning letters. Brein randomly searches for people who have been found in at least two swarms or in one swarm for more than seven hours over a period of four weeks. Because the software with which it participates in Bittorrent swarms in the context of this campaign, Brein can retrieve the IP address, but not the name and home address (name and address details) of uploaders, it has asked the internet service providers (ISPs, also referred to as access providers) that manage the IP addresses of the infringers, to forward warning letters on its behalf. Ziggo, an isp, does not want to cooperate.

2.2.

For an extensive overview of the facts and background to the case, the Court of Appeal refers to considerations 2.1 to 2.11 of the contested judgment of 2 February 2022 (published under ECLI:NL:RBMNE:2022:297). Although Ziggo has raised a number of objections to this fact finding (it disputes the operation of the software that Brein uses described in 2.8.1, the deletion of IP addresses described in 2.8.3, which – as stated in 2.10 – is still often used. is made of illegal offers via Bittorrents and the finding in 2.11 that most of the violations found in the context of this campaign concern IP addresses managed by Ziggo), but these objections are not relevant to the outcome of the case and the court will so don't discuss.

2.3.

In these preliminary relief proceedings, Brein is claiming that Ziggo be ordered to forward Brein's warning letters to the relevant Ziggo customers, on pain of a penalty. The preliminary relief judge rejected these claims because Ziggo has not received a license from the Dutch Data Protection Authority (AP) for the processing of criminal personal data, which includes linking the IP addresses with the name and address details of its customers.

3 The judgment of the court

The court will affirm the decision rejecting the claims

3.1.

After a ruling on the urgent importance of this appeal, the Court of Appeal will first examine the question of whether there is a legal basis on the basis of which Ziggo is obliged to cooperate with Brein's request to forward warning letters (and whether it acts unlawfully if it does not). The court will then consider whether Ziggo may also process the criminal personal data. It has now been established as no longer disputed that Ziggo's linking of the IP addresses that Brein supplies to the name and address details of customers, in order to subsequently be able to send the warning letters, counts as the processing of criminal personal data. For this, Ziggo (as controller) needs a legal basis on the basis of Article 10 of the GDPR. The court will answer both questions in the negative. This means that there are two reasons why the Court of Appeal also comes to the conclusion that Brein's claims cannot be granted. Because there is no room for extensive evidence in these preliminary relief proceedings, the Court of Appeal will rule on the basis of the question whether the parties have substantiated their positions. Therefore, all judgments given below are provisional judgments.

Urgent interest

3.2.

Brein, authorized by the copyright holders to the works in respect of which it has found infringements in this campaign, has a sufficiently urgent interest in its claims. After all, infringements continue to take place, causing damage to copyright holders. Ziggo has not disputed Brein's stated urgent interest either.

No legal basis obliging Ziggo to send warning letters

3.3.

The preliminary relief judge has explained in considerations 3.31 to 3.41 that the basis on which Ziggo is obliged towards Brein to cooperate with its warning campaign lies in the assessment framework from the judgment of the Supreme Court in the case Lycos/[name1]1 . According to the preliminary relief judge, application of that assessment framework leads to the conclusion that not forwarding warning letters by Ziggo, a less drastic measure than providing name and address data, is unlawful towards Brein.

3.4.

The parties do not agree whether the application of Lycos/[name1] in this case leads to the conclusion that Ziggo is acting unlawfully by not cooperating. Brein has not put forward a different legal basis than the due care standard contained in Section 6:162 of the Dutch Civil Code (coloured by Lycos/[name1]) for its assertion that Ziggo has a legal obligation to cooperate, and the Court of Appeal does not see it either. The Court of Appeal will therefore only consider the question of whether Brein can rightly invoke this basis.

3.5.

Lycos/[name1] has ruled that a hosting provider is acting unlawfully if it does not provide the name and address details of a website owner to a third party in the event:

it is sufficiently plausible that the information that the website owner has placed on the website may be unlawful and harmful to the third party;

the third party has a real interest in obtaining the identifying data;

it is plausible that in this specific case there is no less drastic possibility to retrieve the identifying data;

The balancing of the interests of the third party, the service provider and the website owner is in favor of the third party.

3.6.

That case concerned an individual case, in which a person claiming to be treated unlawfully on a website only had a real opportunity to take action in civil court if the hosting provider provided him with the name and address details of the website owner. .

That is different here. In this case, it is not a question of Brein wanting to defend himself against specific unlawful conduct before a civil court. She wants to warn violators. The possible withholding of effective legal protection from a (legal) person who believes that he/she is being treated unlawfully is not an issue here.

3.7.

The question is whether it should nevertheless be judged that Ziggo is obliged to cooperate on the basis of a due care standard. The circumstances of the case are important for this, whereby the aforementioned Lycos/[name1] assessment framework can provide guidance in the assessment. It is not in dispute that it is plausible that the IP addresses from the sample are involved in unlawful acts vis-à-vis the copyright holders for whom Brein acts. This means that the a-ground of Lycos/ [name1] (see 3.5) needs no further discussion.

3.8.

Before discussing the other grounds of the Lycos/[name1] assessment framework, the Court of Appeal notes that Brein's assertion that Ziggo would be obliged on the basis of Lycos/[name1] to issue name and address details, Ziggo is also obliged until the lesser, namely the forwarding of warnings, does not apply. That statement fails to recognize that the purpose of the requested cooperation partly determines whether or not a due care standard that obliges to cooperate is adopted.

3.9.

The aim here is not the desire to be able to take legal action against infringers, but the desire to be able to send warning letters. Whether and which enforcement measures will follow depends on the decision that Brein will take after an investigation into the effect of the warning letters. Any enforcement will not focus on those whom Brein wants to send a warning letter. It is in fact the express intention of Brein to delete the IP addresses of those who come from the sample after sending the warning letters.

Although Brein has pointed out that the Dutch Data Protection Authority (AP) has expressed objections in the context of its previous Torrent2017 project (which focused on enforcement against uploaders who were found three or more times in a Bittorrent swarm in four weeks) about insufficient warnings. of infringing Bittorrent users for enforcement, but on the other hand is the fact that (including on the basis of Lycos/[name1]) name and address data can already be requested from individual infringers. According to Brein, these requests are usually granted. It is therefore unlikely that sending warning letters is a necessary step to be able to take civil action against (another group of) infringers. It is also not yet clear to what extent forwarding warning letters will lead to copyright infringements on a smaller scale in the future. The parties differ on this, but for the time being Brein has not substantiated sufficiently that it can be expected that that goal can be achieved with (this part of) the warning campaign.

All this means that the Court of Appeal is not convinced that Brein has a sufficiently real interest in Ziggo's forwarding of warning letters (compare the b-ground of Lycos/[name1]).

3.10.

The under 3.9. The facts and circumstances mentioned also contribute to the Court of Appeal's opinion that Brein's interests in sending warning letters do not outweigh those of Ziggo not to want to cooperate (compare the d-ground of Lycos/[name1] ). Ziggo would have to make various efforts that cost her money and time. For example, if a legal obligation to cooperate is assumed, it will first have to carry out a data protection impact assessment pursuant to Article 35 of the GDPR and, depending on the outcome, also have to consult the AP beforehand (Article 36 of the GDPR). In addition, as stated in the provisional opinion of the Court of Appeal and as will be explained below, in that case, if required, Ziggo will still have to apply for a license for the processing of criminal personal data pursuant to Article 33(4)(c) UAVG of the AP. If these various steps lead to confirmation of Ziggo's processing authority, Ziggo will have to link the IP addresses to the name and address details and send letters. All this has a significant impact on its business operations.

This interest of Ziggo not to cooperate with Brein's request is counterbalanced by Brein's interest in being able to determine its enforcement tactics on the basis of the warning letters and research that it can then have Kantar carry out into the effect. The fact that the letters do not clearly serve an (immediate) enforcement purpose and are not the only option for Brein to take action against infringers means that this interest does not outweigh Ziggo's interest in being deprived of the aforementioned impact on its business operations, especially because it is currently uncertain whether Ziggo will obtain a license within the meaning of Article 33(4)(c) of the UAVG.

3.11.

For the sake of completeness, the Court of Appeal also notes that in the UPC Telekabel Wien judgment of the ECJ EU2 it has been clarified that an internet provider that is authorized by court order (in that case imposed on the basis of Austrian law, which is the implementation of Article 8 paragraph 3 of Directive 2001/29 /EC) is prohibited from providing its customers with access to any website containing infringing material, can escape liability by demonstrating that it has taken all reasonable steps. This concerns a different framework than the one at issue here and, contrary to what Brein seems to argue, it cannot be read as a general obligation for ISPs to mean that they must always take all reasonable measures to prevent infringements. In the opinion of the Court of Appeal, this judgment cannot weigh in favor of Brein, even when weighing interests.

3.12.

The c-ground of Lycos/[name1] concerns a subsidiarity test. It was important to the Amsterdam Court of Appeal, and the Supreme Court following that, that the name and address details, which were necessary to be able to take civil action against alleged unlawful acts, could not be obtained in a less intrusive manner. .

As the Court of Appeal does not consider sufficiently plausible, as is apparent from the foregoing, that the real interest and an overriding interest of Brein are not sufficiently plausible, this subsidiarity test can be dispensed with. For the sake of completeness, the Court of Appeal does note that the comparison should not be whether warning letters are less drastic than the provision of name and address data (the comparison performed by the preliminary relief judge), but whether – assuming a real and overriding interest of Brein in warning offenders – there is no less drastic option than having Ziggo send the warning letters drawn up by Brein.

3.13.

The conclusion of the foregoing considerations is that it cannot be assumed that Ziggo has a legal obligation, arising from due care standards, to forward Breins warning letters to customers who hold an IP address from the sample. Although Brein's wish to warn offenders (and subsequently adjust its enforcement to the effect of those warnings) can be understood, this does not mean that Ziggo's refusal to cooperate does not make it unlawful and it is not liable. for possible resulting damage.

If only because Ziggo, due to the lack of a legal basis, is not required to cooperate in sending letters, the injunction requested by Brein cannot be granted. For the sake of completeness, the Court of Appeal will also address the question of whether Ziggo should be allowed to cooperate, given that this concerns the processing of criminal personal data.

No basis that allows Ziggo to process criminal personal data

3.14.

Pursuant to Article 10 of the GDPR, criminal personal data may only be processed under government supervision or if the processing is permitted by Union or Member State law provisions that provide appropriate safeguards for the rights and freedoms of the data subjects.

3.15.

Brein contests the judgment of the preliminary relief judge that only Articles 32 and 33 of the UAVG apply as provisions under Member State law with appropriate safeguards within the meaning of Article 10 of the GDPR. According to Brein, Article 6:162 of the Dutch Civil Code is also such a provision under Member State law and that article, with the elaboration given in Lycos/[name1], offers the required appropriate safeguard.

3.16.

The court does not follow Brein's position. Article 6:162 of the Dutch Civil Code does not stipulate anything about the processing of criminal data (other than in Articles 32 and 33 UAVG). It cannot therefore be said that the processing is permitted in Article 6:162 of the Dutch Civil Code. Moreover, neither Article 6:162 of the Dutch Civil Code nor Lycos/[name1] offers guarantees for the rights and freedoms of the data subjects. Article 6:162 of the Dutch Civil Code does not say anything about this and in Lycos/[name1] only the circumstances that could make the non-provision of name and address data unlawful have been judged.

The Court of Appeal therefore agrees with the preliminary relief judge that Ziggo may only carry out the processing of criminal personal data desired by Brein if an exceptional case as referred to in Articles 32 and 33 of the UAVG arises.

3.17.

According to Brein, the exception in Article 32 sub c UAVG applies to Ziggo because the participants in a swarm know that their IP address is visible to everyone in the swarm and they have thus apparently made that data public within the meaning of that provision. The court sees it differently. The IP address is only visible to others who are in the same swarm at the same time. That's only because the Bittorrent software works that way. The sharing of the IP address is automatic and is not a conscious choice of the participant. It is therefore not possible to deduce from this the intention of the data subject to disclose his IP address. In addition, the criminal personal data that Ziggo would process does not only concern the IP address, but in particular the linking thereof to the name and address data.

3.18.

Contrary to what Brein argues, Article 32 sub d UAVG also offers no basis for the processing of these criminal personal data by Ziggo. This provision provides an exception in case processing is necessary for the establishment, exercise or defense of legal claims. Leaving aside the fact that it is not Ziggo but Brein that may wish to institute legal claims in the future, in this case the data that should have been processed for the purpose of the warning letters will not be used for the establishment, exercise or substantiation of a legal claim. All this data will be properly destroyed. A subsequent legal action against other infringers, while it is also not clear that sending warning letters is a necessary intermediate step, is not covered by this provision.

3.19.

Brein further states that Article 33 paragraph 2 sub b UAVG provides the necessary basis. This stipulates that criminal personal data may be processed by the controller for its own benefit to protect its interests, insofar as it concerns criminal offenses that have been or are expected to be committed against him. Brein argues that, despite the fact that Ziggo is not a copyright owner, the infringements must be regarded as criminal offenses against Ziggo, because Ziggo does experience consequences – after all, it can be called upon by rightholders to take measures – and is therefore also a victim of it. This statement cannot be followed. The fact that Ziggo can suffer from copyright infringements in its business operations does not mean that there are criminal offenses against it. There are no criminal provisions at issue that are intended to protect Ziggo's rights.

3.20.

It has been established that the other grounds for exception referred to in Articles 32 and 33 of the UAVG do not provide a basis for the processing of these criminal personal data by Ziggo.

3.21.

With regard to the ground for exception referred to in Article 33(4)(c) of the UAVG (a license granted by the AP for processing for third parties), the Court of Appeal notes that Ziggo has not applied for that license and that, as it stated during the hearing before the court has stated, does not intend to apply for it for the time being. Brein has also argued that the preliminary relief judge misunderstands that Ziggo is obliged to make every effort to meet its obligations towards Brein. In Brein's view, the judge now leaves it entirely up to Ziggo's own choice whether or not to apply for a permit. During the oral hearing, Brein's lawyer answered questions from the court that the judgment that Ziggo needs a permit implies an order to Ziggo and does not preclude the grant of the claim. According to Brein, the lack of a permit manifests itself in an execution problem.

3.22.

The court considers as follows. Processing of these criminal personal data is only allowed if there is a legal basis for it. For the time being, this is not the case. Brein failed to file a claim to order Ziggo to apply for a license from the AP. That could have been an intermediate step in obtaining certainty about a processing basis for the advanced forwarding of warning letters. As long as there is no such basis, the claim cannot be allowed.

Other points of dispute remain undisclosed

3.23.

Because, as considered above, there are two separate reasons why the injunction claimed by Brein cannot be granted, the Court of Appeal will not discuss the other points in dispute. The parties have no interest in discussing this.

No proof

3.24.

Just because these preliminary relief proceedings are not suitable for the provision of evidence, the Court of Appeal disregards Brein's offer of evidence.

The conclusion

3.25.

The appeal fails and the judgment of the preliminary relief judge will be affirmed. Because Brein will be unsuccessful, the Court of Appeal will order Brein to pay the costs of the main appeal. In view of the rejection of the claims by the preliminary relief judge and the purport of the devolutive effect of the appeal, there was no need for Ziggo to file (conditional) incidental grievances against the judgment. On the basis of settled case law, the respondent who makes an appeal on an incidental basis in order to avoid uncertainty as to whether his defense will be discussed again, will not be ordered to pay the costs of the cross-appeal (if unnecessarily made or caused). Therefore, no costs order will be ordered in the cross-appeal.

4 The decision

The court:

4.1.

confirms the judgment of the preliminary relief judge in the District Court of Central Netherlands, location Utrecht, of 2 February 2022;

4.2.

orders Brein to pay the following legal costs (in the main appeal) of Ziggo:

€ 783 in court fees

€ 2,228 in salary of Ziggo's lawyer (2 procedural points x appeal rate II).

4.3.

declares the court order to be provisionally enforceable;

4.4.

rejects the more or otherwise advanced.

This judgment was given by mrs. L.J. de Kerpel-van de Poel, H.L. Wattel and G.R. den Dekker, and was pronounced in public by the role councilor in the presence of the clerk of the court on 11 October 2022.

1 Supreme Court 25 November 2005, ECLI:NL:HR:2005:AU4019

2 CJEU 27 March 2014, ECLI:EU:C:2014:192