Rb. Midden-Nederland - C/16/530061 / KG ZA 21-617

From GDPRhub
Rb. Midden-Nederland - C/16/530061 / KG ZA 21-617
Courts logo1.png
Court: Rb. Midden-Nederland (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 6(1)(f) GDPR
Article 10 GDPR
Article 35 GDPR
Article 31 UAVG
Article 32 UAVG
Article 33 UAVG
Decided: 09.06.2022
Published: 09.06.2022
Parties: Ziggo bv
Stichting BREIN
National Case Number/Name: C/16/530061 / KG ZA 21-617
European Case Law Identifier: ECLI:NL:RBMNE:2022:2198
Appeal from:
Appeal to: Pending appeal
Original Language(s): Dutch
Original Source: Rb. Midden-Nederland (in Dutch)
Initial Contributor: Jette

The biggest internet service provider in the Netherlands (Ziggo) is not obliged to send a warning letter to its customer(s) on behalf of Stichting BREIN regarding alleged copyright infringement.

English Summary

Facts

The controller is Ziggo bv. The data subjects are customers of Ziggo.

Ziggo is the largest internet service provider in the Netherlands. Stichting BREIN is dedicated to claims against copyright infringements on behalf of its members. BREIN states that more than 200 e-books are made available to the public through an 'open directory' with an IP-address made available by Ziggo. BREIN demands Ziggo to send a warning to the user to which the IP-address belongs for said copyright infringement. Ziggo refuses to send such a message. Alternatively, BREIN wants Ziggo to provide NAW-data (name, address and residence) of the user of the IP-address. This will enable BREIN to send the letter independently. BREIN also demands all of the above for every customer of Ziggo that infringes on the copyright of its members through an open directory in the future.

BREIN states that the copyright infringement in question is established. In addition, BREIN states that Ziggo does not need a permit from the Dutch DPA nor a DPIA for these actions. Ziggo disputes these notions.

Holding

The Court notes that it cannot establish that the user of the IP-address made the copyright infringement. In the hypothetical situation that an infringement would be established, the Court held that Ziggo would still need a permit from the DPA pursuant to Article 33(4)(c) UAVG. First, to connect the IP-address and NAW-data in order to send a warning and second, for the provision of NAW-data to BREIN. BREIN's argument that no personal data is processed by Ziggo on behalf of BREIN was disregarded by the Court, as Ziggo would use the IP-address provided by BREIN to connect the IP-address and NAW-data on behalf of BREIN.

Furthermore, the Court held that Ziggo would need a DPIA (Article 35 GDPR). The Court also dismissed BREIN's argument that this is not obligated because it only constitutes an IP-address and not the processing of large amounts of criminal data. The Court stated that the (possibly large) amount of personal data cannot be established yet. Moreover, BREIN itself demanded processing of personal data for all future infringements on the copyright of its members through an open directory.

The Court in preliminary relief dismisses BREIN's claims.

Comment

This desicion (named BREIN/Ziggo II) is the second dispute between BREIN and Ziggo. You can find BREIN/Ziggo I here.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

verdict

CENTRAL NETHERLANDS COURT

Civil rights

trading room

location Utrecht

case number / roll number: C/16/530061 / KG ZA 21-617

Judgment in summary proceedings of 9 June 2022

in the case of

the foundation

BRAIN FOUNDATION,

established in Amsterdam and with offices in Hoofddorp,

plaintiff,

lawyers mr. D.J.G. Visser and mr. P. de Leeuwe in Amsterdam,

against

the private company with limited liability

ZIGGO BV,

located in Utrecht,

defendant,

lawyers mr. J.R. Spauwen and mr. N.M. de Visser in Amsterdam.

The parties will hereinafter be referred to as BREIN and Ziggo.

1 The procedure

1.1.

The course of the procedure is apparent from:

†

the summons of March 18, 2022 with exhibits 1 through 14

†

the productions 15 to 17 inclusive received from BREIN on 12 May 2022

†

the production 1 . received from Ziggo on 13 May 2022

†

the productions 18 to 20 . received from BREIN on May 16, 2022

†

the productions 2 to 5 received from Ziggo on May 16, 2022

†

the oral hearing of 17 May 2022

†

BREIN .'s pleading note

†

Ziggo's pleading note.

1.2.

It has subsequently been determined that a judgment will be rendered on 7 June 2022. That day has been moved to June 9, 2022.

2 What is this case about?

2.1.

BREIN is involved in the collective fight against copyright infringement. It does this for the benefit of its affiliated performers, producers, broadcasters, publishers and distributors.

2.2.

Ziggo is the largest internet service provider in the Netherlands. Ziggo makes IP addresses available to its customers for a fee, which they use to gain access to the internet.

2.3.

According to BREIN, the following is happening: with one of the IP addresses that Ziggo has made available ( [IP address] ), more than 200 e-books are made accessible to the public via an “open directory”.

An open directory is a database that is stored on the user's computer or on a remote server. The user has made that database accessible to anyone through the IP address that the user uses to access the Internet.

Among the e-books in the database that is made accessible via the IP address [IP address] are works by Dutch authors. These books can be downloaded by third parties. New books are constantly being added to the database. This concerns illegal copies and legally purchased books that are made public without the permission of the rightholders. By making the e-books accessible via the open directory, copyrights are infringed.

2.4.

On September 20, 2021, BREIN informed Ziggo by e-mail of the alleged infringing acts via the IP address [IP address] and asked it to send a warning letter to the customer to whom this IP address was has been made available. In the warning letter, the customer is informed that he is infringing copyrights and is requested to stop this infringement (or have it stopped). Ziggo did not respond to this e-mail from BREIN, nor to a reminder e-mail dated September 30, 2021.

2.5.

On October 11, 2021, BREIN ordered Ziggo to either forward the warning letter to the customer or to provide BREIN with the name and address details of that customer, so that BREIN can send the warning letter itself. Ziggo has not responded to this either.

2.6.

Previous warning letters have resulted in open directories going offline.

2.7.

In these preliminary relief proceedings BREIN is claiming:

A. primarily that Ziggo:

- sends a warning letter by e-mail to the customer who uses the IP address [IP address] and to other Ziggo customers to be designated by BREIN in the future who also infringe copyright via an open directory, and if that is not the case has an effect;

- that it sends the warning letter by registered post, and if that also has no effect;

- that it provides BREIN with the name and address details of the customer(s) concerned;

- all under penalty of a penalty;

B. in the alternative, BREIN claims that Ziggo sends it the name and address details of the customer who uses the IP address [IP address] and of other customers of Ziggo to be designated by BREIN in the future who also infringe copyright via an open directory make, on pain of a penalty;

C. also claims that Ziggo be ordered to pay the full legal costs on the basis of Article 1019h DCCP.

3 How does the preliminary relief judge decide?

Reading Guide

3.1.

The preliminary relief judge rejects BREIN's claims. This is explained below. First a summary is given of a previous judgment between the parties, the link is made with the present case and it is stated how the judgment is in the present case. A substantive explanation of this judgment is then given for each subject.

Brain/Ziggo I

3.2.

On 2 February 2022, this preliminary relief judge rendered a judgment in another case between BREIN and Ziggo (hereinafter: Brein/Ziggo I, ECLI:NL:RBMNE:2022:297). In that case, it concerned a large-scale warning campaign by BREIN, in which it wanted Ziggo to forward warning letters on its behalf to customers who had been found by BREIN to be illegally downloaded via their IP address by using the BitTorrent protocol. For the forwarding of the warning letters, it is necessary that Ziggo links the IP addresses that BREIN passes on to it with the name and address data known to Ziggo that belong to that IP address.

3.3.

The preliminary relief judge ruled in BREIN/Ziggo I:

†

that the IP address used for illegal downloading is criminal personal data;

†

that BREIN and Ziggo – in the event that Ziggo forwards BREIN's warning letters to its customers – are both controllers with regard to that data;

†

that the processing by BREIN does not require a prior assessment by the Dutch Data Protection Authority (hereinafter: AP);

†

that BREIN and Ziggo must both have a legal basis for the processing: general and criminal. The general basis can be found in Article 6 paragraph 1 sub f AVG (BREIN), as completed by Lycos/ [name], Supreme Court of 25 November 2005, ECLI:NL:HR:2005:AU4019 (Ziggo). The criminal law basis for BREIN lies in 33 paragraph 2 sub b UAVG (processing to protect its interests), for Ziggo this is lacking. Ziggo needs a license from the AP and must first do a data protection impact assessment;

†

that there is no conflict with the purpose limitation principle from the GDPR;

†

that it is unlawful if Ziggo refuses to forward the warning the moment it has obtained a permit for this from the AP (Lycos/[name] key):

†

that forwarding the warnings does not violate the Telecommunications Act.

3.4.

In the judgment of 2 February 2022, the preliminary relief judge rejected BREIN's claims, because Ziggo does not (yet) have a permit from the AP. Ziggo therefore does not (yet) need to forward the warning letters. In order to provide the parties with as much clarity as possible, the preliminary relief judge has already ruled on the question of whether it is unlawful if Ziggo does not forward the warning letters if it does have a permit. The answer to that question is yes.

3.5.

An appeal has been lodged against the judgment of 2 February 2022 regarding BREIN/Ziggo I.

Relationship between BREIN/Ziggo I and BREIN/Ziggo II

3.6.

In the present case (hereinafter also: BREIN/Ziggo II), BREIN wants Ziggo to send a warning letter to a customer of Ziggo via whose IP address (according to BREIN) books have been illegally downloaded (and to do so in similar cases in the future). can also be done with other customers). If that warning does not yield sufficient results or if Ziggo is not ordered to forward the warning letters, BREIN wants Ziggo to provide Ziggo with the name and address details of that customer (and in similar cases in the future of other customers).

3.7.

In these preliminary relief proceedings, it is not in dispute between the parties that if copyright is infringed via an IP address, that IP address (and the name and address data to be linked to it) are criminal personal data and that both BREIN and Ziggo when processing of that data as the data controller.

3.8.

BREIN agrees with the opinion given in BREIN/Ziggo I that there is a general basis for processing (Article 6(1)(f) of the GDPR, whether or not in combination with Lycos/[name]) and that the purpose limitation principle and the Telecommunications Act do not apply to the forwarding warning letters. Ziggo does not agree with this, but does not defend it in this case.

3.9.

What does play a role in these summary proceedings is the following. BREIN does not agree that Ziggo needs a license from the AP. She puts forward all kinds of reasons why, in her view, this is not the case. Ziggo in turn disputes that there has been an infringement by its customer. The parties also disagree about whether it is unlawful if Ziggo does not forward the warnings or does not provide the name and address details. By way of primary defences, Ziggo raises the following preliminary questions: it argues that BREIN has no urgent interest in its claims and that its claim relating to the sending of warning letters or the provision of name and address details is inadmissible. future infringements.

Verdict BREIN/Ziggo II

3.10.

The preliminary relief judge is of the opinion that BREIN has an urgent interest in its claims and that it is admissible in its claim relating to infringements in the future.

3.11.

In these preliminary relief proceedings, the judge in preliminary relief proceedings cannot determine whether Ziggo's customer, who wants BREIN to be the first to warn Ziggo, is infringing the copyrights of those who are affiliated with BREIN.

3.12.

The preliminary relief judge is of the opinion that Ziggo (also now) needs a license from the AP to link the IP address to the name and address details and to send a warning letter or to provide those name and address details to BREIN.

3.13.

In BREIN/Ziggo I, the preliminary relief judge – unnecessarily and despite the fact that the claims were not admissible on the basis of the GDPR – nevertheless assessed on the basis of the applicable assessment framework (Lycos/[name] ) whether Ziggo acted unlawfully because of the warning letters. to send it as soon as it would have a license from the AP. In this judgment, the preliminary relief judge will omit this assessment. Now that not only does the GDPR form a barrier to the allocation of claims, but there is also uncertainty about whether Ziggo's customer is infringing, it would be going too far to judge the possible unlawfulness of Ziggo's actions in the event that she would have a license from the AP.

3.14.

BREIN's claims are rejected. The judgment on the preliminary questions, the infringement question and the GDPR is explained below.

Explanation judgment

Urgent interest

3.15.

According to Ziggo, BREIN no longer has an urgent interest in its claims, because the open directory will be closed from 12 May 2022. The judge sees it differently. At the moment the books cannot be downloaded via the IP address of the Ziggo customer, but it is not clear why this is the case and for how long this will be the case. BREIN has said – undisputed by Ziggo – that the directory had been closed briefly twice before, but was then opened again. This means that there is a threat of a new infringement and BREIN cannot await the outcome of proceedings on the merits. BREIN therefore has an urgent interest in its claims.

receptiveness

3.16.

According to Ziggo, BREIN's claims relating to future infringements are inadmissible on the basis of Article 111, paragraph 2, subsection d DCCP, because it has not substantiated these claims. The judge also sees this differently. In the summons, the specific case invoked by BREIN (of the open directory that can be reached via the IP address [IP address]) is extensively substantiated. It is also clear from the writ of summons that the claims pertaining to the future concern cases that are comparable to the case described in the writ of summons. That forms a sufficient basis for the claim relating to future infringements.

Is Ziggo's customer an infringer? That's not clear

3.17.

It is important to know whether the customer of Ziggo who uses the IP address [IP address] is infringing himself or inadvertently allowing a third party – who has indexed the Caliber library via Calishot and made it accessible to everyone – commits this infringement. For the weighing of interests in the context of the question of whether Ziggo is acting unlawfully by not forwarding the warning letter or by not providing the name and address details (see Lycos/[name]), it matters whether the customer is the infringer or not. In the first case, the balancing of interests will be more likely to work out to the disadvantage of Ziggo (and the customer).

3.18.

The customer is infringing if it makes unauthorized disclosure of the books in its Caliber library, whether those books were obtained legally or illegally. Making a work public (Article 12 Aw) means: making a work accessible to the public. This requires permission from the copyright owner. Failure to do so would constitute unauthorized disclosure. The fact that there is no permission from the rightholders is not in dispute here. However, it is in dispute whether the customer of Ziggo who uses the IP address [IP address] has and is still making the books public.

3.19.

"Disclosure" within the meaning of the Copyright Act requires that the person making the disclosure is aware of the consequences of his actions (or omissions). It must therefore be a deliberate act (or omission) with the aim of reaching a public that would not have had access to the works without that act (or omission) (cf. no. 35 CJEU 8 September 2016, ECLI:EU: C:2016:644, GS Media/Sanoma).

3.20.

It is not in dispute between the parties that the books in question are online in the Caliber library of Ziggo's customer and that access to that library is not protected by a password. According to Ziggo, this does not mean that everyone has access to the books as soon as the customer's URL is entered. According to Ziggo, it works like this:

If the customer uses the Calibre's home library (meaning the address associated with the IP address), that library will normally be protected by standard security. Only if the customer accesses the Caliber library from a location other than their home address (the injunction judge understands: using an unsecured network), a third party will be able to access the library by typing the customer's URL (hereinafter: direct route). A group called Calishot searches for these "holes" and can thus access the Calibre library of Ziggo's customer. There the option "index" is turned on. As a result, anyone can access the books in Ziggo's customer's Calibre library (hereinafter: indirect route) via the Calishot tool. BREIN has not disputed this, but has added that third parties or Calishot can also use the direct route if the user of the Caliber library uses a server (as the judge assumes, insufficiently protected) at home.

3.21.

In view of the variants outlined by the parties of the way in which access to the Caliber library is possible for third parties, the preliminary relief judge understands the following: (a) the customer has consciously created that access for third parties, whether or not using Calishot, or (b) a third party, outside the customer's control, has provided itself with access using the aforementioned 'hole situation' and, where appropriate, has also made that access possible for other third parties by using Calishot. In case (b), Ziggo's customer's actions only consist in not having secured his computer files and therefore also his Caliber library for a while.

3.22.

It is not immediately obvious that case (b) has occurred here, because this requires the third party to know the specific URL of the Ziggo customer and to use this to access the Ziggo library's Caliber library. customer (and whether or not Calishot uses Calishot), just when that access is also possible, because the customer is accessing that library from a location other than his home address. Nevertheless, the course of events surrounding case (b) outlined by Ziggo gives rise to too much doubt about the question of what exactly happened in this case, in anticipation of what will be decided in the main proceedings - now from BREIN's reading. to be assumed, namely that the above-mentioned case (a) occurs here. That is why it remains open that this is a “hole situation” (b). In that situation, it cannot be said that Ziggo's customer has made the contents of that library public by not protecting his computer files and therefore also his Caliber library for a while.

BREIN has based its claims on variant (a). Since this has not been established, those claims cannot therefore be allowed.

AVG: AP license necessary for Ziggo

3.23.

If it were sufficiently established that case (a) occurs here, then the AVG defenses put forward by Ziggo still had to be assessed and that assessment would stand in the way of BREIN's right. For the sake of completeness, the preliminary relief judge will consider these defenses here. In BREIN/Ziggo I, it was ruled that Ziggo must first obtain a license from the AP and a data protection impact assessment must be carried out before it can send warning letters. This applies all the more to the provision of name and address details, since this is a further processing than sending warning letters. BREIN puts forward seven arguments why Ziggo can also be held without a license from the AP and/or a data protection impact assessment to send warning letters or provide name and address details. Below is a description of why those arguments fail.

Argument 1

3.24.

In BREIN/Ziggo I, marginal 3.11 states: “On the basis of Article 10 AVG in combination with Article 31 UAVG, the processing of criminal personal data is only permitted in certain exceptional cases. These exceptional cases are referred to in Articles 32 and 33 of the UAVG”.

3.25.

BREIN counters this with the following. Criminal law personal data may be processed under Article 10 of the GDPR “under the supervision of the government or if the processing is permitted by (…) Member State provisions that provide appropriate safeguards for the rights and freedoms of the data subjects”. Pursuant to Article 10 of the GDPR in combination with Article 31 of the UAVG, the processing of criminal personal data is permitted in any case in the exceptional cases referred to in Articles 32 and 33 of the UAVG, but these are not the only exceptions. Article 6:162 of the Dutch Civil Code as applied in accordance with Lycos/ [name] also falls under the “provisions under Member State law”. In support of this position, BREIN refers to the conclusion of the AG in DFW/Ziggo, ECLl:NL:PHR:2021:83 (3.31-3.41), the judgment of the European Court of Justice of 24 September 2019, case C-136 /17, ECLl:EU:C:2019:773 and to the judgment of the Court of Appeal of The Hague of 24 December 2019, ECLl:NL:GHDHA:2019:3539 (grounds 4.6 - 4.7).

3.26.

According to Ziggo, it follows from the Explanatory Memorandum (hereinafter: EM) to article 31 of the UAVG that the exceptions mentioned in articles 32 and 33 of the UAVG are the only exceptions and that there is therefore a closed system.

The EM (Parliamentary Papers II 2017/18, 34851, no. 3) to Article 31 states: “Article 31 provides that the processing of personal data of a criminal nature is only permitted with due observance of Articles 32 and 33. (…). Articles 32 and 33 of the Implementing Act are an elaboration of the option offered by Article 10 of the Regulation to allow the processing of personal data of a criminal nature under Member State provisions that provide appropriate safeguards for the rights and freedoms of the data subjects.

3.27.

The preliminary relief judge is of the opinion that it indeed follows from this that Articles 32 and 33 of the UAVG exhaustively regulate the exceptions to Article 10 of the GDPR (except for processing under government supervision). This means that Article 6:162 of the Dutch Civil Code offers no additional ground for exception.

3.28.

That this is the case also follows from article 33 paragraph 5 UAVG. It states: “A license as referred to in the fourth paragraph, part c, [that is the license of the AP, addition of the preliminary relief judge] can only be granted if the processing is necessary with a view to an important interest of third parties and the implementation is provided in such a way that the privacy of the data subject is not disproportionately harmed. †

That phrase is in line with what is stated in Article 6(1)(f) of the GDPR: “the processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where the interests or fundamental rights and freedoms of the data subject are require the protection of personal data, outweigh those interests (…).”

In the judgment in Lycos/[name], the Supreme Court ruled that if the conditions stated in that judgment are met, then Article 6(1)(f) of the GDPR has also been met.

The preliminary relief judge concludes from this that the AP grants a license provided that conditions similar to those stated in Lycos/[name] are met. It therefore in no way follows from this that a license from the AP is no longer required if the conditions of Lycos/[name] are met.

3.29.

The manual of the General Data Processing Regulation of the AP (pages 45 and 46) is in line with the conclusion drawn above that the exceptions to Article 10 GDPR are regulated exhaustively. In that manual, the AP provides a list of grounds for exception and that list appears to be conclusive.

3.30.

The statements quoted by BREIN do not lead to a different conclusion. In the DFW/Ziggo judgment it was not argued that the circumstance that it concerns personal data under criminal law prevents Ziggo from processing it (see paragraph 5.24 of that judgment). That judgment therefore says nothing about Article 10 AVG and the exceptions of Articles 32 and 33 UAVG. In addition, the AG writes in paragraph 3.35 of its conclusion that Article 6:162 of the Dutch Civil Code can apply as a national regulation on the basis of which an access provider must provide customer data to an IP rightholder, but provided that article can be interpreted and applied in a way that is compatible with, among other things, the GDPR.

The judgment of the CJEU also says nothing about the relationship between Article 6:162 of the Dutch Civil Code and Article 10 of the GDPR and the exceptional provisions of Articles 32 and 33 of the UAVG.

The judgment of the Court of Appeal in The Hague concerns Article 9 AVG instead of Article 10 AVG and Article 9 AVG does not apply to criminal personal data (see legal ground 4.23 and MvT to Article 22 UAVG).

Incidentally, the Lycos/[name] judgment itself does not deal with the processing of criminal personal data, but with personal data in general. The judgment in Lycos/[name] therefore also does not provide an answer to the question of how Article 6:162 of the Dutch Civil Code relates to Article 10 AVG and the exceptions of Article 32 and 33 UAVG.

Argument 2

3.31.

According to BREIN, there is the exception referred to in Article 32 sub c (the processing relates to personal data that have apparently been made public by the data subject). It is an open directory, so the IP address and port number have apparently been made public by Ziggo's customer, BREIN says.

3.32.

However, the processing that takes place is linking the IP address and port number to the name and address details of the Ziggo customer. The name and address details are therefore also processed and – regardless of whether the IP address and port number have apparently been made public, which Ziggo disputes – they have in any case not been made public. The fact that Ziggo is already familiar with the name and address details does not mean that they have apparently been made public. The fact that BREIN has a license (declaration of legality) for the transfer of personal data of a criminal nature to Ziggo does not alter the fact that Ziggo processes this data independently and it must therefore also have a basis for processing it and therefore also must be one of the exceptions. The exception of article 32 sub c UAVG does not apply to her.

Argument 3

3.33.

BREIN also states that the exception of Article 32 sub d UAVG applies (the processing is necessary for the establishment, exercise or defense of legal claims). After all, with these preliminary relief proceedings BREIN has instituted a legal action to counter the infringement. This exception also applies to Ziggo, because it does not have to be your own legal claim, according to BREIN.

3.34.

Ziggo argues that no legal action has yet been instituted, because BREIN (primarily) demands that warning letters be sent and BREIN/Ziggo I has ruled that the ground for exception of Article 32 sub d UAVG does not apply in that case. The (alternatively) claimed delivery of name and address details will probably also not lead to a legal claim, because, according to BREIN, sending a warning will usually have sufficient effect.

3.35.

The preliminary relief judge considers as follows. BREIN/Ziggo I involved a warning campaign after which – if that campaign failed to have sufficient effect – a separate process would be started to take legal action against any infringers (possibly preceded by a process to obtain the name and address details of those infringers). track down). The personal data of a criminal nature that would be processed in the context of the warning campaign were therefore not used for the establishment of an infringement action. That is a different situation from the one at issue here, now that the issue of name and address details is also required. In view of the text of Article 32 sub d UAVG (“institution, exercise or substantiation”), it does not have to concern an already instituted legal claim. In BREIN's view – and that is the norm here – these preliminary relief proceedings concern the run-up to legal proceedings, which she hopes will not have to be conducted. BREIN argues that it is sufficient that a legal action is pending, regardless of who will bring it. However, that reading of article 32 sub d UAVG is incorrect. It must, however, concern their own legal claim, as is apparent from the Explanatory Memorandum to Article 22 of the UAVG: “Under certain circumstances, private individuals cannot enforce their [emphasis by preliminary relief judge] rights in legal proceedings without having certain information about their counterparty at their disposal”. The processing of criminal personal data by Ziggo is therefore not permitted on the basis of Article 32 sub d UAVG because BREIN may institute a legal claim as referred to in that paragraph. Apart from that, as has already been ruled in BREIN/Ziggo I, the fact that BREIN stands up for the rights of those who are affiliated with it does not mean that it does not process the personal data for itself. In the opinion of the preliminary relief judge, this means that when BREIN institutes a legal claim on behalf of its affiliates, there is a legal claim in the sense in question with regard to its own processing of criminal personal data.

Argument 4

3.36.

BREIN invokes the ground for exception that is stated in article 33 paragraph 2 sub b UAVG:

“Personal data of a criminal nature may be processed by the controller who processes this data for its own benefit:

†

b. to protect his interests, insofar as it concerns criminal offenses that have been or, based on facts and circumstances, are expected to be committed against him or against persons employed by him.

†

According to BREIN, the copyright infringement also constitutes a criminal offense against Ziggo.

3.37.

In view of the legal text, this exception only applies if there is a criminal offense against Ziggo. The judge in preliminary relief proceedings explains this legal text in a limited way, now that the purpose of the GDPR is to safeguard privacy. This means that the point must be that Ziggo is affected in the interests that the criminal offense is intended to protect. The offense is the violation of the copyright in the books. Ziggo is not a copyright owner and does not represent the interests of copyright owners. The fact that Ziggo can suffer negative consequences from infringements that are committed via the internet access it provides and that it reserves the right to act against this in its general terms and conditions, does not mean that the infringement is committed against Ziggo. These negative consequences affect civil law (particularly contract law), not criminal law.

Argument 5

3.38.

Pursuant to Article 33(4)(c) of the UAVG, a license from the DPA is required when processing criminal personal data for a third party. According to BREIN, when sending warning letters, Ziggo does not process the data for BREIN, because the data is not shared with BREIN.

3.39.

This argument also fails. The processing is, among other things, the linking by Ziggo of the IP address that BREIN supplies to it, with the name and address data known to Ziggo. Ziggo does this processing for the benefit of BREIN, namely to prevent the infringement against those whose interests BREIN represents. It does not matter that the name and address details are not shared with BREIN. The fact that Ziggo contractually reserves the right to its customers to take action against misuse of the internet connection and that - according to BREIN - this is also in Ziggo's interest, does not mean that the specific processing involved in these preliminary relief proceedings is for the benefit of of Ziggo is carried out.

Argument 6

3.40.

BREIN takes the position that Ziggo does not need to carry out a data protection impact assessment (Article 35 GDPR), because there is no large-scale processing of criminal data, but the processing of a specific IP address in the context of a specific infringement. .

3.41.

Pursuant to the AP General Data Processing Regulation manual (page 58), a data protection impact assessment must be performed, inter alia, if there is processing of 1) sensitive data or data of a highly personal nature and 2) on a large scale processed data. The judge cannot assess whether the processing will be on a large scale. Here lies the concrete claim with regard to one customer of Ziggo and possible future claims. In contrast to the FLU campaign that played a role in BREIN/Ziggo I, there is no indication in these preliminary relief proceedings what the scope of future infringements will be.

Argument 7

3.42.

BREIN also says the following. Even if Ziggo has to carry out a data protection impact assessment and needs a license from the AP, Ziggo is obliged to cooperate in forwarding the warning letters. After all, in Brein/Ziggo I, it was ruled in the context of the FLU campaign that Ziggo is acting unlawfully if it does not forward the warning letters. This also applies to a customer who infringes via an open directory. In any case, Ziggo will have to make every effort to carry out that assessment and to obtain that permit. The data protection impact assessment carried out by Ziggo will have to turn out the same as the assessment carried out by BREIN, now that the risks in BREIN/Ziggo I have been found acceptable by the preliminary relief judge, all according to BREIN.

3.43.

In Brein/Ziggo I, it was ruled that Ziggo is acting unlawfully if it does not forward if it has a license from the AP. The preliminary relief judge does not have to rule on the question of whether Ziggo must do what is necessary to obtain a license from the AP and to carry out a data protection impact assessment, because this cooperation/effort was not demanded by BREIN.

Process costs

3.44.

BREIN is proven wrong and must therefore pay Ziggo's legal costs. According to Ziggo, a full court order for costs under Article 1019h DCCP is not at issue in this case. That is also the judgment of the preliminary relief judge. As in BREIN/Ziggo I, this is not a matter between the holder of an intellectual property right on the one hand and the alleged infringer on the other as to whether there is an (imminent) infringement. The infringement itself is not at issue here, but who the infringer is. That discussion will ultimately have to be settled between BREIN and the alleged infringer(s). This case revolves around the question of whether that infringement requires Ziggo to cooperate in sending warning letters or providing name and address details. That was different in the judgment quoted by BREIN. The preliminary relief judge will therefore apply the liquidation rates. On the basis of this, Ziggo's legal costs are estimated at:

- court fee € 676,00

- lawyer salary 1,016.00

Total €1,692.00

3.45.

The additional costs claimed by Ziggo will be allocated in the manner stated in “the decision”.

4 The decision

The preliminary relief judge

4.1.

rejects the claims,

4.2.

orders BREIN to pay the costs of the proceedings, estimated on the part of Ziggo to date at € 1,692.00,

4.3.

orders BREIN to increase the costs incurred after this judgment, estimated at € 163.00 in lawyer's salary, on the condition that BREIN has not complied with the judgment within 14 days of being notified and the judgment has subsequently been served, with an amount of € 85.00 in lawyer's salary and the writ costs of service of the judgment,

4.4.

declares the cost order provisionally enforceable.

This judgment was rendered by preliminary relief judge mr. R.A. Steenbergen, assisted by registrar mr. M. Braam, and pronounced in public on 9 June 2022.1

1MB (4209)