Rb. Midden-Nederland - C/16/531572 / KG ZA 21-672
|Rb. Midden-Nederland - C/16/531572 / KG ZA 21-672|
|Court:||Rb. Midden-Nederland (Netherlands)|
|Relevant Law:||Article 4(1) GDPR|
Article 5(1)(b) GDPR
Article 6(4) GDPR
Article 10 GDPR
Article 23(1)(d) GDPR
Article 35 GDPR
Article 1 Dutch GDPR Implementation Act (UAVG)
Article 31 Dutch GDPR Implementation Act (UAVG)
Article 32 Dutch GDPR Implementation Act (UAVG)
Article 33(2)(b) Dutch GDPR Implementation Act (UAVG)
Article 33(4)(c) and 33(5) Dutch GDPR Implementation Act (UAVG)
Articles 31, 32 and 33 of the Dutch Copyright Act (Auteurswet)
|National Case Number/Name:||C/16/531572 / KG ZA 21-672|
|European Case Law Identifier:||ECLI:NL:RBMNE:2022:297|
|Original Source:||uitspraken.rechtspraak.nl (in Dutch)|
|Initial Contributor:||Martijn Staal|
District Court Midden-Nederland ruled in a summary proceeding between copyright watchdog Brein and ISP Ziggo, that while both had a basis for processing IP-addresses of alleged copyright infringers, Brein could not order Ziggo to forward warning letters to these alleged infringers, solely because Ziggo does not have the required permit.
Stichting Brein is involved in collectively counteracting and preventing copyright infringement. Ziggo is one of the largest internet access provider in the Netherlands. In december 2020, Brein started the "FLU-warning campaign". In this campaign, Brein wants to send warning letters to holders of an IP address of which Brein has found that they have uploaded copyright infringing material via BitTorrent for at least 2 times in a span of four weeks, found in a random sample. Brein only has the IP-address of these uploaders, not their name and address details. Brein needs the cooperation of the internet access providers to link an IP-address to name and address details.
In this preliminary relief proceeding, Brein claimed that Ziggo should be ordered to forward Brein's warning letters to the relevant Ziggo customers.
In short, the court rejects the claim by Brein, because Brein and Ziggo are both responsible for the processing of personal data regarding criminal offenses and thus both need to have a basis for processing such data. Brein has this, but Ziggo does not. Ziggo would process the personal data on behalf of a third party (Brein) and may only do so if the Dutch DPA has issued it with a license to do so. Since Ziggo does not have such license, the claim cannot be awarded.
The court comes to this conclusion via the following argumentation.
Qualification as personal data
First, the court concludes on the basis of the Bayer-ruling and Mircom-ruling by the CJEU that in this case IP-addresses are personal data. Brein has the possibility to get a court order to force Ziggo to hand over name and address details related to a specific IP-address, and thus has the legal means enabling it to identify the person concerned.
Qualification as personal data regarding criminal offenses
Secondly, the court concludes that this personal data constitutes personal data regarding criminal offenses (article 1 Uitvoeringswet AVG / Dutch GDPR Implementation Act). Copyright infringement is a criminal offense (article 31-33 Auteurswet (Dutch Copyright Act)). Even though there is barely any prosecution on the basis of these offenses, the Dutch DPA ruled earlier in a decision about the online enforcement of copyright by Dutch Filmworks B.V. that processing of personal data of persons against whom there is a more or less well-founded suspicion of acts that infringe a copyright, must be regarded as the processing of personal data regarding criminal offenses.
Because IP-addresses of copyright holders thus constitutes personal data regarding criminal offenses, before Brein can process this data, it must do a data protection impact assessment (DPIA) according to article 35(3)(b) GDPR. According to Brein, the DPIA concluded that there were no high risks, and thus prior consultation of the Dutch DPA was not required (article 36(1) GDPR). Brein has a certain degree of discretion in this respect, so the court can only marginally test this conclusion.
Ziggo claims however that Brein could not come to this conclusion, because - amongst other arguments:
- The behaviour of people can be derived from the FLU project. The court agrees with this, but concludes that the behaviour is factually limited and Brein uses it for the justified purpose of fighting copyright infringement.
- It is possible that warning letters would be sent to users younger than 16 which are vulnerable data subjects. The court however concludes that the only way to completely eliminate the risk of sending warning letters to minors would be to not send them at all, which makes enforcement impossible and thus goes to far.
The court rejects these and other arguments and concludes, marginally testing, that Brein has been able to conclude with good reason that there is no question of high residual risks on the basis of which the Dutch DPA should be consulted prior to the intended processing.
Basis for processing personal data regarding criminal offenses
Following article 10 GDPR and article 31 of the Dutch GDPR Implementation Act, the personal data regarding criminal offenses can only be processed in the exceptional situations in articles 32 and 33 of the Dutch GDPR Implementation Act.
According to article 33(4)(c) of the Dutch GDPR Implementation Act, the Dutch DPA may give a permit to process personal data regarding criminal offenses on behalf of third parties, if the processing of this data is necessary in view of a substantial interest of third parties and in the execution such guarantees are provided that the privacy of the person involved is not disproportionally harmed.
Brein requested such a permit from the Dutch DPA, but the DPA decided that since Brein does not process this data on behalf of third parties, it does not need this permit. Brein can base their processing on the exception laid down in article 33(2)(b) Dutch GDPR Implementation Act, which allows for processing personal data regarding criminal offenses insofar as these offenses have or may be committed against the interests of the data controller.
If Ziggo would link the name and address details of their customers with the IP-addresses provided by Brein, Ziggo would process this data under its own responsibility, and not just as a processor. Ziggo must therefore also have a basis for processing personal data regarding criminal offenses. The court concludes that Ziggo may only do this if they have a permit based on article 33(4)(c) Dutch GDPR Implementation Act. Since Ziggo does not have this permit, it may currently not process this personal data regarding criminal offenses.
General basis for data processing (article 6 GDPR)
The court rules that that Brein can base its processing of these IP-addresses on article 6(1)(f) GDPR. Brein has a legitimate interest in fighting copyright infringement which is more important than the interests of the alleged copyright infringers.
The court concludes that Ziggo also has a legitimate interest according to the criteria set out by the Dutch Supreme Court in its Lycos-ruling. Furthermore, the court rules that the purpose limitation principle does not prevent the processing. Processing the name and address details for Brein's interest of fighting copyright infringement is further processing - since it was initially only collected for providing internet access - which is only allowed if it is within the boundaries set by article 6(4) and 23(1) GDPR. Not forwarding the letters if allowed would be unlawful by article 6:162 of the Dutch Civial Code (tort), which guarantees that infringement of the rights and freedoms of others will be prevented. This thus constitutes a restriction to rights provided in article 12-22, 34 and 5 of the GDPR allowed by article 23(1)(d) GDPR.
Thus, Ziggo also has a basis for processing this personal data, and is not restricted by the purpose limitation principe.
- Interesting to note is that the court concludes that Stichting Brein may process the personal data regarding criminal offenses on the basis of article 33(2)(b) Dutch GDPR Implementation Act, because based on the text of this article, one would assume it is only applicable when the interests involved are the interests of the data controller or their employees. However, Brein is an organization for protecting copyrightholderd affiliated with Brein, and not their own copyright interests. Ziggo argued this, but the court concluded that since the Dutch DPA ruled that Brein was not processing this data on behalf of third parties, it must be Brein's own interests.
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
verdict CENTRAL NETHERLANDS COURT Civil rights trading room location Utrecht case number / roll number: C/16/531572 / KG ZA 21-672 Judgment in summary proceedings of 2 February 2022 in the case of the foundation BRAIN FOUNDATION, established in Amsterdam and with offices in Hoofddorp, plaintiff, lawyers mr. D.J.G. Visser and mr. P. de Leeuwe in Amsterdam, in return for the private company with limited liability ZIGGO B.V., located in Utrecht, defendant, lawyers mr. J.R. Spauwen, mr. J.P. van den Brink and mr. N.M. Fisher in Amsterdam. The parties will hereinafter be referred to as Brein and Ziggo. 1 The procedure 1.1. The course of the procedure is apparent from: - the summons of December 31, 2021 with exhibits 1 to 22 - the statement of defense received from Ziggo on 7 January 2022 - the productions 1 to 7 inclusive received from Ziggo on January 11, 2022 - the productions 23 to 25 inclusive received from Brein on January 11, 2022 - the oral hearing of January 12, 2022 - Brein's pleading note - Ziggo's pleading note. 1.2. Subsequently, it was announced that a judgment would be handed down on January 26, 2022 or as much later as appears necessary. The parties have been informed that the judgment date has been postponed to February 2, 2022. 2 What is this case about? 2.1. Brein is involved in the collective fight against copyright infringement. It does this for the benefit of its affiliated performers, producers, broadcasters, publishers and distributors. 2.2. Ziggo is one of the largest internet service providers (hereinafter: ISPs) in the Netherlands. 2.3. In the Netherlands, copyrighted and neighboring rights protected works are still illegally offered and consumed, including via the BitTorrent protocol. The vast majority of files exchanged via BitTorrent are protected under IP law and are shared without the permission of the copyright owner. 2.4. The BitTorrent protocol works like this: 2.4.1. The BitTorrent protocol allows users (“peers”) to share (“fileshare”) files after downloading specific software (BitTorrent client). The files to be exchanged are cut into small pieces and are shared via the computers/servers of the peers. 2.4.2. In principle, a user who downloads (called a leecher) makes the downloaded (part of the) file immediately available to other users. A peer that has downloaded the entire file and made it available to third parties is called a “seeder”. 2.4.3. The files are exchanged via a “torrent” or “magnet link”, which contains information about how a file is divided and on which computers/servers the individual parts of the file can be found. Via the torrents/magnetlinks, a "tracker" keeps track of which peers are available to download a particular work. The torrents/magnetlinks are shared between users via BitTorrent platforms, such as The Pirate Bay and Popcorn Time. 2.4.4. The peers that exchange a particular file participate in a “BitTorrent swarm”. Via the BitTorrent client, a peer in the swarm can see which other peers are participating in that swarm at any given time, because the IP addresses (and port numbers) of the participants in that swarm are visible. 2.4.5. The participants in the swarm are usually not the initial source (“initial uploader”) of the illegal offer. The initial uploader is usually a person or persons ("release team") who uploads/places protected works on the Internet (in a swarm) under an alias on a large scale. After posting the works and the references to them, the initial uploader disappears from the swarm. This is therefore difficult to find. Once a work has been shared by the initial uploader, the peers ensure that the illegal offer remains available through the swarm. Without seeders who frequently and/or long-term share illegal offerings, the BitTorrent protocol will not function. 2.5. In December 2020, Brein started the FLU warning campaign. FLU stands for Frequent and Long-term Uploading. In this context, uploading means: making illegal offers available via BitTorrent. The FLU warning campaign was announced in the media via a press release and has since received various media attention. 2.6. The FLU campaign is aimed at sending a warning letter to the holder of an IP address of which Brein, using special software (AnalysisProgramme Frequent and Long-Term Uploaders, "AFLU") has randomly found that via that IP address in a During a period of four weeks, at least 2 illegal offers have been made available via BitTorrent. The letter mentions the works thus placed in the swarm and states that this is illegal and harmful. The holder is asked from now on to only use legal platforms and to take action if a third party misuses his internet connection. It is also said that in future infringements Brein can request the name and address details of the holder in order to agree a statement of abstention or to demand a court order. Brein expects that when the holders of an IP address are made aware of the illegal use of their internet account, that use will in many cases stop voluntarily. 2.7. After the FLU campaign, Brein will have market research agency Kantar carry out research into the effect of the warning letters. Brein has received a subsidy from the Ministry of Education, Culture and Science for this research. Based on the outcome of that investigation, Brein will determine whether it will continue with the warning campaign or whether it will take enforcement measures against the frequent and/or long-term uploaders. Any enforcement takes place with regard to new IP addresses to be collected by Brein on the basis of different, stricter, criteria than those that apply to the FLU warning campaign. The IP addresses collected as part of the FLU warning campaign are therefore not used for any subsequent enforcement. 2.8. The sample on the basis of which people are labeled as frequent and/or long-term uploaders is determined as follows: 2.8.1. AFLU is a BitTorrent client that allows Brain to join the BitTorrent swarm of a file being exchanged at a given time. Brain performs random checks with AFLU. An employee of Brein searches popular BitTorrent indexing sites for certain illegal works (partly) aimed at the Netherlands by its affiliates that are offered without permission. If such a work is found, Brain opens the torrent that references the work and thus participates in the BitTorrent swarm with which the work is exchanged. Brein can then find out the IP addresses and port numbers of the participants in the swarm. Brain stays so short in that swarm that she doesn't become a seeder. Brain does not place any works and thus does not create a new swarm. AFLU only collects IP addresses that are managed by a Dutch isp. 2.8.2. To qualify as a frequent and/or long-term uploader under this project, an infringer's IP address must be encountered at least twice in a swarm in a four-week period. That can be once in two different swarms or twice in the same swarm with a duration of at least 7 hours. Because this concerns a random sample, Brein assumes that this infringer commits infringements (much) more often. 2.8.3. The IP addresses that do not meet the criteria of FLU are deleted. The IP addresses of those who came out of the sample will also be erased after sending the warning letter. 2.9. The details of the holders of the IP addresses that come from the sample via AFLU are unknown to Brein. Brain only knows the IP address. The ISPs of the relevant IP address can link that IP address to their subscriber's name and address details. Brein therefore needs the cooperation of the ISPs to send the warning letters, in the sense that they forward Brein's letter to their subscribers. Brein will send a maximum of 1,000 forwarding requests per month to all ISPs jointly. 2.10. The FLU warning campaign is, among many other measures, one of the ways in which Brein tries to maintain the copyrights of its affiliated (legal) persons. Despite the measures taken by Brein, illegal offers are still often used. That is why Brein considers it an indispensable part of effective enforcement that awareness is created among people who frequently or long-term consume and exchange illegal supplies and that they are warned. According to Brein, the warning campaign is partly prompted by the fact that the Dutch Data Protection Authority (hereinafter: AP) has informed Brein in the past that it considers it very important that BitTorrent users are warned before enforcement is initiated. 2.11. Most illegal offers that Brein discovered in the context of the FLU warning project are made available via IP addresses that Ziggo manages. Brein therefore wants Ziggo to forward Brein's warning letters to its customers. Ziggo does not participate voluntarily in this. 2.12. In these preliminary relief proceedings, Brein is claiming that Ziggo be ordered to forward Brein's warning letters to the relevant Ziggo customers, on pain of a penalty. 3 How does the preliminary relief judge decide? Conclusion and reading guide 3.1. The preliminary relief judge rejects Brein's claim. Brein and Ziggo are both controllers of criminal personal data and both must have a legal basis for the processing thereof. Brain has one, but Ziggo doesn't. Ziggo processes the criminal personal data on behalf of a third party (Brain) and is only allowed to do so if the AP has issued it with a permit for this. That is not (yet) the case. Therefore, the claim cannot (yet) be granted. In order to provide the parties with as much clarity as possible, the preliminary relief judge will deal with all points of dispute between the parties in this judgment. Then it turns out that the only obstacle to allocation is that Ziggo still lacks a processing basis. It is explained below why the preliminary relief judge judges the way he does. Ziggo's defenses form the common thread here. 3.2. In outline, Ziggo has made the following defenses. - privacy: according to Ziggo, forwarding the warning letters is not compatible with the General Data Processing Regulation (GDPR); - the set-up of the project: according to Ziggo, the definition of the term FLU is too broad; - according to Ziggo there is no basis for the obligation to forward warning letters; - In addition, Ziggo finds the claim too broad and defends against the amount of the penalty and against the full order to pay the costs of the proceedings claimed on the basis of Article 1019h DCCP. GDPR Are the IP addresses personal data? Yes 3.3. Article 4 of the GDPR defines personal data as: “any information relating to an identified or identifiable person”. The parties agree that the IP address is personal data with regard to Ziggo, now that it has the information with which it can link that IP address to an individual user and can therefore be identified. The parties differ on whether an IP address also counts as personal data with regard to Brein. Brein thinks not and Ziggo does. The preliminary relief judge agrees with Ziggo on this point. 3.4. In the judgment of the European Court of Justice (CJEU) in Breyer (CJEU 19 October 2016, ECLI:EU:C:2016:779, ground 45-49), the European Court ruled that if a provider of an online media service has a (dynamic ) records IP address when a person visits a website that is made accessible to the public by that provider, that IP address constitutes personal data for that provider if that provider has legal means by which it can identify the person concerned to on the basis of additional information held by this person's Internet service provider. In the judgment regarding Mircom (CJEU 17 June 2021, ECLI:EU:C:2021:492) the European Court reiterated this. An IP address is therefore personal data for those who have legal options to link that IP address to a person using information from an isp. It seems to follow from the judgment that the concept of “legal options” is interpreted broadly by the European Court. After all, in the Breyer judgment, it was considered that these legal possibilities do not exist if the identification of the data subject is prohibited by law or is impracticable in practice, for example because - in view of the time, costs and manpower required - they effort, so that in reality the risk of identification appears insignificant. The preliminary relief judge therefore concludes that the option to request name and address details of the user of an IP address from the isp (whether or not through the courts) does fall under the legal means referred to in the Breyer judgment. That in the context of the warning campaign, Brein does not (yet) intend to request name and address data from Ziggo (and, if that remains unsuccessful, to claim it from Ziggo) and that it is not certain that – if it does – it also obtains that data, does not alter the fact that it does have that legal means, that the time, costs and manpower involved are not excessive in the aforementioned sense and that the IP addresses that Brein collects therefore also with regard to its counting as personal data. Is it criminal personal data? Yes 3.5. Subsequently, the parties dispute whether the IP addresses collected by Brein constitute criminal personal data. The answer to that question is important, because criminal personal data may only be processed under the GDPR in exceptional cases. 3.6. Article 1 of the AVG Implementation Act (UAVG) defines personal data of a criminal nature. It appears from that article that this is the case, among other things, when it comes to personal data “relating to criminal offences”. Copyright infringement is punishable under Articles 31-33 of the Copyright Act (Aw). In a decision on the online enforcement of intellectual property rights by Dutch Filmworks B.V., the AP has decided. (DFW) determined that the processing of personal data of persons against whom there is a more or less well-founded suspicion of acts that infringe a copyright should be regarded as the processing of criminal personal data (AP, Final decision on the declaration of the legality of online enforcement of intellectual property rights by Dutch Filmworks BV, z2017-02053, p.4). In this case, Brein collects the IP addresses with which copyright-protected works are downloaded and exchanged. The suspicion is justified that this downloading and exchange is done by the subscriber of Ziggo and/or his housemates. All of them therefore have a more or less well-founded suspicion of committing a copyright infringement. The judge in preliminary relief proceedings is therefore of the opinion that those IP addresses count as personal data under criminal law. The fact that the criminal provision from the Aw is not enforced in practice and that Brein does not yet know who the infringer is at this stage does not alter this. This act is simply punishable and there is sufficient concrete suspicion against all those involved. Does the AP have to be consulted beforehand? new 3.7. Since the processing of criminal personal data is involved, it must first be assessed – before doing so – what the effect is of the intended processing activities on the protection of personal data (Article 35 GDPR). Brain did that. She has conducted a Data Protection Impact Assessment (DPIA). If the data protection impact assessment of Article 35 GDPR (in this case the DPIA) shows that the intended processing of personal data poses a high risk and it is not possible to limit those risks by taking measures, the data controller (in this case, Brain) must consult the Data Protection Authority prior to processing (Article 36 GDPR). 3.8. According to Brein, it follows from the DPIA that there are no high residual risks. According to Ziggo, Brein estimates that incorrectly and there are. It follows from the system of the GDPR and the information on the website of the AP that Brein must carry out the data protection impact assessment (or have it carried out) and that it must assess whether there are high residual risks and therefore whether prior consultation is necessary. . Brein has a certain degree of discretion in this regard. This means that the preliminary relief judge will only marginally test Brein's conclusion from the DPIA (that there are no high residual risks). 3.9. In the following, Ziggo's arguments will be rejected: 1. According to Ziggo, people's behavior can be derived from the FLU project. The judge agrees with that. It is the intention of Brein to recognize certain behavior of downloaders. However, this behavior is actually limited (it only concerns the illegal downloading of a limited selection of protected works in a limited period), cannot be traced back to an identifiable individual for Brein and for a legitimate purpose (fighting copyright infringement). 2. Ziggo believes that Brein should also have mentioned other risks of data processing, namely: stigmatization, financial loss, economic or social disadvantage and that decisions can be made on the basis of those data that are (seriously) disadvantageous for the data subjects, such as criminal complaint or prosecution, civil proceedings or termination of the Internet subscription. However, these are all risks associated with criminal activity. That is not the risk of the intended data processing itself, but of its purpose (to prevent criminal acts). In other words: the risks that Ziggo mentions are the result of enforcing copyrights other than by sending warnings, and that is not the case at the moment. The situation is different for the risk of stigmatization/social disadvantage. This is already being realized, but this risk is justified. If people do something criminal, there is a chance that they will be held accountable for it. In this case, this can only be addressed by sending a letter to the subscriber of Ziggo, while there may be several users and there is a chance that housemates will become aware of each other's internet behavior. The subscriber and any other users of the internet access have accepted this risk by allowing others to access the internet or by using the internet access of another person. 3. Ziggo says that in many cases those involved will be surprised by the warning letter. A surprise effect cannot indeed be ruled out, but Brein has done what can reasonably be expected of her to prevent this. For example, she announced the FLU warning campaign in the media (which has been picked up by other media). In addition, an illegal downloader knows via BitTorrent that the IP address used for this purpose is visible in the swarm, or can know that. In addition, the surprise comes in the fact that someone is caught committing infringing behavior when they felt unseen. 4. Brein recognizes that it is possible that the warning letter will be sent to a certain address and that it appears that the BitTorrent user is younger than 16 years old. Ziggo points out that this group of minors, just like people aged 16 or 17, are considered vulnerable data subjects. Contrary to Ziggo's assertion, Brein sufficiently removes this risk by removing all data as soon as it discovers that it concerns a minor infringer. Here too, it is always possible that the holder of the IP address has roommates who can use his internet access and that it is not clear in advance whether this is the case, now that Brein does not know the identity of the holder. . Many Ziggo subscribers will have a family/roommates. The risk of minors being involved can therefore only be completely eliminated if a warning letter is not sent. That makes enforcement in this form impossible and that goes too far. 5. Finally, Ziggo mentions that the AFLU software, in its opinion, is not error-free and is not sufficiently secured. Ziggo mentions that there were bugs and that testing was done in a controlled environment. She also says that one user selected by Brein does not meet Brein's criteria to be classified as a frequent and/or long-term uploader. Brein submitted two expert reports as exhibit 21. One expert considers the software reliable and the other judges that the software meets the requirements that may be set for it. The fact that there have been bugs and that the environment was controlled does not mean that the conclusions of the experts cannot be relied upon without further explanation, which is lacking. Brein also explained that the user referred to by Ziggo does meet the criteria. This was not visible to Ziggo, because a Brein employee made a mistake when copying data. Brein explained that the collected data itself is not edited manually. So nothing can go wrong with that. Brein has thus sufficiently refuted Ziggo's objections. 3.10. All in all, the preliminary relief judge is of the opinion, marginally reviewing, that Brein was able to conclude justified that there are no high residual risks on the basis of which the DPA should be consulted prior to the intended processing. Is there a legal basis for the processing? For Brein yes, for Ziggo (partly) not. Basis for criminal data 3.11. Pursuant to Article 10 of the GDPR in combination with Article 31 of the UAVG, the processing of criminal personal data is only permitted in certain exceptional cases. These exceptional cases are mentioned in Articles 32 and 33 of the UAVG. a. Brain 3.12. Article 33(4)(c) of the UAVG states that criminal personal data may be processed for the benefit of third parties if the AP has issued a permit for this. Brein applied for such a permit (to be on the safe side) from the AP, but Brein did not consider this to be subject to a permit requirement, because according to the AP there was indeed processing of criminal personal data, but not for the benefit of third parties. This ground for exception therefore does not apply to Brein. 3.13. According to Brein, it can invoke the exception in Article 32(d) of the UAVG. This exception means that criminal data may (among other things) be processed if such processing is necessary for the establishment, exercise or defense of legal claims. At the moment, however, there is only talk of a warning campaign. The moment that Brein (following the evaluation of this campaign) later decides to take (other) enforcement measures and it is necessary to litigate for this, IP addresses will be collected again. The IP addresses collected in the context of the FLU alert campaign are not used for that purpose (see 2.7) and so their processing is not necessary in connection with a legal claim. 3.14. Brein can successfully invoke the exception stated in article 33 paragraph 2 sub b UAVG. That article provides that criminal personal data may be processed by the data controller for his own benefit to protect his interests, insofar as it concerns criminal offenses that have been committed or are expected to be committed against him. According to Ziggo, this concerns criminal offenses (copyright infringement) against those who are affiliated with Brein and not against Brein itself. However, the AP has ruled that Brein does not process the data for the benefit of third parties. It logically follows that it then does this for its own benefit and, now that Brein's aim is to prevent infringements of the rights of its affiliated members, it therefore logically follows that those infringements within the framework of the AVG shall be regarded as infringements against Brein. b. Ziggo 3.15. If Ziggo links the IP addresses that Brein supplies to the name and address details of its customers to address Brein's warning letter to the holders of those IP addresses, it will process these (this is a form of "use, collect and record" as stated in Article 4 of the GDPR in the definition of processing). Ziggo processes this data (although not on its own initiative and possibly under coercion by a judgement) under its own responsibility, so it is not just a processor, but an independent controller of personal data under criminal law. Ziggo must therefore also have a legal basis for its processing. That basis cannot be found in article 32 paragraph 1 sub a UAVG (consent of the data subject). It is true that article 17 of the general terms and conditions (GTC) of Ziggo states that it may take certain measures to stop irregular behavior (such as illegal downloading), but that does not mean that Ziggo's customers also expressly consent to agreeing these general terms and conditions. have given for the processing of their personal data in the way that Brein advocates. The only other possible processing basis is article 33 paragraph 4 sub c UAVG. Ziggo processes the criminal personal data on behalf of Brein. On the basis of Article 33(4)(c) of the UAVG, Ziggo may only do this if the AP has issued a permit for this, which is not (yet) the case. Ziggo therefore lacks (for the time being) a basis for processing criminal personal data. In addition, Ziggo will also have to carry out a data protection impact assessment (Article 35 GDPR). General basis 3.16. Also, apart from the additional requirements that apply to the processing of criminal personal data, there must also be a basis for the processing. This can be found in Article 6(1)(f) of the GDPR (legitimate interest). a. Brain 3.17. The basis of legitimate interest is met if: there is actually a legitimate interest; the processing is necessary to protect this interest; Brein's interests outweigh those of the (alleged) infringers. 3.18. With regard to Brein, these three conditions have been met. Preventing infringements is a legitimate interest. Brein wants to promote this interest by means of the warning campaign described earlier in this judgment. Brein has made it sufficiently plausible that this warning campaign is necessary in the range of measures it deploys against the very persistent and difficult to combat practice of illegal downloading, and that Ziggo's cooperation is required in this regard. The way in which the warning campaign is set up (Ziggo forwards the letters) ensures that Brein does not have access to the name and address details of the IP address holders/infringers. This means is less objectionable for those persons (and for Ziggo) than if Brein were to request the name and address details from Ziggo, whether or not through legal proceedings (on which the EU Court of Justice has ruled that Article 6(1)(f) of the GDPR) does not stand in the way of this, CJEU 17 June 2021, ECLI:EU:C:2021:492 Mircom/Telenet, ground 132). This means that the interests of Brein outweigh those of the IP address holders/infringers. b. Ziggo 3.19. In the judgment in Lycos/[name] (Supreme Court, 25 November 2005, ECLI:NL:HR:2005:AU4019) the Supreme Court ruled that if the conditions set out in that judgment are met, Article 6 paragraph 1 is also satisfied. sub f GDPR. In recitals 3.30-3.42 of this judgment it is held that the conditions of the Lycos/[name] judgment have been met. On this ground, Ziggo therefore has a legitimate interest in the processing of the data. Does the purpose limitation principle preclude processing? new 3.20. Pursuant to Article 5(1)(b) of the GDPR, there must also be a specific, clearly defined and legitimate purpose for the processing of the personal data – in addition to a processing basis – and that these may not be processed in a way that is not compatible with that purpose is compatible (purpose limitation principle). If the processing falls outside the purpose, it is referred to as “further processing”. Further processing is only permitted if it is compatible with the original purpose. When assessing whether this is the case, the factors listed in Article 6(4) GDPR must be taken into account. When a controller collects personal data from a data subject from that data subject, it must inform the data subject about the processing purposes (Article 13(1)(c) GDPR). 3.21. Article 6(4) GDPR reads: “Where the processing for a purpose other than that for which the personal data were collected is not based on the consent of the data subject or on a provision of Union or Member State law which, in a democratic society, constitutes a necessary and proportionate measure to ensure the protection referred to in Article 23, For the purposes referred to in paragraph 1, when assessing whether processing for another purpose is compatible with the purpose for which the personal data were initially collected, the controller shall take into account, inter alia: a. any connection between the purposes for which the personal data were collected and the purposes of the intended further processing; b. the framework in which the personal data are collected, in particular as regards the relationship between the data subjects and the controller; c. the nature of the personal data, in particular whether special categories of personal data are processed, in accordance with Article 9, and whether personal data related to criminal convictions and offenses are processed, in accordance with Article 10; d. the possible consequences of the intended further processing for the data subjects; e. the existence of appropriate safeguards, which may include encryption or pseudonymisation.” 3.22. Article 23 paragraph 1 GDPR reads: “The scope of the obligations and rights referred to in Articles 12 to 22 and Article 34, as well as in Article 5 may, insofar as the provisions of those Articles correspond to the rights and obligations referred to in Articles 12 to 20, be limited by provisions of Union or Member State law to which the controller or processor is subject, provided that such limitation does not affect the essence of fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to guarantee of: (…) d. the prevention, investigation, detection and prosecution of criminal offenses or the execution of penalties, including protection against and prevention of threats to public order and security; (…) i. the protection of the data subject or the rights and freedoms of others; (…)”. 3.23. According to Brein, the purpose limitation principle does not stand in the way of forwarding the warning letters. First of all, not, because forwarding the warnings falls within the processing purpose of Ziggo and therefore there is no further processing. Brein substantiates this as follows: Ziggo's general terms and conditions state that it can take more drastic measures than sending a warning letter in the event of copyright infringement. On the basis of Article 17 paragraph 2 AV, in the event of a serious suspicion of an infringement, whether or not after a summons, Ziggo has the right to deny the customer access to the internet, to remove the customer's content, to block the customer's data traffic. or take other measures that Ziggo deems appropriate to stop the infringement. Contractually, Ziggo can therefore take much stricter measures than that which Brein now requires of it and Ziggo also reserves the right to warn first. The Ziggo website also states that in copyright matters using Ziggo's computer systems, Ziggo will partly forward the complaint received by it to the relevant customer, because it is not responsible for the data traffic between users. The Notice-and-Take-Down (NTD) code of conduct, which Ziggo endorses, also stipulates that if it is not clear whether an infringement is being committed, the isp is obliged to inform the content provider of the notification about that possible infringement. with the request to remove the content or to contact the reporter. It is therefore customary for Ziggo customers to first receive a notification from Ziggo or a third party in the event of infringements. In the past, Ziggo has also forwarded warnings from Brein to its customers in the context of infringement via an open directory, according to Brein. 3.24. Insofar as further processing does take place, the forwarding of the warning letters is, according to Brein, not incompatible with the original processing purpose within the meaning of Article 6(4) GDPR. Cooperating in countering infringements is, of course, compatible. Moreover, the compatibility test is not necessary if there is a legal obligation for Ziggo for the processing, which is Article 6:162 of the Dutch Civil Code, says Brein. 3.25. According to Ziggo, linking the IP addresses supplied/still to be supplied by Brein to the name and address data known to it is not compatible with the purpose for which it has collected those name and address data: namely to make internet access available for the customer. The latter is also the processing purpose that Ziggo communicates to its customers. Ziggo also informs its customers that the content of the internet traffic is not processed by it. Ziggo does not inform its customers about linking data in the way that Brein now wants from it. There is no connection between the provision of the internet by Ziggo and the protection of the copyrights of those who are affiliated with Brein. Ziggo's customers will not expect the further processing that Brein wants from Ziggo. These customers depend on Ziggo for internet access and can expect that Ziggo will not watch if they use it. In addition, it concerns the processing of criminal personal data with potentially serious consequences. The security measures that Brein has taken do not outweigh those risks. Therefore, the processing is incompatible with the original processing purpose and the purpose limitation principle precludes the forwarding of the warning letters. In the past, Ziggo forwarded warnings from Brein once in the context of a different type of breach (via an open directory), but that was in violation of its internal policy and has not happened since. Brein is therefore not allowed to draw any conclusions from this. The text on Ziggo's website is not in line with its policy and will be revised. It cannot be inferred from this that Ziggo forwards warnings on request that are addressed to its customers. The NTD code of conduct is about internet content and has little to do with forwarding the warning letters referred to here, according to Ziggo. 3.26. The preliminary relief judge considers as follows. The name and address details of Ziggo's customers have been collected by it with the aim of facilitating an internet connection and to enable the legal relationship agreed in the relevant agreements to be performed in a regular manner. Pursuant to Article 17 AV of Ziggo, Ziggo's customers are obliged to not act in violation of the law when using the internet connection and Ziggo is entitled to take measures if they do so (including sending a demand to the customer). For that reason, the aforementioned collection purpose also includes the processing that takes place because Ziggo links the IP addresses to be supplied/supplied by Brein to the name and address details of its customers in order to address Brein's warning letter to those customers. It is important in this regard that it has not been stated or shown that the contractual authority to take measures only covers the case in which Ziggo itself discovers the illegal use of the internet connection. On the contrary: Ziggo has stated that it itself does not (may) take cognizance of the content of its customers' internet traffic and will therefore often learn of the cases of illegal use by its customers from third parties. The fact that Ziggo itself can choose (whether or not legally compelled to do so) to send out such a warning or to refrain from doing so, does not lead to a different opinion. In the event that the foregoing requires a different view, further processing is involved. 3.27. Such further processing is permitted under Article 6 of the GDPR, as the processing is based on a provision under Member State law which, in a democratic society, constitutes a necessary and proportionate measure to safeguard the objectives referred to in Article 23(1) of the GDPR. In this case, the processing by Ziggo will be based on Article 6:162 of the Dutch Civil Code (it is unlawful if it does not forward the warning letters, see 3.30-3.42), which guarantees that criminal acts and an infringement of the rights and freedoms of others (infringement copyright) is prevented. The obligation under Article 13 GDPR to inform the data subject prior to such further processing does not preclude this further processing. This is because the situation arises in which the further processing and the communication to the data subject cannot be separated from this intended further processing: in order to be able to tell a customer that Ziggo will continue to process his/her name and address details, Ziggo must already do. Otherwise, Ziggo will not know which customer to approach. If Ziggo receives a permit from the AP for this further processing, Article 13 GDPR should therefore not form an obstacle to carrying out that processing in these circumstances. Scope definition FLU too broad? new 3.28. According to Ziggo, Brein's definition of the frequent and/or long-term uploader is too broad. She says the following about this. If someone is found twice in a different swarm, it is an attempt to download a file twice. If someone is found twice in the same swarm, it's just a matter of downloading one file. This should not be regarded as frequent or prolonged uploading. In addition, many BitTorrent programs continue in the background after the program is closed by clicking the cross in the top right of the screen. This means that the vast majority of downloaders have the BitTorrent program open for 7 hours, probably without the downloaders even noticing, let alone having the intention to do so. As a result, in practice Brein does not focus on long-term and/or frequent BitTorrent users, but on virtually any random BitTorrent downloader and therefore on the downloading consumer. The latter is problematic for the AP, according to Ziggo. 3.29. The judge sees this differently. Brain wants to select BitTorrent users who can be found in one swarm or in at least two swarms for more than 7 hours. It is sufficiently plausible that this will also be possible with the AFLU software. In that case, Brain's definition does not refer to a one-time BitTorrent user or an ordinary consumer. Because this is a sample and only certain works are searched, according to Brein, if someone is found in two different swarms in a month, this indicates that this person uses BitTorrent much more often. If someone is found in one swarm for more than 7 hours, this person (partly) maintains that swarm and thereby makes the work available to others for a long time. Without these users, the BitTorrent platforms will not function. They therefore play an important role in the illegal exchange of files. The preliminary relief judge finds this explanation by Brein convincing. Basis for the mandatory forwarding of warning letters? Yes 3.30. In the foregoing, it has been ruled that there is an obstacle in the context of the AVG for the allocation of Brein's claim (AP license for Ziggo is missing). As mentioned, the preliminary relief judge will also deal with all other points of dispute put forward by the parties in order to give them as much clarity as possible. In that context, it is now being assessed whether, if Ziggo does have the required permit, there is a basis for condemning Ziggo to forward the warning letters. 3.31. There is, on the basis of the assessment framework used by the Supreme Court in the Lycos/[name] judgment (location: see 3.19). It is true that that judgment concerned the question whether an ISP acted unlawfully by not providing the name and address details of a website owner on whose website unlawful statements were made to the person who was the target, but the preliminary relief judge is of the opinion that this assessment framework is the most appropriate in the present case. This also concerns unlawful acts (in this case copyright infringement) via the services offered by the ISP. It is not about providing name and address details, but about forwarding warnings, a less drastic measure for the infringer. The judge in preliminary relief proceedings will take this into account in the following. However, that does not mean that the assessment framework cannot be applied to the present situation. 3.32. Lycos/[name] has ruled that a hosting provider is acting unlawfully if it does not provide identifying information of a website owner to a third party, in the event that: it is sufficiently plausible that the information that the website owner has placed on the website may be unlawful and harmful to the third party; the third party has a real interest in obtaining the identifying data; it is plausible that in this specific case there is no less drastic possibility to retrieve the identifying data; The balancing of the interests of the third party, the service provider and the website owner is in favor of the third party. The Supreme Court has also ruled that Article 8(f) of the Personal Data Protection Act (now Article 6(1)(f) of the GDPR) has been complied with. 3.33. Ziggo does not (specifically) dispute that this assessment framework can be used, it (only) says that in the situation between the parties, there is no question that Ziggo is acting unlawfully by not forwarding the warning letters. Ziggo argues, and the preliminary relief judge agrees, that no general obligation follows from Lycos/[name] for the provision of data, but that this may arise in concrete circumstances if it is socially unacceptable that otherwise unlawful conduct can be continued unimpeded. According to Ziggo, this does not occur here, because Brein can always request the name and address details of the infringers. The judge in preliminary relief proceedings sees this differently, as will be shown below. 3.34. The conditions mentioned in 3.32 will be discussed below, focusing on the situation between the parties. ad a 3.35. It is not in dispute between the parties that it is unlawful to download and upload IP-protected works of the Brein affiliates via BitTorrent platforms without their consent. It is also not in dispute that the IP addresses obtained from Brein's sample are used for this purpose. It is therefore sufficiently plausible that those IP addresses are involved in infringing acts. Ad b 3.36. Brein has a real interest in forwarding the warning letters: preventing future infringements. ad c 3.37. This is the least intrusive way for the infringer to counter the infringement. In the alternative, the name and address details of Ziggo's customer who holds the IP address will be handed over to Brein, so that it can enforce it. That is more serious. ad d 3.38. Balancing the interests of Brein, Ziggo and those involved is in Brein's favour. This is explained below. 3.39. According to Ziggo, the following interests play a role on its side and on the side of its customers. The en masse surveillance of BitTorrent users by Brein and subsequently warning those users is an intrusive limitation of their privacy and their right to the protection of personal data. The impact on Ziggo customers who receive a warning letter is significant; it is de facto a report of online behavior that housemates may see. The impact on Ziggo's business operations is also serious. It is a lot of work to manually link the IP addresses to the associated name and address data and then send the warning letters for an undefined period of time. That cannot be expected of Ziggo, according to Ziggo. 3.40. According to Ziggo, the following is happening on the part of Brein. The BitTorrent users can also be reached through information campaigns on television or via BitTorrent sites. Brain hasn't done that yet. In addition, the actual goal of the warning campaign is to restrict BitTorrent traffic, but Brain does not yet know whether this will succeed. That has yet to be investigated. In addition, according to Brein, the IP/DNS filters are effective and the question is to what extent BitTorrent is still relevant. Popcorn Time has already stopped and there are legal and illegal alternatives. The importance of Brein in sending the warning letters is therefore insufficiently clear, says Ziggo. Ziggo also argues that Brein wants to start enforcement immediately after forwarding the warning letters by requesting the name and address data associated with the "suspicious" IP addresses that have been selected from the swarm and it is insufficiently clear what that enforcement will entail exactly. According to Ziggo, this counts to its advantage, precisely because these are not systematic infringers. 3.41. The preliminary relief judge considers as follows. Brain has a great interest in sending the warning letters. It is plausible that a significant number of copyright infringements are still committed via BitTorrent sites (using internet access via Ziggo) and it has been found that these infringements are difficult to counter, despite a great deal of effort and costs (including legal proceedings) on the part of Brein. to go. This warning campaign may be able to make a positive contribution. The fact that the result of this is not yet certain does not alter the fact that Brein has an interest in trying this remedy. Moreover, the warning campaign intended by Brein is a lighter means than requesting name and address data for individual enforcement or blocking the BitTorrent platform. There is no question that the internet behavior of Ziggo's customers is monitored en masse by Brein. Brein only collects IP addresses from customers who come from a limited and carefully designed sample and for whom they illegally upload and download via BitTorrent platforms with some regularity and/or during a period of time of any size. The fact that these customers could actually feel watched over and that their illegal behavior may become known to housemates, is mainly the consequence of their own illegal acts, so that this interest does not carry much weight. With regard to Ziggo (as is also apparent from European case law, CJEU 27 March 2014, ECLI:EU:C:2014:192, Telekabel/Wien) it can be required to take all reasonable measures to prevent infringements. Ziggo has not substantiated why the maximum number of 1000 letters per month (for all ISPs jointly) set by Brein exceeds reasonableness, all the more so now that Brein has stated, without being contradicted, that in the eleven months prior to this lawsuit it requested a total of 507 forwarded a warning letter to Ziggo. The following applies with regard to the duration of the period in which Brein wishes to have its warning letters forwarded. Brein states (and explained in more detail at the hearing) that the first period of the FLU process lasts six months, that the evaluation by Kantar will take place after that period and that Brein will only decide to take further steps after taking note of and considering the evaluation outcome. . The preliminary relief judge therefore understands the claim in such a way that it is limited to the period from the start of the FLU process to six months after the date of this judgment. Based on this, a conclusive judgment would mean that a warning letter would have to be sent not only to the holders of the already “captured” IP addresses, but also to the holders of the IP addresses still to be “captured” in those six months. Understood in this way, there is no question of such a long period that the balancing of interests referred to must be to Brein's disadvantage on that ground. What Ziggo has argued about the expectation that Brein will quickly proceed with enforcement and that it is not clear what exactly that enforcement will entail, does not carry any weight here. After all, Brein has argued (uncontested) that, after Ziggo has forwarded the warning letters to the IP holders, it will destroy the list of those addresses. In the event of any further actions to combat illegal downloading and uploading of protected content (i.e. after the aforementioned six-month period), it will again start "blank" by mapping the IP addresses that were used for any subsequent infringements. involved. The IP addresses currently in question therefore play no role in the possible measures to be taken by Brein (and the question whether this is permitted by law). All in all, as stated, the balancing of interests is in Brein's favour. Conclusion 3.42. This means that if Ziggo were to have a license from the AP, as referred to in Article 33(4)(c) of the UAVG, it would act unlawfully by not forwarding the warning letters. 3.43. Article 11.2a Tw does not prevent Ziggo from forwarding the warning letters. That article provides that the provider of an electronic communications network or service may not “intercept, eavesdrop or otherwise intercept or monitor” communications sent over that network or service. This is not the case here. Ziggo links the IP addresses collected by Brein to the name and address details known to it. Insofar as this would fall under the above enumeration, it also follows from paragraph 2 of that article that this is permitted if and insofar as these actions are necessary to ensure the integrity and security of the networks and services of the provider concerned. to be guaranteed (sub b) or necessary for the implementation of a legal regulation or court order (sub d). The latter exception in any case includes compliance with a judgment until the warning letters are forwarded. 3.44. Now that Brein's claim has been rejected, the preliminary relief judge is not able to assess Ziggo's objections against the wording of the claim and the amount of the penalty. The preliminary relief judge would be too far ahead of things if he were to judge this excessively. Process costs 3.45. Brein is proved wrong and therefore has to pay Ziggo's legal costs. Ziggo claims that Brein should be ordered to pay the reasonable and proportionate legal costs it has incurred on the basis of Article 1019h DCCP. Article 1019h DCCP does not apply here, however. This is not a matter between the holder of an intellectual property right on the one hand and the alleged infringer on the other as to whether there has been an (imminent) infringement. The infringement is not up for discussion here and insofar as it can arise, it is between Brein and Ziggo's customers, who can be linked to the IP addresses that come from the sample and/or their housemates. In this case the question is "only" whether the established infringement (in this case) compels a third party, Ziggo, to cooperate in the mailing desired by Brein (and whether its refusal to do so constitutes an unlawful act against Brein). The preliminary relief judge will therefore apply the liquidation rates. On the basis of this, Ziggo's legal costs are estimated at: - court fee € 676,00 - lawyer salary 1,016.00 Total €1,692.00 3.46. The additional costs claimed by Ziggo will be allocated in the manner stated in “the decision”. 4 The decision The preliminary relief judge 4.1. rejects the claims, 4.2. orders Brein to pay the costs of the proceedings, estimated on the part of Ziggo to date at € 1,692.00, 4.3. orders Brein to increase the costs incurred after this judgment, estimated at € 163.00 in lawyer's salary, on the condition that Brein has not complied with the judgment within 14 days of being notified and the judgment has subsequently been served, with an amount of € 85.00 in lawyer's salary and the writ costs of service of the decision, plus the statutory interest as referred to in art. 6:119 of the Dutch Civil Code on the subsequent costs from the fifteenth day after the service of this judgment until the day of full payment, 4.4. declares this cost order provisionally enforceable, 4.5. rejects the more or otherwise advanced. This judgment was rendered by preliminary relief judge mr. R.A. Steenbergen, assisted by registrar mr. M. Braam, and pronounced in public on 2 February 2022.1 1MB (4209)