Hidden Content
Since 2010, France has monitored and stored data on millions of internet users as part of anti-piracy scheme featuring warning letters, fines, and ISP disconnections. Europe's highest court will soon decide whether the program is permissible under EU law. Digital rights groups insist that as a general surveillance and data retention scheme, it violates fundamental rights.

When the French government formed a new anti-piracy agency called Hadopi, the mission was to significantly disrupt BitTorrent and similar peer-to-peer file-sharing networks.

Hadopi was a pioneer of the so-called “graduated response” scheme which consists of monitoring a file-sharer’s internet activities and following up with a warning notice to deter their behavior. Any future incidents attract escalating responses including fines and internet disconnections. Between 2010 and 2020, Hadopi issued 12.7 million warning notices at a cost to French taxpayers of 82 million euros.

The program’s effect on overall piracy rates remains up for debate but according to French internet rights groups, Hadopi doesn’t just take citizens’ money. When it monitors citizens’ internet activities, retains huge amounts of data, and then links identities to IP addresses to prevent behavior that isn’t a “serious crime,” Hadopi violates fundamental rights.

Protecting Rights
Despite its authorization under the new law, the official launch of the Hadopi agency in 2009 met with significant opposition. File-sharers had issues with the program for obvious reasons but for digital rights group La Quadrature du Net, massive internet surveillance to protect copying rights had arrived at the expense of citizens’ fundamental right to privacy.

La Quadrature’s opposition to the Hadopi anti-piracy program focuses on the law crafted to support it. One of the implementing decrees authorizes the creation of files containing internet users’ IP addresses plus personal identification data obtained from their internet service providers.

According to the digital rights group’s interpretation of EU law, that is unlawful.

Legal Challenge in France
With support from the Federation of Associative Internet Service Providers, French Data Network, and Franciliens.net, in 2019 La Quadrature filed an appeal before the Council of State (Conseil d’État), requesting a repeal of the decree that authorizes the processing of personal information.

The Council of State referred the matter to the Constitutional Council and its subsequent decision gave La Quadrature the impression that Hadopi’s position was untenable. For their part, Hadopi and the government reached the opposite conclusion.

Legal Challenge Reaches CJEU
The Council of State heard La Quadrature’s appeal and then referred questions to the Court of Justice of the European Union (CJEU) for interpretation under EU law.

EU member states cannot pass national laws that allow for the general and indiscriminate retention of traffic and location data. As a “preventative measure” on a targeted basis, retention of traffic and location data is permitted, but only when the purpose of retaining the data is to fight “serious crime.”

In CJEU Advocate General Szpunar’s non-binding opinion issued last October, friction between privacy rights and the ability to enforce copyrights were on full display.

Hadopi vs. Fundamental Rights
AG Szpunar described Hadopi’s access to personal data corresponding to an IP address as a “serious interference with fundamental rights.” These data points may not be sensitive in isolation but when combined, a person’s identity finds itself attached to the IP address and the content that was accessed behind it.

However, in common with criminal cases where retention is permitted when an IP address is the only means of investigation, the AG concluded that the same should apply in Hadopi’s case, “short of accepting general impunity for offenses committed exclusively online.”

Faced with an opinion that recognizes difficulties faced by rightsholders but runs up against case-law, AG Szpunar proposed “readjustment of the case-law of the Court.” This would ensure that rightsholders retain the ability to enforce their rights, when an IP address is the only means by which an infringer can be identified.

The first hearing in the case took place on Tuesday with another legal opinion expected late September 2023.

The CJEU is expected to hand down its ruling before the end of the year.