As has been widely discussed in the Danish tech media, in 2016 several law firms, including OPUS og Njord, have sent out letters to potential violators of their clients’ copyrights. This is done by monitoring the most popular peer-to-peer network, logging the IP addresses that are sharing the works in question and then contacting the person behind the IP address with assistance from the service provider.
In this connection, under Danish law but probably also in other jurisdictions, two issues can be addressed. Firstly; are private individuals allowed to monitor networks, log other individuals’ IP addresses and approach them unsolicited? Secondly; is the service provider obliged to assist the copyrights owner by handing out the name and address of the person behind the IP address?
The second issue was addressed by the Court in Frederiksberg with an affirmative ruling on 13 July 2015, but the first issue is a part of a legal discussion that has not been given much attention.
The main question is whether the Danish Act on Processing of Personal Data even applies. This would be the case, if the data controller is established in Denmark.
The data controller is the one that decides the purpose of the processing of the information – in this situation, the collection of the IP addresses. In this connection, it is not important who is collecting the information as long as the IP addresses are collected on behalf of the data controller.
Consequently, the key issue is if the copyrights owner is established in Denmark, i.e. if they have a permanent establishment in the form of a subsidiary company/branch office in Denmark. If such a company exists and if this company is in charge of the legal proceedings and using the IP addresses for this purpose, then the Danish Act on Processing of Personal Data applies to the collection of the IP addresses.
According to Danish law, an IP address is personal data, i.e. that the collection of such data must have a legal basis. According to a recent ruling by the European Court of Justice, also dynamic IP addresses are personal data even if it requires extra work to find the individual behind.
When an IP address is linked to a potential infringement of copyrights, semi sensitive data regarding crimes is being processed.
According to Danish law, it is allowed to process semi sensitive data with the purpose of pursuing a legal entitlement which is the case here. But it is not sufficient to have legal basis for the processing – companies that are processing semi sensitive data must also have an authorisation from the Danish Data Protection Agency before prior to such processing. Previously, AntiPiratGruppen, an organisation form by a number of Danish right holders organisations, has been given authorisation in a similar matter with a number of conditions imposed.
Provided that the copyrights owners or their representatives have not been authorised prior to such collection of IP addresses, the collection is most likely not compliant with the Danish Act on Processing of Personal Data.
The Danish Data Protection Agency has not had the opportunity to decide on the matter yet, but has been made aware of the issue.
(I would like to thank associate Kamilla Pierdola Mondrup and junior associate Mathias Bartholdy for assisting with this blog entry.)