A French music collecting society did not breach data protection rules when it collected the internet protocol (IP) address of an internet user, according to the Paris Appeal Court. The IP address on its own did not count as personal data, the court said.
The question of whether and when IP addresses, which are assigned to devices when they connect to the internet, are personal data is a controversial one because European data protection laws control what can and cannot be done with personal data.
The Paris court has said that the IP address on its own could not identify an individual, and therefore that finding and using an internet user's IP address cannot breach data protection controls on the processing of personal data.
The Society of Composers, Authors and Music Publishers (SACEM), an agency that collects revenues on behalf of artists, conducted some anti-piracy investigations and located an internet user who was sharing music without permission on a peer to peer (P2P) network.
The SACEM agent was investigating P2P networks and tracked down some users of file-sharing network Limewire who were sharing music by Eminem. The agent noted the IP address of one and checked which internet service provider (ISP) provided that connection.
He sent that information to the police, who were able to order the ISP to identify the subscriber using the IP address at that time. It was found that a laptop belonging to the boyfriend of the subscriber had made the files available and had downloaded music.
That man, identified by the Court as Cyril S, said he was not aware the downloading was illegal.
Agents of bodies such as SACEM are allowed under French data protection law to process personal information, but only when that activity has been authorised beforehand by the National Commission for Information Technologies and Civil Liberties (CNIL).
That authorisation had not been received in this case, but the Paris court has said that the information he used was not personal data.
"He merely noted the IP address in order to locate the [infringer's] ISP … [which] does not constitute automatic processing of personal data relating these offenses," said the ruling, in an automated translation.
The Court said that the SACEM agent was "perfectly entitled" to behave as he did.
The Court ruling said that only the complaint to the police and the subsequent investigations and co-operation of the ISP identified the man behind the copyright violations, not the IP address in itself. In fact the owner of the IP address was the man's girlfriend, someone else entirely, it said.