CE - N. 433539

Summary

France's Supreme Administrative Court ruled that ARCOM's copyright enforcement system violated EU law by accessing subscriber identity data linked to IP addresses without sufficient safeguards. The court found the decree unlawful because it failed to require judicial or independent administrative authorization before a third data access request, which could reveal sensitive aspects of individuals' private lives. The court ordered repeal of the offending provisions while permitting data access for initial warnings and serious copyright cases.

Full text

Help CE - N. 433539: Difference between revisions From GDPRhub Jump to:navigation, search VisualWikitext Revision as of 08:20, 12 May 2026 view sourceBms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators38 edits Tag: submission [1.0] Latest revision as of 08:03, 13 May 2026 view source Bms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators38 editsTag: Visual edit Line 70: Line 70: }}}} The Court held that ARCOM’s copyright enforcement system could not access subscriber identity data linked to IP addresses without stronger EU-law safeguards, especially before a third identification request.The Supreme Administrative Court held that the copyright enforcement system used by the French authority for freedom of communications is unlawful and ordered the repeal of some provisions connected to the access of identity data linked to IP addresses. == English Summary ==== English Summary == Line 79: Line 79: Under this system, the French authority could receive IP addresses linked to alleged copyright infringements and request the corresponding subscriber identity data from electronic communications operators. This data could then be used to send warnings to subscribers and, in repeated cases, refer the matter to the public prosecutor.Under this system, the French authority could receive IP addresses linked to alleged copyright infringements and request the corresponding subscriber identity data from electronic communications operators. This data could then be used to send warnings to subscribers and, in repeated cases, refer the matter to the public prosecutor. The applicants argued that the decree allowed the French authority to access personal data linked to IP addresses without sufficient safeguards under EU law. The court had previously referred questions to the CJEU, which ruled in Case C-470/21 that such access may be allowed, but only under strict conditions.The applicants argued that the decree allowed the French authority to access personal data linked to IP addresses without sufficient safeguards under EU law. The court had previously referred questions to the CJEU, which ruled in Case [[CJEU - C‑470/21 - La Quadrature du Net and Others (Personal data and action to combat counterfeiting)|C-470/21]] that such access may be allowed, but only under strict conditions. Following the CJEU judgment, the court reviewed whether the French decree complied with EU law.Following the CJEU judgment, the court reviewed whether the French decree complied with EU law. Line 90: Line 90: The court found that French law did not require electronic communications operators to retain subscriber identity data and IP-related data under these conditions. Therefore, the decree was unlawful insofar as it allowed the French authority to process data that had not necessarily been retained in compliance with EU-law safeguards.The court found that French law did not require electronic communications operators to retain subscriber identity data and IP-related data under these conditions. Therefore, the decree was unlawful insofar as it allowed the French authority to process data that had not necessarily been retained in compliance with EU-law safeguards. Second, the court held that the French authority may access subscriber identity data linked to IP addresses to identify persons suspected of online copyright infringements. However, where the French authority has already linked the same person’s identity data with information about allegedly unlawful online content twice, a third access may reveal sensitive aspects of that person’s private life.Second, the court held that the French authority may access subscriber identity data linked to IP addresses in order to identify persons suspected of online copyright infringements and send the first two warnings under the graduated response procedure. However, the court distinguished the third access to such data. At that stage, the authority is no longer dealing with an isolated identification request: it has already linked the same person’s identity twice with alleged unlawful online activity and with the protected works concerned. A third access therefore allows the authority to build a more detailed picture of the person’s conduct and may reveal sensitive aspects of their private life. It also marks a more serious procedural stage, since it may lead to a registered letter and ultimately to referral to the public prosecutor. For that reason, EU law requires prior authorisation by a court or an independent administrative body before this third access takes place. The decree did not provide for such prior review, so the court held that it was unlawful to that extent. For this third access, EU law requires prior authorisation by a court or an independent administrative body. The decree did not provide for such prior review. The court therefore held that the decree was unlawful to that extent.For this third access, EU law requires prior authorisation by a court or an independent administrative body. The decree did not provide for such prior review. The court therefore held that the decree was unlawful to that extent. The court annulled the Prime Minister’s refusal to repeal the unlawful parts of the decree and ordered their repeal. It also held that the French authority must stop applying the unlawful provisions. However, the French authority may still access identity data for the first and second warnings, and may request access in serious copyright offence cases under the conditions set out in the judgment. The court annulled the Prime Minister’s refusal to repeal the unlawful parts of the decree and ordered their repeal. It also held that the French authority must stop applying the unlawful provisions. However, the French authority may still access identity data for the first and second warnings, and may request access in serious copyright offence cases under the conditions set out in the judgment. == Comment ==== Comment == Latest revision as of 08:03, 13 May 2026 CE - N. 433539 Court: CE (France) Jurisdiction: France Relevant Law: Article 15 (1) CEHRDirective 2002/58/EC Decided: 30.04.2026 Published: Parties: La Quadrature du Net French Data Network Franciliens.net Prime Minister of France National Case Number/Name: N. 433539 European Case Law Identifier: ECLI:FR:CECHR:2026:433539.20260430 Appeal from: Appeal to: Unknown Original Language(s): French Original Source: Conseil d'Etat (in French) Initial Contributor: bms The Supreme Administrative Court held that the copyright enforcement system used by the French authority for freedom of communications is unlawful and ordered the repeal of some provisions connected to the access of identity data linked to IP addresses. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts Several digital rights organisations asked the Prime Minister to repeal Decree No. 2010-236 of 5 March 2010. The decree regulated an automated personal data processing system used by the French authority for freedom of communications (ARCOM, hereinafter the French authority) for France’s online copyright enforcement mechanism, known as the graduated response procedure. Under this system, the French authority could receive IP addresses linked to alleged copyright infringements and request the corresponding subscriber identity data from electronic communications operators. This data could then be used to send warnings to subscribers and, in repeated cases, refer the matter to the public prosecutor. The applicants argued that the decree allowed the French authority to access personal data linked to IP addresses without sufficient safeguards under EU law. The court had previously referred questions to the CJEU, which ruled in Case C-470/21 that such access may be allowed, but only under strict conditions. Following the CJEU judgment, the court revie

Entities