The Logistep ruling by the Federal Supreme Court was another subject which occupied us during the year under review. In particular, we highlighted how, in our view, private individuals can continue to process personal data with a view to tracking down cases of copyright infringement in a manner that complies with data protection rules even after the Supreme Court ruling.
In our 18th Annual Report 2010/2011, Section 1.3.5., we reported the ruling of the Federal Supreme Court in the case of Logistep (BGE 136 II 508). In the preamble to its decision, the Supreme Court expressed its unease with current legal regulations which it held to be clearly insufficient. In its 2010 Management Report (p.17), it also expressly called on the legislator «to take appropriate steps to guarantee copyright protection in the context of the new technologies.»
In the grounds for its decision, it seems to us that the Supreme Court reproaches Logistep, and consequently also its principal, for having taken advantage of the uncertainties created by the company itself in order to demand (excessive) civil damages; and for having done so before any copyright infringement had been certified by a criminal court in a manner commensurate with the requirements of the rule of law.
Based on the inquiries we conducted in 2008, the procedure adopted by other rightsholders in pursuing alleged copyright infringers differs from the Logistep case in this essential point. IFPI Switzerland (which is the umbrella organisation representing producers of phonograms and videograms) always waited for a definitive criminal conviction before suing copyright infringers for damages in a civil court. We informed IFPI Switzerland back in March 2008 that by proceeding in this manner, they had not, in our view, violated the Data Protection Act.
After the Logistep ruling, IFPI Switzerland and SAFE (the Swiss association for combating piracy) contacted us. Both associations assured us that they still proceed in the same manner as they described to us in the spring of 2008. We therefore informed them that we still believe that there is an overriding interest involved which would justify a violation of privacy rights as a result of the data processing, providing:
- that guarantees have been put in place to ensure that the collection and recording of data do not go beyond what is absolutely necessary in order to file a criminal complaint with the competent local authorities against the alleged copyright infringers;
- that it can be demonstrated that negotiations between the rightsholder and the alleged copyright infringers regarding claims for damages could only take place once the former had taken the initiative, or if an enforceable criminal conviction had been pronounced by the courts;
- that the rightsholders step up their efforts to ensure that the collection of personal data and the purpose of their processing is made as clear as possible to the persons concerned. For that to happen, they must ensure that on their websites they provide extremely clear and precise information in a place that is both easily accessible and easy to find, describing how they will proceed against suspected infringers (including the provision of detailed indications regarding the type and scope of the collected data). They must also make it clear that any claims for damages will be pursued only once there is an enforceable criminal conviction.
In addition, we have informed SAFE and IFPI that data files, which include highly sensitive data or personality profiles or personal data that are regularly processed or disclosed to third parties, have to be registered with us.
Under these conditions, we believe that copyright infringers on the Internet may continue to be prosecuted in a manner which respects data protection rules. However, as we do not have the legal powers to formally authorise data processing, a legally binding decision on data processing may only be pronounced by a competent court, as in the Logistep case.
A further point must be made in this context: if the criminal courts develop a body of case law according to which IP addresses which are collected by private individuals may not be admitted in criminal proceedings, we would have to revise our position. From a data protection perspective, the legal recording and disclosure of IP addresses by private individuals pursuing cases of copyright infringement would no longer be legally admissible. The collection of such data in these circumstances would be deemed inappropriate in view of the aim being pursued, and the processing of that data would therefore be disproportionate.