The facts underlying the dispute
The action was initiated by Dish Network, a US pay-TV provider, which holds the exclusive rights for the broadcasting and public exhibition in the United States of copyright-protected television programmes through means including satellite, OTT, IPTV and the Internet. The rights holder discovered that two IPTV were transmitting its own content without permission, through IP addresses owned by the provider WorldStream, which provides hosting services.
The rights holder sent the provider a series of cease and desist letters requesting the disabling of access to IP addresses linked to the illicit IPTV. WordStream provided the blocking as requested.
However, the dispute arose when the rights holder requested the provider to disclose information that would have enabled the identification of the users connected to the blocked IP addresses. In this regard, WorldStream stated that it could provide such information only upon a full discharge for any liability under GDPR granted by Dish Network. Not satisfied with WordStream’s proposal, Dish Network therefore sued this provider to be ordered to release the following information:
(A) Name and address of the users, including their e-mail address and, in the case of legal entities, their registration number in the business register of their home State;
(B) users’ phone numbers, date of birth and WorldStream user ID and, in the case of legal entities, all this information for their legal representative; and
(C) payment information, users’ traffic data, correspondence with WorldServe, other user IP addresses, as well as a range of additional information.

The decision of the District Court
The request of Dish Network was based on a general provision to access evidences, Article 843a of the Dutch Code of Civil Procedure – DCCP, in combination with Article 1019a DCCP, which implements Article 6 of the Enforcement Directive, according to which any person has the right to request evidence from his counterparty if he has a legitimate interest in obtaining it. The request concerns specifically identified evidences that are in the possession of the other party and relate to a legal relationship to which the claimant is a party.
The District Court found that, in the present case, Dish Network had a legitimate interest in obtaining the information and that it sufficiently demonstrated that its intellectual property rights were actually infringed by WorldStream’s customers to ensure its disclosure.
However, the District Court limited disclosure only to names, addresses, e-mail addresses and, in the case of legal persons, registration numbers (point A of Dish Network requests), while it rejected the request for disclosure of further information such as telephone numbers, dates of birth, payment information and other data. According to the Court, those additional data had not been sufficiently identified and, in any event, in application of the proportionality test, the information relating to names, addresses and e-mail addresses had been deemed sufficient to identify the users who had committed the infringement of the applicant’s rights. In view of the limited scope of the order, the District Court also found that WorldStream’s compliance did not constitute an excessive burden.
In relation to the question of the admissibility of the disclosure order under GDPR, the District Court stated that Article 6(1)(f) of GDPR allows the processing of personal data where this is “necessary for the purposes of the legitimate interests pursued … by a third party”. In the present case, the processing of personal data was considered necessary because Dish Network would have had no other means of tracing users and asserting its rights, thus considering the applicant’s interest in protecting its copyright prevailing over users’ privacy rights.

This decision is of particular interest because it is closely related to the case currently pending before the Court of Justice of the European Union (CJEU) in case C-264/19 Constantin Film Verleih [https://www.lexology.com/library/detail.aspx?g=5f7486e7-e73e-4cdc-81af-0a0e65de8cbe]. In the judgment before the CJEU, according to the Opinion of 2 April 2020 of Advocate General Saugmandsgaard Øe, the order of disclosure of data must not include e-mail addresses or telephone numbers, as the terms “names and addresses” in Article 8(2)(a) of the Enforcement Directive should be interpreted very narrowly. The decision of The Hague District Court, however, was based not only on the interpretation of Article 8 of the Directive but, as has been seen, on general national rules on access to evidence, which give the right holder the power to receive more complete information. This, moreover, in full compliance with the Enforcement Directive, which leaves open the possibility for Member States to provide rightholders with means of collecting more extensive information.
However, it is interesting to highlight the balance of rights made by the District Court, which considered necessary the access to data by the owner of the rights for a full protection of the same rights, that prevail over the right to privacy of users (only applicable to users who are natural persons and not also to legal persons, for whom it is not possible to speak about personal data).
The Dutch decision is similar in some aspects to the Milan and Roman decisions issued in 2019 [https://www.lexology.com/library/detail.aspx?g=5f7486e7-e73e-4cdc-81af-0a0e65de8cbe], which however appear – correctly – to be even more far-reaching. The decisions at issue have ordered some hosting providers to provide the rights holder with all the information relating to users and useful for their identification, such as name, surname, date of birth, place of birth and address, tax code, or name and registered office and identification number for tax purposes or registration in the business register, or similar, in the case of a legal person. This is allowed pursuant to articles 156bis and 156ter of Law no. 633/1941, which expressly provide for the right holder to request a discovery order for the counterfeiters’ data. Moreover, it should be noted that in many cases some of the data used by counterfeiters when using the hosting services are false and completely unsuitable for the actual identification of the counterfeiters themselves (such as name, surname, email address). Frequently, payment data are also of little use, since counterfeiters use anonymisation services. Consequently, it seems only fair that the infringing right holders should be able to access all the information available to the provider, and that the provider should provide maximum cooperation for identification, and that in the absence of such good faith behaviour an independent and direct liability can be incurred.

Margherita Stucchi