11 March 2021

fingerprint with digital numbers in the background

Article Series "Online Enforcement" (No. 7)

Swiss law has recently been revised in two respects. Both changes relate to data protection and have a direct impact on the prosecution of online infringements.

First, since 1 April 2020, IP addresses may (again) be processed for anti-piracy purposes. Secondly, as of 1 January 2021, no personal data is published any longer in the WHOIS with regard to .ch domain names. This article discusses the first change. The second change will be discussed in part 2.

Part 1: Stronger Anti-Piracy Means in Copyright Law at the Cost of Data Protection

Swiss copyright law legalizes the documentation of IP addresses of copyright infringers, giving rights owners stronger means to fight piracy. However, the new art. 77i CopA already lags behind today's (streaming) reality.

What It's All About

When prosecuting copyright infringements online, rights owners often face the difficulty that they detect an infringement, but cannot find out the infringer's identity. Often, the websites with the copyright-infringing material do not have an imprint (allowing for the identification and warning of the person responsible for the content) or warnings are simply ignored.

Similar difficulties arise where infringements do not take place via a website, but instead so-called peer-to-peer (P2P) networks (private computers networked directly with each other using specific software) are used to exchange content in a way that infringes copyright.

In these cases, the only way for rights owners to identify and prosecute the responsible parties is through criminal law.

The starting point for such identification is the internet protocol address (IP address). This address is assigned to devices connected to the internet, making them addressable and thus accessible. Static IP addresses are permanently assigned to a computer or server of a website, and as such are comparable to a person's fixed phone number or postal address. Dynamic IP addresses, on the other hand, can change constantly. A router that connects to the internet is assigned an IP address that is not used for any other purpose at that time. If a new connection is made later, it may (under certain circumstances) be assigned a different (at that point available) IP address. Internet service providers (ISPs) are required by law to log the assignment of IP addresses to their customers, which makes it possible to determine to whom an IP address was assigned at any particular time.

Because an ISP generally assigns a dynamic IP address to a private internet user, and this address changes regularly, law enforcement authorities do not only require the IP address associated with the infringement, but also information about the date and time of the infringement in order to identify the respective subscriber (and ultimately to prosecute a specific copyright infringement).

Therefore, for effective enforcement, rights owners must not only identify the infringed work, but also document the date and time of the infringement and the respective IP address.

However, this documentation has recently been fraught with uncertainties, and the legal instruments for fighting piracy contained in Swiss copyright law have been insufficient.

The "Logistep" Judgment of the Swiss Federal Supreme Court and the Concerns of the U.S. Trade Representative

According to Swiss Federal Supreme Court's judgment of 8 September 2010 (BGE 136 II 508 ff. [524], cons. 6.3.3, "Logistep"), the documentation of IP addresses by rights owners was until recently not compliant with the Swiss Federal Data Protection Act (DPA), and thus unlawful. As a consequence, the information obtained on the basis of this unlawful data processing could not be used in criminal proceedings. In the Logistep judgment, the Swiss Federal Supreme Court stated that the only way of bringing copyright law in line with new technologies would be by legislation, and not by case law.

With Article 77i of the Swiss Federal Copyright Act (CopA), the Swiss legislator has now created an explicit legal basis for the aforementioned data processing.

With the implemented measures to fight piracy, the Swiss legislator also addresses concerns expressed by the US Trade Representative in the Special-301-Report of 2016. This annual report on the worldwide protection of intellectual property rights contains, among other things, a so-called watch list which lists countries that, according to the USA, show deficiencies in the protection of intellectual property rights. At the request of the US copyright industry, Switzerland (in the context of online piracy mentioned in the same breath as China, Russia, Ukraine, India, Brazil and Canada) was placed on this watch list for the first time in 2016 and remained there until April 2020. Although this did not have any immediate legal, political or economic consequences, it certainly put a strain on bilateral relations between Switzerland and the USA. Switzerland has now been removed from said watch list in the latest Special-301-Report of 2020.

The New Legal Basis

With the new Article 77i CopA, the Swiss legislator provides a legal basis for the processing of personal data of copyright infringers. It reads as follows:

  1. The rights owners whose copyright or related rights are infringed may process personal data insofar as this is necessary for the purpose of filing a criminal complaint or reporting a criminal offence and they may lawfully access the data. They are also permitted to use this data for asserting civil claims to be joined to the criminal proceedings, or for asserting claims after the conclusion of criminal proceedings.
  2. They must disclose the purpose of the data processing, the type of data processed and the scope of the data processing.
  3. They may not link the personal data under paragraph 1 with data collected for other purposes.

Processing of Personal Data

Personal data pursuant to art. 77i para. 1 CopA is all information that relates to an identified or identifiable person (art. 3 letter a DPA). Insofar as IP addresses can be unambiguously assigned to a computer and thus allow for the identification of a specific user or a group of users, they are generally considered personal data.

The term "processing" is to be understood in the sense of art. 3 letter e DPA. It covers any handling of personal data, such as collection, storage, use, archiving or disclosure.

Personal Data May Still Be Processed for Other Purposes and for the Prosecution of Other Rights Infringements

Article 77i is a specific provision for the processing of personal data by rights owners "for the purpose of filing a criminal complaint or reporting a criminal offence in the event of infringement of copyrights and related rights". If the requirements of this provision are met, the violation of personal rights associated with the corresponding data processing is "justified by law" pursuant to art. 13 para. 1 DPA – there is therefore no need for weighing the interests at stake as provided for in art. 13 para. 2 DPA.

Conversely, this does not mean that processing of personal data for other purposes and for the prosecution of other rights infringements is thereby excluded – this (other) processing is simply governed exclusively by the DPA.

Lawful Data Collection

According to art. 77i para. 1 CopA, rights owners may only process personal data which they may "lawfully access".

This is not to be considered a reference back to processing of personal data under the DPA. Rather, it means that the personal data may not be collected through a violation of provisions of Swiss law (outside the DPA) that directly or indirectly aim at the protection of personality (such as hacking pursuant to art. 143bis Swiss Criminal Code [CC]).

Rights Owners

According to the wording of art. 77i para. 1 CopA, only "rights owners whose copyrights or related rights are infringed" may invoke this provision.

However, beyond this wording, a rights owner may delegate the processing to a third party processor (art. 10a DPA). Further, according to teleological interpretation (the purpose of the law is to effectively fight piracy), it must also be possible for legal representatives of rights owners – who are themselves (joint) data controllers in the sense of data protection law – to process personal data of copyright infringers.

Disclosure Obligation

According to art. 77i para. 2 CopA, the rights owners must "disclose the purpose of the data processing, the type of data processed and the scope of the data processing".

For the data subject, each type of data collection and further data processing must be evident. This means that data subjects expect data collection under the circumstances or that they are informed or educated accordingly.

According to Swiss Federal Council's Dispatch of 22 November 2017 on the amendment of the CopA and on the approval of two WIPO agreements and their implementation (German; English version not available; hereinafter "Dispatch CopA 2017"; p. 651), disclosure on the website of the data processor (namely as part of the privacy policy) should be sufficient. Whether the pirates will ever see this information (which the purpose of art. 77i para. 2 CopA would actually require) may be doubted.

Under the revised DPA (which is scheduled to enter into force in 2022), data controllers are subject to a more extensive obligation to provide information when collecting personal data (art. 19 revDPA). However, based on art. 19 para. 1 letter b revDPA, this information obligation does not apply in the case of processing of personal data processing pursuant to art. 77i CopA. Even in the case where personal data is being processed in the area of fighting piracy, but outside of art. 77i CopA, one could still argue that the information would defeat the purpose of the processing, and that therefore, there is no obligation to inform under art. 19 revDPA (art. 19 para. 3 letter b revDPA).

Principle of Proportionality

According to art. 77i para. 1 CopA, the processing of personal data must be "necessary for the purpose of filing a criminal complaint or reporting a criminal offence".

According to the Dispatch CopA 2017, rights owners may thus only process data "which they actually need and which is in reasonable proportion with regard to the purpose of the processing and the violation of personal rights".

First of all, it should be noted that this provision applies exclusively to the processing of personal data to be used in criminal proceedings. The processing of personal data outside of this purpose is governed by the DPA.

For instance, rights owners may collect IP addresses from P2P networks in order to document the copyright infringements committed and subsequently provide this data to the prosecution authorities.

Which data processing is still "necessary" in this sense (and which is not) will have to be seen in practice – it will ultimately be up to the prosecuting authorities/courts to carefully weigh the conflicting interests and decide on the proportionality (and thus on the utilization of the collected data in criminal proceedings). However, it seems clear that it should not matter whether or not the criminal authorities ultimately rely on the personal data in question in the course of their investigative activities. It also seems clear that the rights owners must limit their processing of personal data as far as possible to the alleged perpetrators.

Prohibition of Linking with Other Data

Art. 77i para. 3 CopA enshrines the principle of purpose limitation. Accordingly, right holders may not link the processed personal data with data collected for other purposes.

If a rights owner also collects data in the same context, but not with regard to criminal proceedings and associated civil claims, he must keep this data separate from the personal data processed under art. 77i CopA.

No basis for Processing Personal Data for Civil Law Purposes

The controversial processing of personal data by rights owners for purely civil law purposes was not included in the revised CopA. In this context, it would have been possible for rights owners to use personal data collected by them outside of criminal proceedings to identify persons through whose connection serious copyright infringements were committed. The utilization in the context of criminal proceedings is thus a prerequisite.

The background to this is that an additional or even pure civil law solution would require a breach of secrecy of telecommunications in order to enforce civil claims. Under current law, however, secrecy of telecommunications can only be breached to enforce claims under criminal law.

However, the use of processed personal data for the assertion of civil claims to be joined to the criminal proceedings, or for their assertion after the conclusion of criminal proceedings, is expressly permitted. The prerequisite is therefore always a relation to criminal proceedings, i.e. a tort law basis for the civil claim.

Problem (Only) Partially Solved

Art. 77i CopA provides additional leeway for the covert collection of personal data for anti-piracy purposes in the area of copyright law – however, only in connection with criminal proceedings.

When creating Art. 77i CopA, the legislator primarily had the "Logistep" judgment in the forefront of their minds, and thus the fight against copyright infringements in P2P networks.

However, the "Logistep" use case no longer corresponds to today's reality: even though P2P networks still exist, the distribution of illegal content nowadays takes place much more frequently via streaming servers and sharehosters.

In P2P networks, individual participants can be identified (via their IP addresses) and held responsible for copyright infringements. Conversely, when streaming or downloading via a one-click hoster, the users can largely hide behind the streaming servers or share hosters that hoard the IP addresses of the users. These servers/hosters are regularly far away from the Swiss jurisdiction and the respective providers have no interest in storing the IP addresses longer than necessary.

Nevertheless, there are other cases in which processing of personal data can be based on art. 77i CopA – for example, data processing in the context of fighting piracy by a private provider of digital forensics or by an industry association.

However, it is also a fact that it is becoming increasingly difficult for rights owners to identify infringers – not least as a result of the recent amendment to the law concerning the non-publication of personal data in the WHOIS (see Part 2 of this article – will follow).

Further Information:

Our series "Online enforcement" deals with particularities in the enforcement of rights on the Internet.

Other articles in this series:

Categories: Intellectual Property

You are currently offline. Some pages or content may fail to load.