The Dutch Protection Rights Entertainment Industry Netherlands, known as Brein, represents 52 media and entertainment companies and was investigating 42 people suspected of swapping song files. In order to obtain their IP addresses it hired a US company, MediaSentry.
MediaSentry spots piracy by scanning P2P networks for data that suggests infringing activity. It sent a collection of IP addresses of suspected infringers to Brein which then asked five ISPs – UPC, Essent, Tiscali, Wanadoo and KPN – for the identities of the file-swappers. But the ISPs refused to reveal the names.
Brein took its case to the civil court in Utrecht.
The judge, who acknowledged that he had the power to demand that the data be handed over by the ISPs, denied the request. His reasoning centred on the fact that Brein had used a US intermediary to collect the IP addresses.
The EU has a strict regime of data protection that is not shared by the US. But to facilitate flows of personal data between EU countries and the US, companies can sign up to a so-called "Safe Harbor" framework. The framework is voluntary but by certifying to the Safe Harbor, US companies will given an assurance of "adequate" privacy protection.
The Dutch court was critical of the fact that Brein had employed MediaSentry to find the IP addresses of the suspected file-sharers. It noted that MediaSentry had not signed up to the Safe Harbor framework. The judge said that "privacy is insufficiently protected in the United States".
Also, in looking for the IP addresses, MediaSentry's software scans all the content of the shared folder on the suspect's hard disk. In that process, the judge observed, "it may have accessed private files."
Since neither Brein nor MediaSentry could prove that no private files had been accessed during the trawl of shared files, the case was dismissed.
Brein has advised that it will appeal.
