Recently Stichting Brein asked the court to order ING to provide the name and address details of authorized representatives on a certain account number held with ING. Brain has become familiar with the account number because it is referred to on a website of FTD World, the alleged infringing party. For a full explanation of the facts complex, I would like to refer to a previous contribution from my former colleague Caroline de Vries.
According to the court, Brein’s claim can be awarded if it is sufficiently plausible that ING acts unlawfully in relation to Brein. In answering this question, according to the court, it comes down to a weighing of mutual interests. ING must attract the privacy interests of its customers. Brein’s interest lies in the fact that it must act against copyright infringements on behalf of its rightful claimants, according to the court.
No obligation to provide
In my contribution “The collision between IP and privacy rights. The end of the Lycos / Pessers era “in the magazine Information & Privacy, I have already argued that a judge in a case like the present – where NAW data at a third party are claimed by a copyright owner – should not at all come to a weighing of interests. According to European privacy legislation, a specific legal regulation is required for the payment of a request as in the present case, which is currently lacking in Dutch legislation. For that reason alone, the judge should have rejected Brein’s claim.
Purpose limiting principle from the Wbp
In addition, the judge, like the parties involved, seems to have incorrectly applied the relevant privacy legislation – in particular the Personal Data Protection Act (hereinafter referred to as “Wpb”) when weighing mutual interests. To illustrate this point of view the following.
The Wbp guarantees the right to respect for the right to the protection of privacy, in particular with regard to the automated processing of personal data. Article 7 of the Wbp stipulates that personal data of individuals may only be collected for specified, explicit and legitimate purposes. These purposes must determine what personal data is collected, how they may be used and to whom they may be provided. For legitimate processing of personal data, they must also have been communicated in advance to the persons concerned.
The purpose limitation principle (Article 9 Wbp) requires that a Responsible Party, in this case ING, is not allowed to process personal data in a way that is incompatible with the purposes for which they were obtained. Personal data are usually provided to the bank by private individuals for the purpose of opening an account and / or taking out other financial services and not with the aim of enabling a bank to provide this personal data to (third party) copyright holders.
Another purpose for which, according to the privacy statement it uses, ING collects personal data in order to meet legal obligations. Every legal requirement falls under a legal obligation. Both a law in formal and a law in the material sense is included below. But also directly applicable treaty provisions.
A provision on the basis of which a bank can be held to provide to a copyright owner name and address data of potentially infringing trading customers is lacking in this country. Brain could therefore not successfully argue that ING is free to provide the personal data of the infringers to it on the basis of this purpose. The other purposes included in the privacy statement used by ING do not provide any justification for granting the claim submitted by Brein.
There is therefore no need to add further that the payment of ING’s request by Brein will inevitably result in ING processing personal data in a way that is incompatible with the purposes for which ING has collected them. In that case ING would inevitably act contrary to the purpose limitation principle.
Nuance between article 8 and 43 Wbp
The foregoing does not detract from the fact that the judge – with parties – assumes that the purpose limitation principle can be set aside by invoking Article 8 (f) of the Wbp. This is wrong.
Article 8 of the Wbp exclusively and restrictively reinforces the grounds for justification on the basis of which a Controller may collect personal data for purposes previously determined by him and may further process them. As stated above, the provision of personal data to a third-party copyright owner is not such a predetermined purpose and communicated to the account holder. A violation of the purpose-limiting principle of Article 9 of the Wbp can therefore not be justified with a decision