Held, (1) In order for there to be an “act of communication” within the meaning of article 3(1) of Parliament and Council Directive 2001/29, and consequently, an act of “making available”, it was sufficient that a work was made available to a public in such a way that the persons comprising that public could access it, from wherever and whenever they individually chose, irrespective of whether or not they availed themselves of that opportunity. Where any user of the peer-to-peer network, who had not deactivated the upload function of the BitTorrent client sharing software, uploaded onto that network the pieces of media files previously downloaded onto his or her computer, they had to be regarded as acting in full knowledge of their conduct and of the consequences which it might have. Once it was established that they had actively subscribed to such software, the deliberate nature of their conduct was in no way negated by the fact that the uploading was automatically generated by that software. It was common ground that such a network was used by a considerable number of persons and those users could access, at any time and simultaneously, the protected works which were shared by means of the platform. Consequently, that making available was aimed at an indeterminate number of potential recipients and involved a fairly large number of persons. In any event, even if it were found that a work had been previously posted on a website, without any restriction preventing it from being downloaded and with the consent of the rightholder of any copyright or related rights, the fact that, through a peer-to-peer network, users downloaded parts of the file containing that work on a private server, followed by those pieces being made available by means of uploading those pieces into the same network, meant that those users had played a decisive role in making that work available to a public which was not taken into account by the rightholder of any copyright or related rights in that work when he or she authorised the initial communication. Accordingly, article 3(1) and (2) of Directive 2001/29/EC meant that the uploading, from the terminal equipment of a user of a peer-to-peer network to such equipment of other users of that network, of pieces, previously downloaded by that user, of a media file containing a protected work, even though those pieces were usable in themselves only as from a certain download rate, constituted “making available to the public”. It was irrelevant that, due to the configurations of the BitTorrent client sharing software, that uploading was automatically generated by it, when the user, from whose terminal equipment that uploading took place, had subscribed to that software by giving consent to its application after having been duly informed of its characteristics (judgment, paras 47, 49, 52, 54–55, 57, 59, operative part, para 1).

(2) If a holder of intellectual property rights chose to outsource the recovery of damages to a specialised undertaking by assigning claims or another legal act, he or she should not suffer less favourable treatment than another owner of such rights who would choose to assert those rights personally. Seeking an amicable solution was often a prerequisite for bringing an action for damages in the strict sense. Consequently, it could not be considered that, in the context of the system for the protection of intellectual property established by Parliament and Council Directive 2004/48/EC, that practice was prohibited. Article 8(1) of Directive 2004/48 applied to a situation in which, after the definitive termination of proceedings in which it was held that an intellectual property right was infringed, an applicant in separate proceedings sought information on the origin and distribution networks of the goods or services by which that intellectual property right was infringed. It was appropriate to apply the same reasoning in relation to a separate procedure preceding an action for damages in which, under article 8(1)(c) of Directive 2004/48, an applicant requested an internet service provider, which had been found to be providing, on a commercial scale, services used in infringing activities, the information enabling its customers to be identified with a view, specifically, to being able usefully to bring legal proceedings against the alleged infringers. A request for information made during a pre-litigation stage could not, for that reason alone, be regarded as inadmissible. In the context of a request for information under article 8(1) of Directive 2004/48, which had to be justified and proportionate, the condition that the infringements had to be committed in a commercial context could be satisfied where a person other than the alleged infringer “was found to be providing on a commercial scale services used in infringing activities”. Accordingly, Directive 2004/48/EC meant that a person who was the contractual holder of certain intellectual property rights, who did not use them himself or herself, but merely claimed damages for alleged infringers, could benefit, in principle, from the measures, procedures and remedies provided for in Chapter II of the Directive, unless it was established, in accordance with the general obligation laid down in article 3(2) and on the basis of an overall and detailed assessment, that the request was abusive. In particular, a request for information based on article 8, had also be rejected if it was unjustified or disproportionate, which was for the referring court to determine (judgment, para 77, 80, 81, 84, 90, 93, 96, operative part, para 2).

(3) Article 6(1)(f) of Parliament and Council Regulation (EU) 2016/679 laid down three cumulative conditions to ensure that the processing of personal data was lawful: (i) the pursuit of a legitimate interest by the data controller or a third party; (ii) the need to process personal data for the purposes of the legitimate interests pursued; and (iii) that the interests or freedoms and fundamental rights of the person concerned by the data protection did not take precedence. The interest of the controller or a third party in obtaining the personal information of a person who allegedly damaged their property to sue that person for damages could qualify as a legitimate interest. The recovery of claims by an assignee might constitute a legitimate interest justifying the processing of personal data in accordance with the first sub-paragraph of article 6(1)(f) of the Regulation. Moreover, in so far as the facts seemed to fall within both the scope of the Regulation and Parliament and Council Directive 2002/58/EC, the IP addresses processed constituted both personal data and traffic data and it had be ascertained whether the assessment of the lawfulness of such processing had to take account of the conditions laid down in that Directive. Under article 5(1) of the Directive, member states had to prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so in accordance with article 15(1). Furthermore, under article 6(1), traffic data relating to subscribers and users processed and stored by the provider of a public communications network or publicly available electronic communications service must be erased or made anonymous when it was no longer needed for the purpose of the transmission of a communication without prejudice, in particular, to article 15(1). In order for processing, such as the registration of IP addresses of persons whose internet connections had been used to upload pieces of files containing protected works on peer-to-peer networks, for the purposes of filing a request for disclosure of the names and postal addresses of the holders of those IP addresses, could be regarded as lawful by satisfying the conditions laid down by the Regulation, it was necessary, in particular, to ascertain whether that processing satisfied the provisions of Directive 2002/58/EC, which embodied, for users of electronic communications, the fundamental rights to respect for private life and the protection of personal data. Data relating to the civil identity of users of electronic communications systems did not normally, in themselves, make it possible to ascertain the date, time, duration and recipients of the communications made, or the locations where those communications took place or their frequency with specific people during a given period, with the result that they did not provide, apart from the contact details of those users, such as their civil status, addresses, any information on the communications sent and, consequently, on the users’ private lives. Thus, the interference entailed by a measure relating to those data could not, in principle, be classified as serious. Consequently, such a request concerned the processing of traffic data, which formed part of the fundamental right of every person to have his or her personal data protected. An internet service provider could be obliged to make a communication only on the basis of a measure, referred to in article 15(1) of the Directive, which limited the scope of the rights and obligations laid down, inter alia, in articles 5 and 6 thereof. Accordingly, article 6(1)(f) of the Regulation, read in conjunction with article 15(1) of the Directive, did not preclude the systematic recording by the holder of intellectual property rights as well as by a third party on his or her behalf, of IP addresses of users of peer-to-peer networks whose internet connections had allegedly been used in infringing activities, nor the communication of the names and of the postal addresses of those users to that rightholder or to a third party in order to enable it to bring a claim for damages before a civil court for prejudice allegedly caused by those users, provided that the initiatives and requests to that effect of that rightholder or of such a third party were justified, proportionate and not abusive and had their legal basis in a national legislative measure, which limited the scope of the rules laid down in articles 5 and 6 (judgment, paras 106, 108, 109, 113, 115, 118, 121, 123, 127, 132, operative part, para 3).