4 June 2020

Hague District Court orders release of ISP user data

On May 6th, the Hague District Court handed down judgment in the case of Dish Network LLC v Worldstream BV (C/09/586304), regarding the type of information that can be requested under Directive 2004/48/EC (the Enforcement Directive) and the compatibility of such requests under the General Data Protection Regulation (GDPR).

Notably, the District Court’s ruling is interesting given the opinion of AG Saugmandsgaard Øe (recently covered here) in the much anticipated case of Constantin Film Verleih v Youtube LLC and Google Inc, currently being considered by the Court of Justice of the European Union. In his opinion, the AG found that ‘names and addresses’ in Art.8(2)(a) of the Enforcement Directive is exclusive of email addresses or phone numbers. However, in the present case, the District Court ordered Worldstream to disclose infringing users’ email addresses.


Dish Network (Dish), an American pay-TV services provider, holds the exclusive rights to broadcast in the United States copyright-protected television programmes by satellite, OTT, IPTV and the Internet. Dish discovered that users of Worldstream, which provides hosting services, were illegally streaming services which infringed the copyright which Dish held or licensed. Dish sent a series of cease and desist letters to Worldstream, requesting that the infringing IP addresses be disabled, and Worldstream blocked those addresses as requested.

However, an issue arose when Dish requested from Worldstream information in order to identify to users responsible for the infringing IP addresses. While Worldstream was willing to provide the requested information, it would only do so if Dish indemnified it for any resultant liability under the GDPR. Dish refused to do so, and initiated proceedings against Worldstream.  A similar issue  to the Constantin case, where film producer Constantin wants information regarding the uploaders of infringing content to Youtube. However, Constantin only requested from Youtube the relevant users’ email addresses, phone numbers and IP addresses, while Dish sought considerably more information.

Dish, already in possession of the infringing users’ IP addresses, requested from Worldstream the following user information:

  • Names, addresses and email addresses of the users, and where the user was a legal person, company registration numbers in their home corporate registry;
  • Dates of birth, phone numbers and Worldstream user IDs, and where a legal person, their legal representative’s information; and
  • User traffic data, correspondence, and payment information with Worldstream, any other IP addresses used, and certain further information.

One other difference is that Constantin is European whilst Dish is an American entity, and so questions on GDPR provisions relating to data transfers to third countries were also taken into consideration by the District Court.

Basis for requested information

Dish based their claim on a provision regarding a general access to evidence, in combination with Art. 6 of the Enforcement Directive, while Constantin’s claim was found in Art. 8 of the Enforcement Directive. Under Art. 6, any person has a right to request evidence from a counterparty if it has a legitimate interest in obtaining it, provided the request concerns specifically identified evidence which is in the other party’s possession, and which relates to a legal relationship to which the claimant is a party. This distinction is critical, as the District Court was not required to interpret ‘names and addresses’ as set out in Art. 8.

The Decision

In the District Court’s decision, it was found that Dish satisfied the Art. 6 conditions, as Worldstream users had violated their IP rights, and it had a legitimate interest in procuring the information sought, albeit only a portion of the information requested. The District Court limited disclosure only to names, addresses, email addresses and, in the case of legal persons, registration numbers. However, it rejected the further disclosure requested. It based this decision on two reasons.

First, it was determined that the additional information requested had not been sufficiently identified. This conclusion appears odd, as certain data requested was highly specified, such as correspondence between Worldstream and the infringing users, as well as their payment data.

Second, in applying the proportionality test, the name, address and email address information was deemed to be sufficient for the identification of the users who had infringed Dish’s copyright. Furthermore, in light of the limited disclosure order, the District Court found that Worldstream’s compliance did not constitute an excessive burden.

Regarding the question of admissibility of disclosure under the GDPR, the District Court stated that Art. 6(1)(f) GDPR permits the processing of personal data where it is ‘necessary for the purposes of the legitimate interests pursued…by a third party.’ Applying the proportionality and subsidiarity test, the processing of personal data was deemed necessary, as Dish had no other means of tracing the infringing Worldstream users or enforcing its IP rights. Furthermore, it was held that Dish’s interests in enforcing its IP rights prevailed over the users’ right to privacy.

A more reasonable approach

The District Court’s decision is encouraging for those who believe that AG Øe’s interpretation of ‘names and addresses’ was unduly narrow, particularly given his reliance on only one of a variety of everyday meanings of the two terms. This decision shows that a more practical approach is possible when seeking to enforce IP rights online, and now we wait to see how the CJEU determine the issue in Constantin. The short take away is the Enforcement Directive is providing a useful means of disclosure to aid in the pursuit of online infringers, and this must be welcome for rights holders.