Follow the money – Should banks identify copyright infringers?

For the Dutch journal Intellectueel Eigendomsrecht en Reclamerecht (Intellectual Property and Advertising law), I wrote a case note on the Dutch District Court of Amsterdam decision in Stichting BREIN v. ING Bank. This blog post is a short English summary of that case note.

The question that the District Court had to answer in this case was whether ING Bank (a bank) had a duty to release personal data about its customers to copyright owners or their representatives, in this case the Dutch Entertainment Industry Trade Association (BREIN). This case is part of a series of cases in which BREIN has tried to bring the unauthorized sharing of copyrighted protected content to a halt. See, for instance, my earlier blog posting on BREIN’s attempt to have access blocked to the Pirate Bay by Dutch internet access providers.

Now, what is the case of Stichting BREIN v. ING Bank about?

FTD World was a website on which links to NZB-files could be found, that in turn referred to files in Usenet-groups that often contain copyright protected materials. BREIN had tried to identify the people responsible for this website through the domain name registrar and the Russian hosting service provider, but was unsuccessful in its attempts.

However, in order to make donations to the owner(s) of the website, the website listed a bank account number with ING bank, and the name of the holder of the account. Through the records of the municipality of Amsterdam, BREIN had found out that the bank account belonged to a woman that had moved to Suriname in 2009 and was born in 1927. Not your average internet pirate.

BREIN had asked ING Bank to release personal data about the account holder and other financial data that related to the bank account. ING Bank responded by saying that next to the account holder, there was a another person authorized to use the bank account. However, the bank did not want to disclose personal data about this authorized person. BREIN nevertheless wanted this information and went to court and claimed the disclosure of personal data about the authorized person.

Not-disclosing personal information as a tort

The District Court assessed the claim in the context of tort law. In the classic case of Lycos v. Pessers, the Dutch Supreme Court had held that the general duty of care can be breached (a tort) by not disclosing identifying data about someone who publishes information of which it is sufficiently plausible that it is unlawful. The general duty of care is often referred to as an ‘open norm’. This means that there are no clear-cut directions in the Dutch Civil Code on how to assess whether certain conduct breaches the duty of care. It is therefore up to the courts to fill in the blanks and determine what conduct is a wrong and should be remedied. Not disclosing personal information of someone who publishes ‘unlawful information’ may, under certain conditions, thus be a breach of the duty of care and hence a tort.

In the case of Lycos v. Pessers, the Supreme Court adopted the following criteria for such tortious conduct:

  1. The possibility that the information, on its own merits, is unlawful against a third-party and harmful to a third-party is sufficiently plausible;
  2. the third-party has a real interest in receiving the name, address and city;
  3. it is plausible that, in a specific case, there are no less intrusive options to discover the name, address and city;
  4. the weighing of the interests of the third-party, the service provider, and the website owner (to the extent that they are known) leads to the conclusion that the interests of the third-party need to prevail

Unlike the case of Stichting BREIN v. ING Bank which is about the duties of a bank in relation to the infringement of copyrights, the Lycos v. Pessers-case was about a hosting service provider who hosted a website with defamatory statements. Although the Supreme Court stated that its judgement was tailored to the particular facts of the case, lower courts have applied the Lycos v. Pessers-standard to hosting service providers when their customers were involved in the infringement of copyrights. The Lycos v. Pessers-case therefore has become the leading case on the release of personal data of copyright infringers by hosting providers and other internet and online service providers.

Where to draw the line? 

Because the case of Stichting BREIN v. ING Bank is about the bank’s duty to disclose information about copyright infringers, the question arises: where to draw the line? Does the Lycos v. Pessers-standard and the case law based on it, also apply to banks and other financial service providers? The answer of the District Court in this case is: no. It did not find the bank liable for non-disclosure of personal data about the alleged infringer.

The District Court refuses to apply the Lycos v. Pessers-standard in this particular case because there is no conditio sine qua non-relationship between the bank and the infringement. In other (English) words, without the bank, the infringement would have taken place anyway, and therefore the bank also has no duty to disclose the identity of the alleged infringer to the copyright holder. This argument is part of a broader balancing of interests of the parties. It is thus not the only argument to not hold the bank liable. Other circumstances that the Court finds relevant in not granting BREIN’s claim are the fact that the infringements take place outside of the bank’s range of view, and the fact that the bank is not in a position, and has no expertise, to judge on the the alleged copyright infringements. Other elements in the balancing of interests of BREIN and ING include the sufficiency of BREIN’s attempts to identify the infringers itself, and the trust that customers put in their banks when it comes to handling their personal data.

The question can be raised whether hosting providers and other service providers are also not in a position to judge over alleged copyrights infringements. Although in an absolute sense the infringements are committed through their services, in a relative sense infringements are just as far outside their range of vision due to the high level of automatization of their services. Nonetheless, these service providers are often required to release personal information about infringers. In my view, the distinction made between banks and hosting service providers is a weakness in the District Court’s decision. However, the criterium of the conditio sine qua non is a welcome novum in Dutch case law on the release of personal data. It may help to draw a line between what type of service providers can be obligated to release identifying information, and what type of service providers can not. Only the service providers that are such a conditio for the copyright infringement, can be required to release personal data about the infringer. As such, the criterium could serve as a gateway to keep service providers that have nothing to do with the copyright infringement out of tort law’s reach.

This case is in no way the final word on a bank’s duty to release personal data as BREIN has announced that it will appeal the decision. Moreover, the German Bundesgerichtshof recently asked the European Court of Justice for guidance on whether a bank should be able to reject requests for the release to personal data due to banking secrecy or whether the right to be able to effectively enforce trade mark rights should prevail. See the IPKat for more on this case.

Also see Huťko´s Technology Law Blog for a post on the case of Stichting BREIN v. ING Bank.