The anti-piracy efforts of the content industry in France recently resulted in a warning from French authorities that, when policing online piracy through use of a third-party contractor, privacy must be respected and enforced.
The French agency entrusted with fighting online copyright infringement, the HADOPI, sends warning letters to suspected online infringers after receiving IP addresses collected by right holders. Right holders use a service provider, TMG, to collect these IP addresses. Before putting the system in place, right holders obtained an authorization from the French data protection authority, the CNIL, allowing them to collect IP addresses for this purpose.
On May 16, 2011, a third party notified the CNIL of a data security breach at TMG. This triggered a security audit by the CNIL, which identified vulnerabilities in the TMG system, including insufficient procedures for updating computer facilities, faulty physical security measures, and the absence of any formal procedure for ensuring that security rules are applied in practice. The CNIL also found that TMG had failed to comply with its obligations to make notifications to the CNIL and had not put into place procedures to limit the period of time during which data are retained.
The CNIL issued a formal warning, giving TMG three months to correct all the instances of non-compliance identified during the audit. The CNIL issued a press release on July 6, 2011, announcing the TMG audit and security deficiencies. The CNIL indicated in its press release that it had also issued a formal warning to the right holders who had entered into the contract with TMG. The right holders are the “data controllers” and are responsible for ensuring that their subcontractor TMG complies with data security obligations under French law. The CNIL has substantially increased the number of audits it conducts, and the audits are often triggered after a third party notifies the CNIL of security breaches.