A Dutch Court of Appeal held that an Internet service provider (ISP) could not be mandated to link IP addresses to the name and addresses of its users to send warnings about the illegality of uploading illegal content with Bittorrent because, pursuant to Article 10 GDPR, the ISP lacked a legal basis for processing criminal data.
Brein – a foundation that deals with infractions of IP rights- wanted to send warning letters to torrent users through their Internet Service Providers (ISPs). Brein would supply the IP addresses of people to the ISPs, who could link these addresses to the users name and physical address.
One of the ISP’s did not want to help Brein voluntarily by combining the IP addresses with the names and addresses of its users in order to send them the warning letters. After this, Brein filed a submission at the first instance court to force the ISP to send the warning letters to the respective users. The first instance court rejected this and stated that the ISP didn’t receive a permit from Dutch the DPA to process criminal personal data.