Briefing
This paper examines whether two landmark Court of Justice of the European Union (CJEU) decisions—Scarlet v Sabam (C-70/10) and Sabam v Netlog (C-360/10)—are genuinely “good news” for fundamental rights in Europe, particularly privacy and freedom of information. The central research question is essentially normative and doctrinal: when the CJEU rejects broad injunctions requiring internet intermediaries to install copyright-filtering systems, does that rejection meaningfully protect users’ fundamental rights, or does it mainly shift the legal landscape without delivering substantial rights gains?
The question matters because the Sabam cases concerned a request by a collective rights management organisation for intermediaries to implement a system that would identify, evaluate, and block the exchange of copyright-protected works. Such systems typically require large-scale monitoring and technical inspection of network traffic. In the broader European context, the paper situates these judgments within the EU regime governing intermediary liability and enforcement of intellectual property rights. That regime is described as a “patchwork” of directives and national implementations, with the E-Commerce Directive providing liability limitations for certain intermediary roles (mere conduit, caching, hosting), while the Information Society Directive and the Enforcement Directive allow rights holders to seek injunctions even against intermediaries.
Methodologically, the paper is a legal analysis rather than an empirical study. It proceeds by (1) reconstructing the factual and legal structure of the Sabam cases, (2) mapping those decisions onto the EU intermediary-liability framework (especially Articles 12–15 of the E-Commerce Directive), and (3) evaluating the CJEU’s treatment of fundamental rights using the Charter of Fundamental Rights and related EU and Strasbourg jurisprudence. The author also engages with the reasoning of the Advocate General and with privacy regulator guidance, notably the Article 29 Working Party.
On the legal mechanics, the paper explains that in Scarlet, Sabam sought an injunction requiring the internet access provider Scarlet to install a filtering system with four steps: (i) identify peer-to-peer traffic among all communications; (ii) identify within that traffic files corresponding to works claimed by rights holders; (iii) determine which of those files are shared unlawfully; and (iv) block unlawful file sharing. Netlog involved a similar obligation imposed on a social network provider; the paper treats Netlog as largely reinforcing Scarlet, while adding an important point about intermediary classification. In Netlog, the CJEU held that the social network platform stores user profile information on its servers and thus qualifies as a hosting service provider within Article 14 of the E-Commerce Directive.
The paper’s key doctrinal finding is that the CJEU’s rejection of Sabam’s requested filter obligations is grounded in the E-Commerce Directive’s prohibition on general monitoring obligations. The author emphasizes that the CJEU characterized the requested filtering as a complicated, costly, and permanent system imposed at the intermediary’s expense, and as involving monitoring of all data from all customers for an unlimited time. The paper also stresses that the CJEU’s approach limits what injunctions under the Enforcement and Information Society Directives can require: measures must be “fair and equitable,” not unnecessarily complicated or costly, and not entail unreasonable time limits. In addition, Article 15(1) of the E-Commerce Directive prohibits imposing a general obligation to monitor.
However, the paper’s main evaluative conclusion is that the judgments deliver only limited protection for privacy and freedom of information. The CJEU’s fundamental-rights discussion is described as brief and incomplete. The CJEU relies primarily on the freedom to conduct a business and the right to intellectual property, treating intellectual property as a fundamental right but not absolute. The paper notes that the CJEU considered the filter obligation a “serious infringement” of the ISP’s freedom to conduct its business because it would require a complicated, costly, permanent system at the ISP’s own expense. This balancing, in the author’s view, comes at the expense of a more thorough engagement with users’ rights.
Regarding users’ rights, the CJEU addresses only two Charter rights in detail: data protection and freedom to receive information. The author argues that the freedom of information analysis is underdeveloped: the Court notes the filter could “potentially” limit freedom of information because it may not adequately distinguish legal from illegal content, leading to blocking of communications with legal content, but does not conduct a deeper proportionality assessment. For data protection, the CJEU holds that the filtering system would involve systematic analysis of all content and collection/identification of users’ IP addresses, and that IP addresses are personal data because they allow users to be precisely identified. The paper criticizes the Court for not fully explaining why the Data Protection Directive does not provide a legal basis for processing without consent. The author also highlights that the CJEU’s reasoning appears to lean on privacy regulator opinions (Article 29 Working Party), while still leaving gaps in the legal justification.
The paper further argues that the CJEU did not sufficiently address other fundamental-right dimensions that would be central to a comprehensive rights analysis. Notably, it does not discuss secrecy of communications or respect for private life (Charter Article 7). The author contrasts this with European Court of Human Rights (ECtHR) skepticism toward interception and surveillance systems, including traffic-data monitoring. The paper also points out that the CJEU does not engage with the E-Privacy Directive’s confidentiality protections, even though the filtering system Sabam requested would entail deep packet inspection (automatic inspection of communications). The E-Privacy Directive requires confidentiality of communications and related traffic data, prohibiting interception/surveillance by persons other than users without consent, except where legally authorized. While the paper acknowledges that Promusicae allows exceptions to confidentiality obligations to enable copyright enforcement, it argues that proportionality and fundamental-right constraints must still be carefully assessed.
Limitations of the paper follow from its design: it is not an empirical evaluation of actual filtering deployments, error rates, or privacy harms. Instead, its limitations are those typical of doctrinal scholarship: conclusions depend on the completeness and reasoning style of the CJEU judgments and on the author’s interpretation of proportionality and rights balancing. The paper also notes that some aspects of the IP-address personal-data debate may not be settled, especially for parties that do not have the ability to tie IP addresses to identities.
In practical terms, the paper’s implications are aimed at policymakers, courts, and rights-holders. It suggests that even after Scarlet and Netlog, filtering may still occur through narrower judicially imposed obligations or through voluntary arrangements between intermediaries and rights holders. The author warns that such paths could bypass robust judicial control and potentially erode users’ rights. It also cautions that the balancing outcome may change over time as filtering technology becomes cheaper or easier, reducing the weight given to intermediaries’ freedom to conduct business. Ultimately, the paper concludes that while the CJEU reached reasonable decisions in these cases, little is won for privacy and freedom of information because the fundamental-right analysis is not sufficiently thorough and leaves key questions unanswered—especially regarding freedom of information, confidentiality of communications, and private life.
Who should care? Internet service providers and social network operators should care because the judgments constrain broad monitoring injunctions but do not eliminate the possibility of narrower filtering obligations or private arrangements. Rights holders and collective management organisations should care because the legal route to enforcement is shaped by intermediary-liability limits and injunction proportionality requirements. Courts and regulators should care because the paper identifies doctrinal gaps in how proportionality and fundamental-rights impacts are assessed, potentially affecting future litigation and compliance strategies across Europe.
Cornell Notes
The paper analyzes the CJEU’s Scarlet v Sabam and Sabam v Netlog decisions and argues that, although broad filtering injunctions were rejected under the E-Commerce Directive, the judgments provide limited substantive protection for users’ privacy and freedom of information. It shows that the Court’s fundamental-rights reasoning is comparatively thin, emphasizing intermediaries’ business freedom more than users’ rights to data protection, communication confidentiality, and information freedom.
What was Sabam trying to achieve in the underlying cases?
Sabam sought injunctions requiring intermediaries to install filtering systems to identify, evaluate, and block copyright-infringing sharing (peer-to-peer in Scarlet; a social network platform in Netlog).
What kind of filter system did the CJEU describe in Scarlet?
A multi-step system: identify peer-to-peer traffic, identify files matching rights-holder claims, determine which are unlawfully shared, and block unlawful file sharing.
What EU legal mechanism primarily blocked Sabam’s broad filter obligation?
The E-Commerce Directive’s prohibition on general monitoring obligations (Article 15(1)), as the requested system required monitoring of all customer data for an unlimited time.
How did the CJEU treat the intermediary classification in Netlog?
It held that a social network platform qualifies as a hosting service provider because it stores user-provided information on its servers.
What did the Court say about the proportionality/fairness of injunction measures?
It indicated that injunction measures must be fair and equitable and not unnecessarily complicated or costly, nor involve unreasonable time limits; the Sabam system was characterized as complicated, costly, and permanent.
Which fundamental rights did the CJEU discuss most directly in Scarlet?
Primarily the freedom to conduct a business (intermediaries) and the right to intellectual property, and then—briefly—data protection and freedom to receive information for users.
What is the paper’s critique of the CJEU’s fundamental-rights analysis?
The paper argues the Court’s analysis is too limited: it gives little attention to freedom of information beyond the risk of blocking legal content, and it does not sufficiently address secrecy of communications or private life, nor the E-Privacy Directive’s confidentiality requirements.
How does the paper connect filtering to data protection and IP addresses?
It explains that the CJEU treated IP addresses as personal data because they allow precise identification, and it criticizes the Court for not fully explaining why the Data Protection Directive could not legitimize the processing.
What practical routes to filtering remain after these judgments?
The paper notes that narrower judicially imposed filtering obligations may still be possible, and that voluntary agreements could allow filtering without the same level of judicial scrutiny.
Review Questions
What doctrinal role does Article 15(1) of the E-Commerce Directive play in the CJEU’s rejection of Sabam’s filtering request?
How does the paper argue that the CJEU’s balancing of fundamental rights is incomplete, and which rights does it say were under-analyzed?
Why does the paper think the freedom to conduct a business may become less decisive over time as filtering technology improves?
What does the paper suggest about the risk of rights erosion through voluntary (non-judicial) filtering arrangements?
How does the paper use the E-Privacy Directive and deep packet inspection to challenge the adequacy of the CJEU’s rights analysis?
Key Points
1. The paper’s core claim is that Scarlet and Netlog are not strong wins for privacy and freedom of information, despite rejecting broad filtering injunctions.
2. The CJEU rejected Sabam’s requested filter obligations mainly because they amounted to a general monitoring obligation prohibited by Article 15(1) of the E-Commerce Directive.
3. The requested system was characterized as complicated, costly, and permanent, and as requiring monitoring of all customer data for an unlimited time.
4. Although the CJEU recognized intellectual property as a fundamental right, it balanced it against other rights and emphasized intermediaries’ freedom to conduct business.
5. The CJEU’s fundamental-rights discussion for users is criticized as too brief: it addresses data protection and freedom to receive information but not secrecy of communications or respect for private life.
6. The paper argues that deep packet inspection is difficult to reconcile with the E-Privacy Directive’s confidentiality protections, yet the CJEU did not meaningfully engage with that directive.
7. The paper warns that filtering may still occur via narrower court-ordered obligations or voluntary agreements, potentially bypassing robust judicial scrutiny.