THE BOTTOM LINE
- High Bar for Data Disclosure: Third-party data holders (like a trade register) are not automatically required to reveal user identities, even if their services are tangentially linked to a defamatory campaign against your business.
- Facilitation is Key: A company can only be compelled to disclose user data if its platform was used to directly facilitate the unlawful act (e.g., hosting defamatory content). Simply providing lawful, public information that is later misused is not enough.
- No “Fishing Expeditions”: Demanding user data to unmask an anonymous attacker requires strong evidence that the requested information will actually identify the wrongdoer, not just an unrelated account holder. Courts are wary of approving speculative data requests.
THE DETAILS
This case began when a Dutch healthcare group and its executives were targeted by a hostile “dossier” filled with serious accusations of fraud, corruption, and self-enrichment. This defamatory document, which also contained private photos, was widely distributed to media and political figures. Attached to the dossier were 39 official extracts from the Dutch Chamber of Commerce (KvK). Seeking to identify their anonymous attacker, the healthcare group sued the KvK, demanding it disclose the account details of the person who had downloaded the extracts. A lower court initially sided with the company, but in a significant reversal, the Arnhem-Leeuwarden Court of Appeal has now ruled in favor of the KvK.
The central legal question was whether the KvK’s refusal to provide the data constituted an unlawful act (tort). The court drew a critical distinction between the KvK’s role and that of a service provider like a web host. Unlike a hosting company that provides the platform for defamatory content (as seen in the landmark Dutch Lycos case), the KvK did not facilitate the harmful act itself. The information it provided—standard company extracts—was lawful and public. The act of distributing the defamatory dossier via email was entirely separate. The court concluded that the KvK’s role was too remote to create a legal duty to assist. It also weighed the risk of wrongly implicating an innocent business account holder and the potential “chilling effect” that such disclosures could have on the legitimate use of the public trade register.
The court also dismissed the company’s claim based on a “right of inspection.” While Dutch law allows a party to request documents relevant to a legal dispute, the link must be direct. The company argued it had a legal relationship (a tort claim) with the anonymous attacker. However, it failed to convince the court that the holder of the KvK account was necessarily the same person or entity responsible for creating and distributing the dossier. Since the extracts were pulled using a corporate account, a direct link to the individual wrongdoer was not established. The court viewed the request as an unsubstantiated “fishing expedition” and ruled that without a stronger connection, the KvK’s duty to protect its users’ data outweighed the company’s interest in obtaining it.
SOURCE
Source: Gerechtshof Arnhem-Leeuwarden (Arnhem-Leeuwarden Court of Appeal)
