    INFLUXIO - Raphaël Molina

    Lifting online anonymity: identifying cybercriminals for the purposes of criminal proceedings.

    Analysis of the Paris Court order of 17 April 2026 and the French framework enabling content creators to obtain the identification of anonymous perpetrators of online offences (Article 145 CPC, Article L34-1 CPCE).

    The creator economy has emerged in just a few years as a fully-fledged economic sector. According to convergent data from platforms and sector observatories, several million individuals in France now derive all or part of their income from producing content distributed on online public communication services.

    This professionalisation mechanically exposes its actors to targeted cybercrime: clone channels, fake profiles, fraudulent capture of audiences, unlicensed samples, coordinated waves of hatred, deepfakes. In practice, litigation is rarely hindered by the material identification of disputed content. Technical evidence-gathering tools (bailiff reports under AFNOR standard NF Z67-147, reports on the basis of Article 145 of the Code of Civil Procedure) now make it easy to preserve evidence.

    The difficulty shifts downstream: the perpetrator most often remains anonymous, or more accurately is protected by an alias and by the platforms' general registration terms. Yet, without identifying the author, no criminal sanction is possible, and consequently no serious civil compensation can be envisaged.

    The order issued by the urgent applications service of the Paris Court on 17 April 2026 under general docket number 26/52518 provides a useful illustration, in this respect, of how the French anonymity-lifting mechanism operates. An influencer with 1.55 million subscribers and the production company she runs obtained from Google LLC and Google Ireland Limited the disclosure, within ten days, of declarative data, payment information linked to the AdSense account, and above all the IP addresses used to create the Google account, the [YouTube](/en/avocat-youtube) channel and the AdSense account, as well as those used to upload fifteen videos specifically listed in the operative part.

    The decision, although unprecedented, deserves attention: it confronts in exemplary fashion the procedural mechanism of Article 145 of the Code of Civil Procedure with the substantive framework derived from European case law on data retention. This articulation raises a central question, which will run throughout this commentary: under what conditions does Article 145 CPC enable content creators effectively to lift the anonymity of the perpetrators of online offences of which they are victims, and what, among the catalogue of conceivable offences, is the criminal threshold that genuinely opens access to technical identification data?

    The analysis requires us first to revisit the regulatory architecture governing the lifting of anonymity (I), before examining the recurring offences which, in firm practice, trigger the mechanism (II), and finally to draw the operational lessons of the order under review (III).

    I. The regulatory architecture of anonymity-lifting.

    A. The procedural instrument: Article 145 of the Code of Civil Procedure.

    Article 145 of the Code of Civil Procedure, as drafted by Decree No. 2025-619 of 8 July 2025 which entered into force on 1 September 2025, lays down a principle that has remained substantively unchanged: "_If there is a legitimate reason to preserve or to establish before any trial the evidence of facts on which the resolution of a dispute may depend, legally permissible investigative measures may be ordered at the request of any interested party, on application or in summary proceedings._"

    The text classically imposes two cumulative conditions: a legitimate reason and a legally permissible measure. Case law adds a third, judge-made requirement, namely the proportionate nature of the measure. The judge, when faced with a challenge on this point, must verify that the measure is necessary for the exercise of the applicant's right to evidence and proportionate to the competing interests at stake. These conditions are recalled by the order under review, which makes an orthodox application of them.

    The legitimate reason is assessed in light of the usefulness of the measure for gathering elements likely to determine the resolution of a potential dispute. The applicant does not have to demonstrate the merits of the substantive claims: it suffices to justify elements that make the alleged facts credible and to establish that the potential dispute is not manifestly doomed to fail.

    The legally permissible measure assumes that the data whose disclosure is sought exist, are still held by the defendant, and may be disclosed without contravening a mandatory provision. It is precisely on this last point that the entire debate on digital anonymity-lifting is concentrated. A request for the disclosure of data which, by hypothesis, should not have been retained, or which could only be disclosed for specific purposes, will run into the requirement of substantive lawfulness. This is the meaning of the legislative lock arising from European case law and codified in Article L34-1 of the Postal and Electronic Communications Code.

    B. The substantive instrument: Article L34-1, II bis, of the Postal and Electronic Communications Code.

    Following the CJEU rulings _Digital Rights Ireland_ and _Tele2 Sverige_, which had invalidated Directive 2006/24/EC for disproportionate interference with the right to privacy and data protection, the French legislator profoundly overhauled, in 2021, the regime for data retention by electronic communications operators. The framework was subsequently consolidated by the _La Quadrature du Net II_ ruling of 30 April 2024, by which the Court of Justice, sitting in plenary, confirmed the lawfulness of the French system.

    Article L34-1, II bis, of the CPCE, in its version in force since 15 June 2025, now distinguishes three categories of data and three retention and access regimes, structured according to the sensitivity of each category with regard to privacy.

    _First level: civil identity data._ Operators are required to retain surnames and first names, dates and places of birth, associated postal addresses, email addresses and telephone numbers, until the expiry of a period of five years from the end of the contract or service's validity. The purpose of access is broad: this data is accessible "for the purposes of criminal proceedings, the prevention of threats to public security and the safeguarding of national security". No particular gravity requirement attaches to this first category. A simple criminal procedure suffices.

    _Second level: other declarative information and payment information._ The identifier used, any pseudonyms, the data intended to enable verification of the password, as well as the type of payment, the reference, the amount and the date of operations, are retained for one year from the end of the contract or the closure of the account, for the same broad purposes as those of the first level.

    _Third level: technical connection and equipment data._ The IP address allocated to the source of the connection, the associated port, the user identifier number, the terminal identification number and the telephone number originating the communication are retained only for one year from the connection or the use of the terminal equipment. Above all, their disclosure is permitted only "for the purposes of combating serious crime and serious delinquency, preventing serious threats to public security and safeguarding national security". This is where the criminal lock plays its role: without the qualification of serious delinquency, access to IP addresses is in principle refused.

    The detail of the data retained under each of these three categories is specified by Article R. 10-13 of the CPCE. It is on this grid, and only on this grid, that the order of 17 April 2026 ruled.

    II. Recurring offences opening access to technical data.

    Identifying a cybercriminal from the platform alone often results in fanciful or usurped declarative data, as exemplified by the ruling Cass. 1re civ., 26 February 2025, no. 23-16.762. In that case concerning the YouTube channel "Les dossiers Monaco", Google Ireland was only able to provide fanciful data obtained behind a NordVPN VPN, rendering any adversarial debate illusory and leading the court to correct in equity the scope of Article 6-I.8 of the LCEN. The lesson is clear: only technical data makes identification reliable. Such access must still be possible. Six families of recurring offences in the creator economy open this access.

    A. Common criminal law offences directly targeting creators.

    _1. Digital identity theft._ Article 226-4-1 of the Criminal Code, created by the law of 14 March 2011 known as "LOPPSI II", punishes by one year of imprisonment and a 15,000 euro fine the act of usurping the identity of a third party or making use of one or more data enabling identification, with a view to disturbing the person's peace or harming their honour or reputation, the offence being "punishable by the same penalties when committed on an online public communication network". Practice has made it the reference offence for clone channels, fake Instagram accounts, mirror profiles on TikTok or X.

    _2. Fraud._ Article 313-1 of the Criminal Code punishes by five years' imprisonment and a 375,000 euro fine the use of a false name or false capacity intended to induce a victim to hand over funds, valuables or a service. The text covers the full range of cyberfraud affecting creators: fake product placements carried out under the influencer's identity, fake dropshipping operations, fake crypto investments wrongly attributed to the creator, and paid subscriptions captured improperly, as in the DOLLSPLS case where the usurper had activated the "channel subscription" feature.

    _3. Cyber-harassment._ Article 222-33-2-2 of the Criminal Code, in its version in force since 23 March 2024, punishes harassment by repeated remarks or behaviour intended to or having the effect of degrading the victim's living conditions resulting in an alteration of their health. The penalty is increased to two years and 30,000 euros when the offence is committed "by the use of an online public communication service or by means of a digital or electronic medium". The text now expressly covers the "digital raid": remarks imposed on the same victim by several persons, either in concert or successively with knowledge of the repetition. The offence is the favoured weapon against waves of hatred targeting female creators, athletes or journalists.

    _4. Invasion of privacy and image rights._ Articles 226-1 and 226-2 of the Criminal Code punish by one year of imprisonment and a 45,000 euro fine, the penalty being increased to two years and 60,000 euros in case of aggravating circumstances, the capture, recording, transmission or dissemination without consent of words, images or location data of a person. These offences complement civil liability based on Article 9 of the Civil Code and on image rights.

    _5. Misleading editing and deepfakes._ Law No. 2024-449 of 21 May 2024 aimed at securing and regulating the digital space, known as the SREN law, profoundly renewed the criminal arsenal. Article 226-8 of the Criminal Code now expressly punishes the dissemination without consent of "visual or audio content generated by algorithmic processing and representing the image or words of a person", when it is not obvious that it is algorithmically generated content. The penalty, increased to two years and 45,000 euros when dissemination occurs online, reaches three years and 75,000 euros for sexually explicit deepfakes disseminated online under Article 226-8-1, created by the same law. This framework is directly adapted to the fake pornographic content generated by [artificial intelligence](/en/avocat-ia) of which female creators are regularly victims.

    B. The litigation specific to intellectual property.

    Infringement of [copyright](/en/avocat-droit-dauteur) and related rights constitutes the second pillar of offences capable of supporting the qualification of serious delinquency. Article L335-3 of the Intellectual Property Code, which defines infringement as "_any reproduction, performance or dissemination, by any means whatsoever, of a work of the mind in violation of the author's rights_", covers videos reposted without authorisation, pillaged Reels and Shorts, pirate uploads on parasitic channels, and more generally any unauthorised exploitation of an original work.

    Article L335-4 of the same code, which punishes the unauthorised fixation, reproduction, communication or making available of a performance, phonogram or videogram, completes the framework on the ground of related rights of performers and producers. The penalty is severe: three years of imprisonment and a 300,000 euro fine in simple form, and up to seven years and 750,000 euros in organised gangs.

    C. The blind spots: press offences.

    Not all offences cross the threshold of serious delinquency. Press offences, governed by the law of 29 July 1881 on freedom of the press, occupy a particular position in this respect. Public defamation against an individual (Article 32, paragraph 1) and public insult against an individual (Article 33, paragraph 2) are punishable by fines, without imprisonment as a principal penalty. Only the discriminatory versions of these offences, committed on grounds of origin, religion, sex or sexual orientation, carry custodial sentences.

    The practical consequence is significant: classic press offences are not systematically qualifiable as serious delinquency within the meaning of Article L34-1, II bis, 3°, of the CPCE, and access to IP addresses is therefore not guaranteed by their citation alone. This is precisely what the Court of Cassation illustrated in the aforementioned ruling of 26 February 2025, where the debate shifted from anonymity-lifting to the proportionality of content removal.

    III. Lessons from the order of 17 April 2026.

    The order under review is, on the substance, in rigorous line with this regulatory architecture. The court's reasoning specifically confronts the facts with the three levels of Article L34-1, II bis, of the CPCE and the four categories of Article R10-13. Three aspects deserve attention.

    _First, the characterisation of serious delinquency._ The court merely notes that the facts likely fall within the offences of identity theft, fraud and infringement of copyright and related rights, and that "_it is not disputed that these fall within serious delinquency within the meaning of the aforementioned Article L34-1, II bis_". The undisputed nature of this qualification clearly lightened the applicants' burden of proof. A warning should be drawn from this: had Google challenged this point, the decision could have been tighter, particularly as regards the qualification of infringement as "serious delinquency" within the meaning of European case law, a question which is not unanimously settled by doctrine.

    _Secondly, the rejected requests._ The court rejected the request for the five-year retention of data linked to other YouTube channels or Google accounts associated with the same AdSense or administered from the same IP addresses, on the ground that this request was "_insufficiently linked to the aforementioned facts and, consequently, disproportionate to the objective pursued_". The reminder is useful: proportionality review requires the measure to be confined to the accounts, data and time windows strictly necessary for the identification sought. Tentacular requests for mapping wider ecosystems will, as a rule, be rejected.

    Likewise, the request for disclosure of the "identification data of the beneficiary payment account" was refused as exceeding the framework of Article R. 10-13, III, of the CPCE, which only authorises the disclosure of information relating to payment (type, reference, amount, date), excluding bank details themselves. The distinction is important for practitioners: other avenues will have to be used (prosecutor's requisitions on the basis of Articles 60-1 and 77-1-1 of the CPP once the complaint is registered, rogatory commission after the opening of an investigation) to access the beneficiary bank accounts.

    _Thirdly, the periodic penalty payment and costs._ The court refused the periodic penalty payment, a refusal that is explained by Google's displayed cooperation but that theoretically deprives the applicant of an enforcement lever should the defendants fail to deliver within ten days. The costs were borne by the applicants, despite the success of their main claim. This is a signal worth recalling to clients during preliminary consultations: the procedure comes at a cost, even when it succeeds.

    Conclusion.

    The order of 17 April 2026 confirms that Article 145 of the Code of Civil Procedure, articulated with Article L. 34-1 of the CPCE and the European case law stabilised by the _La Quadrature du Net II_ ruling of 30 April 2024, now constitutes the central instrument of digital anonymity-lifting for the benefit of content creators. Three practical lessons emerge.

    First, the criminal qualification must be worked on upstream. Mere reliance on defamation or public insult is not enough to unlock access to technical connection data. It is the articulation of qualifications, as close as possible to the facts, which opens the arsenal.

    Secondly, swiftness conditions the effectiveness of the framework: technical data is retained for only one year, and each month of waiting mechanically reduces the identification window.

    Thirdly, the measure must be circumscribed: proportionate requests are granted, tentacular requests are rejected.

    There remains, in perspective, the impact of the Digital Services Act and the coordination with criminal proceedings. Regulation (EU) 2022/2065 creates a unified European framework whose articulation with the LCEN remains imperfect. The Court of Cassation will, in the coming months, have to clarify its contours. Content creators will be the primary beneficiaries.

    Raphaël Molina

    About the author

    Raphaël Molina

    Partner

    Admitted to the Paris Bar, Maître Raphaël MOLINA is a co-founding partner of INFLUXIO and has specialized in intellectual property law and digital law for several years.
