The Court of Appeals –by reversing a decision issued in 2010 by the Court of First Instance which sentenced the three Google executives to a six-month suspended conviction for unlawful data processing –clearly ruled that no duty to monitor on the content they store can be imposed on Internet Service Providers (ISPs), pursuant to Article 15 of the E-commerce Directive (2000/31/EC) and its Italian implementing provisions (Legislative Decree No 70/2003 – E-commerce Decree).
This ruling is the last in a long line of Italian decisions which debated the issue on whether, and to what extent, ISPs should be liable for third-parties’ infringements carried out via their systems, akin to newspapers and television stations, or instead they may rely on the liability exemptions under the E-commerce Decree.
The ‘Google Vividown’ case
In 2006 a video showing four students at a Turin school teasing an autistic boy was uploaded to Google Video.
Three Google executives were charged with defamation and unlawful data processing. According to the public prosecutor, Google acted as content provider in connection with the processing of the boy’s sensitive personal data (his health condition), because Google allegedly handled the boy’s data and profited from the disputed video due to the sponsored links appeared on it.
The Court of First Instance acquitted the defendants on the defamation charge, stating that a general duty to monitor uploaded content does not apply to ISPs.
However, the Court of First Instance found the executives liable for unlawful data processing pursuant to Section 167 of the Italian Data Protection Code since the privacy notice for data subjects made available on the Google Video platform provided no information about the need to obtain the express consent of third parties appearing on any uploaded video before the upload.
The Milan Court of Appeals disagreed with the Court of First Instance and ruled that:
- ISPs are not required to undertake preventive monitoring of the information and content that users upload to their platforms, in accordance with the relevant provisions under the E-commerce Directive and the E-commerce Decree. Similar activity would be impossible from a technical standpoint and could undermine freedom of expression;
- failure to provide data subjects with a proper privacy notice does not result in unlawful data processing, punished as a crime under section 167 of the Italian Data Protection Code, and is punished with an administrative fine ranging between €6,000 and €36,000;
- the uploaderof the disputed video was data controller with regard to the sensitive data contained therein. Therefore, it was up to the uploader – and not to Google – to obtain the boy’s parents’ consent before the upload to Google Video;
- no sponsored link appeared on the disputed video, therefore Google had no intent to profit from it. Further, Google executives did not act with ‘willful intent’ since they were not aware of the content of the disputed video before it was uploaded. Therefore, both the profit and the ‘willful intent’ requirements, which shall exist to be found liable for unlawful data processing under the Italian Data Protection laws, were not met in the case at hand.
Whilst the Court of Appeals decision provides a comprehensive overview of Italian case law regarding ISPs’ liability for third-parties’ infringements, certain issues are still unclear. For example the Court does not clarify Google’s role under a data protection standpoint, nor does it explain why handling a video (eg, storing or deleting it) is not tantamount to a processing of personal data.
Distinction between active and passive ISPs
Italian case-law on ISPs’ liability for copyrighted content uploaded by users to video sharing websites held that the latter cannot be considered as either hosting providers or as content providers within the meaning provided by the E-commerce Directive and by the E-commerce Decree implementing it.
From this perspective, Italian courts have introduced a new classification and apply different criteria for liability exemptions, depending on the role performed by the ISPs in question:
- ‘passive’ hosting providers, which merely provide technical/hosting services without having any active role in managing the information stored on the relevant websites;
- ‘active’ hosting providers, which play an active role in the organisation and management of content through their platforms (eg, by indexing and selecting content; inserting promotional messages associated to the content posted by users on their services; etc).
Only ISPs that are deemed ‘passive’ can rely on the liability exemption under the E-commerce Directive: therefore, ‘passive’ ISPs are not liable for contents posted by users until they receive a removal order issued by the competent authority, and they may be considered liable only in the event of non-compliance with such order.
On the contrary, ‘active’ hosting providers can be held liable under general principles of tort law for the information or contents of their customers if, having been made aware of the unlawfulness of such information or contents through a detailed notice sent by the right holders, or if they become aware of the unlawfulness of the contents by other ways (eg, through the carrying on of autonomous investigations), do not promptly remove or disable the access to the relevant information or content, even in absence of a specific order issued by the competent public authority.
The distinction between ‘active’ and ‘passive’ hosting providers has been drawn by the Court of Milan in the occasion of proceedings brought by RTI, Italy’s main private broadcaster and part of the Mediaset Group, for copyright infringement in respect of TV programmes that were uploaded and displayed on Yahoo! Italia’s and Italia Online’s online video-sharing platforms. In these cases, the Court held that the liability exemptions for hosting providers under the E-commerce Decree did not apply to the platforms, as they played an ‘active’ role in organising their services and the videos uploaded to their platform with a view to commercial benefit, and they had been provided by the copyright holder with sufficiently detailed notices.1
The same distinction has been further acknowledged by the Court of Rome in a decision handed down on 20 October 2011, which found that a company which merely provided hosting services to a video-sharing website was not liable for the copyright infringing content uploaded to the video-sharing website by website users or directly by the website owner. On the contrary, the Court found directly liable the company that operated the video-sharing website in question as ‘active’ hosting provider, which was deemed aware of the unlawfulness of the relevant content.2
The Court of Rome’s decision is all the more important in that, for the first time in Italian case law, it has been clarified that the duty to remove infringing content for ‘passive’ hosting providers may derive only from a specific order from the competent authority. Therefore, according to the Court, a notice from a rights owner − even if it contains adequate details − is insufficient to require a ‘passive’ hosting provider to remove the content in question.
The debate on ISPs’ liability for third-party infringing activities seems certain to continue with the Italian courts handing down decisions on the matter. The debate should concentrate on how to reach a ‘fair balance’ between all interests involved (including protection of intellectual property rights, freedom of expression, data protection, etc), as clarified on several occasions by the European Court of Justice.
1 Court of Milan, decision of 20 January 2011, RTI v ItaliaOnline Srl; decision of 19 May 2011, RTI v Yahoo! Italia Srl.
2 Court of Rome, decision of 20 October 2011, RTI v VBBCOM.LIMITED, Choopa LLC.
This article was first published in Convergence, June 2013, and is reproduced by kind permission of the International Bar Association, London, UK. © International Bar Association.
Download the articleDownload the article