ISPs are not under the duty to disclose users’ identity
The Court of Rome recently rejected requests for injunctions bought by a German record company and a Polish computer game producer (the “Copyright Holders”) against two Italian Internet Service Providers (the “ISPs”). The injunctions sought to obtain details of users’ identities.
The Copyright Holders noticed that a number of users were regularly exchanging music files and video games in peer-to-peer networks without paying copyright fees. The Copyright Holders used a service offered by a non-EU IT company to discover the IP address and GUID (Global Unique Identifier) of users involved in the illegal activities. The IT company would obtain the IP address and GUID of the Users by taking part in file-sharing activities itself and using a specific software to “snatch” IP addresses and Users GUID. Using this technology it was also possible to identify the ISPs used by each user. Identifying the ISP was crucial as the ISPs are the only entities that can link IP addresses and GUIDs to users’ names. On the basis of Legislation No. 633/1941, (Section 156 bis), which allows urgent action to be brought against copyright violations where a copyright holder has evidence available to support his claim, the Copyright Holders requested an injunction to force the ISPs to disclose the users’ identities.
The court’s decision to reject the Copyright Holders’ request for an injunction has been viewed as an unexpected change in the court’s approach. Only a few months prior to this decision, in similar proceedings brought by the same Copyright Holders, the Court allowed this type of injunction enabling the copyright holder to threaten legal action against 4,000 users unless they paid €330 in compensation to the copyright holder.
What made the Court change its view on the matter?
The pressure placed on the Court by Italian consumer associations (i.e., Codacons, Adiconsum, Altroconsumo, Aduc) and the intervention of the Italian Data Protection Authority (the “Garante”) is understood to have played a crucial role in the Court decision.
The main arguments put forward by the ISP and the Garante are set out below, These arguments focused on the view that users’ data protection rights should have priority over the Copyright Holders’ economic interests.
The first argument brought related to the principle of confidentiality of communications found in Article 5 of the Directive on Privacy and Electronic Communications (2002/58/EC). This Article prohibits interception or surveillance of communications and related traffic data without the consent of the users concerned unless it is necessary for the prosecution of criminal offences. The Garante argued that civil offences fall outside the exception in Article 5 and that users’ IP address and personal data are included in the definition of traffic data. The Garante also argued that the way ISP databases searched and stored users’ traffic data and communicated this data to third parties is generally prohibited under the principle of confidentiality of information.
The second argument brought by the Garante was that both the Directive on the Enforcement of Intellectual Property Rights (Directive 2004/48/EC) and the Directive on Harmonisation of Copyright (Directive 2001/29/EC) codified the priority of data protection rights over commercial interests.
The third argument brought was that the monitoring activities of the IT company had been carried out in breach of the Italian data protection code (Legislative Decree 196/2003). Under Sections 37 and 13 of the Data Protection Code data processing should not have been carried out without: a) prior notification to the Garante, and b) the prior consent of the data subjects. It was stressed that under Section 11 (2) of the Data Protection Code, data obtained through unlawful processing activities cannot be used further.
The Garante concluded by arguing that the legislation, which allows copyright holders to seek an injunction, should be read in light of the general principles of the Italian legal system. The principles of freedom and confidentiality of communications laid down in Sections 2 and 15 of the Italian Constitution can only be curtailed to prevent criminal offences, not civil offences. This interpretation also ties in with the provisions in Sections 123 and 132 of the Data Protection Code which state that traffic data “shall be erased or made anonymous when they are no longer necessary for the purpose of transmitting the electronic communication”, such data can however be kept for longer in order to make the information available to a competent Authority prosecuting a criminal offence.
The legal reasoning
The arguments presented by the Garante were accepted and confirmed by the Court of Rome, which rejected the Copyright Holders’ request for injunctions.
The Court stated that the Copyright Holders had unlawfully collected users’ data (their IP addresses and GUIDs). The Copyright Holders argument that they did not need consent because they were establishing or defending a legal claim (under Section 24 (f) of the Data Protection Code) was rejected. The Court’s view was that personal data could only be processed without consent to establish or defend a legal claim if the information was already in the right holder’s possession and had been previously collected lawfully. In this case Users’ IP addresses and GUIDs had been obtained through unlawful processing activities and therefore could not be used further. The implication of this was that the data could not be used as grounds to establish that the Copyright Holders had “reasonably available evidence” to allow the injunction against the copyright breach.
The Court argued that there were other reasons for rejecting the Copyright Holders’ request for injunctions. The Court’s view was that the constitutional principles of freedom and confidentiality of communications set out in the Italian Constitution, can only be restricted to the investigation and the prevention of particularly serious criminal offences. Copyright Holders’ economic interests are not sufficient considerations to limit the users’ freedom and confidentiality of communications.
The Court concluded by stressing, as a general principle, the priority of data protection over intellectual property rights. The Court referred to Section 8 (3) of Directive 2004/48/EC which expressly states that in the context of proceedings concerning infringements of intellectual property rights, a request for information on the origins of goods or services does not override statutory provision regarding data protection.
Even though the grounds for some of the legal arguments may be debatable, especially when looking at the general statements as opposed to the fact-specific elements of the decision, the decision represents a significant set-back for copyright holders’ in their fight against illegal online file-sharing activities. For the first time, an Italian Court set out the illegality of using data obtained by private investigations aiming to find ‘pirates’ in peer-to-peer networks. Copyright holders will therefore face more difficulties in defending their economic interests and will have to identify other potential ways of combating a breach of their copyright.
 Section 156 bis of the Law No. 633/1941 implemented Article 6 of the Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the Enforcement of Intellectual Property Rights.
 At the moment, Italian traffic data must be kept until 31 December 2007, as part of the “exceptional measures” to fight Terrorism. By March 2008 the Data Retention Directive will be implemented into Italian law.