Portolano case

This is an interesting case as it concerns ISPs, filesharing and data protection. Here are the facts (from Mondaq):

"On April 2007, Peppermint Jam Records GmbH (hereinafter "Peppermint"), a German music label, sent out 3,636 notices of copyright infringements to alleged Italian file-sharers informing them that they have been found guilty of uploading copyrighted songs.

The notices, sent by an Italian Law Firm, requested the 3,636 Italian swappers to stop persisting in their infringements of copyright laws and requested them to immediately remove from their PCs all songs belonging to the Peppermint label. In particular, each user has been specifically charged of sharing only a single song.

The notices also invited users to wire transfer EUR300.00 to the Italian Law Firm’s bank account within May 14, 2007, if they wanted to avoid a criminal and/or a civil lawsuit brought against them. The amount represented a symbolic compensation for damages caused by sharing that song, including legal and investigation expenses. Attached to the notices Italian users also received a draft settlement agreement, to be signed and returned to the Italian Law Firm in case of acceptance.

As mentioned above, the notices stated that the acceptance of the draft settlement agreement as well as payment of the requested amount, would avoid users from being subject to a criminal judgement for copyright infringements. This statement, however, is not exactly true. In fact, Italian file sharers could be subject to a criminal proceeding although they have paid the above amount and signed the settlement agreement. This is because, under Italian law, the crime of copyright infringement is prosecuted ex officio....

Italian Supreme Court‘s Recent Decision on File Sharing Practices

In the Peppermint’s case, the Court did not take any positions on the legality of file sharing practices.

According to a recent Italian Suprem Court’s decision, however, the copyright infringement deriving from file sharing – if not aimed at making profit - is not punishable.

The decision of the Italian’s Supreme Court, dated January 9, 2007, no. 149, concerned a specific case happened on 1999, when two Italian students made some copyrighted materials available for download on a University bulletin board. The students, according to the Supreme Court’s view, were not punished as their behavior was not aimed at making profit, and, therefore, it was not criminally punishable but it constituted only a civil offense that could be pursued for alleged damages.

Data Protection Issues Involved in the Case

In the Peppermint’s case the Court of Rome ordered to the ISP to disclose its clients’ personal data. This has triggered many criticisms as this disclosure was deemed to be an infringement of Italian Data Protection Law.

What has been criticized, however, is not the fact that the Court ordered the ISP to provide such data, as Italian Data Protection Law expressly allows that personal data disclosure in a judicial proceeding. What has triggered many discussions in Italy is whether Peppermint’s and Logistep’s activities aimed at collecting information of users were carried out infringing Italian Data Protection Law.

As to Peppermint’s activities, regardless the fact that the company has its registered offices in Switzerland, Italian Data Protection law should apply according to Section 5 of the Legislative Decree no. 196 of 30 June 2003, (hereinafter "Italian Data Protection Code" or " the Code"), under which the Code applies (i), to the processing performed by any entity established in Italy, including when data are held abroad and (ii) to the processing performed by an entity located in the territory of a non EU country (such as Switzerland) where said entity makes use, in connection to the processing, of equipment situated in the Italy.

Many commentators said that, in the case at hand, the Code applies to processing carried out in Italy (a) at the time personal data were collected from users’ PCs located in Italy (although this is an arguable position) (b) when users’ personal data were transferred to the Italian Law Firm, and were processed for the purposes of sending them the notices on the basis of the data collected from the Italian ISP.

As to Logistep’s activities, some argued that Section 122 of the Code should apply, under which an electronic communication network shall not be used to gain access to information stored in the terminal equipment of a subscriber or user or to store information or monitor operations performed by any user. This is also an arguable position, however, as users’ information are normally processed by P2P platforms with such users’ consent or, in any event, upon request of such users.

Furthermore, some commentators pointed out that Section 37, letter d) of the Code should also apply, under which the data controller shall notify to the Data Protection Authority the processing of personal data concerning data processed with the help of electronic means aimed at profiling the data subject or monitoring use of electronic communications services. This is also arguable, as Logistep’s activity was only aimed at collecting the IP addresses of Italian users: a stand alone IP address is not able to identify or profile users."

Source: http://www.mondaq.com/article.asp?articleid=50310

Although the Italian Data Protection Authority is investigating whether the Data Protection Code has been breached when collecting IP addresses, there are a number of cases that are beginning to emerge that deals with filesharing, IP addresses and data protection:

• Hong Kong Yahoo case (pdf) 14 March 2007
• French Supreme Court: P2P May 2007
  
• Germany: Offenburg Local Court
  
• Swedish Anti-Piracy Bureau

Finally, we should not forget the Art. 29 Working Party's recent opinion on Personal data.