Italy: Peppermint‘s Case: Lawful Copyright Protection Or Data Protection Breach ?

On April 2007, Peppermint Jam Records GmbH (hereinafter "Peppermint"), a German music label, sent out 3,636 notices of copyright infringements to alleged Italian file-sharers informing them that they have been found guilty of uploading copyrighted songs.

The notices, sent by an Italian Law Firm, requested the 3,636 Italian swappers to stop persisting in their infringements of copyright laws and requested them to immediately remove from their PCs all songs belonging to the Peppermint label. In particular, each user has been specifically charged of sharing only a single song.

The notices also invited users to wire transfer EUR300.00 to the Italian Law Firm’s bank account within May 14, 2007, if they wanted to avoid a criminal and/or a civil lawsuit brought against them. The amount represented a symbolic compensation for damages caused by sharing that song, including legal and investigation expenses. Attached to the notices Italian users also received a draft settlement agreement, to be signed and returned to the Italian Law Firm in case of acceptance.

As mentioned above, the notices stated that the acceptance of the draft settlement agreement as well as payment of the requested amount, would avoid users from being subject to a criminal judgement for copyright infringements. This statement, however, is not exactly true. In fact, Italian file sharers could be subject to a criminal proceeding although they have paid the above amount and signed the settlement agreement. This is because, under Italian law, the crime of copyright infringement is prosecuted ex officio.

The Peppermint case, began during the year 2006, when Peppermint sued an Italian Internet Service Provider (hereinafter the "ISP") before the Special IP Section of the Court of Rome in order to obtain the name and addresses of users who allegedly shared the file whose copyright belonged to Peppermint. In particular, Peppermint filed a claim pursuant to article 156 bis of Copyright Law, as amended by the Decree 140/2006, implementing the EU Directive 2004/48/EC, along with an investigation report carried out by Logistep, a monitoring file-sharings network, which showed – by providing a list of IP addresses – that Peppermint copyrighted songs were offered via Internet by means of file-sharing programs.

The Court of Rome, based on the evidence provided by Logistep’s report, issued an interim relief by which it ordered to the ISPto provide Peppermint with the complete personal details of its clients.

By matching the data provided by the ISP with the results of Logistep’s report, Peppermint decided to send the notices to the Italian file –sharers instead of beginning a proceeding towards all the infringers.

The decision of the Court of Rome is based on section 156 ter of Copyright Law, under which copyright holder who has presented reasonably evidence to support its claims, has the right to request the Court to order the defendant to provide documents or information. In particular, under section 156 ter the Court is entitled to request for information relating to infringed goods and services not only to the infringer, but also to any person found to be in possession of counterfeit goods or using or providing services infringing an IP right and any person indicated by such individuals as being involved in the production or distribution of counterfeit goods.

As a consequence, the Court of Rome deemed it possible that the copyright holder sue in a civil proceeding not the infringer of the copyrights, but, when the latter is unknown, any person involved in the infringement, such as the Italian ISP.

In the Peppermint’s case, the Court did not take any positions on the legality of file sharing practices.

According to a recent Italian Suprem Court’s decision, however, the copyright infringement deriving from file sharing – if not aimed at making profit - is not punishable.

The decision of the Italian’s Supreme Court, dated January 9, 2007, no. 149, concerned a specific case happened on 1999, when two Italian students made some copyrighted materials available for download on a University bulletin board. The students, according to the Supreme Court’s view, were not punished as their behavior was not aimed at making profit, and, therefore, it was not criminally punishable but it constituted only a civil offense that could be pursued for alleged damages.

Data Protection Issues Involved in the Case

In the Peppermint’s case the Court of Rome ordered to the ISP to disclose its clients’ personal data. This has triggered many criticisms as this disclosure was deemed to be an infringement of Italian Data Protection Law.

What has been criticized, however, is not the fact that the Court ordered the ISP to provide such data, as Italian Data Protection Law expressly allows that personal data disclosure in a judicial proceeding. What has triggered many discussions in Italy is whether Peppermint’s and Logistep’s activities aimed at collecting information of users were carried out infringing Italian Data Protection Law.

As to Peppermint’s activities, regardless the fact that the company has its registered offices in Switzerland, Italian Data Protection law should apply according to Section 5 of the Legislative Decree no. 196 of 30 June 2003, (hereinafter "Italian Data Protection Code" or " the Code"), under which the Code applies (i), to the processing performed by any entity established in Italy, including when data are held abroad and (ii) to the processing performed by an entity located in the territory of a non EU country (such as Switzerland) where said entity makes use, in connection to the processing, of equipment situated in the Italy.

Many commentators said that, in the case at hand, the Code applies to processing carried out in Italy (a) at the time personal data were collected from users’ PCs located in Italy (although this is an arguable position) (b) when users’ personal data were transferred to the Italian Law Firm, and were processed for the purposes of sending them the notices on the basis of the data collected from the Italian ISP.

As to Logistep’s activities, some argued that Section 122 of the Code should apply, under which an electronic communication network shall not be used to gain access to information stored in the terminal equipment of a subscriber or user or to store information or monitor operations performed by any user. This is also an arguable position, however, as users’ information are normally processed by P2P platforms with such users’ consent or, in any event, upon request of such users.

Furthermore, some commentators pointed out that Section 37, letter d) of the Code should also apply, under which the data controller shall notify to the Data Protection Authority the processing of personal data concerning data processed with the help of electronic means aimed at profiling the data subject or monitoring use of electronic communications services. This is also arguable, as Logistep’s activity was only aimed at collecting the IP addresses of Italian users: a stand alone IP address is not able to identify or profile users.

As of today, the discussion on the Peppermint/Logistep case is far from being concluded. In the last weeks, there have been some developments that can impact on the case and lead to different solutions.

First of all, following the discussions raised by this case in Italy, the Italian Data Protection Authority has filed a brief in the proceeding pending before the Court of Rome between Peppermint and the Italian ISP, in order to evaluate whether Peppermint ‘s and Logistep’s behaviours breached the Code.

Secondly, as a consequence of this case, a Polish company, Techland, a computer game developer, followed Peppermint ‘s approach and sued two Italian ISPs (Tiscali and Wind Infostrada), before the Court of Rome, filing an investigation report carried out by Logistep.

Finally, an Italian Consumers Association sent a letter to the Italian Bar Association to denounce a breach of the Italian Bar Association’s Code of Conduct by Peppermint’s counsels. The same Association filed a complaint before the Italian Data Protection Authority, requesting the Authority to verify whether there have been breaches of the Code by any of the companies involved in the case.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.