On liability of Internet Service Provider: between the absence of a general surveillance obligation and Law & Economic views

On liability of Internet Service Provider: between the absence of a general surveillance obligation and Law & Economic views

Abstract: The ISP, qualified as a legal entity, becomes personally liable for the content of such services in the event that, having received a special request by the judicial or administrative authority, which has supervisory functions, not readily prevent access to illegal content. This paper aims to provide some thought on a topic, such as that of the responsibility of the provider incase of tort, much debated and, in some ways, still far from finding a fulfilling response. The search engine is an online service aimed at the retrieval of data and information provided by Internet Service Provider, or a broker who acts as provide users with specific transport services, temporary and permanent storage of the information transmitted on the network.

Summary: 1. The legal framework – 2. The simple transport activity: mere conduit – 3. The activity of automatic, intermediate and transient storage: caching – 4. On the absence of a general surveillance obligation – 5. Conclusions

 

It can be seen how the legislator has introduced a general framework on the liability of ISPs, distinguishing them by type of function. In this way, the different allocations of the risk of non-fulfillment or of liability in the sense of the intermediary are distinguished, as well as the conditions which integrate the intermediary’s liability on the basis of the role actually played in the offence. Added to this is that no regulation provides for the provider to have either a general ex ante obligation to monitor the information it transmits or stores, nor, even less, a preventive obligation to research the facts or circumstances that indicate the presence of illegal activities.

The ratio of the discipline under analysis – as mentioned – is the result of a careful legislative policy, aimed at not mortifying the activity of the intermediary, on the one hand, who would be exposed to a preventive obligation and the relative costs that exceed the maximum diligence desirable for such a complex economic-social activity; on the other, there is a desire to protect the rights guaranteed by the ECHR and by the Constitution, such as ex multis the right to privacy, to name and to be forgotten. The same is, however, required to inform – promptly – the judicial or administrative authority, having a supervisory function, if he is aware of alleged illegal activities or information concerning one of his recipients of the service and to provide this authority, where required ,

Therefore, the choice to exempt the provider from the general obligation of surveillance does notit is certainly devoid of meaning on the level of the politics of law. In balancing the community’s interest in being able to enjoy the advantages of the network and the interest in preventing crimes from being committed on the network, the former is certainly valued. Therefore, it is a question of implementing measures to safeguard the sacrificed interest with the prevailing interest. In this sense, the economic analysis of law represents a matrix of the utmost importance: the cost of liability – in this perspective – is allocated in an optimal way (so-called Pareto optimal)[1]. It is a situation of efficient resource allocation. When the same occurs, it is not possible to improve well-being – understood as the utility of a subject or associate – without worsening the well-being of the other subjects.

The regulatory reference for qualifying the liability regime of providers is Legislative Decree 9 April 2003, no. 70, issued in implementation of Directive 2000/31/EC, “relating to certain legal aspects of information society services in the internal market, with particular reference to electronic commerce” and in particular articles 14 to 17. These last provisions, in particular, differentiate the conditions integrating the liability of the intermediary based on the role effectively performed in the context of the offence. Before examining the individual profiles of responsibility in detail, it is appropriate to dwell briefly on the text of the law[2]. Legislative Decree no. 70/2003 transposed Directive 2000/31/EC with the intention of regulating the liability of intermediary operatorsin a unitary way, overcoming the divergent national regulations and the different interpretations of the territorial judges[3]. In the Community Directive 2000/31 and, therefore, in the legislative decree n. 70/2003, a general principle is introduced on the basis of which the providers (providers) do not have a specific obligation regarding the surveillance or active research of facts or circumstances that indicate the presence of illegal activities in relation to the transmission or storage information provided by third parties[4]. The providers are, however, required to promptly inform the public authorities of any alleged illicit activities or materials of the recipients of their services of which they become aware or, again, to communicate to the competent authorities themselves, at their request, the information that allow the identification of recipients with whom they have data storage agreements. The judge will therefore be called to assess whether the operation on the information is a mere technical operation, or whether there is an intention to influence the information itself. Only in the latter case will we speak of the provider’s liability, defined in a negative sense, ie only if the conditions referred to in the decree itself exist. The intermediary therefore operates within a clear and careful design of legislative policy, in which checks and balances are modeled in terms of “risks” and “costs” of integration of civil liability: the same is not responsible for the offenses committed by users using its services; if, on the other hand, the provider does not comply with the rules, he becomes responsible for it (liability for specific fault, i.e. for violation of the law), pursuant to art. 2055 of the civil code, jointly with the perpetrator of the offence.

Before the entry into force of Legislative Decree no. 70/2003, the non-contractual liability on the internet was mainly attributable to the providers, this to guarantee the injured party the identification of a responsible subject against whom to assert the interests in compensation[5]. The new discipline, on the other hand, introduced a liability system based on prevalenceslowly on the omission fault of the ISPs. In other words, it is foreseen that in general the provider of a service is not responsible for the information processed and for the operations carried out by those who use the service, provided that he does not intervene in any way on the content or on the performance of the operations themselves. However, lenders are obliged to some information duties[6]and operational procedures that introduce responsibilities for the intermediaries, while not entailing the obligation to preventively examine the information transmitted on one’s own machines in order to evaluate its possible harm to third parties[7]. The liability of the providers is governed by considering the activity actually carried out and justifying the same whenever they perform simple technical intermediation activities without active participation in the commission of the offence. The choice made by the legislator, in providing for the exemption from liability of the ISP, is exceptional, compared to the general system of civil liability. For this reason, the cases indicated in Legislative Decree no. 70/2003 must be considered absolutely mandatory and subject to restrictive interpretation[8].Specifically, reference is made to three distinct cases, or rather activities of simple transport service providers (mere conduit), temporary storage service providers (caching) and information storage service providers (hosting)[9].

2. The simple transport activity: mere conduit

The art. 14 of Legislative Decree no. 70/2003 regulates the so-called mere conduit activity,consisting in transmitting, on a communication network, information that is not its own (i.e. given by the recipient of the service) or in providing access to the network. Specifically, in the provision of simple information transmission services or in providing access to the communication network (mere conduit or simple transport), the provider is not responsible for the information transmitted, provided that the same does not initiate the transmission, does not select the recipient of the transmission and do not select or modify the information transmitted. The law establishes the principle of division between mere access services and content supply and/or production services; the reference legislation tends not to attribute liability to the service provider who behaves as a mere access provider, .It is clear that the exemption from liability exists sincewhen the lender is in a position of absolute neutrality with respect to the information conveyed . Paragraph 2, of the aforementioned article 14, then establishes that the activity of transmission and provision of access referred to in paragraph 1, include the automatic, intermediate and transitory storage of the information transmitted, provided that this serves only for the transmission on the communication and that its duration does not exceed the time reasonably necessary for this purpose.

This operation does not alter the qualification of the ISP’s activity and, therefore,the configuration of his responsibility as long as he maintains a third party position. Storage of the information transmitted for a period longer than that necessary for the transmission, to be obviously verified in practice, will, on the other hand, result in the loss of the favor legis from which the mere conduit provider benefits, with consequent compensation obligations .

The storage of information must be strictly instrumental totheir transmission in the telematic network, having to be removed as soon as the purpose of storage has been achieved. Despite the inevitable vagueness of the formula used by the legislator (“time reasonably necessary” to achieve the purpose of the transmission), it will be the technology and not the standard that will have to “dictate the times” and mark the boundary between the “neutral” activity of the provider and that of interference in the transmission of information.

And finally, the last paragraph provides that the judicial authorityo the administrative one, having supervisory functions, can demand, even urgently, that the service provider, in carrying out the activities referred to in paragraph 2, prevents or puts an end to the violations committed. This provision, to be connected to that of art. 17 of the same decree, incorporates a mere faculty left to the discretion of the Member States to provide that a judicial or administrative authority (“having supervisory functions”) requires the provider to prevent or put an end to a violation (art. 12, paragraph 3, Directive 2000/31/EC) . The immediate intervention of the competent authority will therefore have the advantage of preventing the violation from the outset or, in any case, of circumscribing the negative and prejudicial effects .

3. The activity of automatic, intermediate and transient storage: caching

The following article 15, legislative decree n. 70/2003, regulates caching activities -i.e. automatic, intermediate and temporary storage – establishing that in the provision of an information society service, consisting in the transmission, over a communication network, of information provided by a recipient of the service, the provider is not responsible for the automatic, intermediate storage of such information carried out for the sole purpose of making the subsequent forwarding to other recipients more effective, provided that it does not modify the information, complies with the conditions of access to information and with the rules for updating information, indicated in a widely recognized way and used by enterprises in the industry, does not interfere with the lawful use of technology widely recognized and used in the industry to obtain data on the use of information.

Furthermore, it is required that the ISP takes prompt action to remove the information it has stored, or to disable access, as soon as it becomes aware that the information has been removed from its original location on the network or that access to the information has been disabled or that a court or administrative authority has ordered the removal or disabling of access. The difference between the memorization activity performed by the caching provider and that referred to in the previous article (mere conduit) is clear; in the latter case we speak of an automatic, intermediate and transitory memorization, while, with reference to the assetscaching ty, the storage is defined by the legislator, as well as automatic and intermedaily, temporary .

The terminology used allows us to identify in the longer period of time expressed by the concept of temporariness with respect to that inherent in transience, a distinguishing elementtive. Even the doctrine – almost unequivocally – identified the discrimen in the manner described above. The caching system has the purpose of increasing the efficiency of the network, by keeping the information to which the users of the service have access at the provider’s server for a limited period of time, in order to facilitate access to the same information by other recipients who request it, without the need to go back to the original source.

The favor legis reserved for the provider that carries out caching activities is more limited than that guaranteed for the mere conduit activity, due to a series of far more stringent conditions which must be complied with in order to be exempt from liability towards of third parties.

Therefore, it requires the obligation to promptly remove the stored information, or to disable access to such information, as soon as it actually becomes aware of the fact that the information has been removed from the place wherewere originally on the network or that access to the information has been disabled, or that a court or administrative authority has ordered their removal or disabling. For this purpose, it detects the moment of effective knowledge on the part of the provider, or of the communication of the person who has requested the removal of the contents.

It is up to the judge not only to ascertain whether the information has been temporarily stored, thus configuring the caching activity, but also to evaluate the “timeliness” of the removal intervention; in this case, the provider is required to demonstrate that it has acted promptly according to the criterion of professional diligence (art. 1176, paragraph 2, of the civil code) .

4. The business of storing information: hosting

The provision of whichin article 16, legislative decree n. 70/2003 regulates the hosting activity. That is, it consists of the provider’s activity which can range from the mere management of the site on the server, with memorization of the web pages, to the keeping of the customer’s computer archives, with conservation of the log files.

In accordance with the standardmentioned, the provider is not responsible for the information stored at the request of a recipient of the service provided that he is not actually aware of the fact that the activity or information is illegal and, as regards claims for damages, is not aware of facts or circumstances which make manifest the illegality of the activity or information and as soon as knowledge of such facts, on communicationauthorities, take immediate action to remove the informationor to disable access.

The hosting business is a form of storagetend to be long-lasting. Given the above in general terms, it is necessary to underline the distinction between criminal liability, for which effective knowledge of the illicit activities or information is required, to be understood strictly in accordance with the principles of criminal imputability, from civil liability, with respect to which the assessment of guilt due to negligence of the service provider is required against the allegation of substantial knowledge of facts or circumstances which make the illegality of the activity or information manifest, without this implying the execution of a thorough check on the contents conveyed, in the absence of specific reports from third parties . Also in this context there is a “general” exemption from liability; however, this does not apply if the intermediary, as soon as he becomes aware of illicit facts, upon express communication from the competent authorities, does not immediately take steps to remove the illicit information or to disable access to it, or, for the purposes of civil liability, if the provider, informed of facts or circumstances which make manifest the illicit or prejudicial nature of any of the activity or information, fails to inform the competent authority. The obligation to monitor does not therefore arise automatically. An effort would be required of the server manager which would exceed the maximum diligence and, moreover, would mortify the activity of the intermediary. This provision is the result of a balancing of interests put in place by a legislative policy careful to protect the constitutionally guaranteed rights, on the one hand, including those of privacy and freedom of expression and, on the other, the intention not to mortify the activity of intermediaries. The exemption does not apply if the recipient of the service acts under the authority or control of the provider (Article 16, paragraph 2). In this case, the hosting provider will be liable for the tort of others pursuant to art. 2049 of the civil code, jointly with the perpetrator of the offence, in all cases in which the latter, acting under the control and/or supervision of the corporate organization of the hosting provider, carries out actions harmful to the rights of third parties . In a nutshell, it can be stated that if there is no surveillance obligation there is no criminal liability and if there is correct behavior with the supervisory authorities there is no civil liability.

4. On the absence of a general surveillance obligation

Finally, particularly significant is the art. 17 regulation of closure of the accountability systemstability which establishes the general absence of an obligation to monitor.

The provider, in the provision of mere transport services (art. 14), caching, (art. 15) and hosting (art. 16), is not, in fact, subject to a general obligation to monitor the information which it transmits or stores, nor to a general obligation to actively seek out facts or circumstances which indicatethe presence of illegal activities (Article 17, paragraph 1) . However, the provider is required to inform the judicial or administrative authority with supervisory functions without delay, if he is aware of possible illegal activities or information concerning a recipient of the information society service. It must provide without delay, at the request of the competent authorities, the information in its possession that allows the identification of the recipient of its services with whom it has data storage agreements, in order to identify and prevent illegal activities (Article 17, paragraph 2 ).

To give rise to the obligation to be paid by the provider, therefore, the actual is requiredknowledge of the illegality of the content in question. Obviously, the obligation to communicate the information “in its possession” does not imply any obligation to check the truthfulness of the data provided by the user when subscribing to the service, in the absence of Community regulations which make it the responsibility of the provider to identify certain users. The intention was thus to relieve the provider of a series of control obligations which would jeopardize the very activity of the ISPs, effectively blocking the development of the network, while inserting an obligation to inform in the event of knowledge of illicit activities. There is, therefore, an exclusion of liability of the service provider as long as he does not intervene with an active and conscious conduct in the introduction of illicit contents or with a facilitation or participation in a possible crime.

However, in the event that the lender, having received a request from the judicial authorityor administrative authority with supervisory functions, does not act promptly to prevent access to unlawful contents, or if, having become aware of the unlawful or prejudicial nature of a third party of the content of a service to which it ensures access, it has not proceeded to inform, timely, the competent authority becomes civilly responsible for the content of these services (Article 17, paragraph 3). The provision in question identifies the balance between the freedom of the provider and the protection of any injured parties in the establishment of information obligations to the authorities, charged to the provider itself, in relation to alleged illegal activities or information of which it has become aware, also in order to allow the identification of those responsible.

By disposing of this, the legislator intended to establish the assumptions of the liability of the Provider owns the effective knowledge of the data entered by the user and any inaction in the removal of information known by him as illegal.

Therefore, the way has been opened to a jurisprudential orientation on the liability of providers, with a line that sees the exemptionof the mere site manager who does not produce content and limits himself to making the virtual space available to users . On this point, a recent jurisprudential ruling is particularly significant, which affirmed the principle according to which “no rule provides that there is a general obligation for the provider, whether it is also a hosting provider, to monitor the data entered by third parties on the site managed by it ; nor does the provider have any criminally sanctioned obligation to inform the person who entered the data (uploader) of the need to apply the legislation relating to the processing of the data contained in the so-called Privacy Code (legislative decree no. 196/ 2003)”. The Supreme Court arrives at this conclusion starting from the analysis of the definitions of “treatment” and “data controller”, specifying that the specificity of the second corresponds to the breadth of the first concept.

5. Conclusions

It can be seen howthe legislator has introduced a general framework on the liability of ISPs, distinguishing them by type of function. In this way, the different allocations of the risk of non-fulfillment or of liability in the sense of the intermediary are distinguished, as well as the conditions which integrate the intermediary’s liability on the basis of the role actually played in the offence. Added to this is that no regulation provides for the provider to have either a general ex ante obligation to monitor the information it transmits or stores, nor, even less, a preventive obligation to research the facts or circumstances that indicate the presence of illegal activities.

The ratio of the discipline under analysis – as mentioned – is the result of a careful legislative policy, aimed at not mortifying the activity of the intermediary, on the one hand, who would be exposed to a preventive obligation and the relative costs that exceed the maximum diligence desirable for such a complex economic-social activity; on the other, there is a desire to protect the rights guaranteed by the ECHR and by the Constitution, such as ex multis the right to privacy, to name and to be forgotten. The same is, however, required to inform – promptly – the judicial or administrative authority, having a supervisory function, if he is aware of alleged illegal activities or information concerning one of his recipients of the service and to provide this authority, where required ,

Therefore, the choice to exempt the provider from the general obligation of surveillance does notit is certainly devoid of meaning on the level of the politics of law. In balancing the community’s interest in being able to enjoy the advantages of the network and the interest in preventing crimes from being committed on the network, the former is certainly valued. Therefore, it is a question of implementing measures to safeguard the sacrificed interest with the prevailing interest. In this sense, the economic analysis of law represents a matrix of the utmost importance: the cost of liability – in this perspective – is allocated in an optimal way (so-called Pareto optimal) . It is a situation of efficient resource allocation. When the same occurs, it is not possible to improve well-being – understood as the utility of a subject or associate – without worsening the well-being of the other subjects.

 

 

 

 

 


[1]TRIMARCHI, Civil liability: unlawful acts, risk, damage, Giuffrè, 2021; NICITA. and SCOPPA, Economics of Contracts, Cacucci Editore, 2005; FRANZONI – MARCHESI, Economics and economic policy of law, Il Mulino, 2006; POSNER, Economic Analysis of Contract Law after Three Decades: Success or Failure?, The Yale Law Journal Vol. 112, No. 4, 2003, 829-880. See in particular, the Court of Justice of the EU, section III, 3 October 2019, n. 18/2018 stated that directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 (so-called “directive on electronic commerce”), in particular its art. 15(1) must be interpreted as meaning that it does not prevent a judge of a Member State from being able to: b) order a hosting service provider to remove the information stored by it and the content of which is equivalent to that of information previously declared illegal or to block access to the same, provided that the surveillance and search of the information object of that injunction are limited to information that conveys a message the content of which remains substantially unchanged from that which gave rise to the illegality finding and which contains the elements specified in the injunction and the differences in the wording of that equivalent content with respect to that which characterizes the information previously declared illegal are not such as to force the hosting service provider to carry out an independent assessment of this content; c) order a hosting service provider to remove or block access to the information subject to the order worldwide, under relevant international law
[2] The decree currently, inter alia, provides for: (i) the obligation of the ISP to take immediate action to remove from its site the information revealed to be illegal or to disable access to it, following a specific communication from the competent authorities (cf. Article 16), and (ii) the absence, on the part of the ISP, of a general obligation to supervise the information transmitted or stored, as well as the absence of the obligation to actively search for facts or circumstances which indicate the presence of illegal activities (cf. art. 17).
[3] ALPA, New figures of civil liability of community origin, in this Review, 1999, 5 ss.; BUGIOLACCHI, Principles and open questions on the non-contractual liability of Internet providers. A summary of comparative law, in Dir. inf. inform., 2000, 865; DE CATA, The civil liability of the Internet service provider, Milan, 2010, 186; DI CIOMMO, Technological evolution and civil liability rules, Naples, 2003, 239; GAMBINI, The civil responsibilities of the internet service provider, Naples, 2006; ZENO ZENCOVICH, The relationship between civil liability and criminal liability in communications on the Internet (preliminary reflections), in Dir. inf. inform., 1999, 1050.
[4] On the subject LEOCANI, The EU directive on electronic commerce: introductory notes, in Europe dir. priv., 2000, 652; SANTAROSSA, The European directive on electronic commerce, in CeI/Europe, 2000, 857 ss.; ANDREOLA, Civil liability profiles of the search engine, in Nuova giur. civ. comm., 2012, 129
[5] DI CIOCCO-SARTOR, Computer law issues, Turin, 2011, 93. See also DI MAJO, The provider’s responsibility between prevention and removal, in Corr. jur., 2012, 553
[6] The comparability of the provider to the director of the newspaper was affirmed, hence the obligation also for the former to avoid and not facilitate illicit behavior by its users. An attempt has been made to recognize objective liability on the part of the ISP, pursuant to art. 2050 of the civil code, equating the provider to the dangerous activity operator with theconsequent aggravation of the burden of proof for the same, called to answer for the unlawful act of any web user, if he is unable to prove that he has taken all the appropriate measures to avoid the damage: DE LUCA-TUCCI, op. cit., 1215 ff.
[7] The basic assumption is that the ISP, providing useful services to the community, cannot be subjected to one”objective” responsibility which would paralyze, or certainly slow down, the development of the new economy and the net generation: DE LUCA-TUCCI, op. cit., 1215 ff. The liability of the provider therefore takes the form of a subjective liability: culpable when the service provider, aware of the presence of suspicious material on the site, refrains from accepting its illegality and, at the same time, from removing it; fraudulent, when he is also aware of the illegality of the user’s conduct and, once again, fails to intervene: NIVARRA, (voice) Responsibility of the provider, in Dig. disc. priv., section civ., adj., 2003, 1198.
[8] As stated if at first yesthere is an attempt to assimilate the provider to the figure of the manager of a magazine, applying the regulation of crimes involving the press, for which the owner of the publication and the publisher, on the other hand, subsequently attempted to recognize an objective liability connected to the ISP in accordance with art. 2050 of the Civil Code, however, this approach did not convince as it is evident that the activity carried out by the provider does not objectively and intrinsically appear to be a source of danger. The setting based on the configurability on the part of the ISPs of an objective liability for culpa in vigilando, would determine the paralysis of the network: DE LUCA-TUCCI, op. cit., 1215 ff.
[9] ALPA, New figures of civil liability of community origin, in this Review, 1999, 5 ss.; BUGIOLACCHI, Principles and open questions on the non-contractual liability of Internet providers. A summary of comparative law, in Dir. inf. inform., 2000, 865; DE CATA, The civil liability of the Internet service provider, Milan, 2010, 186; DI CIOMMO, Technological evolution and civil liability rules, Naples, 2003, 239; GAMBINI, The civil responsibilities of the internet service provider, Naples, 2006; ZENO ZENCOVICH, The relationship between civil liability and criminal liability in communications on the Internet (preliminary reflections), in Dir. inf. inform., 1999, 1050.

Salvis Juribus – Rivista di informazione giuridica
Direttore responsabile Avv. Giacomo Romano
Listed in ROAD, con patrocinio UNESCO
Copyrights © 2015 - ISSN 2464-9775
Ufficio Redazione: redazione@salvisjuribus.it
Ufficio Risorse Umane: recruitment@salvisjuribus.it
Ufficio Commerciale: info@salvisjuribus.it
***
Metti una stella e seguici anche su Google News

Articoli inerenti