Ireland

[IT] Monitoring the Activities of P2P Users Runs Foul of Privacy Legislation

IRIS 2008-7:1/26

Amedeo Arena

Università degli Studi di Napoli "Federico II"

In its decision of 28 February 2008, the Garante per la Protezione dei Dati Personali (the Italian Data Protection Authority) outlawed the use by private companies of a software designed to monitor, for the purpose of identifying and suing them, the activities of peer-to-peer (P2P) users that share copyrighted files on the Internet.

The decision of the Garante was adopted in the broader context of the controversial “Peppermint case”. The genesis of the case dates back to 2007, when the German record label Peppermint Jam Records GmbH (Peppermint) and the Polish videogame developer Techland sp. z o.o. (Techland) entrusted Logistep, a company based in Switzerland, with the task of monitoring P2P networks where their copyrighted works were allegedly being shared. To this end, Logistep used its own proprietary software, known as “File Sharing Monitor” (FSM), to monitor the availability of specified electronic contents on several file exchange networks, notably eDonkey and GNUtella. The IP addresses of users who downloaded or made such contents available to others were logged in a database.

Peppermint and Techland hence brought several actions before the Rome Civil Court of First Instance seeking an order that the relevant Italian Internet Service Providers (ISPs) be enjoined to disclose the identities of the users behind the IP addresses included in the Logistep database. The earliest cases were decided in favour of Peppermint and Techland, which promptly contacted the users concerned requesting inter alia that they pay EUR 330 or face the consequences of criminal proceedings. In subsequent judgments, however, following the intervention in the proceedings of the consumer association Adiconsum and of the Garante itself, the Rome Court reversed its earlier case-law and dismissed the applicants’ claims.

In parallel with the said court proceedings – which dealt with the possible uses of Logistep’s database – the Garante initiated its own investigation to determine whether the gathering of such data was lawful in the first place. The procedure, which was carried out in cooperation with the Polish, Swiss and German Data Protection Authorities, led to the conclusion that the monitoring and data collection effected by Logistep was at variance with EU and Italian privacy legislation on several grounds.

At the outset, the Garante took the view that the data collection effected by Logistep constituted an instance of “interception or surveillance of communications”, which is not permitted to private parties pursuant to Article 5 of Directive 2002/58/EC on privacy and electronic communications and Article 122 of the Italian Data Protection Code.

In accordance with the decision of the Préposé fédéral à la protection des données et à la transparence (the Swiss Data Protection Authority) in the same case, the Garante further established a breach of the purpose limitation principle laid down in Article 6(b) of Directive 95/46/EC (the Data Protection Directive), as well as in Article 5(b) of the Strasbourg Convention No. 108/1981 for the Protection of Individuals with Regard to Automatic Processing of Personal Data. P2P networks, indeed, are meant to exchange data and files between users for personal purposes. The use of users’ data for other purposes, such as those pursued by Logistep and the other companies, thus contravenes the law.

Moreover, the Garante established an infringement of the principle of transparency, as P2P users received no prior notification that their data was being processed. Drawing on the case law of the Rome Court, as well as on the Working document on data protection issues related to intellectual property rights (issued on 18 January 2005 by the Article 29 Data Protection Working Party), the Garante determined that the data in question (i.e. IP addresses, downloaded and shared files, etc.) constituted “personal data”, and should thus have been processed accordingly.

In view of the foregoing, the Garante adopted a decision under Article 143(1)(c) and 154(1)(d) of the Italian Data Protection Code whereby Peppermint, Techland and Logistep were barred from further processing the said data and were enjoined to erase it by 31 March 2008. Pursuant to Article 170 of the Code, failure to comply with such a decision may result in imprisonment for up to 2 years for the natural persons involved.