No doubts about the direct civil liability of a Provider of illegal acts performed by the provider itself. But can we talk about provider’s civil responsibility also with regards of the diffusion, by means of its infrastructure, of illegal contents by part of third-parties? Drawing inspiration from a recent sentence of the Corte d’Appello di Roma (appeal court of Rome), in this article we will try to clear things on the civil responsibility of Cloud ISP.


In the IT language, the term Provider refers to an intermediary entity in communication that offers different services: for instance, access to the network with Internet - Network Provider; or access to Internet services - Internet Provider; Website hosting - Host Provider; and so forth. So, what is the responsibility of a Provider for such “mediatoring” activity? A recent sentence of the aforementioned Corte d’Appello di Roma, sentence n.2833 of April 29, 2017, stated declared the civil liability of a provider for any illegal act committed by third parties using the provided digital platform.

In particular, such third party illegally used and diffused with the platform provided by the provider, some TV shows whose rights holders sued the Provider for compensation.

The appeal court then confirmed the responsibility as it excluded that the activity of the Provider would be classified as only hosting provider and, therefore, mere “storing” of data, which an activity characterized by a “merely technical, automated and passive” aspect, thus ruling out any possible liability. The court instead classified the position of the company as active being a content provider and, anyway, an active aggregating provider because of “several activities performed by the provider in the management of content upload on its own digital platform” (for instance, crawling of audio and video content for ads purposes according to their visualizations, which is an activity that, as for the court, implies “the direct interest of such provider in knowing the nature and the type of content present on its platform” and “there’s an active data management different from the mere provide of a simple technical support for content uploading …”).

Therefore the court recognised “a voluntary activity aimed to concur or cooperate with a third party in the offence”, thus excluding the neutrality of the provider given the characteristics of the services provided. The position of the provider was further worsened by being warned of removing such content by the owner, so it knew about the diffusion of the content, but did nothing.
This recent verdict, which confirmed what also the court ruled in the first instance, gives us the opportunity of going deeper in the subject. As a general rule, art.15 of directive 31/2000/EC (“...on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market”) excludes the existence of “a general obligation on providers [...] to monitor the information which they transmit or store, nor a general obligation actively to seek facts or circumstances indicating illegal activity” with reference to mere conduit (art.12), temporary storage -caching- (art.13) and hosting (art.14) providers.

Art.14 of the same directive in particular, which was recalled in the ruling of the appeal court, deals with hosting, defined as “an information society service is provided that consists of the storage of information provided by a recipient of the service” which implies an exclusion of liability of the service provider, provided that such provider: a) is not actually aware of the illegal nature of the activity or information and, regarding compensation, is not aware of facts or circumstances that show such illegality, or b)as soon as it is aware of such facts, acts immediately removing said information or disable their access.

This indication has to be put in context also with “whereas” 42 of the directive, which clarifies that “the exemptions from liability established in this Directive cover only cases where the activity of the information society service provider is limited to the technical process of operating and giving access to a communication network over which information made available by third parties is transmitted or temporarily stored, for the sole purpose of making the transmission more efficient; this activity is of a mere technical, automatic and passive nature, which implies that the information society service provider has neither knowledge of nor control over the information which is transmitted or stored.

With a further clarification that the exemption from liability doesn’t hold “when the recipient of the service is acting under the authority or the control of the provider” (art.14, clause 2). This european directive has been transposed to the italian laws, regarding hosting and the verdict of the appeal court, with art.16 of the implementing legislative decree n.70 of 9.4.2003, which blindly repeats the content.

In conclusion, a case-by-case exam of the content of the service is needed to verify whether there is a civil liability of the Provider for the diffusion of illegal content; such exam requires a control on the service to determine if it is “merely technical, automated and passive” and, therefore, without a “controlling” capability of any other capability that could acknowledge the nature of the content being stored or transmitted, and to determine whether the aforementioned premises for a Provider’s exemption from liabilities are present.
Otherwise, as ruled in the case examined by the appeal court, “the provider cannot invoke at its own vantage that condition of neutrality and merely technical supports which reflects in a liability exemption ex art. 14 of the aforementioned CE directive and of art.16 of the related implementing decree.”

About the Author

Veronica Morlacchi

Laureata a pieni voti in giurisprudenza, è Avvocato Cassazionista, iscritta all’Albo degli Avvocati di Busto Arsizio dal 2004 e all’Albo degli Avvocati abilitati al Patrocinio davanti alla Corte di Cassazione e alle altre Giurisdizioni superiori. Si occupa principalmente, nell’interesse di Privati, Professionisti, Aziende ed Enti pubblici, di diritto civile, in particolare responsabilità civile e risarcimento danni, diritto delle nuove tecnologie e privacy, contratti, persone e famiglia. Ha conseguito un master in Responsabilità civile e un corso di perfezionamento in Tecniche di redazione dei contratti e, da ultimo, si è perfezionata in Data Protection e Data Governance all'Università degli Studi di Milano e in Strategie avanzate di applicazione del GDPR. Pubblica periodici aggiornamenti e articoli nelle materie di cui si occupa sul suo sito e da giugno 2016 collabora con Guru Advisor