The New Responsibilities for Internet Service Providers Introduced by the Italian Omnibus Decree

Written By Guest User

Italian Law No. 143 of October 7, 2024, converting the so-called Omnibus Decree (Italian Law Decree No. 113 of August 10, 2024, concerning urgent fiscal measures, extensions of legislative deadlines and economic interventions), has introduced a number of new obligations and responsibilities, for Internet Service Providers, including some carrying criminal charges.

Firstly, the law introduced significant revisions to Article 2 of the Italian Law No. 93/2023, concerning the disabling of access to abusive content disseminated online. In particular:

  • the provision for the AGCOM (Guarantor Authority for Communications) to order the disabling of access to abusive content has been extended, allowing not only the block of DNS resolution of domain names but also of the routing of network traffic towards IP addresses “predominantly” used for illicit activities (rather than only “exclusively”, as previously required) (paragraph 1);

  • the range of entities that can be subject to so called expedited precautionary measures for disabling access, available for cases of urgence (such as for live contents), has been extended to also include providers of VPN and DNS services publicly available, wherever resident and located (paragraph 3);

  • to guarantee the subjects who demonstrate a qualified interest, the ability to request the revocation of access inhibition provisions, due to documented lack, even supervening, of legal requirements, has been introduced (paragraph 3);

  • a maximum period of 30 minutes from the notification of a disabling order has been established, for its recipients to implement all technical measures aimed at impeding visibility of the content. This term is also applicable to search engine operators and information society service providers, even if they are not involved in making the illegal website or services accessible (e.g., through deindexing in search engines) (paragraph 5);

  • it has been provided that domain name resolution and network traffic routing to blocked IP addresses must be reinstated, after a period of at least six months from the block, if they are no longer used for illicit purposes (paragraph 5-bis);

  • lastly, in order to ensure a more efficient launch of the automated unified technologic platform and the effective enforcement of inhibition orders, solely for the first year of the platform’s function for all the recipients of the disabling measures, the Authority must set maximum quantitative limits on IP addresses and Fully Qualified Domain Names (FQDNs) that can be blocked simultaneously (paragraph 7-bis).

Additionally, Law No. 143/2024 introduced the new Article 174-sexies into Italian Law No. 633/1941 (Copyright Law), with the main objective of combating the phenomenon of online piracy also under criminal law.

The provision concerns the following subjects:

  • providers of network access services;

  • search engine managers and information services providers, including providers and intermediaries of VPN or any technical solutions that obstruct the identification of the originating IP address;

  • content delivery network operators;

  • providers of internet security services and distributed DNS, placed between the visitors of a site and the hosting providers acting as reverse proxy servers for websites.

Such entities are now obligated to immediately report to the Judicial Authority or Judicial Police any criminally relevant conduct (e.g., violations of the Copyright Law, abusive accesses to computer or telematic systems, computer frauds, etc.) of which they become aware in the course of their activities, sharing all information available to them.

The same entities are also obligated to designate, and notify AGCOM, of a contact point allowing them to directly communicate with the authority (if established outside the EU, they must designate a representative in Italy).

Failure to report or communicate (except in cases of complicity in the same offence) is punishable, for individuals by imprisonment of up to one year, and for legal entities by monetary and disqualifying penalties under Article 24-bis of the Italian Legislative Decree No. 231/2001 on corporate administrative liability.

The described legislative novelties have generated criticism and debate: beyond interpretative issues (e.g., concerning the relationship with the exemption from liability for so-called passive hosting) or purely technical-informatics problems, there are some possible application difficulties, related for example to the need for providers and operators to possess the skills to correctly identify illicit behaviors, or to the large volume of appeals and reports that AGCOM would need to handle.

Certainly the most impactful aspect of the changes, which most concerns the operators, is the strict criminal liability regime. This also raises doubts about constitutional legitimacy when linked to the failure to report mere suspicions of illegal activities, amounting to a form of strict liability.

Furthermore, this system, by imposing continuous and generalized surveillance obligations, also risks to indirectly conflict with European (see particularly Articles 6 and 8 of the DSA) and national legislation on privacy.

It only remains to observe how it will be concretely applied and whether legislative or jurisprudential adjustments will follow.

Guest User
Previous

The ECJ on cross-border jurisdiction in patent infringement actions
Next

Search Order regarding Know-How: A recent successful case handled by Martini Manna & Partners before the Court of Brescia.