Internet Intermediary Liability for Copyright Infringement: From McFadden to the DSM Directive

When third parties use Internet services — open Wi-Fi networks, hosting providers, social media platforms, content-sharing services — to infringe copyright, the question of intermediary liability arises. Is the network owner, host, or platform liable for infringements committed by users? The European framework has evolved substantially over the past two decades, from the safe-harbour regime of the e-Commerce Directive 2000/31/EC, through the landmark CJEU decision in McFadden (C-484/14, 2016), to the major shift introduced by Article 17 of the DSM Directive 2019/790 and the Digital Services Act 2022.

This guide traces that evolution and explains the current Italian framework. For the broader copyright framework, see our master pillar guide to copyright law in Italy and Europe.

The starting point: e-Commerce Directive safe harbours

The e-Commerce Directive (2000/31/EC), transposed in Italy by D.Lgs. 70/2003, established three safe-harbour regimes for Internet intermediaries:

  • Mere conduit (Article 12 / Art. 14 D.Lgs. 70/2003): pure transmission and access providers are not liable for infringing content transmitted, provided they do not initiate the transmission, select its recipient, or modify the content;
  • Caching (Article 13 / Art. 15): temporary intermediate storage benefits from a parallel exemption;
  • Hosting (Article 14 / Art. 16): hosting providers are not liable for stored content if they have no actual knowledge of infringement and act expeditiously to remove it upon obtaining knowledge.

These safe harbours were the foundation of the Internet as we know it — they allowed search engines, social platforms, and hosting services to emerge without facing liability for every user-uploaded infringement.

The McFadden decision (CJEU C-484/14, 2016)

Tobias McFadden ran a lighting and sound shop outside Munich and offered free open Wi-Fi to attract customers. Someone used the network to upload a Sony Music album by the German band “Wir sind Helden” without authorisation. Sony sued McFadden for damages.

The CJEU held on 15 September 2016:

  • Free Wi-Fi offered to customers qualifies as an “information society service” under the e-Commerce Directive;
  • The mere-conduit safe harbour applies — the operator is not liable for damages for third-party infringements;
  • However, copyright holders can seek injunctions requiring the operator to take specific measures, including password-protecting the network and identifying users seeking access.

McFadden established the balance that continues to define EU intermediary liability: no damages, but injunctive measures available to enforce copyright protection.

The DSM shift: Article 17 and content-sharing platforms

The Digital Single Market Directive (2019/790), transposed in Italy by D.Lgs. 177/2021, fundamentally reshaped intermediary liability for a specific category: online content-sharing service providers (OCSSPs) — platforms whose main purpose is to store and give public access to large amounts of user-uploaded copyrighted content (YouTube, Facebook, TikTok, etc.).

Under Article 17 DSM (Article 102-sexies LDA in Italian implementation):

  • OCSSPs are deemed to perform acts of communication to the public when users upload copyrighted content — meaning they directly engage copyright;
  • OCSSPs must obtain authorisation (typically licences) from rights holders;
  • Without authorisation, OCSSPs face direct liability unless they demonstrate they have:
    • made best efforts to obtain authorisation;
    • made best efforts to ensure unavailability of specific content for which rights holders provided relevant information;
    • acted expeditiously to remove notified content and prevent its re-upload (notice-and-stay-down).

This represents a substantial departure from the e-Commerce Directive safe harbour — for OCSSPs, the regime is now closer to direct liability with specific defences, rather than a true safe harbour.

The Digital Services Act (2022)

The DSA (Regulation 2022/2065) supplements the framework with:

  • Updated mere-conduit, caching, and hosting safe harbours (replacing parts of the e-Commerce Directive);
  • Notice-and-action mechanisms for illegal content;
  • Transparency obligations for online platforms;
  • Specific obligations for very large online platforms (VLOPs) under EU Commission designation;
  • Coordinated enforcement framework across Member States.

The DSA does not replace DSM Article 17 — both apply, with DSM Article 17 governing the specific OCSSP context and the DSA governing the broader intermediary framework.

Italian enforcement: AGCOM and judicial measures

In Italy, copyright enforcement against online intermediaries operates through:

  • AGCOM (Italian Communications Authority): administrative procedures for content takedown under Regulation 680/13/CONS and subsequent updates, including expedited procedures for live sports streaming piracy;
  • Specialised IP chambers: judicial injunctions, damages claims, and procedural urgent measures (Article 700 CPC);
  • “Piracy Shield”: the Italian system for rapid blocking of pirate streaming domains, particularly for live sports;
  • Cross-border coordination: through the EU framework for cooperation between national authorities.

AI training and intermediary liability

An emerging frontier: AI companies that scrape copyrighted content from the web for training their models. The intermediary framework provides some protection for the websites hosting the content being scraped, but AI training itself is governed by the separate DSM Articles 3-4 (text and data mining) framework with rights holders’ opt-out — see our AI photography guide for detail.

Implications for businesses

  • Internet providers and Wi-Fi operators: McFadden safe harbour applies for damages, but injunctive measures (password protection, user identification) may be ordered;
  • Hosting providers: e-Commerce / DSA hosting safe harbour applies, with notice-and-action obligations;
  • Social media and UGC platforms: DSM Article 17 direct liability regime applies — licensing arrangements with rights holders are now essentially required;
  • Streaming platforms: substantial licensing obligations and rights clearance frameworks;
  • AI companies: DSM Articles 3-4 framework, plus EU AI Act transparency obligations.

How DANDI supports clients

DANDI.media advises Internet intermediaries, content platforms, AI companies, and rights holders on intermediary liability, DSM Article 17 compliance, DSA obligations, AGCOM proceedings, and cross-border enforcement. For consultation, book directly with Avv. Claudia Roggero or Avv. Donato Di Pelino.

Related guides

| Topic | Resource |
| --- | --- |
| Copyright Law in Italy and Europe (master pillar) | /en/copyright-law-italy-europe/ |
| Preventing Image Theft (takedown procedures) | /en/preventing-image-theft/ |
| AI Photography (DSM TDM framework) | /en/ai-artificial-intelligence-photography/ |
| Moral Rights in Italy | /en/moral-right/ |
