Summary. The following post will cover what happened in the Google executives’ trial in Itay from a legal point of view .
It explains which criminal sections were in the indictment, how they work, how the Electronic Commerce directive exempion works in Italy and why the electronic Commerce Directive did not apply in that particular case. We still do not have the complete ruling (only the verdict).
My best guess is this: Google made a possible mistake to not go for a formal consulting with the Italian Privacy Authority following the rule of sect. 17, before launching the service. It would have provided them with advice on how to deal with possible situations like this one, where users committed a crime (failing to comply with Data Protection code) using their service.
But even this is not a solution in my opinion, as it would require a service like Google Video or YouTube to ask each country for their specific rulings and exceptions, leading to a very complex legal situation.
I have been writing twice about the trial in my columns for Apogeonline: one written back in 2006, when everything started, and the other written hours after the news of the Google executives` conviction spread.
The post is a summary of the interview and both of my articles and of a conversation I had via Skype with Peter Kaptein while I was trying to explain him what was happening here but this post expresses my personal view only.
Everything happened in 2006 and I remember fairly well the frantic hours in the early days of November where a non stopping word of mouth was spreading amongst Italian blogs. A video depicting some students from a high school in Turin bullying and insulting a disabled guy had been found on Google Video. One of the students, a girl, was filming everything with her mobile phone and then uploaded the video. The video itself lived on its life in the internet magma from the beginning of September until the first days of November 2006 collecting lots of views meanwhile. This until someone reported its presence to a blog where it appeared a post about the video pointing out the shameful behavior of the students. A few days later we knew that a no profit organization filed a criminal suit in Milan for defamation (and in Turin other criminal suits followed against the students). Google itself took down the video after a formal request by the prosecutors and gave all the information they requested. Nevertheless within days the headlines of newspapers and all the media were announcing that Google Italy was prosecuted in Italy for defamation under the circumstance that the executives could be deemed accomplices to the students.
This was the beginning of the whole story that lead to the trial all the press is talking about worldwide and that has seen three Google`s executives convicted in Italy, even if the whole trial is still far from an ending. Many things have been said so far. As for now, anyway, no one knows what the judge stated in his decision since it has still to be made available to the public. I`d like to give my take trying to explain what we know now about the verdict and to give an overview about the laws stated in the indictment.
So the first hard question to give an answer to is if it`s possible, according to Italian law provisions, to deem the executives of a content provider liable for a crime committed by their users.
The case law decided on the 24 of February gives two different answers to this question, both very interesting and possibly scary at the same time.
During the trial, in fact, Google`s executives have been indicted with two charges: defamation and illicit processing of personal data.
The judge has acquitted all of the Google employees for the charge of defamation which means that the Italian court itself acknowledged that internet content providers have no obligation to control the content their users upload on their servers. The acquittal verdict was, in fact, “not guilty”. This opinion is shared by one of the Google`s executives lawyers, Giuseppe Vaciago who thinks that the acquittal from the charge of defamation can exclude an obligation for providers to control their users` content.
As for the second charge, instead, we have a completely different scenario. As for now, as Vaciago himself stated, we only know that actually the charges for the failure to comply with the privacy regulations were two, but we do not know yet for which of the two (or if for both) the Google executives were found guilty.
I think it`s important to give a quick look on the sections of the Italian Privacy Code that – according to the indictment – were violated in order to clarify the issues at stake.
Section 167 of the Italian data protection code states as follows:
“(Unlawful Data Processing)
1. Any person who, with a view to gain for himself or another or with intent to cause harm to another, processes personal data in breach of Sections 18, 19, 23, 123, 126 and 130 or else of the provision made further to Section 129 shall be punished, if harm is caused, by imprisonment for between six and eighteen months or, if the offence consists in data communication or dissemination, by imprisonment for between six and twenty-four months, unless the offence is more serious.
2. Any person who, with a view to gain for himself or another or with intent to cause harm to another, processes personal data in breach of Sections 17, 20, 21, 22(8) and (11), 25, 26, 27, and 45 shall be punished by imprisonment for between one and three years if harm is caused, unless the offence is more serious”.
The bold is mine and underlines the infringements stated in the indictment.
As for the section 23 recalled in the first sentence, it means that any organization can lawfully process people`s personal data only after collecting their prior consent.
The section 26 recalled in the second sentence, instead, regards “sensitive data”. In this situation the consent needs to be formal and signed. Anyways section 26 states also that no sensitive data disclosing health may be disseminated (i.e. shared on the web), not even if there is a written consent. This means that uploading a video where a disable person appears is forbidden.
Section 167 applies if the failure to comply with the above rules causes a damage to the person whose data are processed and if there`s a gain (which for the public prosecutors could be found in the AdSense ads that appear in Google Video).
Section 17, instead, states that before processing data that may carry specific risks it is mandatory to have a prior formal consulting with the Italian Privacy Authority in order to find a lawful way to comply with the rules and still maintain the service offered while preserving data subjects’ fundamental rights and freedoms and dignity.
So the sections relevant for section 167 are three (23, 26, 17) and all of them bring different rules and obligations. If the judge`s decision will state the failure of the prior consent or the unlawful dissemination of the disabled student`s data both the executives and the students should be deemed guilty. It is actually forbidden, in fact, for natural persons, to disseminate other people`s data without the prior consent. This means that before uploading a picture of Facebook where other people appear, or a video for instance, the consent becomes mandatory.
If the decision will state, instead, the violation of the rule of section 17 the unlawful behavior is by the executives of Google Italy alone.
We`ll be able to understand if the verdict was given because or the lack of prior consent, the unlawful processing of health related data or the omission of the prior consulting with the Privacy Authority (or all of the above) only after we`ll be able to read the sentence.
What we can reasonably hold for sure now is that Italian verdict was not based on the Electronic commerce directive, whose rules are in force and still apply and still are held as a basic safe harbor for internet providers here as in all EU member states.
I would also point that the said directive does not apply to privacy regulations (see section 1, point 5 b).
So, even if the electronic commerce directive provides a safe harbor for providers, it is not going to apply for privacy regulations for the whole European Union member states, not only in Italy.
But what could the basis of the conviction be then? Given that there is no safe harbor for privacy rules but still providers have in general no obligation to control users` generated content how should a provider behave to comply with Italian laws? Control or nor control? Both things have disgraceful effects. Control brings to censorship, the lack of control brings to responsibility (at least, for sure, under the privacy provisions).
My personal opinion is to follow a precautionary rule.
The first and obvious answer, in fact, is that a provider who is aware that through its services users might commit crimes regarding personal data should seek for a prior formal consulting with the Italian Privacy Authority following the rule of sect. 17.
The second one could be to force the users to formally accept and understand by the terms of service that they cannot share other people`s data. It is normal, in fact, that the responsibility of having the mandatory permissions to process other people`s data should lie on the user and not on the provider. Also because the latter has no concrete means to control that every single content is lawful. And to force the provider to control that every of its users have all the rights means also to take the responsibility related to such control, which is unrealistic and, for this reason, unlawful itself.
Awareness of what you are doing when you are lifestreaming yourself and your friends on the web, anyway, is a goal towards we all should strive to.
For sure this trial is going to be a landmark in Italy as it shows that the rules in force are still far from finding a balance between the freedom of expression in general and the protection of personal data in particular. And even following the precautionary rule would be a strong limitation not only for Google but for every internet service in general because that would mean that a local government should give its prior consent before the service can be rolled out in that country. This goes against the basic principle of the web as it has become to be: that all data and services are available world wide. In the worst case each country would be like a walled garden where each service, and so the users’content that it carries and delivers, should ask permission to enter.