On 27.2.2012 the Milan Court of Appeal published the reasoning behind the decision taken on 21.12.2012 declaring the full acquittal of Google in the case Google vs. Vividown.
The Court affirms that the criminal offence of unlawful data processing, stated by Section 167 of the Italian Personal Data Protection Code does not exist in the case under examination.
In order to have a better understanding of the decision, it is useful to analyse the text of Section167, as provided by the Italian Data Protection Authority website.
“Section 167. Unlawful Data Processing
1. Any person who, with a view to gaining for himself or another or with intent to cause harm to another, processes personal data in breach of Sections 18, 19, 23, 123, 126 and 130 or else of the provision made further to Section 129 shall be punished, if harm is caused, by imprisonment for between six and eighteen months or, if the offence consists in data communication or dissemination, by imprisonment for between six and twenty-four months, unless the offence is more serious.
2. Any person who, with a view to gaining for himself or another or with intent to cause harm to another, processes personal data in breach of Sections 17, 20, 21, 22(8) and (11), 25, 26, 27, and 45 shall be punished by imprisonment for between one and three years if harm is caused, unless the offence is more serious”.
According to Section 167, the criminal offence exists only if three circumstances occur simultaneously:
1) deceit with the clear intention of either gaining profit or of causing damage
2) data are processed violating one of the other Sections mentioned in Section 167
3) data processing has in fact caused damage.
According to the Court, the third circumstance has occurred. The other two have not.
First of all, clear deceit has not occurred: in fact it implies not only the purpose of gaining profit through ordinary commercial activity, but a specific profit directly achieved by the accused.
Secondly, data have been processed without giving data information to the data subject, but Section 13 of the Italian Personal Data Protection Code, which affirms this duty, is not mentioned in Section 167. Moreover, the duty to give data information to the data subject is the duty of the data processor, who in this case is the uploader of the video.
We can certainly share the opinion of the Milan Court of Appeal regarding their reasoning, which has the merit of shedding some light on a highly complex matter, which still has to be defined.
On 21.12.2012 the Milan Court of Appeal declared the full acquittal of the Google executives who had been convicted of violation of the data protection law in 2010 by the Milan Court, whose decision caused a worldwide sensation.
These are the facts: the video of a disabled schoolboy being bullied by his schoolmates which they had then uploaded to You Tube.
Google was not convicted due to the fact that under Italian Law providers has no obligation to carry out a prior control. However, as there is the involvement of personal criminal responsibility in this case the Google executives were convicted of violation of the privacy law. The main points debated were the applicability of Italian law per se in the case and Google’s obligation to verify that those who had uploaded the video had respected the data protection law.
We look forward to reading the reasoning behind this judgement, which for numerous different reasons will certainly have wide-ranging implications.
Blogs and online magazines are not required to be officially registered and therefore they cannot be accused of the crime of operating a “clandestine press”. This is the reasoning behind the Italian Supreme Court’s ruling which concludes the trial of Carlo Ruta, the journalist and Sicilian historian and founder of the blog “Accade in Sicilia” (“It happens in Sicily”).
In 2008 the journalist was convicted of the crime of operating a “clandestine press” by the Modica Court for publishing his blog without authorisation, as provided for by art. 5 of the Law 8.2.1948, n. 47. The judgement of the Modica Court was the confirmed by the Catania Court of Appeal.
During the course of the proceedings the defence had argued to no purpose that this blog and all blogs in general are not equivalent to printed newspapers in that they are to be considered simply as tools of information, also taking into consideration the fact that they are not regularly updated.
Despite the imminent prescription of the offence, the outcome of the appeal to the Supreme Court was awaited with a certain apprehension by the defenders of citizens’ online rights.
A confirmation of previous decisions would have represented the introduction of an outdated legal obligation for all Internet blogs, and thus a bureaucratic burden which would realistically have led to many sites closing.
With decision n. 2330, the Third Criminal Division of the Supreme Court of Cassation has overturned all previous decisions affirming that the legal definition of a press product requires two conditions which are not satisfied by electronic newspapers, namely those of printed reproduction and the publication of such materials.
In the opinion of the judge, not even the most recent provisions relating to the registration of newspapers are applicable to Ruta’s blog. Law 7.3.2001, n. 62 (concerning the regulation both on publishing and published products, which modified Law 5.8.1981, n. 416) and which introduced registration for online newspapers, specifies that the obligation is to be carried out only for administrative reasons and exclusively with the aim of obtaining funds set aside for publishing.
Moreover this limitation was confirmed by legislative decree 9.11.2003, n. 70, which explicitly provided that registration for online newspapers is compulsory exclusively for those activities for which service providers require access to public funds.
As appears evident, this is a decision with wide-ranging implications since it affirms that neither blogs, nor even online newspapers are subject to the obligation to register if they do not intend to have access to public funds.
On the 12th of October, 2012 the Consiglio di Stato (Italian Supreme Court of Administration) expressed a positive opinion on the ministerial draft regulation containing the technical rules referring to e-invoicing to State administration departments.
The draft decree, now awaiting approval by the Italian Council of Ministers, imposes an exclusively electronic form of invoicing management on public administration suppliers.
It is particularly worthy of note that this invoicing procedure is seen as a single multiphased process in which an electronic form is obligatory at every stage from issuing to archiving.
Public administration departments will have to implement adequate working procedures for receiving e-invoices as they will no longer be able to accept invoices issued or transmitted in a paper form.
On the 16th of October 2012 the Italian Council of Ministers approved the bill “New Provisions for Administration simplifications in Favour of Private Citizens and Businesses”.
The content, which will now follow parliamentary procedure in order to be approved, impacts on various sectors with measures aimed at simplifying business activity.
The provision according to which the Data Protection Code does not apply to those who process data in the course of business activity, even if of an individual nature, is particularly worthy of note and is likely to lead to lively debate.
The Data Protection Authority has already expressed grave doubts on the impact that this provision will have if finally approved.
The Proposal Regulation by the European Parliament and the Council of electronic identification and trust services for electronic transactions on the domestic market has recently been published and has begun its Parliamentary procedure.
Here is an outline of the main innovations provided for by the Proposal.
The most important innovation is the legal instrument chosen, which is no longer a directive, but a regulation. This is to ensure the uniformity of the new regulation: it provides for a single EU “law” instead of 27 “ national laws”.
It is a fact that complexity and juridical uncertainty generate a cost which Europe must eliminate in order to present itself as a single market.
The same choice has been made for the recent proposal on the General Data Protection Regulation.
Thus, the aim is to create a genuine single market for digital services, removing the obstacles created by different national laws.
The main aim of the new proposal is to achieve legal and technical interoperability among the EU countries regarding questions of e-identification, e-authentication and e-signature.
Once again to encourage the development of the domestic market in the field of digital services.
1. Member States have the right to notify the European Commission of individual national electronic identification schemes. Once notification has been given and has been included on the list published by the Commission, it must be accepted by the other Member States (e.g. in public procurements).
2. The e-seal which constitutes a legal person’s signature has been introduced and must be considered as distinct from the e-signature which constitutes a natural person’s signature.
Therefore a company will be able to use an e-seal without the signature of the legal representative in order to guarantee the origin and integrity of e-documents.
3. The obligation to store information concerning e-identification and qualified e-signatures has been introduced.
4. Extensive reference to technical standards.
5. Explicit recognition of the e-signature on remote servers and on mobiles.
The non-discrimination principle of documents with e-signatures on the sole ground that they are in an electronic form has been reaffirmed.
The equivalence between qualified electronic signatures and handwritten signatures has been reaffirmed.
Voluntary agreements under private law (such as those between banks and their clients) are not subject to the provisions of the regulation.
Personal data protection is changing.
After the modifications introduced by the Monti government in Italy, the recent proposal for a regulation relating to the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (2012/0011 – 25 .1.2012) is about to greatly change the picture.
The most important characteristic of the draft regulation is the change in the regulatory instrument which is not a directive, but a regulation.
This is to ensure the uniformity of the new regulation: a single EU “law” instead of 27 “laws”.
In fact, complexity and juridical uncertainty create a cost which Europe must eliminate in order to present itself as a single market.
Thus a European model would counterbalance the US model.
What are the main changes?
Speaking of general principles, the main changes concern the emphasis on the social function of the right to personal data protection, the increasing role of the principle of reasonableness and the importance given to the timescale.
The most relevant changes in greater detail are:
- The right to be forgotten
- The right to data portability
-The principle of accountability
-Privacy by design
-The increased emphasis on security expressed in:
Security breach notification
Data protection impact assessment
- More detailed regulation of transfers of personal data to third countries.
The so-called “advanced electronic signature” plays a leading role on the Italian market today.
It has recently been reintroduced into Italian legislation, with the latest version of the so-called “Digital Administration Code”, (Codice dell’amministrazione digitale -CAD), D. lgs. 7.3. 2005, n. 82 as modified by D. Lgs. 30.12.2010, n. 235.
Despite its name, the Code applies to both private and public bodies.
With regard to electronic signatures, the Code provides for a new kind of signature defined as the advanced electronic signature, which will be the fourth kind after the qualified, digital and electronic signatures. The definition of the advanced electronic signature is the same as Directive 1999/93/EC.
According to EU directive 93/1999 on electronic signatures the advanced electronic signature is defined as “an electronic signature which meets the following requirements:
[a] it is uniquely linked to the signatory;
[b] it is capable of identifying the signatory;
[c] it is created using means that the signatory can maintain under his sole control; and
[d] it is linked to the data to which it relates that any subsequent change of the data is detectable”.
According to Italian legislation, the advanced electronic signature, the qualified signature and the digital signature all satisfy legal requirements to the same degree, except for a few cases (concerning contracts regarding real estate). All of these signatures may have the same legal value as a hand-written signature.
The most interesting use of the advanced electronic signature in Italy is the handwritten signature on tablets, which is currently in use in many Italian banks.
The website www.italia programmi.net is again in the news for trying to extort a payment to none other than President of the Italian Republic Giorgio Napolitano.
The mechanism of the scam of the website has been repeatedly reported on our blog: the website offers users the possibility to download some softwares, notoriously known to be free, in exchange of the registration of their data.The truth is that, through the registration procedure the consumers subscribe without their knowledge a two-year contract with the company Estesa Limited based in the Seychelles, for the provision of a software at an annual cost of €96 to be paid in advance once a year. After the registration users start to receive letters which threaten them of a legal action if they do not pay by a certain date. Of course, the fear of facing up to a trial leads many citizens to pay off.
Despite the heavy financial penalty for misleading and aggressive commercial practices imposed by the Antitrust Authority in January, the intimations of Extended Limited keep harassing Italian people. Surprisingly, on the 6th of February a letter of payment has also reached the palace of the Italian Republic Presidency, the Quirinal.
As reported by the press, the request of a payment of 96 euros (plus 8.5 for costs with relative transaction code (F681819) and Iban for the transfer to be sent before the 23rd of February to a bank situated in Cyprus) was sent to the Italian Republic President Giorgio Napolitano.
Through the offices of the Quirinal Palace, President Napolitano, who probably has never personally registered on the website, reported the incident to the police, as thousands of other people did before him.
We hope that the many victims of the scam who have been written us during the last months could feel a bit heartened by the fact that the fraud is unevenly distributed, and it do not save the high places!