The Italian Data Protection Authority (DPA) has rejected an appeal by an ex-terrorist, who had requested the de-indexation of web pages reporting serious crimes he had committed between the end of the 1970s and the beginning of the 1980s.
Having served his sentence, in 2009 the man had requested Google to remove a number of URLs and search suggestions shown by their “autocomplete” function, which, when typing in the man’s name and surname, called up the term “terrorist”.
Given that Google took no action regarding the claimant’s request, the ex-terrorist turned to the Italian DPA complaining that the continued presence on the Internet of contents dating so far back in time and which were a misrepresentation of his current way of life, was causing serious harm both to his personal and professional life. Maintaining that he was not a public figure but a free citizen, the claimant demanded the right to be forgotten.
The DPA rejected his appeal on the grounds that the information, for which de-indexation was requested, refers to particularly serious crimes that come under those indicated in the Guidelines on the implementation of the right to be forgotten adopted in 2014 by the European Privacy Authorities; crimes for which requests for removal require more stringent evaluation.
The DPA further emphasized that in the case submitted, all the information has acquired historical value and is in the public mind. Indeed it refers to one of the darkest periods of recent Italian history, during which the claimant had not only been a supporting actor but had essentially played a leading role.
Moreover, despite the considerable length of time, which had passed since the circumstances in question, there is still a very high level of public interest in that period of time and those events, as demonstrated by the topicality of the references accessible through the same URLs.
Therefore, declaring that it was of paramount importance for the public interest to have access to the information in question, the DPA adjudged the request for removal of the URLs indicated by the claimant and indexed by Google to be unfounded.
Hosting providers are not to be held liable for any offences committed by their users nor are they required to remove contents at the request of subjects who claim to be injured parties. The Court of Grosseto relieves Tripadvisor from all responsibility for negative reviews by members of its community.
In judgment no. 46 of 2016, the Court of Grosseto established that providers of services such as Tripadvisor are to be considered as hosting providers and for this reason are not to be held liable for offences committed by their users.
The case was brought by a hotel in the Argentario area, which pressed charges against the travel portal in 2013 for publishing a negative review that the hotelier considered to be false and defamatory. In the opinion of the plaintiff, Tripadvisor was jointly liable for defamation, as it did not prevent the publication of the review, remove the review promptly enough following its being notified and also as it failed to agree to communicate details of the reviewer.
By rejecting the hotelier’s application, the Court of Grosseto established that the platform acted in compliance with Italian legislation. According to the judge what is important when defining a hosting service is the role played in relation to published contents: in the case in question the portal does not interfere with the contents of reviews and therefore cannot be considered liable.
On the 2nd of May 2016 a draft law was submitted to the Chamber of Deputies of the Italian Parliament, which aims at “regulating digital platforms for the sharing of goods and services”, and at “promoting an economy based on mutual sharing”. The purpose is to regulate the so-called sharing economy through an across-the-board approach to different professional areas.
Italy would be the first country to regulate this booming economic sector, which includes such by now notorious services as Uber (now prohibited in Italy) and AirBnB.
The draft text is the result of eighteen months’ work carried out by the Parliamentary Intergroup for Technological Innovation. Article 1 lays down the law’s objectives, while Article 2 clarifies the definition of “sharing economy”, establishing that services for which providers determine a fixed charge are not to be included. Article 3 calls for sharing platforms to register with a national electronic register kept by the Italian Antitrust Authority. With the creation of an electronic register, platforms will have to obtain the approval of the Authority, whose task it will be to evaluate inconsistencies and possible infringements (or acts of unfair competition against the traditional sectors).
However, it is principally the fiscal aspect, which the draft law aims to regulate. The new regulation provides for 10% taxation on the revenue generated by platforms, up to a maximum of 10,000€ per year, which can also comprise sums for different services. The obligation for payment of the taxes would lie with the platforms themselves, which would be required to withhold the amounts due from the takings of registered customers, thus acting as withholding agents. On exceeding the threshold of 10,000€, the income made by platforms will be considered as actual earnings, to be added to those already made. New rules have also been provided for payments, which must henceforth only be carried out by digital means.
The signatories of the draft law expect this operation to raise tax revenue from 150 million € to 3 billion € by 2025.
The draft law has started its approval procedure at the Joint Parliamentary Commissions of Transport and Productive Activities.
The Italian Antitrust Authority has submitted an opinion to the Italian Parliament and Government, in which it warns that SIAE’s current monopoly of the management of copyright restricts both the ability of other market operators to do business and users’ freedom of choice.
In a communication on the implementation of Directive 2014/26/EU by the European Parliament and the Council on the collective management of copyright in the internal market, the Antitrust Authority emphasised that the core of the Directive is based on freedom of choice and that it specifically provides rightsholders with the right to decide their choice of collective management organisation “(…) irrespective of the Member State of nationality, residence or establishment of the collective management organisation, the other entity or the rightholder (…)”.
The Antitrust Authority has remarked that in an economic climate characterized by significant technological changes, the preservation of a legal monopoly appears to be in contrast with the aim of enabling rightsholders to operate a free choice from a range of operators. According to the Authority, “the merit and the very rationale of the European legal framework are severely compromised by the presence within (Italian) national legislation, of the regulation contained in art. 180, law 22 April 1941, no. 633 (Italian copyright law), which is now a solitary case compared to other Member States’ legislations, in reserving to a single organisation (SIAE) the management activity regarding copyrights”.
The Antitrust Authority stresses that the implementation of the Directive offers the opportunity to open up the market to competitor organisations in the field of copyright management. However, the draft law approved by the Chamber of deputies and currently under discussion before the Senate, which delegates the Government to implement European directives and carry out other acts of the European Union (the 2015 European delegation law), does not expressly provide for any specific action on SIAE’s status as a legal monopoly.
Therefore, the Authority hopes that action aiming at liberalisation should be integrated by an overall reform of the procedures of copyright management listed in the Copyright law, without overlooking a review of the role and the function of the SIAE in today’s changed climate.
* SIAE is the acronym for the Italian Society of Authors and Publishers (Società italiana degli Autori e Editori).
The Working Group’s activity will once again focus on “electronic transferable records”, with particular reference to current operating practices and related legislative issues. During the session there will be an analysis of the international draft provisions on the matter, which have been drawn up by the Secretariat on the basis of the deliberations of previous meetings.
As usual, the session was attended by Full Professor Giusella Finocchiaro as President of the Working Group and representative of the Italian Government at UNCITRAL. For further information please consult the section covering Working Group activities on the UNCITRAL website.
On the 14th of April 2016, more than four years after the European Commission proposal, the European Parliament approved at second reading the Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
The incessant technological progress of the last few years, the result product of an information society which has become increasingly more intrusive in people’s private lives, had on the one hand highlighted the inadequacy of European data protection legislation Directive 95/46/EC, formulated in the first stages of the digital revolution and on the other underlined the regulatory fragmentation that the implementation of the Directive had caused in the Member States. Thus, the Regulation meets the long awaited need to reform the legislation on personal data protection extending the number of rights for data subjects compared to those provided by the Directive and to bring into line the different legislations of the Member States, as a means to also strengthening the internal European market. In that sense the choice of the European legislator to adopt the instrument of the Regulation is a significant one in that, in contrast with the Directive it does not require acts of transposition, as it can be directly and identically applied in each Member State.
Among the most significant recommendations introduced by the Regulation, of particular relevance seems to be the new local scope of application in accordance with art. 3. Directive 95/46/EC previously provided for the regulation to be applicable by means of the national legislations when personal data were processed in the framework of the activities of a data controller’s establishment physically present in the European Union. Therefore, the fundamental criterion for defining the scope of applicability of the Directive was the physical location in which the data were processed. Today, this criterion seems to have been overturned by art. 3, paragraph 1 of the Regulation, which defines the applicability of the act “regardless of whether or not the processing takes place in the Union”. Already over the last two years, from the Google Spain ruling to the recent Schrems decision, the orientation, which has become definite in the European Court of Justice’s case-law, has highlighted a trend towards a less restrictive interpretation of this criterion.
In fact, it seems that the will has also arisen to extend European legislation to cases in which data controllers are non-European subjects and data are mainly processed outside Europe. Now, art. 3 of the Regulation seems in a certain sense to have codified the Court’s broadened interpretation by providing multiple connecting criteria that also allow those cases of data processing which previously had been difficult to include, to be drawn into the sphere of application of the regulatory provision. The Regulation is now applicable not only to data processing performed in the context of the activities of a data controller’s establishment within the Union, but also in the case of a data processor’s establishment. Moreover, it is applicable when the data processing activities are related to an offer of goods or services, even if free of charge, to interested data subjects within the European Union, or when they are related to the monitoring of the such data subjects’ behaviour, even if the data controllers or processors are not settled in the European Union.
The reform introduces various innovations, among which the provision of a new range of rights for data subjects (for example the right to be forgotten and the right to data portability), the placing of more responsibilities on subjects involved in the processing of personal data (in particular the obligation for data controllers to carry out privacy impact assessments and to notify of data breaches), new safeguards for the transfer of data abroad in addition to the confirmation of the two regulatory authorities represented by the Data Protection Officer and the Supervisory Authority.
With regard to coordination with the European legislation (the Regulation will be applicable after a two year period from the date of entry into force), the Italian legislator will have to choose which of the two alternative routes to follow: either the direct application of the Regulation, which would imply the abrogation of all national provisions incompatible with the European legislation, or the integration of the current Italian Personal Data Code, despite the inevitable risks of erroneous transpositions or misinterpretations of the European provisions.
Digital identity management and trust services will be the main themes discussed at the colloquium convened by the Secretariat of the United Nations Commission on International Trade Law (UNCITRAL), that will take place on the 21st and 22nd of April 2016 at the Vienna International Centre.
During the meeting, Working Group IV on Electronic Commerce will focus its activity on legal issues related to identity management and trust services with a view to compiling information on the scope and methodology of future work in that area. The session will be attended by Full Professor Giusella Finocchiaro as President of the Working Group and representative of the Italian Government at UNCITRAL.
For further information please consult the section covering Working Group activities on UNCITRAL website.
It is unnecessary to resort to international rogatory in order to tap BlackBerry mobile system chats nor is it necessary to use requisition measures.
This is what the Third Criminal Division of the Italian Supreme Court (ruling no. 50452/15) established with its appeal judgment issued in relation to the appeal on the part of certain defendants who had been placed under preventive detention by the Court of Rome due to their being implicated in drug trafficking.
The detention order was founded on various evidence, including chats on BlackBerry mobile systems, which related to importing a 10 kilo consignment of cocaine to Italy.
The defendants involved in this phone tapping brought the question before the Italian Supreme Court, claiming that the chats which had been tapped could not be considered as evidence, since they had taken place on BlackBerry’s mobile systems, which have their head office in Canada. Therefore, in their opinion, an international rogatory would have been required in order to legally acquire the content of the chats. Moreover, according to the defence, conversations in a chat context could not be considered as “phone conversations” as they are in fact a stream of computer data. On these grounds requisition measures regarding computer data (according to art. 254bis of the Italian Criminal Procedure Code) should have been carried out rather than a procedure of phone tapping.
In response to the first point, the Supreme Court asserted that it is a well-established principle that international phone calls routed to a specific Italian telephone “junction” should not be subject to international rogatory as all activity involving reception and recording takes place on Italian territory. This principle was also correctly applied by the Collegio di Cautela* in relation to the use of Blackberry chats. In this regard, the Supreme Court emphasized that computer interceptions had been correctly carried out on PIN codes, while the subsequent request to the Canadian company regarding ID data associated with the intercepted PIN codes had related to data that do not enjoy special protection.
Consequently, the Supreme Court considered it irrelevant that BlackBerry was Canadian, as the communications in question took place in Italy as a result of them transferred over an ICT platform located in Italy.
Conversely, the Court considered as unfounded the objection regarding the failure to implement requisition measures for the computer data. The judgment clarifies that, even if held by Internet service providers, requisitioning IT documents or IT devices excludes per se the concept of “communication”. Requisitioning will be specifically required when it is necessary to acquire documents for purposes of evidence, by means of inspections to be carried out on data contained in those documents. The Supreme Court asserted that “with regard to the use of chats on the BlackBerry system, it is correct to acquire contents by means of tapping according to art. 266bis c.p.p. and subsequent, as even if they are not simultaneous, online conversations constitute a flow of communication”.
Although the Court upheld the defendants’ appeal on the basis of considerations that go beyond the analysis of this post, the Court rejected the abovementioned specific technical objections, pointing out that: “even the most careful interpretation of the delicate relationship between the computer interception system and new technologies has observed that tapping BlackBerry chats takes place by using traditional systems, i.e. monitoring a phone’s PIN (or IMEI), which is uniquely associated with a nickname, underlining how tapping is managed at a technical level at the company’s Italian head office”.
The text of the Supreme Court judgment is available HERE.
*Second-instance Court empowered to hear appeals of decisions on preventive measures