Editorial Director: Giusella Finocchiaro
Web Content Manager: Giulia Giapponesi

posted by admin on luglio 15, 2016

Right to oblivion

(No comments)

The Italian Data Protection Authority (DPA) has rejected an appeal by an ex-terrorist, who had requested the de-indexation of web pages reporting serious crimes he had committed between the end of the 1970s and the beginning of the 1980s.

Having served his sentence, in 2009 the man had requested Google to remove a number of URLs and search suggestions shown by their “autocomplete” function, which, when typing in the man’s name and surname, called up the term “terrorist”.

Given that Google took no action regarding the claimant’s request, the ex-terrorist turned to the Italian DPA complaining that the continued presence on the Internet of contents dating so far back in time and which were a misrepresentation of his current way of life, was causing serious harm both to his personal and professional life. Maintaining that he was not a public figure but a free citizen, the claimant demanded the right to be forgotten.

The DPA rejected his appeal on the grounds that the information, for which de-indexation was requested, refers to particularly serious crimes that come under those indicated in the Guidelines on the implementation of the right to be forgotten adopted in 2014 by the European Privacy Authorities; crimes for which requests for removal require more stringent evaluation.

The DPA further emphasized that in the case submitted, all the information has acquired historical value and is in the public mind. Indeed it refers to one of the darkest periods of recent Italian history, during which the claimant had not only been a supporting actor but had essentially played a leading role.

Moreover, despite the considerable length of time, which had passed since the circumstances in question, there is still a very high level of public interest in that period of time and those events, as demonstrated by the topicality of the references accessible through the same URLs.

Therefore, declaring that it was of paramount importance for the public interest to have access to the information in question, the DPA adjudged the request for removal of the URLs indicated by the claimant and indexed by Google to be unfounded.

 

 

Hosting providers are not to be held liable for any offences committed by their users nor are they required to remove contents at the request of subjects who claim to be injured parties. The Court of Grosseto relieves Tripadvisor from all responsibility for negative reviews by members of its community.

In judgment no. 46 of 2016, the Court of Grosseto established that providers of services such as Tripadvisor are to be considered as hosting providers and for this reason are not to be held liable for offences committed by their users.

The case was brought by a hotel in the Argentario area, which pressed charges against the travel portal in 2013 for publishing a negative review that the hotelier considered to be false and defamatory. In the opinion of the plaintiff, Tripadvisor was jointly liable for defamation, as it did not prevent the publication of the review, remove the review promptly enough following its being notified and also as it failed to agree to communicate details of the reviewer.

By rejecting the hotelier’s application, the Court of Grosseto established that the platform acted in compliance with Italian legislation. According to the judge what is important when defining a hosting service is the role played in relation to published contents: in the case in question the portal does not interfere with the contents of reviews and therefore cannot be considered liable.

With regard to the plaintiff’s grounds, the Court clarified that Tripadvisor simply qualifies as a hosting provider, despite having implemented automated filters to prevent the publication of explicitly inappropriate or fake reviews, as provided for by its privacy policy. Furthermore, the judge specified that platforms which publish user generated contents (Ugc) or contents provided by users, may at their discretion remove such contents, but are under no obligation to do so at the request of subjects who consider themselves injured parties, as the judiciary is the only competent authority to ascertain the possible defamatory nature of contents.

 

 

On the 2nd of May 2016 a draft law was submitted to the Chamber of Deputies of the Italian Parliament, which aims at “regulating digital platforms for the sharing of goods and services”, and at “promoting an economy based on mutual sharing”. The purpose is to regulate the so-called sharing economy through an across-the-board approach to different professional areas.

Italy would be the first country to regulate this booming economic sector, which includes such by now notorious services as Uber (now prohibited in Italy) and AirBnB.

The draft text is the result of eighteen months’ work carried out by the Parliamentary Intergroup for Technological Innovation. Article 1 lays down the law’s objectives, while Article 2 clarifies the definition of “sharing economy”, establishing that services for which providers determine a fixed charge are not to be included. Article 3 calls for sharing platforms to register with a national electronic register kept by the Italian Antitrust Authority. With the creation of an electronic register, platforms will have to obtain the approval of the Authority, whose task it will be to evaluate inconsistencies and possible infringements (or acts of unfair competition against the traditional sectors).

However, it is principally the fiscal aspect, which the draft law aims to regulate. The new regulation provides for 10% taxation on the revenue generated by platforms, up to a maximum of 10,000€ per year, which can also comprise sums for different services. The obligation for payment of the taxes would lie with the platforms themselves, which would be required to withhold the amounts due from the takings of registered customers, thus acting as withholding agents. On exceeding the threshold of 10,000€, the income made by platforms will be considered as actual earnings, to be added to those already made. New rules have also been provided for payments, which must henceforth only be carried out by digital means.

The signatories of the draft law expect this operation to raise tax revenue from 150 million € to 3 billion € by 2025.

The draft law has started its approval procedure at the Joint Parliamentary Commissions of Transport and Productive Activities.

posted by admin on giugno 1, 2016

Copyrights

(No comments)

The Italian Antitrust Authority has submitted an opinion to the Italian Parliament and Government, in which it warns that SIAE’s current monopoly of the management of copyright restricts both the ability of other market operators to do business and users’ freedom of choice.

In a communication on the implementation of Directive 2014/26/EU by the European Parliament and the Council on the collective management of copyright in the internal market, the Antitrust Authority emphasised that the core of the Directive is based on freedom of choice and that it specifically provides rightsholders with the right to decide their choice of collective management organisation “(…) irrespective of the Member State of nationality, residence or establishment of the collective management organisation, the other entity or the rightholder (…)”.

The Antitrust Authority has remarked that in an economic climate characterized by significant technological changes, the preservation of a legal monopoly appears to be in contrast with the aim of enabling rightsholders to operate a free choice from a range of operators. According to the Authority, “the merit and the very rationale of the European legal framework are severely compromised by the presence within (Italian) national legislation, of the regulation contained in art. 180, law 22 April 1941, no. 633 (Italian copyright law), which is now a solitary case compared to other Member States’ legislations, in reserving to a single organisation (SIAE) the management activity regarding copyrights”.

The Antitrust Authority stresses that the implementation of the Directive offers the opportunity to open up the market to competitor organisations in the field of copyright management. However, the draft law approved by the Chamber of deputies and currently under discussion before the Senate, which delegates the Government to implement European directives and carry out other acts of the European Union (the 2015 European delegation law), does not expressly provide for any specific action on SIAE’s status as a legal monopoly.

Therefore, the Authority hopes that action aiming at liberalisation should be integrated by an overall reform of the procedures of copyright management listed in the Copyright law, without overlooking a review of the role and the function of the SIAE in today’s changed climate.

* SIAE is the acronym for the Italian Society of Authors and Publishers (Società italiana degli Autori e Editori).

 

 

posted by admin on maggio 9, 2016

digital identity

(No comments)

THE ITALIAN DPA HAS RULED IN FAVOUR OF THE APPEAL BY A USER, TO WHOM FACEBOOK HAD NOT GRANTED A BAN ON FAKE PROFILES CREATED TO HIS DETRIMENT

Facebook will be accountable for fake profiles created on its platform and offer full cooperation and transparency. In the last few days the Italian DPA has published a provision from last February concerning a dispute between a well-known doctor from Perugia and Facebook Ireland Ltd. The complaint presented in November 2015 and originated from an attempt at extortion carried out on the pages of the famous social network.

The doctor had been the victim of activities amounting to threats, attempts at extortion, impersonation and the unlawful breaking into a computer system by a Facebook user, who, after requesting online friendship and obtaining acceptance from the doctor, started an “electronic correspondence with him, which at first was of a confidential nature, but which subsequently aimed to pursue criminal ends”. The criminal had created a fake account using photos and personal data of the Perugia doctor and had attempted to blackmail him with threats of sending obscene photomontages showing child pornography material to friends, acquaintances and colleagues. The doctor, who had not given in to these blackmail attempts, asked Facebook to take appropriate steps to eliminate the fake profiles and to provide him with all the relevant information necessary to limit as quickly as possible the damage suffered by his image.

According to the doctor’s lawyers, Facebook did not take the appropriate action on the matter, not granting satisfactory and complete access to the required data. In particular, Facebook simply made available through its “download tool” service a set of data, which were not clearly intelligible as they only referred to code numbers. Furthermore, the data set was incomplete as it simply referred to data from the claimant’s valid Facebook account and did not include data processed by the fake account and shared on the social network.

Therefore, the DPA established that Facebook Ireland Ltd, which is in possession of the information required by the doctor, must communicate “to the claimant in an intelligible form all data relating to him that are held with regard to the Facebook profiles opened in his name”. The social network must close down the fake profile in order to facilitate any possible investigation into establishing the identity of those responsible for the attempt at extortion.

Following the expiry of the thirty day term to comply with the DPA’s provisions, Facebook will have about two weeks to file opposition before the Court of Perugia, failing which the penalty will consist of a fine and up to two years’ imprisonment.

 

 

posted by admin on maggio 9, 2016

E-commerce and contracts

(No comments)

The fifty-third session of the Working Group on Electronic Commerce of the United Nations Commission on International Trade Law (UNCITRAL) will be held in New York, from 9th to 13th May 2016.

The Working Group’s activity will once again focus on “electronic transferable records”, with particular reference to current operating practices and related legislative issues. During the session there will be an analysis of the international draft provisions on the matter, which have been drawn up by the Secretariat on the basis of the deliberations of previous meetings.

As usual, the session was attended by Full Professor Giusella Finocchiaro as President of the Working Group and representative of the Italian Government at UNCITRAL. For further information please consult the section covering Working Group activities on the UNCITRAL website.

 

 

posted by admin on aprile 22, 2016

Privacy

(No comments)

On the 14th of April 2016, more than four years after the European Commission proposal, the European Parliament approved at second reading the Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

The incessant technological progress of the last few years, the result product of an information society which has become increasingly more intrusive in people’s private lives, had on the one hand highlighted the inadequacy of European data protection legislation Directive 95/46/EC, formulated in the first stages of the digital revolution and on the other underlined the regulatory fragmentation that the implementation of the Directive had caused in the Member States. Thus, the Regulation meets the long awaited need to reform the legislation on personal data protection extending the number of rights for data subjects compared to those provided by the Directive and to bring into line the different legislations of the Member States, as a means to also strengthening the internal European market. In that sense the choice of the European legislator to adopt the instrument of the Regulation is a significant one in that, in contrast with the Directive it does not require acts of transposition, as it can be directly and identically applied in each Member State.

Among the most significant recommendations introduced by the Regulation, of particular relevance seems to be the new local scope of application in accordance with art. 3. Directive 95/46/EC previously provided for the regulation to be applicable by means of the national legislations when personal data were processed in the framework of the activities of a data controller’s establishment physically present in the European Union. Therefore, the fundamental criterion for defining the scope of applicability of the Directive was the physical location in which the data were processed. Today, this criterion seems to have been overturned by art. 3, paragraph 1 of the Regulation, which defines the applicability of the act “regardless of whether or not the processing takes place in the Union”. Already over the last two years, from the Google Spain ruling to the recent Schrems decision, the orientation, which has become definite in the European Court of Justice’s case-law, has highlighted a trend towards a less restrictive interpretation of this criterion.

In fact, it seems that the will has also arisen to extend European legislation to cases in which data controllers are non-European subjects and data are mainly processed outside Europe. Now, art. 3 of the Regulation seems in a certain sense to have codified the Court’s broadened interpretation by providing multiple connecting criteria that also allow those cases of data processing which previously had been difficult to include, to be drawn into the sphere of application of the regulatory provision. The Regulation is now applicable not only to data processing performed in the context of the activities of a data controller’s establishment within the Union, but also in the case of a data processor’s establishment. Moreover, it is applicable when the data processing activities are related to an offer of goods or services, even if free of charge, to interested data subjects within the European Union, or when they are related to the monitoring of the such data subjects’ behaviour, even if the data controllers or processors are not settled in the European Union.

The reform introduces various innovations, among which the provision of a new range of rights for data subjects (for example the right to be forgotten and the right to data portability), the placing of more responsibilities on subjects involved in the processing of personal data (in particular the obligation for data controllers to carry out privacy impact assessments and to notify of data breaches), new safeguards for the transfer of data abroad in addition to the confirmation of the two regulatory authorities represented by the Data Protection Officer and the Supervisory Authority.

With regard to coordination with the European legislation (the Regulation will be applicable after a two year period from the date of entry into force), the Italian legislator will have to choose which of the two alternative routes to follow: either the direct application of the Regulation, which would imply the abrogation of all national provisions incompatible with the European legislation, or the integration of the current Italian Personal Data Code, despite the inevitable risks of erroneous transpositions or misinterpretations of the European provisions.

 

 

Digital identity management and trust services will be the main themes discussed at the colloquium convened by the Secretariat of the United Nations Commission on International Trade Law (UNCITRAL), that will take place on the 21st and 22nd of April 2016 at the Vienna International Centre.

During the meeting, Working Group IV on Electronic Commerce will focus its activity on legal issues related to identity management and trust services with a view to compiling information on the scope and methodology of future work in that area. The session will be attended by Full Professor Giusella Finocchiaro as President of the Working Group and representative of the Italian Government at UNCITRAL.

For further information please consult the section covering Working Group activities on UNCITRAL website.

 

 

It is unnecessary to resort to international rogatory in order to tap BlackBerry mobile system chats nor is it necessary to use requisition measures.

This is what the Third Criminal Division of the Italian Supreme Court (ruling no. 50452/15) established with its appeal judgment issued in relation to the appeal on the part of certain defendants who had been placed under preventive detention by the Court of Rome due to their being implicated in drug trafficking.

The detention order was founded on various evidence, including chats on BlackBerry mobile systems, which related to importing a 10 kilo consignment of cocaine to Italy.

The defendants involved in this phone tapping brought the question before the Italian Supreme Court, claiming that the chats which had been tapped could not be considered as evidence, since they had taken place on BlackBerry’s mobile systems, which have their head office in Canada. Therefore, in their opinion, an international rogatory would have been required in order to legally acquire the content of the chats. Moreover, according to the defence, conversations in a chat context could not be considered as “phone conversations” as they are in fact a stream of computer data. On these grounds requisition measures regarding computer data (according to art. 254bis of the Italian Criminal Procedure Code) should have been carried out rather than a procedure of phone tapping.

In response to the first point, the Supreme Court asserted that it is a well-established principle that international phone calls routed to a specific Italian telephone “junction” should not be subject to international rogatory as all activity involving reception and recording takes place on Italian territory. This principle was also correctly applied by the Collegio di Cautela* in relation to the use of Blackberry chats. In this regard, the Supreme Court emphasized that computer interceptions had been correctly carried out on PIN codes, while the subsequent request to the Canadian company regarding ID data associated with the intercepted PIN codes had related to data that do not enjoy special protection.

Consequently, the Supreme Court considered it irrelevant that BlackBerry was Canadian, as the communications in question took place in Italy as a result of them transferred over an ICT platform located in Italy.

Conversely, the Court considered as unfounded the objection regarding the failure to implement requisition measures for the computer data. The judgment clarifies that, even if held by Internet service providers, requisitioning IT documents or IT devices excludes per se the concept of “communication”. Requisitioning will be specifically required when it is necessary to acquire documents for purposes of evidence, by means of inspections to be carried out on data contained in those documents. The Supreme Court asserted that “with regard to the use of chats on the BlackBerry system, it is correct to acquire contents by means of tapping according to art. 266bis c.p.p. and subsequent, as even if they are not simultaneous, online conversations constitute a flow of communication”.

Although the Court upheld the defendants’ appeal on the basis of considerations that go beyond the analysis of this post, the Court rejected the abovementioned specific technical objections, pointing out that: “even the most careful interpretation of the delicate relationship between the computer interception system and new technologies has observed that tapping BlackBerry chats takes place by using traditional systems, i.e. monitoring a phone’s PIN (or IMEI), which is uniquely associated with a nickname, underlining how tapping is managed at a technical level at the company’s Italian head office”.

The text of the Supreme Court judgment is available HERE.

 

*Second-instance Court empowered to hear appeals of decisions on preventive measures

posted by admin on marzo 1, 2016

Privacy

(No comments)

The Supreme Court has spoken out its opinion in on the issue of automated phone calls generated by computerized telemarketing systems stating that it is forbidden to bother users with silent calls.

The Italian Supreme Court (ruling no. 2196/2016) dismissed an appeal by the ICT company Reitek Spa and Enel Energia against a decision expressed by the Italian Data Protection Authority. In 2013 the Authority required Enel Energia, in accordance with art. 143, par. 1, let. b) and art. 154, par. 1, let. c) of the Italian Personal Data Protection Code, to take all necessary measures including those of a technical nature to prevent the system from making recurrent “silent calls” by prohibiting repeat calls to the same number within at least a 30 day period.

The judgment had been given following protests from a number of users, who complained about receiving phone calls in which, once they answered the phone, there was no operator on the other end to reply. This phenomenon is the result of an organizational problem for companies which make commercial calls. In order to connect users to telemarketing operators, the majority of these companies employ automated call forwarding systems. However, automated systems sometimes direct a number of calls to call centers which exceed the actual availability of operators. As a consequence the user’s phone rings, but no one on the other end replies.

The Supreme Court upheld the Court of Rome’s decision which had dismissed the first appeal by the two companies on the grounds that the way in which personal data were processed through telemarketing systems was unlawful. As it aimed at optimizing the rate of successful calls, the method behind these systems placed the risk and discomfort caused by receiving “silent” calls squarely on the user alone.

The Supreme Court specified that it had been expressed on more than one occasion that, according to art. 4 and art. 11 of the Italian Data Protection Code, personal data are to be processed in a fair and relevant fashion and their use must not exceed that for which they have been collected.

The plaintiffs had complained that only very few users had been affected by the problem, however, their motivations were found to be irrelevant. In fact, in the Court’s opinion, stating – as Enel Energia had done – that the phenomenon of silent calls had been limited by the basis of system algorithms to a 3% threshold, was extraneous. “The objection does not change the terms of the issue, nor are they altered by Reitek’s remark regarding the minimal number of user complaints about “silent” calls received by the Authority as the infringement was connected to the chosen method of multiple calls, which makes it clear that the risk of discomfort was borne exclusively by the recipients of such calls”.

Ultimately, in the Supreme Court’s opinion, this is the only relevant point in considering the method used for processing personal data to be excessive in relation to the interests or rights and fundamental liberties of the persons involved.

The Court also dismissed the plaintiffs’ motivation, according to which, on the basis of art. 130, par. 3-bis, consent for the processing of personal data is not required if users are registered on lists of telephone subscribers and have not exercised their right to object by registering on the Public Objection Register (the so-called opt-out system). In regards to this, the Court highlighted that art. 130, par. 3-bis, must be interpreted in accordance with e-privacy directive 2002/58/CE which allows the use of the opt-out system for calls with an active operator, but never for automated calls. In practice, the European directive is addressed to direct marketing, conducted through the use of a telephone with an operator, whereas automated call systems that generate “silent calls”, are excluded precisely because they lack an operator.

_______

Read the Nymity interview with Giusella Finocchiaro examining the recent Italian Supreme Court decision on silent telemarketing calls.

The related article of Nymity magazine is HERE. By clicking HERE you can download the pdf document.

 

  • Recent comments

  • Popular posts

    • None found