A recent judgment by the European Court of Justice stated that IP addresses can be considered as personal data in that they can be used to identify a user by turning to the authorities or ISP providers.
The point was raised in the context of a controversy between Mr Patrick Breyer and the Bundesrepublik Deutschland (Federal Republic of Germany) concerning the registration and storage of Mr Breyer’s IP address on the occasion of his consulting a number of Internet websites of the German federal services.
Every access to German Government websites is registered with the aim of thwarting cyber attacks and identifying hackers and at the end of each consultation session, a range of data is stored, such as the name of the website or file consulted, words typed in the search bars, date and time of consultation, volume of transferred data, outcome of the consultation and the IP address of the computer which has effected access.
Mr Breyer petitioned the German administrative judges, requesting them to prohibit the Federal Republic of Germany from storing IP addresses. His request was rejected at first instance trial, but the Appeal Judge partially accepted his petition, condemning the Federal Republic of Germany to refrain from storing IP addresses when these are collected together with the corresponding date of consultation and when users reveal their identity during the consultation session, even though in the form of an e-mail address.
Therefore, according to the German Court of Appeal, dynamic IP addresses associated with dates of consultation are only to be considered personal data in those cases when users have revealed their identity when surfing the web, whereas if users do not reveal their identity during a consultation session, IP addresses would not be considered as personal data as only Internet service providers could link those IP addresses to the names of their subscribers.
As both the Federal Republic of Germany and Mr Breyer opposed the Appeal Court’s decision, each petitioned the Bundesgerichtshof (Federal Court of Justice), Mr Breyer aiming at full approval of his injunction and the State requesting its rejection.
The Federal Court of Justice pointed out that the qualification of IP addresses as «personal» data depends on whether or not it is possible to identity users and raised a question of doctrine regarding the choice of «objective» or «relative» criteria in order to establish whether a person is identifiable. Applying «objective» criteria, IP addresses could be considered personal data even if only one third party were able to determine the identity of the person involved; the third party, who in this case would be an Internet access service provider. On the other hand, according to «relative» criteria, these data could only qualify as personal data in relation to a particular subject, such as the Internet access service provider, who was able to trace precise identification back to a specific user. On the contrary, IP addresses could not be considered personal data for other subjects such as Internet site administrators, since they are not in possession of the necessary information for identification without resorting to external sources, except for those cases in which users reveal their identities while browsing the web.
First of all the European Court of Justice observed that a dynamic IP address does not represent information referring to an «identified natural person», since it directly reveals neither the identity of a computer owner connected to an Internet website, nor that of another person who may be using the same computer. However, the Court stressed that the wording in art. 2, letter a) of directive 95/46 proves that a person is considered identifiable when they can be identified not only directly, but also indirectly. Moreover, recital 26 of directive 95/46 states that, to determine whether a person is identifiable, it is appropriate that the sum total of the means that may be reasonably used by a data processor or others to determine said person’s identity should be taken into consideration.
According to the Court, the fact that additional information necessary to identify users is not directly in the possession of website administrators, but rather in that of Internet access service providers, is not sufficient to exclude dynamic IP addresses from being considered as personal data in accordance with art. 2, letter a) of directive 95/46. Indeed, it needs to be established whether the possibility to match a dynamic IP address to the names in the possession of Internet access service providers constitutes an accessible means for website administrators. A situation that would not be conceivable if the identification of the person involved was prohibited by law or in practice unfeasible, for example due to the fact that it would imply an enormous amount of time, cost and labour.
Despite German national legislation not allowing ISP providers to directly transmit information that identifies a person starting from an IP address, the Court stressed that there are legal instruments which, especially in cases of cyber attacks, allow website administrators to turn to the appropriate authorities, in order that these authorities can obtain the relevant information from Internet access service providers and initiate criminal proceedings. It follows that there are means, which, with the help of other subjects, can be reasonably used to identify a person based on their IP address.
Therefore, the European Court of Justice has established that article 2, letter a) of directive 95/46 must be interpreted as meaning that a dynamic IP address registered by a website represents personal data, where website administrators are concerned, in the event that they are in possession of the legal means to allow the identification of the person involved by recourse to an Internet access service provider.
The European Court of Justice decision is available HERE.
This is the interview Giusella Finocchiaro gave to Vanity Fair and which was published in issue 39/2016 of the weekly.
What laws do we have to protect us?
«Quite a few. Both of these recent incidents, for example, contain a series of civil offences that range from the violation of privacy legislation to the violation of a person’s fundamental rights. There are a number of possible offences that could be brought before a criminal court such as instigation to commit suicide, unlawful interference in a person’s private life and the handling of child-pornography material».
Who to press charges against? And how effective is it?
«Those to take action against are the authors, those who put the videos online. Then, naturally, action may also be taken against service providers, namely those companies which provide access to the Net, but only on certain conditions: they’re under no obligation to monitor in advance what’s made available online, nonetheless they’re legally required to remove contents if there’s provision to do so on the part of the judicial authority or of any other competent authority».
But can everything be blocked and for always?
«The possibility can’t be ruled out that the video has been downloaded by other users and that it keeps on circulating. Of course these other users are committing a crime as well. In practice, it’s a constant game of catch-up: in the digital dimension it’s extremely easy to even reproduce multiple copies of a message».
Should providers be given more responsibilities?
«Certainly, but not with a control system, because it’s very laborious. A mechanism to allow users to contact providers would be useful, because in this way, when they received a complaint, providers could verify and remove contents in a very short space of time».
What advice would you give to make good use of the Net?
« Never forget that when you access the Net you leave a strictly private dimension and you enter a very public one».
The Italian Supreme Court has found the Zecca dello Stato (The State Institute of Printing and Minting) guilty of monitoring its employees’ web surfing data, emails and phone calls, in violation of a number of provisions of the Statuto dei Lavoratori (Workers’ Statute of Rights, L. 300 of 1970).
With its decision of the 19th September 2016, n. 18302, the Court of Cassation established the illegality of the storage activity on the company server of employees’ emails, phone calls and web surfing data without prior application of the authorization procedure provided for by the Workers’ Statute of Rights and the Code for the protection of personal data.
The facts of the case on which the decision is based are as follows: in 2011 the Italian Data Protection Supervisor had emphasized with a disciplinary provision, that the Internet service provided by the Istituto Poligrafico e Zecca dello Stato (The State Institute of Printing and Minting) for its own employees not only prevented access to websites not inherent to work activity, but also stored every access, or attempt to access, any website, thus allowing the reconstruction of every single worker’s web browsing activity. In addition, the employees’ web surfing data were stored on the system for a length of time varying anywhere from six months to a year.
The Supervisor had also noticed the illegality of the storage system of employees’ sent and received emails on the company’s server, which allowed full view of them to the system administrators without any specific information on privacy having been provided in regard to the matter.
It had also been pointed out that the State Institute of Printing and Minting implemented a method of telephone traffic monitoring through the VoIP system which also in this case allowed the recording and prolonged storage of traffic data without providing any adequate privacy information for its employees.
Therefore, the Supervisor had considered that the activity of the State Institute of Printing and Minting violated L. n. 300 of 1970, arts. 4 and 8 of the Workers’ Statute of Rights as it made possible the disclosure of employees’ sensitive data without having acquired their prior consent (and consequently also in violation of arts. 11, 113 and 114 of the Code for the Protection of Personal Data). Therefore the provision prohibited the State Institute of Printing and Minting from storing and categorizing employees web surfing data in addition to their emails and phone calls, obliging the Institute to inform those involved about the ways in which their personal data were processed. The Supervisor had also required that the identities of the system administrators with authorization to access the company’s databases should be made public (and therefore known to the company’s employees) and that there should be the guarantee of all accesses made by the administrators being revealed in full.
In 2011 the Court of Rome rejected the appeal by the State Institute of Printing and Minting against the Supervisor’s provision, clarifying that, as provided for by art. 4 of the Workers’ Statute of Rights, employers are only allowed to use monitoring systems for requirements of organisation and production in agreement with the trade unions or in compliance with legal obligations, whereas the use of such systems is prohibited if it is carried out for monitoring the activity of employees. With reference to other previous decisions, the Court pointed out that the necessity to protect the company (and its activity) cannot legitimise suppressing fundamental employee rights such as the right to privacy.
Consequently, the State Institute of Printing and Minting appealed against the decision to the Supreme Court, maintaining that those controls not directed at work activities but rather at other employee conduct in the workplace, which might expose the business assets of the company to serious danger and which might be potentially harmful for third parties, with consequent liability on the part of the employer, fall entirely outside the scope of application of the provisions of the Workers’ Statute of Rights. This risk is all the more significant in that the Institute carries out public interest activities such as the printing of the Gazzetta Ufficiale (Italian Official Journal) and of the Raccolta ufficiale degli atti normativi della Repubblica italiana (the Official Compendium of Legislative Acts of the Italian Republic), the production of personal identification documents, security and anti-counterfeiting systems, legal tender and so on.
However the Court of Cassation considered that the significance of the public role entrusted to the State Institute of Printing and Minting does not justify violation of the current legislation, which aims to protect guarantees for constitutionally recognised workers’ rights. To this effect, the Judge emphasised the second paragraph of art. 4, which provides that monitoring systems required for organizational reasons or for safety in the workplace, but which also allow the distance monitoring of employee activity, may only be installed with the prior agreement of company trade union representatives or, in their absence, of the shop stewards’ committee. In the absence of an agreement and at the request of the employer, the Ispettorato del lavoro (the Labour Inspectorate) mediates, setting out where necessary the procedure for the use of such systems.
Therefore, rejecting the appeal and confirming the observations of the Court of Rome’s decision, the Court of Cassation underlined the necessity to strike a balance between the employer’s rights, in particular the right to conduct business and to protect the company’s business assets, and the protection of worker rights, first and foremost the right to privacy.
The European Court of Justice has recently been called on to rule on the use of the Internet and more specifically, of so called free wifi networks (namely wifi networks not protected by passwords), which are often used by Internet users who violate copyright rights, in taking advantage of the anonymity guaranteed by the net.
With its decision of the 15th September 2016 regarding lawsuit C-484/14, the Court of Justice ruled in favour of the acquittal of the administrator of a local wireless network, which was free and accessible without authorization, and which had been used by a user for the online distribution of a piece of music without the consent of the copyright holders.
Acknowledging Internet access services to be a service in the information society, which simply consist in the provision of access to a communication network, the Luxembourg Court adjudged the wifi network administrator to be exempt from all liability in accordance with Directive 2000/31/EC. As in the case of hosting service providers, the latter is in fact under no obligation (nor does he have the concrete means) to have any knowledge of and monitor information transmitted by his network.
However, keeping the necessary balance between fundamental rights (in the present case, the freedom to do business and copyright), the Court further stated that national judicial authorities may require service providers to put a stop to copyright violations or to prevent them, provided that the technical measures necessary to achieve this do not excessively restrict the provider’s freedom to do business.
According to the Court of Justice, protecting wifi networks with a password represents a technical measure which “in no way prejudices the essential content of the rights” of access service providers and at the same time, is appropriate for protecting copyright “insofar as network users are obliged to reveal their identity and cannot therefore act anonymously”.
The Italian Government has signed an agreement with the Chinese e-commerce giant in order to promote the excellence of Italian agricultural products and to fight against the phenomenon of counterfeit produce.
The agreement will enable Italian producers to satisfy the increasing demand for typical Italian products on the Chinese platform, which counts over 430 million consumers. The agreement aims at guaranteeing our Italian brands with a high level of protection against the counterfeit products market. This is also an important result in light of the fact that for decades the WTO has been searching for an adequate form of protection, which in this case has been achieved with a private company in the space of just a few months.
Since last year it has no longer been possible to find counterfeit Italian agricultural produce and foodstuffs on the Chinese website, which has prevented the monthly sale of 99 thousand tonnes of counterfeit Parmesan cheese, 10 times more than the production of the authentic cheese itself, and the sale of 13 million bottles of Prosecco which did not originate from the Veneto Region (in Italy). Italy is currently the only country on Alibaba, which has granted the same level of anti-counterfeit protection to DOP and IGP products as that provided for commercial brands. A level of protection which under this agreement is extended from the b2b platform, accessible solely to companies, to the b2c platform, consequently assuring that those 430 million Alibaba website users will be able to purchase genuine “Made in Italy” products.
The Ministry of Agriculture has set up an operational task force at the Anti-Fraud Inspectorate with the aim of identifying and reporting counterfeit products on a daily basis. The ads are removed within 3 days and the vendors are informed that they are violating Italian geographical indications and designations of origin.
We should point out that Italy has also invested in the promotion of Italian wine and food on the Chinese e-commerce platform. With this agreement Alibaba has undertaken to instruct both vendors and consumers on the importance of geographical indications and designations of origin in the food industry.
The Italian Data Protection Authority (DPA) has rejected an appeal by an ex-terrorist, who had requested the de-indexation of web pages reporting serious crimes he had committed between the end of the 1970s and the beginning of the 1980s.
Having served his sentence, in 2009 the man had requested Google to remove a number of URLs and search suggestions shown by their “autocomplete” function, which, when typing in the man’s name and surname, called up the term “terrorist”.
Given that Google took no action regarding the claimant’s request, the ex-terrorist turned to the Italian DPA complaining that the continued presence on the Internet of contents dating so far back in time and which were a misrepresentation of his current way of life, was causing serious harm both to his personal and professional life. Maintaining that he was not a public figure but a free citizen, the claimant demanded the right to be forgotten.
The DPA rejected his appeal on the grounds that the information, for which de-indexation was requested, refers to particularly serious crimes that come under those indicated in the Guidelines on the implementation of the right to be forgotten adopted in 2014 by the European Privacy Authorities; crimes for which requests for removal require more stringent evaluation.
The DPA further emphasized that in the case submitted, all the information has acquired historical value and is in the public mind. Indeed it refers to one of the darkest periods of recent Italian history, during which the claimant had not only been a supporting actor but had essentially played a leading role.
Moreover, despite the considerable length of time, which had passed since the circumstances in question, there is still a very high level of public interest in that period of time and those events, as demonstrated by the topicality of the references accessible through the same URLs.
Therefore, declaring that it was of paramount importance for the public interest to have access to the information in question, the DPA adjudged the request for removal of the URLs indicated by the claimant and indexed by Google to be unfounded.
Hosting providers are not to be held liable for any offences committed by their users nor are they required to remove contents at the request of subjects who claim to be injured parties. The Court of Grosseto relieves Tripadvisor from all responsibility for negative reviews by members of its community.
In judgment no. 46 of 2016, the Court of Grosseto established that providers of services such as Tripadvisor are to be considered as hosting providers and for this reason are not to be held liable for offences committed by their users.
The case was brought by a hotel in the Argentario area, which pressed charges against the travel portal in 2013 for publishing a negative review that the hotelier considered to be false and defamatory. In the opinion of the plaintiff, Tripadvisor was jointly liable for defamation, as it did not prevent the publication of the review, remove the review promptly enough following its being notified and also as it failed to agree to communicate details of the reviewer.
By rejecting the hotelier’s application, the Court of Grosseto established that the platform acted in compliance with Italian legislation. According to the judge what is important when defining a hosting service is the role played in relation to published contents: in the case in question the portal does not interfere with the contents of reviews and therefore cannot be considered liable.
On the 2nd of May 2016 a draft law was submitted to the Chamber of Deputies of the Italian Parliament, which aims at “regulating digital platforms for the sharing of goods and services”, and at “promoting an economy based on mutual sharing”. The purpose is to regulate the so-called sharing economy through an across-the-board approach to different professional areas.
Italy would be the first country to regulate this booming economic sector, which includes such by now notorious services as Uber (now prohibited in Italy) and AirBnB.
The draft text is the result of eighteen months’ work carried out by the Parliamentary Intergroup for Technological Innovation. Article 1 lays down the law’s objectives, while Article 2 clarifies the definition of “sharing economy”, establishing that services for which providers determine a fixed charge are not to be included. Article 3 calls for sharing platforms to register with a national electronic register kept by the Italian Antitrust Authority. With the creation of an electronic register, platforms will have to obtain the approval of the Authority, whose task it will be to evaluate inconsistencies and possible infringements (or acts of unfair competition against the traditional sectors).
However, it is principally the fiscal aspect, which the draft law aims to regulate. The new regulation provides for 10% taxation on the revenue generated by platforms, up to a maximum of 10,000€ per year, which can also comprise sums for different services. The obligation for payment of the taxes would lie with the platforms themselves, which would be required to withhold the amounts due from the takings of registered customers, thus acting as withholding agents. On exceeding the threshold of 10,000€, the income made by platforms will be considered as actual earnings, to be added to those already made. New rules have also been provided for payments, which must henceforth only be carried out by digital means.
The signatories of the draft law expect this operation to raise tax revenue from 150 million € to 3 billion € by 2025.
The draft law has started its approval procedure at the Joint Parliamentary Commissions of Transport and Productive Activities.
The Italian Antitrust Authority has submitted an opinion to the Italian Parliament and Government, in which it warns that SIAE’s current monopoly of the management of copyright restricts both the ability of other market operators to do business and users’ freedom of choice.
In a communication on the implementation of Directive 2014/26/EU by the European Parliament and the Council on the collective management of copyright in the internal market, the Antitrust Authority emphasised that the core of the Directive is based on freedom of choice and that it specifically provides rightsholders with the right to decide their choice of collective management organisation “(…) irrespective of the Member State of nationality, residence or establishment of the collective management organisation, the other entity or the rightholder (…)”.
The Antitrust Authority has remarked that in an economic climate characterized by significant technological changes, the preservation of a legal monopoly appears to be in contrast with the aim of enabling rightsholders to operate a free choice from a range of operators. According to the Authority, “the merit and the very rationale of the European legal framework are severely compromised by the presence within (Italian) national legislation, of the regulation contained in art. 180, law 22 April 1941, no. 633 (Italian copyright law), which is now a solitary case compared to other Member States’ legislations, in reserving to a single organisation (SIAE) the management activity regarding copyrights”.
The Antitrust Authority stresses that the implementation of the Directive offers the opportunity to open up the market to competitor organisations in the field of copyright management. However, the draft law approved by the Chamber of deputies and currently under discussion before the Senate, which delegates the Government to implement European directives and carry out other acts of the European Union (the 2015 European delegation law), does not expressly provide for any specific action on SIAE’s status as a legal monopoly.
Therefore, the Authority hopes that action aiming at liberalisation should be integrated by an overall reform of the procedures of copyright management listed in the Copyright law, without overlooking a review of the role and the function of the SIAE in today’s changed climate.
* SIAE is the acronym for the Italian Society of Authors and Publishers (Società italiana degli Autori e Editori).