The Italian Supreme Court has found the Zecca dello Stato (The State Institute of Printing and Minting) guilty of monitoring its employees’ web surfing data, emails and phone calls, in violation of a number of provisions of the Statuto dei Lavoratori (Workers’ Statute of Rights, L. 300 of 1970).
With its decision of the 19th September 2016, n. 18302, the Court of Cassation established the illegality of the storage activity on the company server of employees’ emails, phone calls and web surfing data without prior application of the authorization procedure provided for by the Workers’ Statute of Rights and the Code for the protection of personal data.
The facts of the case on which the decision is based are as follows: in 2011 the Italian Data Protection Supervisor had emphasized with a disciplinary provision, that the Internet service provided by the Istituto Poligrafico e Zecca dello Stato (The State Institute of Printing and Minting) for its own employees not only prevented access to websites not inherent to work activity, but also stored every access, or attempt to access, any website, thus allowing the reconstruction of every single worker’s web browsing activity. In addition, the employees’ web surfing data were stored on the system for a length of time varying anywhere from six months to a year.
The Supervisor had also noticed the illegality of the storage system of employees’ sent and received emails on the company’s server, which allowed full view of them to the system administrators without any specific information on privacy having been provided in regard to the matter.
It had also been pointed out that the State Institute of Printing and Minting implemented a method of telephone traffic monitoring through the VoIP system which also in this case allowed the recording and prolonged storage of traffic data without providing any adequate privacy information for its employees.
Therefore, the Supervisor had considered that the activity of the State Institute of Printing and Minting violated L. n. 300 of 1970, arts. 4 and 8 of the Workers’ Statute of Rights as it made possible the disclosure of employees’ sensitive data without having acquired their prior consent (and consequently also in violation of arts. 11, 113 and 114 of the Code for the Protection of Personal Data). Therefore the provision prohibited the State Institute of Printing and Minting from storing and categorizing employees web surfing data in addition to their emails and phone calls, obliging the Institute to inform those involved about the ways in which their personal data were processed. The Supervisor had also required that the identities of the system administrators with authorization to access the company’s databases should be made public (and therefore known to the company’s employees) and that there should be the guarantee of all accesses made by the administrators being revealed in full.
In 2011 the Court of Rome rejected the appeal by the State Institute of Printing and Minting against the Supervisor’s provision, clarifying that, as provided for by art. 4 of the Workers’ Statute of Rights, employers are only allowed to use monitoring systems for requirements of organisation and production in agreement with the trade unions or in compliance with legal obligations, whereas the use of such systems is prohibited if it is carried out for monitoring the activity of employees. With reference to other previous decisions, the Court pointed out that the necessity to protect the company (and its activity) cannot legitimise suppressing fundamental employee rights such as the right to privacy.
Consequently, the State Institute of Printing and Minting appealed against the decision to the Supreme Court, maintaining that those controls not directed at work activities but rather at other employee conduct in the workplace, which might expose the business assets of the company to serious danger and which might be potentially harmful for third parties, with consequent liability on the part of the employer, fall entirely outside the scope of application of the provisions of the Workers’ Statute of Rights. This risk is all the more significant in that the Institute carries out public interest activities such as the printing of the Gazzetta Ufficiale (Italian Official Journal) and of the Raccolta ufficiale degli atti normativi della Repubblica italiana (the Official Compendium of Legislative Acts of the Italian Republic), the production of personal identification documents, security and anti-counterfeiting systems, legal tender and so on.
However the Court of Cassation considered that the significance of the public role entrusted to the State Institute of Printing and Minting does not justify violation of the current legislation, which aims to protect guarantees for constitutionally recognised workers’ rights. To this effect, the Judge emphasised the second paragraph of art. 4, which provides that monitoring systems required for organizational reasons or for safety in the workplace, but which also allow the distance monitoring of employee activity, may only be installed with the prior agreement of company trade union representatives or, in their absence, of the shop stewards’ committee. In the absence of an agreement and at the request of the employer, the Ispettorato del lavoro (the Labour Inspectorate) mediates, setting out where necessary the procedure for the use of such systems.
Therefore, rejecting the appeal and confirming the observations of the Court of Rome’s decision, the Court of Cassation underlined the necessity to strike a balance between the employer’s rights, in particular the right to conduct business and to protect the company’s business assets, and the protection of worker rights, first and foremost the right to privacy.
The European Court of Justice has recently been called on to rule on the use of the Internet and more specifically, of so called free wifi networks (namely wifi networks not protected by passwords), which are often used by Internet users who violate copyright rights, in taking advantage of the anonymity guaranteed by the net.
With its decision of the 15th September 2016 regarding lawsuit C-484/14, the Court of Justice ruled in favour of the acquittal of the administrator of a local wireless network, which was free and accessible without authorization, and which had been used by a user for the online distribution of a piece of music without the consent of the copyright holders.
Acknowledging Internet access services to be a service in the information society, which simply consist in the provision of access to a communication network, the Luxembourg Court adjudged the wifi network administrator to be exempt from all liability in accordance with Directive 2000/31/EC. As in the case of hosting service providers, the latter is in fact under no obligation (nor does he have the concrete means) to have any knowledge of and monitor information transmitted by his network.
However, keeping the necessary balance between fundamental rights (in the present case, the freedom to do business and copyright), the Court further stated that national judicial authorities may require service providers to put a stop to copyright violations or to prevent them, provided that the technical measures necessary to achieve this do not excessively restrict the provider’s freedom to do business.
According to the Court of Justice, protecting wifi networks with a password represents a technical measure which “in no way prejudices the essential content of the rights” of access service providers and at the same time, is appropriate for protecting copyright “insofar as network users are obliged to reveal their identity and cannot therefore act anonymously”.
The Italian Government has signed an agreement with the Chinese e-commerce giant in order to promote the excellence of Italian agricultural products and to fight against the phenomenon of counterfeit produce.
The agreement will enable Italian producers to satisfy the increasing demand for typical Italian products on the Chinese platform, which counts over 430 million consumers. The agreement aims at guaranteeing our Italian brands with a high level of protection against the counterfeit products market. This is also an important result in light of the fact that for decades the WTO has been searching for an adequate form of protection, which in this case has been achieved with a private company in the space of just a few months.
Since last year it has no longer been possible to find counterfeit Italian agricultural produce and foodstuffs on the Chinese website, which has prevented the monthly sale of 99 thousand tonnes of counterfeit Parmesan cheese, 10 times more than the production of the authentic cheese itself, and the sale of 13 million bottles of Prosecco which did not originate from the Veneto Region (in Italy). Italy is currently the only country on Alibaba, which has granted the same level of anti-counterfeit protection to DOP and IGP products as that provided for commercial brands. A level of protection which under this agreement is extended from the b2b platform, accessible solely to companies, to the b2c platform, consequently assuring that those 430 million Alibaba website users will be able to purchase genuine “Made in Italy” products.
The Ministry of Agriculture has set up an operational task force at the Anti-Fraud Inspectorate with the aim of identifying and reporting counterfeit products on a daily basis. The ads are removed within 3 days and the vendors are informed that they are violating Italian geographical indications and designations of origin.
We should point out that Italy has also invested in the promotion of Italian wine and food on the Chinese e-commerce platform. With this agreement Alibaba has undertaken to instruct both vendors and consumers on the importance of geographical indications and designations of origin in the food industry.
The Italian Data Protection Authority (DPA) has rejected an appeal by an ex-terrorist, who had requested the de-indexation of web pages reporting serious crimes he had committed between the end of the 1970s and the beginning of the 1980s.
Having served his sentence, in 2009 the man had requested Google to remove a number of URLs and search suggestions shown by their “autocomplete” function, which, when typing in the man’s name and surname, called up the term “terrorist”.
Given that Google took no action regarding the claimant’s request, the ex-terrorist turned to the Italian DPA complaining that the continued presence on the Internet of contents dating so far back in time and which were a misrepresentation of his current way of life, was causing serious harm both to his personal and professional life. Maintaining that he was not a public figure but a free citizen, the claimant demanded the right to be forgotten.
The DPA rejected his appeal on the grounds that the information, for which de-indexation was requested, refers to particularly serious crimes that come under those indicated in the Guidelines on the implementation of the right to be forgotten adopted in 2014 by the European Privacy Authorities; crimes for which requests for removal require more stringent evaluation.
The DPA further emphasized that in the case submitted, all the information has acquired historical value and is in the public mind. Indeed it refers to one of the darkest periods of recent Italian history, during which the claimant had not only been a supporting actor but had essentially played a leading role.
Moreover, despite the considerable length of time, which had passed since the circumstances in question, there is still a very high level of public interest in that period of time and those events, as demonstrated by the topicality of the references accessible through the same URLs.
Therefore, declaring that it was of paramount importance for the public interest to have access to the information in question, the DPA adjudged the request for removal of the URLs indicated by the claimant and indexed by Google to be unfounded.
Hosting providers are not to be held liable for any offences committed by their users nor are they required to remove contents at the request of subjects who claim to be injured parties. The Court of Grosseto relieves Tripadvisor from all responsibility for negative reviews by members of its community.
In judgment no. 46 of 2016, the Court of Grosseto established that providers of services such as Tripadvisor are to be considered as hosting providers and for this reason are not to be held liable for offences committed by their users.
The case was brought by a hotel in the Argentario area, which pressed charges against the travel portal in 2013 for publishing a negative review that the hotelier considered to be false and defamatory. In the opinion of the plaintiff, Tripadvisor was jointly liable for defamation, as it did not prevent the publication of the review, remove the review promptly enough following its being notified and also as it failed to agree to communicate details of the reviewer.
By rejecting the hotelier’s application, the Court of Grosseto established that the platform acted in compliance with Italian legislation. According to the judge what is important when defining a hosting service is the role played in relation to published contents: in the case in question the portal does not interfere with the contents of reviews and therefore cannot be considered liable.
On the 2nd of May 2016 a draft law was submitted to the Chamber of Deputies of the Italian Parliament, which aims at “regulating digital platforms for the sharing of goods and services”, and at “promoting an economy based on mutual sharing”. The purpose is to regulate the so-called sharing economy through an across-the-board approach to different professional areas.
Italy would be the first country to regulate this booming economic sector, which includes such by now notorious services as Uber (now prohibited in Italy) and AirBnB.
The draft text is the result of eighteen months’ work carried out by the Parliamentary Intergroup for Technological Innovation. Article 1 lays down the law’s objectives, while Article 2 clarifies the definition of “sharing economy”, establishing that services for which providers determine a fixed charge are not to be included. Article 3 calls for sharing platforms to register with a national electronic register kept by the Italian Antitrust Authority. With the creation of an electronic register, platforms will have to obtain the approval of the Authority, whose task it will be to evaluate inconsistencies and possible infringements (or acts of unfair competition against the traditional sectors).
However, it is principally the fiscal aspect, which the draft law aims to regulate. The new regulation provides for 10% taxation on the revenue generated by platforms, up to a maximum of 10,000€ per year, which can also comprise sums for different services. The obligation for payment of the taxes would lie with the platforms themselves, which would be required to withhold the amounts due from the takings of registered customers, thus acting as withholding agents. On exceeding the threshold of 10,000€, the income made by platforms will be considered as actual earnings, to be added to those already made. New rules have also been provided for payments, which must henceforth only be carried out by digital means.
The signatories of the draft law expect this operation to raise tax revenue from 150 million € to 3 billion € by 2025.
The draft law has started its approval procedure at the Joint Parliamentary Commissions of Transport and Productive Activities.
The Italian Antitrust Authority has submitted an opinion to the Italian Parliament and Government, in which it warns that SIAE’s current monopoly of the management of copyright restricts both the ability of other market operators to do business and users’ freedom of choice.
In a communication on the implementation of Directive 2014/26/EU by the European Parliament and the Council on the collective management of copyright in the internal market, the Antitrust Authority emphasised that the core of the Directive is based on freedom of choice and that it specifically provides rightsholders with the right to decide their choice of collective management organisation “(…) irrespective of the Member State of nationality, residence or establishment of the collective management organisation, the other entity or the rightholder (…)”.
The Antitrust Authority has remarked that in an economic climate characterized by significant technological changes, the preservation of a legal monopoly appears to be in contrast with the aim of enabling rightsholders to operate a free choice from a range of operators. According to the Authority, “the merit and the very rationale of the European legal framework are severely compromised by the presence within (Italian) national legislation, of the regulation contained in art. 180, law 22 April 1941, no. 633 (Italian copyright law), which is now a solitary case compared to other Member States’ legislations, in reserving to a single organisation (SIAE) the management activity regarding copyrights”.
The Antitrust Authority stresses that the implementation of the Directive offers the opportunity to open up the market to competitor organisations in the field of copyright management. However, the draft law approved by the Chamber of deputies and currently under discussion before the Senate, which delegates the Government to implement European directives and carry out other acts of the European Union (the 2015 European delegation law), does not expressly provide for any specific action on SIAE’s status as a legal monopoly.
Therefore, the Authority hopes that action aiming at liberalisation should be integrated by an overall reform of the procedures of copyright management listed in the Copyright law, without overlooking a review of the role and the function of the SIAE in today’s changed climate.
* SIAE is the acronym for the Italian Society of Authors and Publishers (Società italiana degli Autori e Editori).
The Working Group’s activity will once again focus on “electronic transferable records”, with particular reference to current operating practices and related legislative issues. During the session there will be an analysis of the international draft provisions on the matter, which have been drawn up by the Secretariat on the basis of the deliberations of previous meetings.
As usual, the session was attended by Full Professor Giusella Finocchiaro as President of the Working Group and representative of the Italian Government at UNCITRAL. For further information please consult the section covering Working Group activities on the UNCITRAL website.
On the 14th of April 2016, more than four years after the European Commission proposal, the European Parliament approved at second reading the Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
The incessant technological progress of the last few years, the result product of an information society which has become increasingly more intrusive in people’s private lives, had on the one hand highlighted the inadequacy of European data protection legislation Directive 95/46/EC, formulated in the first stages of the digital revolution and on the other underlined the regulatory fragmentation that the implementation of the Directive had caused in the Member States. Thus, the Regulation meets the long awaited need to reform the legislation on personal data protection extending the number of rights for data subjects compared to those provided by the Directive and to bring into line the different legislations of the Member States, as a means to also strengthening the internal European market. In that sense the choice of the European legislator to adopt the instrument of the Regulation is a significant one in that, in contrast with the Directive it does not require acts of transposition, as it can be directly and identically applied in each Member State.
Among the most significant recommendations introduced by the Regulation, of particular relevance seems to be the new local scope of application in accordance with art. 3. Directive 95/46/EC previously provided for the regulation to be applicable by means of the national legislations when personal data were processed in the framework of the activities of a data controller’s establishment physically present in the European Union. Therefore, the fundamental criterion for defining the scope of applicability of the Directive was the physical location in which the data were processed. Today, this criterion seems to have been overturned by art. 3, paragraph 1 of the Regulation, which defines the applicability of the act “regardless of whether or not the processing takes place in the Union”. Already over the last two years, from the Google Spain ruling to the recent Schrems decision, the orientation, which has become definite in the European Court of Justice’s case-law, has highlighted a trend towards a less restrictive interpretation of this criterion.
In fact, it seems that the will has also arisen to extend European legislation to cases in which data controllers are non-European subjects and data are mainly processed outside Europe. Now, art. 3 of the Regulation seems in a certain sense to have codified the Court’s broadened interpretation by providing multiple connecting criteria that also allow those cases of data processing which previously had been difficult to include, to be drawn into the sphere of application of the regulatory provision. The Regulation is now applicable not only to data processing performed in the context of the activities of a data controller’s establishment within the Union, but also in the case of a data processor’s establishment. Moreover, it is applicable when the data processing activities are related to an offer of goods or services, even if free of charge, to interested data subjects within the European Union, or when they are related to the monitoring of the such data subjects’ behaviour, even if the data controllers or processors are not settled in the European Union.
The reform introduces various innovations, among which the provision of a new range of rights for data subjects (for example the right to be forgotten and the right to data portability), the placing of more responsibilities on subjects involved in the processing of personal data (in particular the obligation for data controllers to carry out privacy impact assessments and to notify of data breaches), new safeguards for the transfer of data abroad in addition to the confirmation of the two regulatory authorities represented by the Data Protection Officer and the Supervisory Authority.
With regard to coordination with the European legislation (the Regulation will be applicable after a two year period from the date of entry into force), the Italian legislator will have to choose which of the two alternative routes to follow: either the direct application of the Regulation, which would imply the abrogation of all national provisions incompatible with the European legislation, or the integration of the current Italian Personal Data Code, despite the inevitable risks of erroneous transpositions or misinterpretations of the European provisions.