A recent judgment by the European Court of Justice stated that IP addresses can be considered as personal data in that they can be used to identify a user by turning to the authorities or ISP providers.
The point was raised in the context of a controversy between Mr Patrick Breyer and the Bundesrepublik Deutschland (Federal Republic of Germany) concerning the registration and storage of Mr Breyer’s IP address on the occasion of his consulting a number of Internet websites of the German federal services.
Every access to German Government websites is registered with the aim of thwarting cyber attacks and identifying hackers and at the end of each consultation session, a range of data is stored, such as the name of the website or file consulted, words typed in the search bars, date and time of consultation, volume of transferred data, outcome of the consultation and the IP address of the computer which has effected access.
Mr Breyer petitioned the German administrative judges, requesting them to prohibit the Federal Republic of Germany from storing IP addresses. His request was rejected at first instance trial, but the Appeal Judge partially accepted his petition, condemning the Federal Republic of Germany to refrain from storing IP addresses when these are collected together with the corresponding date of consultation and when users reveal their identity during the consultation session, even though in the form of an e-mail address.
Therefore, according to the German Court of Appeal, dynamic IP addresses associated with dates of consultation are only to be considered personal data in those cases when users have revealed their identity when surfing the web, whereas if users do not reveal their identity during a consultation session, IP addresses would not be considered as personal data as only Internet service providers could link those IP addresses to the names of their subscribers.
As both the Federal Republic of Germany and Mr Breyer opposed the Appeal Court’s decision, each petitioned the Bundesgerichtshof (Federal Court of Justice), Mr Breyer aiming at full approval of his injunction and the State requesting its rejection.
The Federal Court of Justice pointed out that the qualification of IP addresses as «personal» data depends on whether or not it is possible to identity users and raised a question of doctrine regarding the choice of «objective» or «relative» criteria in order to establish whether a person is identifiable. Applying «objective» criteria, IP addresses could be considered personal data even if only one third party were able to determine the identity of the person involved; the third party, who in this case would be an Internet access service provider. On the other hand, according to «relative» criteria, these data could only qualify as personal data in relation to a particular subject, such as the Internet access service provider, who was able to trace precise identification back to a specific user. On the contrary, IP addresses could not be considered personal data for other subjects such as Internet site administrators, since they are not in possession of the necessary information for identification without resorting to external sources, except for those cases in which users reveal their identities while browsing the web.
First of all the European Court of Justice observed that a dynamic IP address does not represent information referring to an «identified natural person», since it directly reveals neither the identity of a computer owner connected to an Internet website, nor that of another person who may be using the same computer. However, the Court stressed that the wording in art. 2, letter a) of directive 95/46 proves that a person is considered identifiable when they can be identified not only directly, but also indirectly. Moreover, recital 26 of directive 95/46 states that, to determine whether a person is identifiable, it is appropriate that the sum total of the means that may be reasonably used by a data processor or others to determine said person’s identity should be taken into consideration.
According to the Court, the fact that additional information necessary to identify users is not directly in the possession of website administrators, but rather in that of Internet access service providers, is not sufficient to exclude dynamic IP addresses from being considered as personal data in accordance with art. 2, letter a) of directive 95/46. Indeed, it needs to be established whether the possibility to match a dynamic IP address to the names in the possession of Internet access service providers constitutes an accessible means for website administrators. A situation that would not be conceivable if the identification of the person involved was prohibited by law or in practice unfeasible, for example due to the fact that it would imply an enormous amount of time, cost and labour.
Despite German national legislation not allowing ISP providers to directly transmit information that identifies a person starting from an IP address, the Court stressed that there are legal instruments which, especially in cases of cyber attacks, allow website administrators to turn to the appropriate authorities, in order that these authorities can obtain the relevant information from Internet access service providers and initiate criminal proceedings. It follows that there are means, which, with the help of other subjects, can be reasonably used to identify a person based on their IP address.
Therefore, the European Court of Justice has established that article 2, letter a) of directive 95/46 must be interpreted as meaning that a dynamic IP address registered by a website represents personal data, where website administrators are concerned, in the event that they are in possession of the legal means to allow the identification of the person involved by recourse to an Internet access service provider.
The European Court of Justice decision is available HERE.
The European Court of Justice has recently been called on to rule on the use of the Internet and more specifically, of so called free wifi networks (namely wifi networks not protected by passwords), which are often used by Internet users who violate copyright rights, in taking advantage of the anonymity guaranteed by the net.
With its decision of the 15th September 2016 regarding lawsuit C-484/14, the Court of Justice ruled in favour of the acquittal of the administrator of a local wireless network, which was free and accessible without authorization, and which had been used by a user for the online distribution of a piece of music without the consent of the copyright holders.
Acknowledging Internet access services to be a service in the information society, which simply consist in the provision of access to a communication network, the Luxembourg Court adjudged the wifi network administrator to be exempt from all liability in accordance with Directive 2000/31/EC. As in the case of hosting service providers, the latter is in fact under no obligation (nor does he have the concrete means) to have any knowledge of and monitor information transmitted by his network.
However, keeping the necessary balance between fundamental rights (in the present case, the freedom to do business and copyright), the Court further stated that national judicial authorities may require service providers to put a stop to copyright violations or to prevent them, provided that the technical measures necessary to achieve this do not excessively restrict the provider’s freedom to do business.
According to the Court of Justice, protecting wifi networks with a password represents a technical measure which “in no way prejudices the essential content of the rights” of access service providers and at the same time, is appropriate for protecting copyright “insofar as network users are obliged to reveal their identity and cannot therefore act anonymously”.
The Italian Government has signed an agreement with the Chinese e-commerce giant in order to promote the excellence of Italian agricultural products and to fight against the phenomenon of counterfeit produce.
The agreement will enable Italian producers to satisfy the increasing demand for typical Italian products on the Chinese platform, which counts over 430 million consumers. The agreement aims at guaranteeing our Italian brands with a high level of protection against the counterfeit products market. This is also an important result in light of the fact that for decades the WTO has been searching for an adequate form of protection, which in this case has been achieved with a private company in the space of just a few months.
Since last year it has no longer been possible to find counterfeit Italian agricultural produce and foodstuffs on the Chinese website, which has prevented the monthly sale of 99 thousand tonnes of counterfeit Parmesan cheese, 10 times more than the production of the authentic cheese itself, and the sale of 13 million bottles of Prosecco which did not originate from the Veneto Region (in Italy). Italy is currently the only country on Alibaba, which has granted the same level of anti-counterfeit protection to DOP and IGP products as that provided for commercial brands. A level of protection which under this agreement is extended from the b2b platform, accessible solely to companies, to the b2c platform, consequently assuring that those 430 million Alibaba website users will be able to purchase genuine “Made in Italy” products.
The Ministry of Agriculture has set up an operational task force at the Anti-Fraud Inspectorate with the aim of identifying and reporting counterfeit products on a daily basis. The ads are removed within 3 days and the vendors are informed that they are violating Italian geographical indications and designations of origin.
We should point out that Italy has also invested in the promotion of Italian wine and food on the Chinese e-commerce platform. With this agreement Alibaba has undertaken to instruct both vendors and consumers on the importance of geographical indications and designations of origin in the food industry.
Hosting providers are not to be held liable for any offences committed by their users nor are they required to remove contents at the request of subjects who claim to be injured parties. The Court of Grosseto relieves Tripadvisor from all responsibility for negative reviews by members of its community.
In judgment no. 46 of 2016, the Court of Grosseto established that providers of services such as Tripadvisor are to be considered as hosting providers and for this reason are not to be held liable for offences committed by their users.
The case was brought by a hotel in the Argentario area, which pressed charges against the travel portal in 2013 for publishing a negative review that the hotelier considered to be false and defamatory. In the opinion of the plaintiff, Tripadvisor was jointly liable for defamation, as it did not prevent the publication of the review, remove the review promptly enough following its being notified and also as it failed to agree to communicate details of the reviewer.
By rejecting the hotelier’s application, the Court of Grosseto established that the platform acted in compliance with Italian legislation. According to the judge what is important when defining a hosting service is the role played in relation to published contents: in the case in question the portal does not interfere with the contents of reviews and therefore cannot be considered liable.
It is unnecessary to resort to international rogatory in order to tap BlackBerry mobile system chats nor is it necessary to use requisition measures.
This is what the Third Criminal Division of the Italian Supreme Court (ruling no. 50452/15) established with its appeal judgment issued in relation to the appeal on the part of certain defendants who had been placed under preventive detention by the Court of Rome due to their being implicated in drug trafficking.
The detention order was founded on various evidence, including chats on BlackBerry mobile systems, which related to importing a 10 kilo consignment of cocaine to Italy.
The defendants involved in this phone tapping brought the question before the Italian Supreme Court, claiming that the chats which had been tapped could not be considered as evidence, since they had taken place on BlackBerry’s mobile systems, which have their head office in Canada. Therefore, in their opinion, an international rogatory would have been required in order to legally acquire the content of the chats. Moreover, according to the defence, conversations in a chat context could not be considered as “phone conversations” as they are in fact a stream of computer data. On these grounds requisition measures regarding computer data (according to art. 254bis of the Italian Criminal Procedure Code) should have been carried out rather than a procedure of phone tapping.
In response to the first point, the Supreme Court asserted that it is a well-established principle that international phone calls routed to a specific Italian telephone “junction” should not be subject to international rogatory as all activity involving reception and recording takes place on Italian territory. This principle was also correctly applied by the Collegio di Cautela* in relation to the use of Blackberry chats. In this regard, the Supreme Court emphasized that computer interceptions had been correctly carried out on PIN codes, while the subsequent request to the Canadian company regarding ID data associated with the intercepted PIN codes had related to data that do not enjoy special protection.
Consequently, the Supreme Court considered it irrelevant that BlackBerry was Canadian, as the communications in question took place in Italy as a result of them transferred over an ICT platform located in Italy.
Conversely, the Court considered as unfounded the objection regarding the failure to implement requisition measures for the computer data. The judgment clarifies that, even if held by Internet service providers, requisitioning IT documents or IT devices excludes per se the concept of “communication”. Requisitioning will be specifically required when it is necessary to acquire documents for purposes of evidence, by means of inspections to be carried out on data contained in those documents. The Supreme Court asserted that “with regard to the use of chats on the BlackBerry system, it is correct to acquire contents by means of tapping according to art. 266bis c.p.p. and subsequent, as even if they are not simultaneous, online conversations constitute a flow of communication”.
Although the Court upheld the defendants’ appeal on the basis of considerations that go beyond the analysis of this post, the Court rejected the abovementioned specific technical objections, pointing out that: “even the most careful interpretation of the delicate relationship between the computer interception system and new technologies has observed that tapping BlackBerry chats takes place by using traditional systems, i.e. monitoring a phone’s PIN (or IMEI), which is uniquely associated with a nickname, underlining how tapping is managed at a technical level at the company’s Italian head office”.
The text of the Supreme Court judgment is available HERE.
*Second-instance Court empowered to hear appeals of decisions on preventive measures
Yahoo’s! Italian division had been convicted because of a number of videos uploaded by users on the “Yahoo! Video” platform which is now no longer operative. The incriminated videos had been taken from RTI (Mediaset Group) television broadcasts such as “Amici”, “Grande Fratello”, Striscia la notizia”, and so on.
In the opinion of the Court of First Instance, although the videos had been circulated by users, Yahoo was to be considered responsible for the violation inasmuch as the activity of the platform could not be restricted to the liability provided for under article 14 of the European Directive on Electronic Commerce (2000/31 / EC) implemented by Italian Legislative Decree 70/2003.
Failure to recognize the neutrality of the intermediary was motivated by Yahoo’s! alleged control over the videos which would have made the platform an “active” hosting provider and thus different from the “passive” providers protected by the Directive. Basically, the Court had identified the platform’s business activity to be of a publishing nature, due on account of the function of automatic indexing and, paradoxically, the ability to remove content reported as illegal.
Accordingly, the Court had also found Yahoo! guilty of the non-removal of all the videos following the injunction served by RTI. These were grounds that Yahoo! had unsuccessfully contested during the proceedings, claiming to have immediately removed the nine videos indicated and to have requested RTI to specify other URLs of videos to be removed, in addition to which they claimed they had never received the complete list.
In a ruling that overturns the judgment of First Instance, The Court of Appeal stressed that Yahoo! had also promptly proceeded to remove a further 218 videos, when the relative URLs were indicated by RTI during the course of the trial.
With regard to the platform’s culpability, the Court of Appeal quoted certain decisions taken by the Court of Justice of the European Union such as those relating to the SABAM-Scarlet case, the -SABAM Netlog case and the Telekebel case and rejected the interpretations of the Court of Milan in 2011. Consequently the conditions do not exist for considering the platform as belonging to a different type of hosting provider not protected by Directive 2000/31/EC. Yahoo! is therefore a simple intermediary and as such under no obligation to independently identify any content in violation of RTI’s rights, nor would it have needed to implement a system of filters to prevent the further violations.
RTI has therefore been ordered to pay Yahoo’s! legal costs incurred in First Instance and Appeal amounting to 244,000 Euros.
The text of the judgment is published HERE.
On the 22nd of April 2014 the Marco Civil, the Brazilian “Internet Constitution”, was granted final approval by the Brazilian Senate. The law, which regulates the rights and obligations of network users, was signed by President Dilma Rousseff at the opening of the “NetMundial” conference, a two day event dedicated to worldwide network governance.
After a work project lasting five years the regulations protecting privacy, freedom of expression and net neutrality were approved in Sao Paolo. With specific regard to net neutrality, the Brazilian Internet Constitution is considered by civil liberty activists as a revolutionary document in Internet history. The regulations will in fact prevent telecommunication companies from setting up preferential channels to band access as a prerogative of some services and to the detriment of others, as is an emerging trend in the business strategies of connectivity providers worldwide.
The law process speeded up after Edward Snowden’s revelations from which it emerged that the United States were monitoring President Rousseff’s communications.
However, as regards datagate, the Brazilian law proves to be less effective on comparison with its first formulation.
In fact one of the most contested innovations contained in the bill, namely the idea of preventing the storage of Brazilian citizens’ data on servers located abroad, was deleted from the main body of the regulation before Senate approval.
By virtue of the removal of the above mentioned proposal, another article of the regulations has been strengthened, which provides that companies that collect user data generated in Brazil must submit to the Brazilian government regulations on Data Protection, regardless of the location of the servers where the information is stored.
The Marco Civil also contains provisions against the attribution of liability to intermediaries, formalizing that providers are not responsible for the content published online by users, a hotly contested topic for years in Europe but on which Brazil had not yet legislated.
Under the new legislation, service providers will only be liable for third party content if they fail to ensure the removal of material pursuant to a court order.
As we have read in the press, the moment of the President’s signature was accompanied by applause and clamour from the NetMundial audience which was made up of experts and representatives of the major worldwide network companies.
In a speech which briefly preceded Rouseff’s signature, Tim Berners-Lee, the inventor of the World Wide Web, expressed the hope that other governments would follow Brazil’s example and join together in signing the paper described as a wonderful example of how governments can play a positive role in the advancement of civil rights on the Internet and in maintaining an open network.
Following the President’s speech, the European Commissioner Neelie Kroes also expressed her enthusiasm and defined the Marco Civil as “real cause for celebration”.
In Italy there is an ongoing and ever more widespread outcry on the part of traders and business people against TripAdvisor, from Federalberghi (the hoteliers’ association), which speaks of a “genuine emergency” caused by malpractice that through blackmail and the threat of fear severely disrupts the activity of Tour Operators, to the Sos albergatori association which uses the Pirtadvisor app in an attempt to flush out misleading reviews.
There are also those who have come out in open revolt against the American portal and display a decidedly blunt sign at the entrance to their premises plainly stating “TripAdvisor users not welcome”.
The problem is the subject of long-standing debate and is first and foremost legal: Decree Law 70/2003 (from the European directive 2000/31/Ce) orders that the owners of websites are not responsible for any information sent by users, unless said owners are aware that such activity or information is illegal or that although aware of such facts and following the request of the Judge they fail to act immediately to remove or to prevent access to such information.
It is for this precise reason why TripAdvisor and other similar sites are under no obligation to verify the identity of the writer or the information received. Consequently the only possible protection to be obtained is when the violation has already taken place; namely to demand removal of the review, either directly or through a lawyer and to ask for payment of damages or to sue in the case of defamation or the violation of the right to personal identity.
The Italian Supreme Court’s reasoning for its verdict in the well known case Vividown vs. Google has been announced: namely that the Provider is not liable for the violation of the privacy of individuals in videos uploaded by users.
The Third Criminal Chamber of the Supreme Court published the reasoning for its verdict of acquittal for the three Google executives who were sentenced to six months in prison by a first instance judgment in 2010, following the upload on the Google video platform of a video in which a disabled minor was humiliated by classmates.
According to the Supreme Court, Internet host providers cannot be held criminally liable in cases of violation of privacy due to videos posted on the web.
Press sources have reported certain extracts of the explanation for the sentence: “The offences before us here, relating to Article 167 of the Privacy Code, shall be construed as offences committed under colour of authority, as here we are dealing with conduct only resulting in a breach of the obligations of the owner of the data processed and not of any other person who in any way handles the data being processed, but without related decision-making powers”.
The Supreme Court has specified that the hosting service provider “has no control over the data stored nor does it contribute in any way to the selection of the same, its research or the creation of the file that contains it, such data being entirely attributable to the users of the service who upload them onto the platform placed at their disposal”.
The facts giving rise to the legal proceedings date back to 2006 when the association Vividown (the Italian Association for scientific research and protection of Down’s Syndrome patients, based in Milan) had sued Google for allowing the showing of a video in which a disabled boy was humiliated at school. In 2010, Judge Oscar Magi sentenced three Google executives to six months in prison for invasion of privacy.
According to the court, the California-based company was liable due to the vague nature of the information concerning privacy that Google Video provided for users who uploaded videos. A vagueness that was all the more serious as it relates to an activity carried out for motives of profit.
In December 2012, the Court of Appeal of the Milan court overturned Judge Magi’s decision and fully acquitted the three executives because in their opinion the liability for processing the data was to be attributed to the uploader of the video and not to the content provider. Therefore, this violation does not involve Google, but rather those responsible for the online publication of the video (in this case the student who uploaded the video). For an in depth analysis of the Court’s reasoning, please refer to Prof Giusella Finocchiaro’s comments.
The judgment of the Supreme Court of 18th December 2013 confirmed the verdict of the Court of Appeal. In its explanation released today, the Supreme Court has in fact found that Google Video operated as a “mere Internet host provider, a role that confines itself to providing a platform on which users can freely upload their own videos”, the “content of which is their own exclusive responsibility”. Therefore, the three Google executives accused in the proceedings “are not owners of any data processed”, whereas “the sole owners of the sensitive data processed and contained in the videos uploaded onto the site are the users themselves who uploaded them and they are the only ones who both the administrative and penal sanctions envisaged for the owner of processed data by the Privacy Code can be applied to”.
The case Vividown vs. Google, considered the best known Italian Internet law case, was concluded on Wednesday December 11th 2013 with the announcement that the Supreme Court had acquitted the three Google executives.
Upholding the judgment on appeal, the Third Criminal Chamber of the Supreme Court acquitted David Drummond, George De Los Reyes and Peter Fleischer, Google’s three executives, who were sentenced by a first instance judgment in 2010 to six months in prison.
The facts giving rise to the legal proceedings date back to 2006 when the association Vividown (the Italian Association for scientific research and protection of Down’s Syndrome patients, based in Milan) had sued Google for allowing the showing of a video in which a disabled boy was humiliated by classmates. The footage was uploaded on the Google video platform by a girl student, then a minor, and almost instantly became one of the most “clicked on” videos, moving right up the viewing list of the most popular videos on the platform.
The verdict of guilty passed by the Court of Milan had considerable international repercussions and was taken up by the world press. Judge Oscar Magi who drafted the judgment, had essentially convicted the executives not of libel, which was the request of the prosecution, but of invasion of privacy. According to the court, the California-based company was liable due to the vague nature of the information concerning privacy that Google Video provided for users who uploaded videos, a vagueness which was all the more serious as it relates to an activity carried out for motives of profit. In the Court’s opinion, the girl who had uploaded the video had not been given adequate warning of having to pay full regard to questions of privacy.
The Court of Milan’s decision raised a chorus of international protest because of its attribution of liability to the content provider. Most of the criticism predictably came from both Google’s official blog and Peter Fleischer’s personal blog, the result of which was an almost immediate forceful media reaction against the Italian judgment. The protests made reference to the neutrality of providers guaranteed by art. 17 of Legislative Decree no. 70/2003 implementing Directive 31/2000, which excludes the obligation for monitoring and only assigns liability subsequent to the committing of the offense under certain conditions.
In December 2012, the Court of Appeal of the Milan Court overturned Judge Magi’s decision and fully acquitted the three executives because in their opinion there was no case to answer. The Court attributed liability for processing the data to the uploader of the video and not to the content provider. Therefore, this violation does not involve Google, but rather those responsible for the online publication of the video (in this case the student). For an in depth analysis of the Court’s reasoning, please refer to Giusella Finocchiaro’s comment.
However, the question was not resolved in the Court of Appeal and in 2013 the Milan prosecutors lodged an appeal with the Supreme Court, arguing that platforms like YouTube should be obliged to carry out prior checks on videos uploaded by users and to obtain clearance from the people filmed in these videos.
From what we learn from media reports, in his submissions the Deputy Public Prosecutor Mario Fraticelli sought annulment with postponement of acquittal and called for a second appeals process, referring to the fact that “the judgment of the Appeal Court states that the three defendants had examined the video and had had the opportunity to inspect its contents” and that “you cannot think that anyone who provides a service on a platform should then not attend to and be responsible for what is uploaded.” The Supreme Court, however, did not accept this request.
The reasoning for the Supreme Court’s verdict will be announced in a month’s time.
Google says it is satisfied with the outcome of the court case: “We are happy that the Supreme Court has confirmed our colleagues are innocent. Our thoughts are again for the boy and his family. Today’s decision is also important because it confirms an important legal principle.”