The Italian Data Protection Authority (DPA) has rejected an appeal by an ex-terrorist, who had requested the de-indexation of web pages reporting serious crimes he had committed between the end of the 1970s and the beginning of the 1980s.
Having served his sentence, in 2009 the man had requested Google to remove a number of URLs and search suggestions shown by their “autocomplete” function, which, when typing in the man’s name and surname, called up the term “terrorist”.
Given that Google took no action regarding the claimant’s request, the ex-terrorist turned to the Italian DPA complaining that the continued presence on the Internet of contents dating so far back in time and which were a misrepresentation of his current way of life, was causing serious harm both to his personal and professional life. Maintaining that he was not a public figure but a free citizen, the claimant demanded the right to be forgotten.
The DPA rejected his appeal on the grounds that the information, for which de-indexation was requested, refers to particularly serious crimes that come under those indicated in the Guidelines on the implementation of the right to be forgotten adopted in 2014 by the European Privacy Authorities; crimes for which requests for removal require more stringent evaluation.
The DPA further emphasized that in the case submitted, all the information has acquired historical value and is in the public mind. Indeed it refers to one of the darkest periods of recent Italian history, during which the claimant had not only been a supporting actor but had essentially played a leading role.
Moreover, despite the considerable length of time, which had passed since the circumstances in question, there is still a very high level of public interest in that period of time and those events, as demonstrated by the topicality of the references accessible through the same URLs.
Therefore, declaring that it was of paramount importance for the public interest to have access to the information in question, the DPA adjudged the request for removal of the URLs indicated by the claimant and indexed by Google to be unfounded.
The recent “Facebook” decision by the European Court of Justice can be interpreted from two different perspectives, which are not (however) mutually exclusive. The first interpretation is of a legal-technical nature, while the second is political.
Let us start with the first. The facts are known as are the conclusions. The United States is not considered to be a country that guarantees an adequate level of protection in accordance with the Directive on personal data protection, dir. 95/46.
The path is outlined in art. 25 of the Directive, which is hereinafter quoted for convenience and clarity, in order to better understand the past (the decision) and the future (the currently open directions).
1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer, may only take place if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.
2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.
3. The Member States and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection within the meaning of paragraph 2.
4. Where the Commission finds, under the procedure provided for in Article 31 (2), that a third country does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question.
5. At the appropriate time, the Commission shall enter into negotiations with a view to remedying the situation resulting from the finding made pursuant to paragraph 4.
6. The Commission may find, in accordance with the procedure referred to in Article 31 (2), that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals.
Member States shall take the measures necessary to comply with the Commission’s decision”.
In the past the Commission had deemed the level of protection afforded by the Safe Harbour framework to be appropriate, but this decision by the Court shows its disagreement and invalidates the Safe Harbour.
This does not imply, however, that the transfer of personal data to the United States can no longer take place. It can take place on the basis of the express consent of the interested party or on the basis of the Binding Corporate Rules. Therefore either the interested party may give their consent for the transfer or the data controller may adopt management rules approved by the Data Protection Authority that will allow the transfer.
So, what is the difference then? The difference is that it will not be possible to use the Safe Harbour framework, i.e. transfer data to the United States without consent or without pre-approved rules, that is assuming the data to be protected in the United States in the same way as they are in Europe.
From a strictly legal-applicative point of view all comment ends here. Undoubtedly, there will be higher management costs for those who transfer data from Europe to the United States, but there will certainly be no ban.
On the other hand, the political interpretation of the decision which follows roughly a year after the Google Spain case is far more problematic. As mentioned above, in the Court’s opinion, the United States does not provide an adequate level of data protection.
Essentially the Court states that the level of protection of personal data is higher in Europe and that it is the European law which should be applied to European subjects’ personal data (apologies for this simplification, obviously the decision refers to data transfer from Europe under certain conditions). Similar assertions can be found in the Google Spain decision.
The Court anticipates the contents of art. 3 of the forthcoming European regulation for the protection of personal data with another decision which is also political. Then again, personal data protection has constitutional significance in Europe (article 8 of the Charter of Fundamental Rights), but not in the USA. This obviously reflects a different scale of values in two regions of the world, albeit very similar to each other if compared to the Asian region. This of course has a cost, which big players such as Google and Facebook can much more easily afford than small ones. And it underlines that Europe and the United States have not (yet) reached a political agreement on the question.
Users can not invoke the right to be forgotten for recent events of significant public interest, but are entitled to the amendment of any supplemental texts automatically generated by a search engine which contains misleading information.
The Authority has expressed this ruling and has rejected the appeal of a user who had not obtained de-indexation from Google of a news item concerning a court inquiry in which he was involved. According to the user, the article contained information which was “extremely misleading and grossly prejudicial”, and which therefore could not be connected to him with any justification in Google’s search results.
The Authority rejected the request. The disputed news item in question is in fact a very recent one concerning an important judicial inquiry and reports the facts in compliance with the principle of the essentialness of information.
In this regard, the Authority pointed out that a person who believes himself to be the victim of misleading information about him, can contact the publisher to request rectification and integration of the information contained in the article.
Conversely, with regard to the summary texts automatically generated by Google to integrate search results, known as “snippets”, the Authority has recognized as legitimate requests for elimination of the texts not in line with the narration of the facts reported on the pages of the links to which they refer.
Although excluding “the possibility of editorial intervention by Google”, snippets carrying incomplete data, “effectively constitute processing of personal data and as such must be relevant, correct and not misleading.”
In the case under consideration by the Authority, the claimant had obtained from Mountain View modification of the snippet which connected him to more serious crimes than those for which he was under investigation. Google had in fact complied with the request and proceeded independently to delete the misleading summary generated by their algorithm.
Google has presented a new tool for the “right to be forgotten”, by means of which users will be able to request the cancellation of certain results associated with their name.
Following the recent decision by the EU Court of Justice which has established that users can ask search engines to remove results linked to their name, Google has released a new tool for requesting the removal of the content.
Commenting on the indications contained in the judgment, Google has announced that a request for removal can be forwarded by any citizen who considers the information in the results associated with a search relating to their name to be unsuitable, irrelevant or no longer relevant, or even excessive in relation to the purposes for which such information has been published.
On the web page carrying the form, the company advises that “For the duration of implementation of this decision we will evaluate each individual request and try to find an appropriate balance between the individual person’s rights to privacy with the right of everyone to know and share information. When evaluating a request we will establish whether results include outdated information about the user and whether the information is of public interest, for instance whether it relates to financial fraud, professional negligence, criminal convictions or the conduct of public officials.”
Larry Page, Google’s CEO has expressed his concern to the Financial Times regarding the decision of the European Court, stressing that the judgment risks damaging the next generation of digital start-ups and reinforces the repressive actions of those governments which attempt to limit the free flow of information on the Internet.
The company also announced that it is working on setting up a committee of experts for providing advice on how to manage the new facility dedicated to the right to be forgotten.
The Italian Supreme Court’s reasoning for its verdict in the well known case Vividown vs. Google has been announced: namely that the Provider is not liable for the violation of the privacy of individuals in videos uploaded by users.
The Third Criminal Chamber of the Supreme Court published the reasoning for its verdict of acquittal for the three Google executives who were sentenced to six months in prison by a first instance judgment in 2010, following the upload on the Google video platform of a video in which a disabled minor was humiliated by classmates.
According to the Supreme Court, Internet host providers cannot be held criminally liable in cases of violation of privacy due to videos posted on the web.
Press sources have reported certain extracts of the explanation for the sentence: “The offences before us here, relating to Article 167 of the Privacy Code, shall be construed as offences committed under colour of authority, as here we are dealing with conduct only resulting in a breach of the obligations of the owner of the data processed and not of any other person who in any way handles the data being processed, but without related decision-making powers”.
The Supreme Court has specified that the hosting service provider “has no control over the data stored nor does it contribute in any way to the selection of the same, its research or the creation of the file that contains it, such data being entirely attributable to the users of the service who upload them onto the platform placed at their disposal”.
The facts giving rise to the legal proceedings date back to 2006 when the association Vividown (the Italian Association for scientific research and protection of Down’s Syndrome patients, based in Milan) had sued Google for allowing the showing of a video in which a disabled boy was humiliated at school. In 2010, Judge Oscar Magi sentenced three Google executives to six months in prison for invasion of privacy.
According to the court, the California-based company was liable due to the vague nature of the information concerning privacy that Google Video provided for users who uploaded videos. A vagueness that was all the more serious as it relates to an activity carried out for motives of profit.
In December 2012, the Court of Appeal of the Milan court overturned Judge Magi’s decision and fully acquitted the three executives because in their opinion the liability for processing the data was to be attributed to the uploader of the video and not to the content provider. Therefore, this violation does not involve Google, but rather those responsible for the online publication of the video (in this case the student who uploaded the video). For an in depth analysis of the Court’s reasoning, please refer to Prof Giusella Finocchiaro’s comments.
The judgment of the Supreme Court of 18th December 2013 confirmed the verdict of the Court of Appeal. In its explanation released today, the Supreme Court has in fact found that Google Video operated as a “mere Internet host provider, a role that confines itself to providing a platform on which users can freely upload their own videos”, the “content of which is their own exclusive responsibility”. Therefore, the three Google executives accused in the proceedings “are not owners of any data processed”, whereas “the sole owners of the sensitive data processed and contained in the videos uploaded onto the site are the users themselves who uploaded them and they are the only ones who both the administrative and penal sanctions envisaged for the owner of processed data by the Privacy Code can be applied to”.
The case Vividown vs. Google, considered the best known Italian Internet law case, was concluded on Wednesday December 11th 2013 with the announcement that the Supreme Court had acquitted the three Google executives.
Upholding the judgment on appeal, the Third Criminal Chamber of the Supreme Court acquitted David Drummond, George De Los Reyes and Peter Fleischer, Google’s three executives, who were sentenced by a first instance judgment in 2010 to six months in prison.
The facts giving rise to the legal proceedings date back to 2006 when the association Vividown (the Italian Association for scientific research and protection of Down’s Syndrome patients, based in Milan) had sued Google for allowing the showing of a video in which a disabled boy was humiliated by classmates. The footage was uploaded on the Google video platform by a girl student, then a minor, and almost instantly became one of the most “clicked on” videos, moving right up the viewing list of the most popular videos on the platform.
The verdict of guilty passed by the Court of Milan had considerable international repercussions and was taken up by the world press. Judge Oscar Magi who drafted the judgment, had essentially convicted the executives not of libel, which was the request of the prosecution, but of invasion of privacy. According to the court, the California-based company was liable due to the vague nature of the information concerning privacy that Google Video provided for users who uploaded videos, a vagueness which was all the more serious as it relates to an activity carried out for motives of profit. In the Court’s opinion, the girl who had uploaded the video had not been given adequate warning of having to pay full regard to questions of privacy.
The Court of Milan’s decision raised a chorus of international protest because of its attribution of liability to the content provider. Most of the criticism predictably came from both Google’s official blog and Peter Fleischer’s personal blog, the result of which was an almost immediate forceful media reaction against the Italian judgment. The protests made reference to the neutrality of providers guaranteed by art. 17 of Legislative Decree no. 70/2003 implementing Directive 31/2000, which excludes the obligation for monitoring and only assigns liability subsequent to the committing of the offense under certain conditions.
In December 2012, the Court of Appeal of the Milan Court overturned Judge Magi’s decision and fully acquitted the three executives because in their opinion there was no case to answer. The Court attributed liability for processing the data to the uploader of the video and not to the content provider. Therefore, this violation does not involve Google, but rather those responsible for the online publication of the video (in this case the student). For an in depth analysis of the Court’s reasoning, please refer to Giusella Finocchiaro’s comment.
However, the question was not resolved in the Court of Appeal and in 2013 the Milan prosecutors lodged an appeal with the Supreme Court, arguing that platforms like YouTube should be obliged to carry out prior checks on videos uploaded by users and to obtain clearance from the people filmed in these videos.
From what we learn from media reports, in his submissions the Deputy Public Prosecutor Mario Fraticelli sought annulment with postponement of acquittal and called for a second appeals process, referring to the fact that “the judgment of the Appeal Court states that the three defendants had examined the video and had had the opportunity to inspect its contents” and that “you cannot think that anyone who provides a service on a platform should then not attend to and be responsible for what is uploaded.” The Supreme Court, however, did not accept this request.
The reasoning for the Supreme Court’s verdict will be announced in a month’s time.
Google says it is satisfied with the outcome of the court case: “We are happy that the Supreme Court has confirmed our colleagues are innocent. Our thoughts are again for the boy and his family. Today’s decision is also important because it confirms an important legal principle.”
Two recent court decisions lead us to reflect on the issue of the liability of the Net. The first is the European Court of Human Rights’ decision in the case of Delfi AS vs. Estonia and the second is the recent Grand Instance Court of Paris’s decision in the case of Max Mosley vs. Google Inc.
The two judgements confirm the responsibility, respectively of the portal and the search engine, for contents posted by users.
I believe that these decisions impose on lawyers the duty to question the topicality of European Directive 31/2000 on electronic commerce and on the system of responsibility of the provider. It should also be pointed out that the liability of the provider can only be additional to that of the end beneficiary of the offence.
The decision of the European Court of Human Rights highlights a substantial compatibility of the conviction of the Estonian news portal to settle damages for the defamatory comments published therein by anonymous readers with art. 10 of the Convention, which protects the freedom of expression. Although the sum of the damages was paltry and only amounted to 320€ for non-pecuniary damage, it clearly underlined the principle expressed by the Court, namely that the discredited party must be able to obtain compensation (it was not possible to identify the author in this particular case).
The ruling by the Grand Instance Court of Paris, which has lately raised many doubts, ordered Google Inc. to remove links related to the unauthorized photographs regarding the former president of the FIA (Fédération Internationale de l’Automobile), Max Mosley. Google was granted two months to comply with Judge Marie Mongin’s decision and to pay the former president the symbolic sum of 1€ damages and 5,000€ for legal fees.
The misalignment between regulation and law is clearly obvious to those in the know.
If we only consider the normative data, there can be no doubt: the responsibility of the provider is governed by the EU Directive and by Italian art. 17 of Legislative Decree no. 70/2003 which excludes any obligation for monitoring and only considers any responsibility subsequent to committing the offence under certain conditions. From a historical point of view, this rule was created to meet the needs of the economy, an approach that characterises Directive 31/2000 and the EU’s approach to electronic commerce itself: the need was to encourage the development of the Internet. Moreover, a liability rule that exempts from liability is most particular. This economic need is also accompanied by the need to meet the additional requirements of freedom and the neutrality of the Net
However, jurisprudence today seems ever more frequently to seek interpretative solutions that enable it to overcome the provision of the law.
We can consider emblematic the recent Italian case of Google vs. Vividown (Court of Milan, April 12, 2010, subsequently reformed by the Milan Court of Appeal on December 21, 2012), in which the grounds for Google’s responsibility was to be found in the legislation on the protection of personal data.
It is therefore necessary to reflect on the historical and economic reasons behind this change of scenario. In something less than fifteen years from 2000 to today, the Internet has radically changed. The need today is no longer that of “network expansion”, but of rethinking the legislative framework as well as the allocation of responsibility in this mature phase of the Internet.
At this point, the role of search engines must also be considered. Are they really neutral? Or do they create a sort of parallel reality for the average Internet user? There are already a number of decisions that confirm the responsibility of search engines: in the UK the judgement of the Royal Courts of Justice on 14 February 2013, in Australia in the case of Trkulja vs. Google on 12 November 2012 and finally in France, the judgement of the Grand Instance Court of Paris, which convicted Google of defamation with its judgement on 8 September 2010.
These decisions oblige lawyers to reflect on the actuality of Legislative Decree no. 70/2003 and the need for reforms.
Therefore it is high time we began pondering over and having second thoughts about a rule which came into being in 2000, but which was conceived even earlier, when the main aim was to get the Internet to expand.
What is the function of civil liability and its objective in this new context?
To answer this question, we must first answer two others. And it comes down to questions of method, in a context in which with increasing frequency laws are written without there being any plan, without any wondering why and abandoning what should be a lawyer’s true role, namely firstly to ask and also to ask oneself questions and only afterwards to write the rules.
And the questions to ask oneself – and there are at least two – are these.
The first, what are the values one is called on to protect through the law in this case? The second: who decides? The judge or the legislator?
The right to oblivion on the Internet is again at the centre of the international debate.
This time attention is focused on Spain where at the beginning of the year the Agencia Española de Protección de Datos (AEPD) ordered Google to remove certain links to pages hosting personal information regarding Spanish citizens from its results.
These are a certain number of pages, most of which are newspaper articles, containing news which can be interpreted as damaging for the reputations of the subjects involved. One particular case stands out: that of Doctor Hugo Guidotti Russo, a plastic surgeon who in 1991 was involved in a case of medical malpractice and who is now asking Google to remove the related articles from search results connected with his name.
However, the Spanish Authority’s decision met with a stance of non-collaboration on the part of the Mountain View Company which announced that it had no intention of carrying out what it considers censorship of its results.
In January the controversy between Google and the Spanish Authority ended up in a Madrid Court, where both parties asked the judge to find in favour of the protection of important rights: the Authority asked for the protection of the right to privacy and the right to oblivion whereas Google asked for the protection of the right to inform and freedom of speech.
As reported in the Wall Street Journal, during the trial a lawyer representing Google stated that Spain is the only country where a company is obliged to remove links to Web pages even if these do not contain illegal content of any description.
The Spanish Authority replied that the only way to block access to content is through search engines. This is because newspapers online have the right to refuse to remove legally published news from their archives.
Several weeks later the Madrid Court asked the European Court of Justice for its opinion on the matter. This Court will now have to establish whether the Spanish Authority’s requests are compatible with Community legislation.
The European Court’s decision is awaited with growing interest both in Europe and in the US in that it may establish a decisive precedent for the future of the availability of archive information on the Internet.
This issue is particularly relevant as an overhaul of the EU’s 15-year-old data-protection law is awaited within the next year or two. Currently the main topic of the European debate is conciliation between freedom of speech and the right to privacy.
In November during a conference in Brussels Viviane Reding, the European Commissioner for Justice, stated:
“As somebody once said: “God forgives and forgets but the Web never does!” This is why the “right to be forgotten” is so important for me. With more and more private data floating around the Web – especially on social networking sites – people should have the right to have their data completely removed.”
However, not all data is equal. It should be possible to distinguish between information voluntarily put on a social network site and information published in newspaper articles of global interest, such as those regarding murders. This is what Google’s Global Privacy Counsel Peter Fleischer declares in a post published on his personal blog where he asks for greater clarity regarding the uniquely European concept of the right to oblivion.
Peter Fleischer, who was last year sentenced to six months’ imprisonment by the Milan Court in the Vividown vs. Google case, wonders how a national law could successfully issue orders to remove links that are used globally to search for information.
Fleischer uses the precise case of Google/Vividown as a reference for a reflection that has also been reported by the American press:
“The web is littered with references to my criminal conviction in Italy, but I respect the right of journalists and others to write about it, with no illusion that I should have a “right” to delete all references to it at some point in the future. But all of my empathy for wanting to let people edit-out some of the bad things of their past doesn’t change my conviction that history should be remembered, not forgotten, even if it’s painful. Culture is memory.”
Clearly the debate is still open. For a broader in depth analysis of the various points of view we suggest you should read the relevant pages from The Guardian, El Paìs, The Wall Street Journal and Forbes Magazine.