The Italian Data Protection Authority (DPA) has rejected an appeal by an ex-terrorist, who had requested the de-indexation of web pages reporting serious crimes he had committed between the end of the 1970s and the beginning of the 1980s.
Having served his sentence, in 2009 the man had requested Google to remove a number of URLs and search suggestions shown by their “autocomplete” function, which, when typing in the man’s name and surname, called up the term “terrorist”.
Given that Google took no action regarding the claimant’s request, the ex-terrorist turned to the Italian DPA complaining that the continued presence on the Internet of contents dating so far back in time and which were a misrepresentation of his current way of life, was causing serious harm both to his personal and professional life. Maintaining that he was not a public figure but a free citizen, the claimant demanded the right to be forgotten.
The DPA rejected his appeal on the grounds that the information, for which de-indexation was requested, refers to particularly serious crimes that come under those indicated in the Guidelines on the implementation of the right to be forgotten adopted in 2014 by the European Privacy Authorities; crimes for which requests for removal require more stringent evaluation.
The DPA further emphasized that in the case submitted, all the information has acquired historical value and is in the public mind. Indeed it refers to one of the darkest periods of recent Italian history, during which the claimant had not only been a supporting actor but had essentially played a leading role.
Moreover, despite the considerable length of time, which had passed since the circumstances in question, there is still a very high level of public interest in that period of time and those events, as demonstrated by the topicality of the references accessible through the same URLs.
Therefore, declaring that it was of paramount importance for the public interest to have access to the information in question, the DPA adjudged the request for removal of the URLs indicated by the claimant and indexed by Google to be unfounded.
It is unnecessary to resort to international rogatory in order to tap BlackBerry mobile system chats nor is it necessary to use requisition measures.
This is what the Third Criminal Division of the Italian Supreme Court (ruling no. 50452/15) established with its appeal judgment issued in relation to the appeal on the part of certain defendants who had been placed under preventive detention by the Court of Rome due to their being implicated in drug trafficking.
The detention order was founded on various evidence, including chats on BlackBerry mobile systems, which related to importing a 10 kilo consignment of cocaine to Italy.
The defendants involved in this phone tapping brought the question before the Italian Supreme Court, claiming that the chats which had been tapped could not be considered as evidence, since they had taken place on BlackBerry’s mobile systems, which have their head office in Canada. Therefore, in their opinion, an international rogatory would have been required in order to legally acquire the content of the chats. Moreover, according to the defence, conversations in a chat context could not be considered as “phone conversations” as they are in fact a stream of computer data. On these grounds requisition measures regarding computer data (according to art. 254bis of the Italian Criminal Procedure Code) should have been carried out rather than a procedure of phone tapping.
In response to the first point, the Supreme Court asserted that it is a well-established principle that international phone calls routed to a specific Italian telephone “junction” should not be subject to international rogatory as all activity involving reception and recording takes place on Italian territory. This principle was also correctly applied by the Collegio di Cautela* in relation to the use of Blackberry chats. In this regard, the Supreme Court emphasized that computer interceptions had been correctly carried out on PIN codes, while the subsequent request to the Canadian company regarding ID data associated with the intercepted PIN codes had related to data that do not enjoy special protection.
Consequently, the Supreme Court considered it irrelevant that BlackBerry was Canadian, as the communications in question took place in Italy as a result of them transferred over an ICT platform located in Italy.
Conversely, the Court considered as unfounded the objection regarding the failure to implement requisition measures for the computer data. The judgment clarifies that, even if held by Internet service providers, requisitioning IT documents or IT devices excludes per se the concept of “communication”. Requisitioning will be specifically required when it is necessary to acquire documents for purposes of evidence, by means of inspections to be carried out on data contained in those documents. The Supreme Court asserted that “with regard to the use of chats on the BlackBerry system, it is correct to acquire contents by means of tapping according to art. 266bis c.p.p. and subsequent, as even if they are not simultaneous, online conversations constitute a flow of communication”.
Although the Court upheld the defendants’ appeal on the basis of considerations that go beyond the analysis of this post, the Court rejected the abovementioned specific technical objections, pointing out that: “even the most careful interpretation of the delicate relationship between the computer interception system and new technologies has observed that tapping BlackBerry chats takes place by using traditional systems, i.e. monitoring a phone’s PIN (or IMEI), which is uniquely associated with a nickname, underlining how tapping is managed at a technical level at the company’s Italian head office”.
The text of the Supreme Court judgment is available HERE.
*Second-instance Court empowered to hear appeals of decisions on preventive measures
We present here an interview published in december 2015 on the CINECA Consortium Magazine.
Do the legal principles covering the Net derive from general legal principles of from made-to-measure laws?
The general legal principles are always the same, of course. There would be no sense in trying to find a made-to-measure solution and a made-to-measure law for each specific problem, without due consideration for the overlying framework. It’s not always true, therefore, that, in order to regulate new technologies, new laws have to be made.
We need to get away, too, from the common idea that technology runs ahead while the law limps along behind. The reality is quite different. Take the laws on electronic signatures, for example. In Italy, the law arrived ahead of technology and even ahead of the need.
The principle has recently been affirmed according to which the law should be technologically neutral. On the basis of this principle, the legislator should not condition the market by favouring one technology over another, nor should he condition the development of technology. This approach is “functional” in the sense that it regulates, not the object, but the function. We must avoid constraining any specific form of technological or commercial development. Rather, we need to set out general principles that will remain unvaried for a certain period of time, and will not be constrained by changing technologies.
Apart from the electronic signature, another emblematic case is that of laws for the protection of consumers over remote sales contracts. What is involved, clearly, is a way of selling, not a specific technology. As far as the law is concerned, therefore, it is not important to make a distinction between purchases made using, for example, an App, or those made through a traditional website.
Speaking of users’ rights, the privacy and copyright laws are well known, but people are also invoking the right to be forgotten. What is this about?
The right to be forgotten is not a right in itself but it is nevertheless a restatement of other rights that are recognized by the law. Traditionally, the right to be forgotten describes a person’s right not to have republished information, even if it was legitimately published at the time, relating to events that happened a considerable length of time ago.
In Internet, obviously, the time involved is not that between publication and republication of the information, but the time that has lapsed since the item was published. The time factor regards, not just news items, but events which took place a long time ago, though for which this fact is not evident because no time context is given. In these cases, jurisprudence has suggested there may be an infringement of an individual’s right to his or her personal identity.
The problem is to ensure that the proper weight is given to the information, in order to avoid the person’s identity being distorted by the Net. As we saw from a decision by the Supreme Court, no. 5525 of 5 April 2012, this goal can be achieved by placing the information in context. It is not a right to be forgotten, then, but a right to a proper context.
The underlying theme, but one that emerges strongly, is that of the protection of an individual’s identity, in all its multiple forms.
What is at issue, then, is not the question of a specific news item about a specific individual and a specific event that can be retrieved through Google, but the protection of a person’s identity in the Internet, which is often perceived as a sole archive. It is not a sole archive, but it is a major source of information and sometimes the only one accessible.
“The Law in the Net”, but also “The Net in the Law”: how has Internet affected or modified the principles of “Jus Commune”?
Generally speaking, the principles of “Jus Commune” remain as before, but it cannot be denied that the advent of new technologies has brought fresh challenges for legal scholars.
What we have said about the right to be forgotten is a good example. In the real, physical world, the key element of this is the concept of “republication”. With Internet, on the other hand, the issue is the time the information stays available. Here it is not a question of drawing public attention back to a past event. The point is that, potentially, the past event has always remained there. So in this case the need that the law has to satisfy is a different one. It is no longer a question of republishing or not, it is a question of how a publication, that was maybe made quite legitimately many years earlier, is to be presented now.
A Net without borders: how have international regulations been affected by Internet?
The same general considerations apply. It is clear that the advent of Internet has drawn international attention to the need to regulate certain situations. I am thinking first of all of regulations aimed at encouraging the use of Internet as a trading tool and, as a consequence, the regulations set up for the protection of consumers.
A separate chapter belongs to the international conventions created to facilitate cooperation between the forces of law and order in relation to crimes committed via computer systems. I am thinking, for example, of the Budapest Convention of the European Council of 23 November 2001 on cybercrime.
Which judge has jurisdiction over disputes in Internet?
It depends on the nature of the dispute. The same procedural rules apply as in the real, physical world. The problem with internet is that the proper jurisdiction is not always easy to identify.
You are a teacher at Bologna University. How, in your opinion, has Internet revolutionized the world of the university? Is it simply a question of having new tools available for the administration and for the students, or is there more to it than that? Has there been a change of mentality, for example?
There are pros and cons to using Internet, in the university world like any other. Clearly, immediate access to a wider range of information has speeded up research processes. There is wider access to study texts. But it has to be said that the information stored on the Internet is disorderly. All the information on the net appears at the same level. From an academic point of view, research via the Internet poses problems for students, who are not always able to assess the reliability of the sources they are consulting. Consultation of texts in the library, on the other hand, allows more control over the information. It makes it easier to distinguish between original and secondary sources.
Turning now to the changes that Internet has brought to administrative aspects, we have to remember that publicity, that is to say the means of spreading awareness of information, is not the same on and off the net. On the Internet, anyone can access it without limits, unless restrictions to access have been expressly placed – reserved areas, passwords and so on. There are also no temporal limits. So publication online and publication offline are, legally, two very different things. Bologna University has adopted an innovative regulation on the publication of its official acts. The time of publication is limited to three years, and the regulations also cover the means of access and the essential nature of the content that is to be published. Transparency doesn’t mean publishing everything on Internet. Let’s remember that it’s a storehouse, not a structured archive of knowledge.
You were among the first in Italy to deal with these questions. Today you are a leading international expert, with major appointments and awards. What attracted you in the first place, and how would you sum up this experience today?
I must say that, from my professional viewpoint, I always prefer not to draw up a balance of what has been done. I prefer to look ahead to the things I still have to do. I always hope to make further improvements. I can certainly say that I am satisfied with having chosen to study a branch of law that is a continual source of new stimuli.
In the first place, I was pushed by curiosity for a new aspect of law. I was also fired by a passion for technical innovation. I therefore discovered, in my specialized field, a fascinating aspect of the legal profession: creativity in law. I believe, therefore, that I have been very lucky, not least because I have always found motivation and interest for my work. Nevertheless, however satisfied I may be, I am very much aware that a lot of new challenges lie ahead.
The recent “Facebook” decision by the European Court of Justice can be interpreted from two different perspectives, which are not (however) mutually exclusive. The first interpretation is of a legal-technical nature, while the second is political.
Let us start with the first. The facts are known as are the conclusions. The United States is not considered to be a country that guarantees an adequate level of protection in accordance with the Directive on personal data protection, dir. 95/46.
The path is outlined in art. 25 of the Directive, which is hereinafter quoted for convenience and clarity, in order to better understand the past (the decision) and the future (the currently open directions).
1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer, may only take place if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.
2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.
3. The Member States and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection within the meaning of paragraph 2.
4. Where the Commission finds, under the procedure provided for in Article 31 (2), that a third country does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question.
5. At the appropriate time, the Commission shall enter into negotiations with a view to remedying the situation resulting from the finding made pursuant to paragraph 4.
6. The Commission may find, in accordance with the procedure referred to in Article 31 (2), that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals.
Member States shall take the measures necessary to comply with the Commission’s decision”.
In the past the Commission had deemed the level of protection afforded by the Safe Harbour framework to be appropriate, but this decision by the Court shows its disagreement and invalidates the Safe Harbour.
This does not imply, however, that the transfer of personal data to the United States can no longer take place. It can take place on the basis of the express consent of the interested party or on the basis of the Binding Corporate Rules. Therefore either the interested party may give their consent for the transfer or the data controller may adopt management rules approved by the Data Protection Authority that will allow the transfer.
So, what is the difference then? The difference is that it will not be possible to use the Safe Harbour framework, i.e. transfer data to the United States without consent or without pre-approved rules, that is assuming the data to be protected in the United States in the same way as they are in Europe.
From a strictly legal-applicative point of view all comment ends here. Undoubtedly, there will be higher management costs for those who transfer data from Europe to the United States, but there will certainly be no ban.
On the other hand, the political interpretation of the decision which follows roughly a year after the Google Spain case is far more problematic. As mentioned above, in the Court’s opinion, the United States does not provide an adequate level of data protection.
Essentially the Court states that the level of protection of personal data is higher in Europe and that it is the European law which should be applied to European subjects’ personal data (apologies for this simplification, obviously the decision refers to data transfer from Europe under certain conditions). Similar assertions can be found in the Google Spain decision.
The Court anticipates the contents of art. 3 of the forthcoming European regulation for the protection of personal data with another decision which is also political. Then again, personal data protection has constitutional significance in Europe (article 8 of the Charter of Fundamental Rights), but not in the USA. This obviously reflects a different scale of values in two regions of the world, albeit very similar to each other if compared to the Asian region. This of course has a cost, which big players such as Google and Facebook can much more easily afford than small ones. And it underlines that Europe and the United States have not (yet) reached a political agreement on the question.