Google Italy & Privacy: Not What You Might Think

Reading through Italian news coverage of the Google Italy case, another picture emerges. User privacy may well be at issue, but not in the way you probably think. I grew up in Italy and now research and teach Internet law in the United States. When I heard about the verdict against three Google executives, one of them an alumnus of the law school where I work, I went first to American sources, then to Italian ones. What I found was that most Americans may be getting the basic facts and ideas of the case wrong.

Consider a recent op ed by Marc Rotenberg (another alumnus) over at the Huffington Post. Mr. Rotenberg claims that Google did not “respond to the many requests it received before it actually took the video down.” According to coverage of the case by the Italian newspaper La Repubblica, Google received two requests to take down the video of children abusing a disabled classmate, and did so within a day of the first. The video was up for months, but it had only a handful of views until an Italian blogger discovered it.

I agree with Mr. Rotenberg, however, that this case has little to do with free speech, as some very knowledgeable lawyers like Chris Wolf have maintained. The prosecutor brought two sets of charges against Google’s executives. The first sought to hold them criminally liable for the defamatory acts of the kids that uploaded the offending video. This charge was thrown out, likely on the basis of an Italian law—Article 17 of Legislative Decree 70—that mostly resembles our own federal immunity for content uploaded by third-parties. We’ll see when the court publishes its reasoning in a few months.

The second set of charges, of which the Google executives were actually convicted, are supposed to be about privacy—namely, criminal liability for violating provisions of the Italian Personal Data Protection Code. But as Susan Crawford told the New York Times, “[a]ny concern for privacy in this case is a pious cover.” Indeed, it appears that the prosecution sought to use these infractions as a way to defeat the above-mentioned immunity, on the theory that Article 17 protection is not available to criminals. (UPDATE: Chris Parsons pointed me toward a post over at Out-Law explaining that data privacy violations are not entitled to immunity at all under EU law.)

Two of the privacy code’s provisions are largely technical. They require a service like Google Video to preregister with the local authority before collecting certain forms of data. I asked around: no one seems to do this. It’s just not enforced against foreign companies. The third provision is sweeping—it prohibits “processing” any personal data without the express consent of the subject of that data. Applied literally, this would mean that Flickr would be liable for every picture anyone submitted that had another person in it, unless Flickr sought and received consent from that person. (It would, in fact, “kill the Internet.”) Violating these regulations is criminal under Section 167 of the code when done “with a view to gain” or “with intent to cause harm.”

Now Google can be a frustrating company. One week it stands up to Chinese censorship and defaults Gmail to higher security (https). The next it launches a social networking platform that automatically reveals who its users interact with the most. But there is no support for the very serious charge that Google purposefully leaves up footage of disabled children being abused, against their will, because it wants to derive more ad revenue or generate interest in its services.

So then what is this case really about? There are several theories. One is that a particularly influential Italian person is upset with Google. A media company controlled by Italy’s prime minister sued Google for alleged copyright violations. The problem with this theory, popular in the United States, is that there is no love lost between Silvio Berlusconi, who is under indictment for corruption, and the public prosecutor.

Another Italian newspaper may have hit upon something. Last year Corriere della Sera reported on complaints by the Milan district attorney’s office—the same that brought the current charges against Google’s employees—to the effect that Google is not giving up user information easily enough to the Italian authorities. Google is apparently reserving the right not to comply reflexively with law enforcement requests. To make matters worse, the company is tossing certain account data out after 30 days, instead of keeping it for 12 months as Italian law requires. This could well be coincidence, but it would be deeply ironic were Italy's prosecutor to use consumer privacy laws selectively in an effort to pressure a company to turn over citizen data.


A new comment - in Italian - on the decision:
'Una Sentenza piccola piccola…'
The 111 pages judgement seems to have held Google liable because of its economic interest and lack of warning to prevent the upload of such a video. Should Google be liable for the lack of clear warning to require concent of the data subject prior the publication of the video?
At the same time, Guido Scorza questions the absence of liability even if the Terms and Conditions of service were clear.
The court seems not to have made reference to the E-commerce directive
Google Australia was considered to be subject to the Italian Data Privacy Law as collecting and processing data from users of the website from Italy.
Google was considered to be an 'active host' and therefore liable for defamation and invasion of privacy. The commentator seems to attribute this judgement to ideological considerations more than to an exercise in legal logic, An uncertainty remains on the application of the regulation for users of such services.

I am always distrustful of any article where the writer can't be bothered to spell correctly - it is not "Corierre della Serra", but "Corriere della Sera". The one, a meaningless jumble of misspelled Italian words, the other the title of an Italian newspaper ('Evening Courier')
As the writer says: "most Americans may be getting the basic facts ... wrong"

I'd take this comment more seriously if there were a period after the second and third sentences or if either clauses of the second sentence had verbs.

They are probably political pressures behind this surprising decision. Another point that has been controversial is the notice of take down. As far as I am aware of, initially the video had been uploaded in 2006 on Google video with no possible comments. The E-commerce directive - pre web 2.0 and user generated content - is not specific on the requirement for a valid Notice of take down. UK for instance, has somehow clarified the situation by enumerating the list of information to be included in the notice. Italy would not have specified the matter in his implementation of the E-commerce directive. Therefore, Google would not have reacted on the simple comments of users on its website. The prosecutors accused Google of negligence, arguing that the video remained online for two months even though some web users had already posted comments asking for it to be taken down. It is not clear if these comments could be technically considered as notice of take down.
On the other hand, the video would have been shortly taken down - within hours or a day according to different sources - of formal notification by the Italian authorities.
However, the E-commerce directive makes an exception for privacy, maybe because the case would be dealed by the Data Protection Directive, and this is how the Italian Judges could attack Google under the Section 167 of the Italian data protection code reported by Elvira Berlingieri -
1. Any person who, with a view to gain for himself or another or with intent to cause harm to another, processes personal data in breach of Sections 18, 19, 23, 123, 126 and 130 or else of the provision made further to Section 129 shall be punished, if harm is caused, by imprisonment for between six and eighteen months or, if the offence consists in data communication or dissemination, by imprisonment for between six and twenty-four months, unless the offence is more serious.
2. Any person who, with a view to gain for himself or another or with intent to cause harm to another, processes personal data in breach of Sections 17, 20, 21, 22(8) and (11), 25, 26, 27, and 45 shall be punished by imprisonment for between one and three years if harm is caused, unless the offence is more serious" .
In my opinion, the Italian judge were confused between the data processor and the data controller. It could not be imposed to Google or any service provider to collect consent prior to publication as it wasn't Google who processed the controversial personal data.
This also shows how fast law looses its past with new technologies. The E-commerce and data protection Directive are both post Web 2.0 and web 3; their application is not adapted by the actual state of the technology.
This decision comes while, Italy has seen issues with website of hater or contest against Berlusconi himself that have been censored.
The Italian government had plans to black out Internet hate sites until executives from Facebook, Google and Microsoft agreed to a shared code of conduct rather than legislation.

Add new comment