Reading through Italian news coverage of the Google Italy case, another picture emerges. User privacy may well be at issue, but not in the way you probably think. I grew up in Italy and now research and teach Internet law in the United States. When I heard about the verdict against three Google executives, one of them an alumnus of the law school where I work, I went first to American sources, then to Italian ones. What I found was that most Americans may be getting the basic facts and ideas of the case wrong.
Consider a recent op ed by Marc Rotenberg (another alumnus) over at the Huffington Post. Mr. Rotenberg claims that Google did not “respond to the many requests it received before it actually took the video down.” According to coverage of the case by the Italian newspaper La Repubblica, Google received two requests to take down the video of children abusing a disabled classmate, and did so within a day of the first. The video was up for months, but it had only a handful of views until an Italian blogger discovered it.
I agree with Mr. Rotenberg, however, that this case has little to do with free speech, as some very knowledgeable lawyers like Chris Wolf have maintained. The prosecutor brought two sets of charges against Google’s executives. The first sought to hold them criminally liable for the defamatory acts of the kids that uploaded the offending video. This charge was thrown out, likely on the basis of an Italian law—Article 17 of Legislative Decree 70—that mostly resembles our own federal immunity for content uploaded by third-parties. We’ll see when the court publishes its reasoning in a few months.
The second set of charges, of which the Google executives were actually convicted, are supposed to be about privacy—namely, criminal liability for violating provisions of the Italian Personal Data Protection Code. But as Susan Crawford told the New York Times, “[a]ny concern for privacy in this case is a pious cover.” Indeed, it appears that the prosecution sought to use these infractions as a way to defeat the above-mentioned immunity, on the theory that Article 17 protection is not available to criminals. (UPDATE: Chris Parsons pointed me toward a post over at Out-Law explaining that data privacy violations are not entitled to immunity at all under EU law.)
Two of the privacy code’s provisions are largely technical. They require a service like Google Video to preregister with the local authority before collecting certain forms of data. I asked around: no one seems to do this. It’s just not enforced against foreign companies. The third provision is sweeping—it prohibits “processing” any personal data without the express consent of the subject of that data. Applied literally, this would mean that Flickr would be liable for every picture anyone submitted that had another person in it, unless Flickr sought and received consent from that person. (It would, in fact, “kill the Internet.”) Violating these regulations is criminal under Section 167 of the code when done “with a view to gain” or “with intent to cause harm.”
Now Google can be a frustrating company. One week it stands up to Chinese censorship and defaults Gmail to higher security (https). The next it launches a social networking platform that automatically reveals who its users interact with the most. But there is no support for the very serious charge that Google purposefully leaves up footage of disabled children being abused, against their will, because it wants to derive more ad revenue or generate interest in its services.
So then what is this case really about? There are several theories. One is that a particularly influential Italian person is upset with Google. A media company controlled by Italy’s prime minister sued Google for alleged copyright violations. The problem with this theory, popular in the United States, is that there is no love lost between Silvio Berlusconi, who is under indictment for corruption, and the public prosecutor.
Another Italian newspaper may have hit upon something. Last year Corriere della Sera reported on complaints by the Milan district attorney’s office—the same that brought the current charges against Google’s employees—to the effect that Google is not giving up user information easily enough to the Italian authorities. Google is apparently reserving the right not to comply reflexively with law enforcement requests. To make matters worse, the company is tossing certain account data out after 30 days, instead of keeping it for 12 months as Italian law requires. This could well be coincidence, but it would be deeply ironic were Italy's prosecutor to use consumer privacy laws selectively in an effort to pressure a company to turn over citizen data.