The ruling is subject to appeal and Google has said it will challenge the ruling. Many people have commented on the case reflecting upon its deep implications over freedom of speech, privacy law and the Internet business model. I personally share the concern that prior control over UGC might dangerously compress freedom of speech, yet the solution certainly is not to neglect users’ and third parties’ privacy protection. The bottom line is that such a ruling may shake the foundations of the Internet industry and that nobody I know has a clear idea about a good trade-off among the many conflicting interests.
In this post, however, I will more simply focus on explaining the probable reasons for the Google conviction. I say “probable” because the full opinion has not yet been published. Still, I have an impression of the probable reasons for the conviction based upon reading the statements released by Google’s attorney and the Prosecutor in charge of the case.
Reason #1. There is no safe harbor for privacy violations. This may be surprising for most Internet companies but, as a matter of law, EU privacy regulation in general, and the Italian one in particular, do NOT apply the safe harbor exemption to matters concerning the right to privacy. It may appear like a loophole in the system, but probably, when drafting the E-Commerce directive, the EU legislator did not have in mind a service totally based on UGC, such as a video sharing platform. Directive 2000/31/CE shields mere conduit, cashing and hosting services against commercial liabilities, but not against the rights “of individuals with regard to the processing of personal data…”.
Article 1, §5, lett. b of the E-Commerce directive says: “This Directive shall not apply to: …
(b) questions relating to information society services covered by Directives 95/46/EC and 97/66/EC.”
Guess what subject matter is regulated by Directive 95/46/EC?
Pretty straight forward, isn’t it? If there is no safe harbor for a privacy violation –> liability of the service provider for contributing to the criminal conduct.
The same regulation applies in Italy by virtue of the Legislative Decree n. 70, 2003 art. 1, comma 2 lett. b which precludes the application of the safe harbor regime (art. 14 and ff.) for matters involving privacy rights.
Reason #2. Google violated the Italian Personal Data Protection Code. Google’s counsel released a statement indicating the rules allegedly violated by Google, as specified in the indictment: art. 23, 26 and 17 of the Data Protection Code. art. 23 and art. 26 (here an official version in English) provide that before processing any personal data it is necessary to seek consent of the owner of the data. This is necessary moreover (written consent is required) if the processing concerns sensitive data, such as the existence of a heath condition. It is probable that the Court considered that depicting the likeness of a person affected by Down Syndrome is sufficient to constitute “processing of sensitive data”, considering the apparent and recognizable existence of a heath condition in the person portrayed.
Art. 17 provides a general obligation to consult with the Data Protection Authority before initiating any potentially dangerous processing of personal data. The violation of such article may be construed as creating liability for other independent violations. We’ll see when the opinion is published…
Reason #3. Google did not take down the video promptly. Proof of a prompt take down is crucial to prove or disprove damages. In fact, damages are necessary for the application of the criminal sanction set forth in art. 167 of the Data Protection Code.
Google took the video down after the police made such request. The victim’s representative argued that the video was actually accessible for about 2 months and, even after the video was flagged by some users and a take down notice filed by the victim’s representative, Google did not respond with the requested promptness.
Thus, the Prosecutor accused Google of being inefficient and untimely in taking down the video since, as Google’s deputy general counsel for Europe also admits, Google took the video down only when the police asked to do so, many days after the first flagging. However, there is no clear information about the timeline of mentioned facts. We’ll see…
Furthermore, the Court probably concluded that the accessibility of the video for about 2 months, coupled with the significant amount of views and comments, gave Google notice (or should have given Google notice) of the existence of the video. This is my speculation. We’ll see…
Unfortunately, there is no black letter law applicable to take down notices for privacy violations. In fact, nothing like the DMCA exists in the EU even with respect to IP rights. I bet Google misses the clear cut provisions of the DMCA when dealing with the EU.
In fact, the Prosecutor remarked about Google’s vague and evasive attitude towards certain requests for discovery. It turns out that Google was unable to restore the original page with the comments or to produce the first flagging of the video. Google’s defense is, according to the Prosecutor, that producing this evidence was too costly and complicated for Google’s engineers.