The re-posting of this analysis is part of a cross-posting collaboration with MediaLaws: Law and Policy of the Media in a Comparative Perspective.
On 21 December 2012, the Milan Court of Appeals overturned the decision issued in 2010 by the Court of Milan in the ’Google Vividown’ case. Filed on 27 February 2013, the Court of Appeals’ decision was based on and confirmed the general principle that Internet Service Providers (ISPs) have no general duty to monitor user-uploaded content on their systems. Laura Liguori and Federica De Santis, Partner and Associate respectively at Portolano Cavallo Studio Legale, analyse the impact of the case on ISPs’ liability and the wider landscape of overlapping interests in the digital climate.
In this case, three executives from Google were sentenced to a six-month suspended conviction for unlawful data processing pursuant to Italian data protection laws after a video showing an autistic boy being bullied by his classmates was uploaded to the Google Video platform. The Milan Court of Appeals overturned the 2010 first instance ruling by finding the Google executives not guilty for unlawful data processing under Italian law.
Court of Appeals
First, the Court of Appeals upheld the lower court’s decision to acquit the Google executives of defamation, since Google had no duty to review the content on its system. According to the Court of Appeals, an ISP’s functionality would be clearly impaired if it were required to prevent defamation on its platform, as the ISP would have to apply general filtering systems on the uploaded content to prevent defamatory postings.
The Court of Appeal also ruled:
- the jurisdiction of the Italian Courts applies in the case at hand, as the damages (the diffusion of the relevant content) occurred in Italy, regardless of where the Google servers with the uploaded content are located.
- the Italian Data Protection Code (Legislative Decree no. 196/2003) applies to Google Italy either because it is established in Italy according to Section 5, paragraph 1 of the Data Protection Code or because Google Italy should be considered as ‘non-automated equipment’ located in Italy for processing personal data according to Section 5, paragraph 2 of the Data Protection Code.
Nevertheless, the decision reversed the unlawful data processing conviction for the following reasons:
- No general duty to monitor may be imposed on ISPs, in accordance with the relevant provisions under the EU E-commerce Directive (2000/31/EC), implemented in Italy by the E-commerce Decree (Legislative Decree no. 70/2003). From a technical standpoint, it would be impossible to impose such a duty, which could undermine freedom of expression.
- Failure to provide data subjects with a proper privacy notice does not result in unlawful data processing, punished as a crime under Section 167 of the Italian Data Protection Code, and is subject only to administrative fines according to Section 161 of the Code.
- Only the user who processed the autistic boy’s data when she recorded the disputed video and then uploaded it to the Google Video platform should have obtained the boy’s parents’ consent before the video was uploaded to Google Video, as she was the relevant data controller with regard to such data. This did not apply to Google which, according to the Court, is not the controller of the data in the video uploaded by users nor is processing data when storing such data.
- Unlawful data processing is considered as a crime only when personal data are processed (i) with a view to gain an advantage; or (ii) with wilful intent to cause harm to others. The Court of Appeals held that in the case at hand, Google had no intent to profit from the disputed video since no sponsored link appeared on it and the Google executives did not act with ‘wilful intent’ since they were not aware of the content of the disputed video before it was uploaded.
The Court of Appeals decision offers a comprehensive overview of Italian case law regarding an ISP’s liability for when users violate laws or infringe on others’ rights, especially in cases of violation of personal data protection laws. Against this backdrop, the decision does not address Google’s role from a data protection standpoint nor it clarifies why handling a video (e.g. storing or deleting it) is not tantamount to processing of personal data.
While there are still unclear issues in the decision, the latter will contribute significantly to the ongoing debate about how to balance the competing interests involved in the digital environment: protecting personal data and third parties’ rights vs. safeguarding freedom of speech and internet freedom.