Italian prosecutors have filed criminal charges against four Google executives for permitting a video to be posted on a Google web site which allegedly violates Italian data privacy law. This appears to be one of the first cases in which company executives are charged with criminal violations of E.U. data protection laws.
In this case, a user uploaded a video to the Italian Google web site showing a student with Down syndrome being taunted by other students. Google promptly removed the video after it received complaints about it, but an advocacy group for people with Down syndrome filed a complaint with Italian authorities alleging defamation and privacy violations. According to the International Association of Privacy Professionals, the Italian prosecutors filed charges against Google's Global Privacy Counsel, Chief Legal Officer, a former Chief Financial Officer and a former Google Video executive.
Italian law does not hold ISPs liable for content on their web sites, but Italian prosecutors have alleged that Google is a content provider, not an ISP. It is important to remember that these are legal definitions under Italian law and not necessarily the same definitions we might think of under U.S. laws. American laws provide for a legal safe harbor for Internet content providers as they do for ISPs. As long as a U.S. Internet service or content provider removes objectionable content, neither is held liable for the actual content of the posting. But Italian authorities are prosecuting Google as an Internet content provider, rather than as an ISP, and Italy's penal code states that such providers are responsible for third-party content on their sites.
What is most striking about this case is the criminal charges which have been brought against individuals for the actions taken by the company. According to Italian law, the Google executives face a maximum sentence of 36 months in prison.
This case fires a warning shot to all company executives in the U.S. that might have put E.U. privacy compliance on the backburner and highlights the European data protection authorities' increasing efforts to target company executives for privacy violations and to charge such executives with criminal, not just civil, liability.