The Italian Court of Cassation, Criminal Section has recently revised its previous interpretation of Article 167 of the new Privacy Code, de facto limiting the cases in which the sending of marketing communications may constitute a crime and from a civil law perspective, also confirming the evaluation mechanism to quantify the compensation for damages resulting from the illicit conduct described.
- Main elements of Art. 167 Privacy Code with particular reference to the sending of commercial communications
Article 167 of the new Privacy Code punishes anyone who, in order to profit, for themselves or others, or to cause damage to the data subject, in violation, among others, of Article 130 (on the sending of unwanted communications), causes “harm” (i.e. damage) to the data subject. In order to constitute such a crime, even after the reform of the Privacy Code carried out with Legislative Decree no. 101 of 10 August 2018 (Article 15, paragraph 1, letter b), it is necessary to send commercial communications without the consent of the data subject, in order to obtain a profit for oneself or others or to cause damage to the data subject. The offence is therefore connoted as a crime of specific criminal intent (as per Italian Court of Cassation, Criminal Section III, no. 3683 of 11/12/2013, dep. 2014, Rev. 258492). Similarly, the reference to the necessity of the occurrence of damage to the concerned data subject remains unchanged.
- Damage: the new weight in measuring the criminal relevance of unlawful processing of personal data
The previous jurisprudence that had developed on the subject has always interpreted harm, or damage, as an objective condition for punishability, i.e. the external element that affects only the punishability of the conduct. In fact, the crime was punishable only if the person concerned suffered actual damage. This required the conduct to be interpreted in terms of concrete danger: “The crime of unlawful processing of personal data, as per Article 167 of Legislative Decree no. 196/03, is a crime of actual danger and not merely presumed; consequently, the unlawful use of personal data is punishable, not in itself and for itself, but in that it is liable to produce harm to the person concerned and/or his or her property”. In addition, specify the Court, “the harm may not only be financial, but also more immediately personal, such as, for example, the wasting of time in screening unwanted e-mails and in the procedures to be followed to avoid further receipt of such messages”.”
In the judgment in question, instead, the Supreme Court states that “for such conduct to take on criminal importance, it is necessary for each recipient to be subjected to actual ‘harm’, which can certainly not be the simple annoyance of having to delete unwanted e-mails from time to time, but must result in a concrete prejudice, also not patrimonial, but in any case, likely to be legally appreciated, requiring in this sense an adequate factual verification to ascertain, for example, whether the user has indicated to the sender that he does not want to receive a certain type of message and whether, despite this initiative, the agent has continued to send unwanted messages in a not-occasional way, thus creating a real discomfort to the recipient.” “Harm” cannot only be the discomfort of having to delete a few and occasional unwanted messages, requiring, in order to attribute criminal relevance to the fact, a quid pluris, consisting of a real prejudice, which proves to be proportionate to the invasiveness of the behavior of those who send unwanted content, remaining perhaps indifferent to any requests to stop sending a certain type of messages.” 
It is precisely from this peculiar aspect that a change in the jurisprudential approach can be seen, which demonstrates an acceptance of an interpretation of harm as a constitutive element of the case, insofar as “a concrete damage to the personal or patrimonial sphere, which, in view of the case in point, must be considered directly ascribable to an illicit processing of the protected data” is required. This interpretative change has a significant impact since it falls both on the existence in itself of the criminal relevance of the conduct (there is the crime only if there is damage to each data subject), and on the subjective element (the will to commit an illicit treatment must now also cover the damage to the data subject). In other words, today, according to this new orientation, in order to answer criminally for unlawful processing of personal data, the data controller is required to act consciously and willingly to carry out unlawful processing, i.e. consciously and willingly sending commercial communications without the conditions of lawfulness referred to in art. 130 of the Privacy Code, not only for the purpose of profit, but also in the awareness that it is causing damage to the data subject. And such damage, as seen, no longer consists in the simple annoyance of having to delete some unwanted e-mails. Instead, a real prejudice is necessary, consisting in the sending of many unwanted e-mails even after a having received formal opposition/withdrawal of consent by the data subject.
This new interpretation, in our opinion, significantly reduces the scope of criminal relevance of the conduct because the public prosecution will have to prove that each person who has received unwanted communications (sent without consent and for profit) has suffered real damage.
- Reflections on compensation for damages
With regard to the civil law aspects of compensation for damages resulting from the violation or omission of the measures aimed at obtaining the consent of the data subject, both the Privacy Code (Legislative Decree 193/2003) and the GDPR (EU Reg. 679/2016) establish the right to obtain compensation for damages.
In some jurisprudential rulings, however, the compensation for damages is “in re ipsa”.  But let us clarify its meaning because the expression may not be immediately clear for market operators. We have learned above that the nature of the crime seems to be of damage and no longer of danger, with the consequences highlighted above. This reinforces the orientation that (civil) damage cannot be considered “in re ipsa”, i.e. compensation cannot disregard the verification of the existence of actual damage and its seriousness, it being understood that compensation for civil damage may arise regardless of whether the conduct constitutes a crime or not. If the damage were actually compensated in re ipsa, it would mean that the conduct, simply because it was unlawful, i.e. in breach of privacy laws, would by itself give rise to a right to compensation, irrespective of the actual damage, the proof of it, and its gravity. This would mean unhinging the now granitic coordinates of compensation for non-material damage inaugurated with the San Martino United Division in 2008 (https://www.altalex.com/documents/news/2010/02/19/il-danno-esistenziale-esiste-la-posizione-delle-sezioni-unite) and consolidated by numerous jurisprudential rulings, also in the United Division, which have instead affirmed that simple discomfort and annoyance cannot be compensated, but it must be assessed whether the illicit conduct carried out in violation of the legal precept has produced serious and not trivial damage (“damage consequence”), so as to overcome the filter of gravity required by art. 2 Cost. to grant compensation (the so-called “bagatellare clause”).
In order to be compensated, the damage must therefore derive from the violation of a rule of law, but, next to the “damaging event” (the one just described) the “damage consequence” must be assessed. It follows that the compensation could not arise from the unlawful processing itself, but only once it has been verified that there is (i) a damage to an interest protected by the law, in this case the fundamental rights of the individual under Art. 2 and 21 of the Constitution and 8 ECHR such as the protection of personal data, and (ii) that such damage is serious and not tolerable. The unlawful processing would therefore be compensable at the civil law level, according to constant case law, where this causes inconvenience, suffering, anxiety and concern, all of which must be proven, even though simple assumptions, demonstrating that they exceed a certain threshold of “tolerability” and therefore seriousness (ex plurimis, Court of Cassation, Civil Section I, 08/01/2019, n.207).
If the above considerations may in some way be reassuring, the fact that the data processing can be referred to as a dangerous activity, as per art. 2050 of the Italian Civil Code, should be less reassuring. There is therefore a presumption of guilt on the part of the person who carries out the data processing, and this implies that instead of being the injured party who must prove that damage has been suffered, it will be the person who carried out the (allegedly illicit) processing who must overcome the presumption that such damage has occurred, providing proof to the contrary (e.g. by demonstrating that he has acquired consent, or that it does not reach a certain threshold of gravity and is therefore “bagatellare”, or “futile”). It should be made clear, however, that gravity should not necessarily be read in quantitative terms, in the sense that there is no lack – on the contrary – of rulings granting compensation even for a single message sent without the consent of the recipient.
In conclusion, the unlawful processing of data raises two assumptions: the first is provided by the structure of Article 2050 of the Italian Civil Code, that is, from the presumption of guilt on the part of the person who processed the personal data, and the second, according to which the non-economic consequences of such damage can be presumed to have occurred unless the damaging party proves otherwise or has taken all appropriate measures to avoid the damage (in the case of sending commercial communications, for example, by acquiring consent) or that anxiety, stress, or disturbance were not present or, even if present, were not “serious” and are therefore irrelevant consequences, so-called “bagatellari”, or even that the injured party has in any case benefited from the unlawful processing of their data (Court of Siena 29.10.2018 n. 1244).
However, it cannot be excluded that, in the future, the jurisprudence may go further, precisely in view of the numerous cases of punitive damages present in our system, with respect to which compensation is granted not according to the damage suffered by the victim and its seriousness, but to the advantage gained by the injuring party, even in the absence of damage to the victim, with the aim of punishing the person who has violated the law, rather than compensating the person who has suffered damage. In such a case, a change of perspective in the nature of civil liability, from restorative to punitive would be evident.