On 3 February 2014, the Italian Court of Cassation disclosed the reasons adduced in the sentence issued on 18 December 2014, in which the Court eventually acquitted three of Google’s managers who were initially accused and charged by the Milan Court of First Instance with six months in prison (judgment no. 1972 of 4 February 2010) for uploading a video where a disabled child was bullied by his classmates and sharing it via the website www.video.google.it.
Since the very beginning, the case has been followed not only by lawyers, but also by the public, with discussions based around the use of the Internet and its rules. The crucial point of the discussion was the decision of the Court of First Instance which, charging the three managers for unlawful data protection punished by art. 167 of the Italian Personal Data Protection Code, qualified Google Italy and its administrators as the personal data controllers and processors and consequently declared them responsible for the violation.
Hereafter, the case arrived in front of the Court of Appeal, which reversed the decision of the Court of First Instance by discharging the accused on every count. The judge declared the their action could not constitute grounds of a charge of unlawful data processing and he excluded the managers’ responsibility. This is because the accountability for the unlawful personal data processing is linked to the lack of specific conditions that allowed the legitimate use of that data; nevertheless, the judge considered that the controller of the personal data cannot be in charge of these conditions. To process, to acquire, to memorise or delete a video, doesn’t mean to process personal data itself.
The Italian Court of Cassation confirmed the decision of the Court of Appeal. The reasons adduced to the sentence are particularly interesting: after summing up the current legal framework, with a clear reference to the Italian Personal Data Protection Code and to legislative decree no. 70/2003, the Court highlighted the fundamental principles related to the responsibility, qualification and role of the web media, which is, de facto, Google:
- the host provider’s obligations: the Court specified that, considering the nature of the service offered, the host provider doesn’t have to supervise data uploaded by a third party, neither does it have to inform the third party about the personal data processing rules. Nevertheless the host provider has to immediately remove contingent unlawful contents in case the authority in charge orders to do so;
- the host provider qualification and the role of the processor of the personal data uploaded on the Internet. The Court declared that Google Italy and its administrators are merely Internet host providers: they simply provide an online platform where users can freely upload videos, of which content the users are exclusively in charge. Hence Google, in this specific case, cannot be qualified as the “processor” of the uploaded data because, even if it materially processes the data at issue, it doesn’t have the power to decide with regards to purposes, procedures and means of the process (decisions that are up to the video uploader); the Court, quoting the General Advocate conclusions that were presented in front of the EU Court of Justice in case C-131/12, stated that the status of personal data processor, on the contrary, amounts to the host provider when it directly affects the research index structure, for instance, making it easier or more difficult to find a specific website.
The judgment of the Italian Supreme Court, excluding the party who manages the online platform of the responsibility of the violation made by uploading user generated content, and identifying the uploader as exclusively responsible for processing the personal data included in the video, represents an important turning point in case law, in a complex matter that, no doubt, will continue to evolve again and again.