Italian courts set a troubling precedent last week by convicting three Google executives in a criminal case. The case was brought by prosecutors in connection with a clip showing the bullying of a teenager with Down's syndrome. The clip was uploaded to Google Video in 2006 by the school children responsible for the bullying. Peter Fleischer (Google's global privacy counsel), David Drummond (chief legal officer) and George Reyes (former CFO) received six-month suspended jail sentences, despite having no knowledge of or direct involvement with the uploading of the video. In fact, Google had removed the video from the site within hours of receiving a notice from Italian police authorities. Reactions from politicians, other internet companies and privacy lobbyists have been highly critical of the decision.
The legal issue
The case concerned alleged breaches of Italian defamation and privacy laws. European law generally permits providers of e-commerce services to avoid liability for damages and criminal sanctions where a service provider acts as a "mere conduit". This applies where the service provider does not initiate the relevant transmission of content, did not select the receiver of the transmission and did not select or modify the information contained in the transmission. The Milan prosecutor, however, decided to bring criminal charges on the basis of Article 167 of Italy's 2003 Data Protection Code. That Article provides that any person who processes personal data in breach of the code (generally, without the consent of the subject) with a view to making a gain or causing harm to the subject is liable to imprisonment or a fine. Although the full reasons for the judgment are unlikely to be published for some months, commentators have suggested the fact Google makes gains from advertising around content available on its sites (such as user uploaded video) may have been a basis for the decision, as well as the court holding the view that Google had insufficient controls in place to prevent the processing of personal data in breach of the code.
The decision is, effectively, saying executives of sites that host user generated content can be criminally liable for that content, rather than users. It implies that, while companies may look to the "mere conduit" defence, the risks may be greater for individual directors (particularly those responsible for privacy issues). Critics have suggested the decision undermines established freedom of speech protections in European law and means sites will need to pre-screen user-generated content before it is published (a task that Google has pointed out is near impossible, with 20 hours of video uploaded to YouTube (which replaced Google Video) every minute). The full impact of the decision will not be clear until the judgment is published. Google, in any case, has indicated that it will support the directors in launching appeals against the convictions, so the issues are likely to remain live for some time.
What does this mean for privacy professionals and company execs?
The decision is concerning for obvious reasons. Privacy professionals and company executives are at risk of criminal prosecution for privacy breaches in Italy, regardless of their direct involvement in or knowledge of the relevant breach. Clearly directors are at risk whether they are domiciled in Italy or not, if their company's services are available there. The decision puts in doubt previous assumptions that e-commerce and online service providers and their directors can rely on their role as a "mere conduit" to avoid liability in providing online services. It suggests sites operating in Italy that until now have relied on reactive moderation of content following alerts from users or authorities ("notice and take down") should consider operating proactive pre-publication review of content instead. It suggests that even where policies for proactive policing of content are in place, directors will need to check closely that company employees are complying with them. The full reasons for the decision, and the success of any appeal, will need close analysis. Until then, at least, privacy professionals will need to be more aware than normal of the sanctions they may face as individuals, as well as the actions that might be brought against the companies they represent.