On February 24 2010 the Court of Milan convicted three Google executives for violating Italian data protection law. The case was brought in connection with a video on the Google Video website that showed a boy with Down’s syndrome being bullied by his classmates.
In addition to violation of data protection provisions, the defendants were charged with defamation, but were acquitted on the latter charge.
The publication on April 12 2010 of the full text of the decision sheds light on this potential landmark case. This is the first decision worldwide in which Google executives have been convicted of violating local data protection law.
What appears to be clear by reading the decision is that this is not a decision against Internet freedom. Indeed, the judge clarifies that hosting services providers have no duty of prior control on content posted on their website, nor do they have a duty to prevent the posting of defamatory content by users. Notwithstanding that, however, the judge found Google’s executives liable for not having provided a proper and clear information notice to users for data protection purposes.
The crime in question: unlawful processing of personal data under Italian law
The executives were convicted for the unlawful processing of sensitive personal data, which is punishable by between one and three years' imprisonment under Sections 167(1) and (2) of the Data Protection Code. According to the code, ‘sensitive data’ includes data relating to health issues, such as the medical condition of the boy being bullied in the video.
Unlawful processing of personal data occurs when:
- sensitive personal data is processed;
- the data subject's written consent is not obtained;
- the data subject suffers damage as a result of the processing; and
- the data processor intends to profit from the unlawful processing.
With these criteria in mind, how was the crime assessed by the public prosecutor, the defense counsel and the court?
Public prosecutor's interpretation: Google Italy as content provider
The public prosecutor considered Google Italy to be a content provider in connection with the processing of personal data.
In the public prosecutor’s view, the processing of the boy’s data was carried out in Italy by Google Italy, although the videos available through Google Video were managed by Google Inc on servers located abroad. Google Italy's position arose from its commercial relationship with Google Video, a service managed by Google Inc. The public prosecutor argued that this relationship allowed Google Italy to use the Google Adwords system to make relevant profits from parties that paid to appear on the Google Video website through the use of keywords.
In the public prosecutor’s view, this demonstrated (i) Google's role as data controller in respect of the videos on Google Video, and (ii) its intent to profit from the unlawful processing of personal data. In respect of the data disclosed through the Google Video service, Google Italy had a significant role in the processing, not merely providing hosting services, but acting as a content provider.
On this basis the public prosecutor argued that the Google Italy executives and the user who had uploaded the video were guilty of unlawful data processing, as Google Italy had processed the boy’s sensitive data without first obtaining his consent.
The defence: Google Italy as hosting services provider
Counsel for the defence challenged the public prosecutor’s interpretation and maintained that the code did not apply to Google Italy, as the relevant data processing had been performed in the United States - Google Inc's US servers process all personal data contained in all uploaded videos worldwide. Furthermore, it was claimed that there was no link between Google Video and the Adwords system. Therefore, there was no intent to profit from the unlawful processing of personal data.
As a result, counsel argued that Google Italy should be regarded merely as a hosting provider, which would imply that it had no general duty to monitor content uploaded to a website. Hosting services providers are also exempt from liability under the E-commerce Law (which implements the EU E-commerce Directive), according to which an internet service provider is not liable for content posted on its website if it removes offensive content upon receipt of notice. Google Italy had received a notice from the Postal Police and had removed the video under Section 17 of the law. Therefore, only the user who uploaded the video should be held liable for the unlawful processing of personal data.
The court based its analysis on two points: the boy had not given express consent and had suffered damage as a result of the processing of the data. Therefore, it sought to establish whether the duty to obtain a data subject’s express consent should apply only to the user who uploaded the video or whether such duty should extend to Google Italy. The court held as follows:
- No general duty to monitor uploaded content should apply to Google Italy. However, the judge agreed with the public prosecutor's construction of the facts, which was aimed at demonstrating Google Italy's role as content provider (and thus its liability for the videos posted by users and for the absence of prior monitoring of the videos).
- Hosting providers have a general duty to ensure that only appropriate information is made available to website users.
- Therefore, Google Italy should have made clear in its information for users that before uploading a video, the express consent of third parties appearing therein was required.
- The information on data subjects that was available on Google Video's homepage and was viewed during the registration process (which users had to complete in order to upload videos) made no reference to the need to obtain consent from third parties.
- Google Italy's executives with control over Google Video were liable for the unlawful processing of personal data due to the infringement of duty in respect of information.
Acquittal on defamation charge
The public prosecutor also sought a conviction for defamation for the executives and the uploader of the video. The court acquitted the defendants, stating that a general duty to monitor content uploaded to websites does not apply to internet service providers (ISPs), such as Google Italy.
A conviction for defamation could not have been handed down unless the public prosecutor had demonstrated the ISP's intent to defame. The fact that the video had been published on the website for two months and had been added to the 'funniest videos' category by the user constituted insufficient grounds to find the executives guilty of defamation.
The decision raises several significant issues. Its presentation of the facts, in which Google’s internal processes and structures are analyzed in detail, gives an unflattering view of a company beset by bureaucracy and unwieldy superstructures and a failure to assign sufficient personnel to cover certain key issues (eg, managing responses to potentially unlawful content flagged by users).
The legal grounds for the decision have been widely criticized as a threat to the freedom of the Internet. However, this view appears to be incorrect: the judge clearly stated that the principle of non-liability for hosting providers is safe and that the law does not make them subject to a duty of prior control of content posted by users, nor to a duty to prevent the posting of defamatory content by users
Nonetheless, the grounds for the decision are certainly weak. The judge should have offered greater clarification on the Code's scope of application. The Code applies to processing carried out by controllers that are either established in Italy or established outside the European Union, but using equipment located in Italy. The court regarded Google Italy as the controller of the personal data in this case, but it arrived at this conclusion solely on the basis that the company benefitted commercially from the sponsored content available through the Google Video service. This seems to be a weak justification for regarding Google Italy as the data controller; moreover, it is not arguable on a correct interpretation of the code.
The court stated that as a hosting services provider, Google Italy was not subject to a duty of prior control over the content posted by its users, but was bound to comply with the code in connection with the personal data contained in videos uploaded by third parties. The judge clarified that the data subject's consent should have been obtained by the video's creator, and that a hosting provider could not be expected to obtain written consent from the data subject. However, Google Italy - or, more precisely, its executives - had consciously allowed the video to be uploaded without a third party’s consent, as users were given no clear and proper information on the need for such consent. Therefore, the executives were guilty.
This is arguably another weak point in the decision. To what extent should a hosting services provider be expected to inform users that they must obtain consent from the data subjects in their home videos? Does anyone seriously believe that the video would not have been uploaded and that Google liability’s would have been excluded if Google Italy had provided such information?
A few days after the publication of the final decision, the chairman of the Data Protection Authority gave an interview that included a reference to a technical mistake in the court's decision. The chairman stated that under Section 13 of the code, the information for a data subject must contain information that the ISP will provide on its specific means and modalities of processing, without reference to the processing of third parties' data, which is performed under the sole liability of the creator of the video.