Internet liability rules as to data protection issues might considerably change after that the Italian Supreme Court decision acquitted 3 Google managers previously convicted to 6 months of imprisonment for a video published on Google Video.
As previously reported, 3 Google high ranked managers had been investigated and then convicted by the Court of Milan for a video uploaded by a user on Google Video showing an handicapped kid while he was bullied by his classmates.
Interestingly, the core of the dispute was the breach of Italian data protection regulations since it was challenged the lack of provision by Google of a privacy information notice to users registering an account on Google Video and the lack of prior written consent to the processing of personal data contained in the uploaded videos. Also, since the video showed an handicapped person, sensitive data relating to his disease had been deemed to have been processed which require even a written consent to the data processing under Italian law.
Some of our clients believe that data protection is just a useless cost, but not many would have liked to be in Google’s managers shoes after their conviction by the Court of Milan. Italian law provides also for criminal sanctions in case of data protection breaches, but fortunately for Google the Italian Supreme Court held that:
the defendants are not data controllers of any data and the sole data controllers of the sensitive data contained in the videos uploaded on the site are the users themselves that uploaded them and against whom the criminal and administrative sanctions prescribed by the Privacy Code can be applied
Also the Court referred to the liability exemption for hosting providers prescribed by Italian law implementing the EU E-Commerce Directive according to which hosting providers are not liable, unless they are aware of facts or circumstances from which the illegal activity or information is apparent and upon request from the competent authorities do not remove or to disable access to the challenged information/content.
Under the scenario above, the reasoning of the Italian Supreme Court linked the principles set out by the EU E-Commerce Directive to data protection regulations in order to reach the conclusion that Google was a hosting provider in managing Google Video and as such was not the data controller of the data contained in the videos uploaded by its users and therefore was not liable for potential privacy-law breaches. On the contrary, the users uploading the videos were liable for the violation of data protection regulations.
This was a major victory for Google whose managers were all acquitted, but a relevant question relates to the liability regime applicable should Google have become aware of the potential illegal contents of the challenged video. In this case, would the potential delay in removing the video have triggered also a privacy-related liability? What level of awareness is required to give rise to the potential liability? Italian e-commerce regulations refer to the obligation to remove the material only following a notification from the competent authorities, is this the internal policy to be adopted?
Also, would the scenario above change as a consequence of the coming into force of the new regime on copyright breaches occurring on the Internet?
Google complied with its “don’t be evil” motto in this dispute, but with some many open issues I wonder whether their managers can have nice and quite sleeps.