IAPP-GDPR Web Banners-300x250-FINAL

By Mathew Schwartz

Set to resume March 17: The criminal trial in Milan court against four Google executives accused of defamation and privacy law violations. If convicted, they face up to three years in jail. Prosecutors say the suit will help define the responsibilities of online content aggregators. But could it create a dangerous precedent that puts privacy professionals in the firing line over every potential corporate breach of personal data privacy?

The criminal trial against four Google executives accused of defamation and privacy law violations resumed February 18 in Milan court, where Judge Oscar Magi determined that the case, and three secondary claims, should be heard.

Among those charged is Google’s head of global privacy, Peter Fleischer. Experts say this appears to be the first time criminal sanctions have been pursued against a privacy professional for his company’s actions.

The trial stems from a mobile phone video of four Turin high school boys bullying a teenage boy with Down syndrome. On September 8, 2006, one of the assailants uploaded the video to Google Italia YouTube. News reports of the video sparked outrage in Italy, and a court for minors in Piedmont sentenced the four boys to community service.

At issue is Google’s role in the video’s dissemination. The Italian Interior Ministry, which investigates Internet-related crimes, issued a takedown notice to Google on November 6, 2006. Less than 24 hours later, Google removed the video.

Case closed? Not so: Milan prosecutors have been investigating the incident since 2006. And in November 2008, lead prosecutor Francesco Cajani pursued the four Google executives—Fleischer, chief legal officer David Drummond, former chief financial officer George De Los Reyes, and the former head of Google Video for Europe, Arvind Desikan—on two fronts: 1) failing to prevent the video from being uploaded in the first place, then allowing it to remain online, during which time it was viewed more than 12,000 times; and, 2) insufficiently disclosing how Google Italia uses personal information. The charges carry a maximum penalty of three years’ incarceration.

“What is at issue is whether or not privacy laws that apply to newspapers or to the radio also apply on the Web, or whether it is a sort of free port where anything goes,” Milan prosecutor Alfredo Robledo told the International Herald Tribune.

In particular, “the indictment concerns the violation of two laws: the legislative decree no. 70/2003 on e-commerce and other online activities (see articles 14 to 21), and the legislative decree no. 196/2003 on privacy and personal data processing and protection (article 13),” says Rocco Panetta, head of the law practice Studio Legale Panetta in Rome, and a former top-level officer at the Italian Data Protection Authority

Italy: Tough Privacy Laws

While Italy had no data protection laws prior to 2003, since the EU directive, the country has enacted some of Europe’s strongest privacy protections. These include administrative sanctions—fines—as well as civil and criminal penalties, meaning that company directors with legal powers can be held personally accountable when their company breaks e-commerce and data privacy rules. Furthermore, involved third parties have the right to claim damages. In this case, which involved a minor, that has included both the Municipality of Milan and Vivi Down, an association dedicated to the protection of people with Down syndrome.
During the February 18 proceedings, however, the bullying victim withdrew from the case against Google, citing satisfaction with the company’s response. ”The decision to withdraw from the case has been taken because Google officials have not only expressed their solidarity over what happened, but have also taken concrete actions that show their sensitivity to the problems of handicapped people and the grave problem of bullying,” said the family's lawyer, Michela Malerba, in a statement

Google: content creator, or service provider?

As the case moves forward, many are asking this question: Are Milan prosecutors applying the current laws correctly to Google? Under the 2003 Italian e-commerce law, Internet content providers (ICPs), such as newspapers and radio stations, are legally responsible for all content they publish, and thus must prevent defamatory or protected private material from appearing in the first place. By contrast, Internet service providers (ISPs) only have to remove content after receiving a takedown notice.
Legal experts have noted that Google is clearly an ISP. “Google is not the content provider here. It shouldn’t be prosecuted as one,” wrote Daniel J. Solove, a professor of law at George Washington University Law School, on his Concurring Opinions blog. “If Google officials can be criminally prosecuted any time a person uploads a defamatory or privacy invasive video to YouTube, it’s hard to see how they can possibly avoid running afoul of the law. YouTube and much of Web 2.0 would pose massive risks of criminal liability.”

A Google spokesperson reacted similarly: “We cannot agree with the concept that a tool can be blamed for the use that is made of it. We think that the decision on the part of the Court of Milan to commit the Google staff members to trial is difficult to understand and may well create a worrying precedent.”

But while Google does “substantively” appear to be an ISP, there’s more to the case than may be apparent at first glance, says Panetta. “According to the Milan prosecutors, Google did not act promptly to remove the [abusive] video, which remained online for almost two months. Prosecutors allege a sort of ‘culpa in vigilando’ [negligence in supervision] against Google. This is an obligation both for ISPs and ICPs.”

Again, the issue concerns when Google removed the video: “Too late for prosecutors; just in time, for Google,” says Panetta

Will Google Executives Do Hard Time?

Despite the suit, legal experts say it is unlikely that the Google plaintiffs would receive anything more than a fine or community service—if that. “These proceedings are more important as a symbol, rather than how the sanctions are going to be issued. Because it will [be] very relevant for all ISPs and platforms that aggregate content,” says Giangiacomo Olivi, a partner at law firm DLA Piper in Milan.
In particular, the suit could help answer this question: “What is the responsibility of the content aggregator?” says Olivi. For example, Google already filters content. Could it, or should it, be doing more? On YouTube, “there is certainly a filter that is already made, because there are some horrible things you see on the Net, but you will not see them on YouTube—gladly. But given that there is some filtering, to what extent does that filter imply a responsibility for the [people] exercising this filter?”

Given all of the underlying—and often, very complex—legal issues, don’t expect this case to end anytime soon. “It’s not something that’s going to be solved in a matter of a few months,” says Olivi

Business Repercussions

In the interim, should privacy directors at ISPs, social networking sites and other businesses operating in Italy worry about being subject to criminal lawsuits?
“I wouldn’t think it would have a wider impact on businesses in general,” says Olivi. He noted that Italy’s e-commerce and data privacy regulations do stem from a shared EU directive, and thus in their ultimate interpretation will “not be something that is so alien from the other European countries.”

Mathew Schwartz, a freelance journalist based in England, has covered information security issues for more than a decade. 


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Spots Going Fast

With the top minds in the field leading this exceptional program, it's no wonder it's filling quickly. Register now to secure your spot.

Be Part of Something Big: Join the Summit

Registration is open for the Global Privacy Summit 2016. Discounted early bird rates available for a short time, register today!

Data Protection Intensive Returns to London

Registration is now open for the IAPP Europe Data Protection Intensive in London. Check out the program!

P.S.R. Call for Speakers Open!

P.S.R. is THE privacy + cloud security event of the year, and you can take a leading role. Propose a session for this year's program.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»