By Mathew Schwartz
Set to resume March 17: The criminal trial in Milan court against four Google executives accused of defamation and privacy law violations. If convicted, they face up to three years in jail. Prosecutors say the suit will help define the responsibilities of online content aggregators. But could it create a dangerous precedent that puts privacy professionals in the firing line over every potential corporate breach of personal data privacy?
The criminal trial against four Google executives accused of defamation and privacy law violations resumed February 18 in Milan court, where Judge Oscar Magi determined that the case, and three secondary claims, should be heard.
Among those charged is Google’s head of global privacy, Peter Fleischer. Experts say this appears to be the first time criminal sanctions have been pursued against a privacy professional for his company’s actions.
The trial stems from a mobile phone video of four Turin high school boys bullying a teenage boy with Down syndrome. On September 8, 2006, one of the assailants uploaded the video to Google Italia YouTube. News reports of the video sparked outrage in Italy, and a court for minors in Piedmont sentenced the four boys to community service.
At issue is Google’s role in the video’s dissemination. The Italian Interior Ministry, which investigates Internet-related crimes, issued a takedown notice to Google on November 6, 2006. Less than 24 hours later, Google removed the video.
Case closed? Not so: Milan prosecutors have been investigating the incident since 2006. And in November 2008, lead prosecutor Francesco Cajani pursued the four Google executives—Fleischer, chief legal officer David Drummond, former chief financial officer George De Los Reyes, and the former head of Google Video for Europe, Arvind Desikan—on two fronts: 1) failing to prevent the video from being uploaded in the first place, then allowing it to remain online, during which time it was viewed more than 12,000 times; and, 2) insufficiently disclosing how Google Italia uses personal information. The charges carry a maximum penalty of three years’ incarceration.
“What is at issue is whether or not privacy laws that apply to newspapers or to the radio also apply on the Web, or whether it is a sort of free port where anything goes,” Milan prosecutor Alfredo Robledo told the International Herald Tribune.
In particular, “the indictment concerns the violation of two laws: the legislative decree no. 70/2003 on e-commerce and other online activities (see articles 14 to 21), and the legislative decree no. 196/2003 on privacy and personal data processing and protection (article 13),” says Rocco Panetta, head of the law practice Studio Legale Panetta in Rome, and a former top-level officer at the Italian Data Protection Authority
Italy: Tough Privacy Laws
While Italy had no data protection laws prior to 2003, since the EU directive, the country has enacted some of Europe’s strongest privacy protections. These include administrative sanctions—fines—as well as civil and criminal penalties, meaning that company directors with legal powers can be held personally accountable when their company breaks e-commerce and data privacy rules. Furthermore, involved third parties have the right to claim damages. In this case, which involved a minor, that has included both the Municipality of Milan and Vivi Down, an association dedicated to the protection of people with Down syndrome.
During the February 18 proceedings, however, the bullying victim withdrew from the case against Google, citing satisfaction with the company’s response. ”The decision to withdraw from the case has been taken because Google officials have not only expressed their solidarity over what happened, but have also taken concrete actions that show their sensitivity to the problems of handicapped people and the grave problem of bullying,” said the family's lawyer, Michela Malerba, in a statement
Google: content creator, or service provider?
As the case moves forward, many are asking this question: Are Milan prosecutors applying the current laws correctly to Google? Under the 2003 Italian e-commerce law, Internet content providers (ICPs), such as newspapers and radio stations, are legally responsible for all content they publish, and thus must prevent defamatory or protected private material from appearing in the first place. By contrast, Internet service providers (ISPs) only have to remove content after receiving a takedown notice.
Legal experts have noted that Google is clearly an ISP. “Google is not the content provider here. It shouldn’t be prosecuted as one,” wrote Daniel J. Solove, a professor of law at George Washington University Law School, on his Concurring Opinions blog. “If Google officials can be criminally prosecuted any time a person uploads a defamatory or privacy invasive video to YouTube, it’s hard to see how they can possibly avoid running afoul of the law. YouTube and much of Web 2.0 would pose massive risks of criminal liability.”
A Google spokesperson reacted similarly: “We cannot agree with the concept that a tool can be blamed for the use that is made of it. We think that the decision on the part of the Court of Milan to commit the Google staff members to trial is difficult to understand and may well create a worrying precedent.”
But while Google does “substantively” appear to be an ISP, there’s more to the case than may be apparent at first glance, says Panetta. “According to the Milan prosecutors, Google did not act promptly to remove the [abusive] video, which remained online for almost two months. Prosecutors allege a sort of ‘culpa in vigilando’ [negligence in supervision] against Google. This is an obligation both for ISPs and ICPs.”
Again, the issue concerns when Google removed the video: “Too late for prosecutors; just in time, for Google,” says Panetta
Will Google Executives Do Hard Time?
Despite the suit, legal experts say it is unlikely that the Google plaintiffs would receive anything more than a fine or community service—if that. “These proceedings are more important as a symbol, rather than how the sanctions are going to be issued. Because it will [be] very relevant for all ISPs and platforms that aggregate content,” says Giangiacomo Olivi, a partner at law firm DLA Piper in Milan.
In particular, the suit could help answer this question: “What is the responsibility of the content aggregator?” says Olivi. For example, Google already filters content. Could it, or should it, be doing more? On YouTube, “there is certainly a filter that is already made, because there are some horrible things you see on the Net, but you will not see them on YouTube—gladly. But given that there is some filtering, to what extent does that filter imply a responsibility for the [people] exercising this filter?”
Given all of the underlying—and often, very complex—legal issues, don’t expect this case to end anytime soon. “It’s not something that’s going to be solved in a matter of a few months,” says Olivi
In the interim, should privacy directors at ISPs, social networking sites and other businesses operating in Italy worry about being subject to criminal lawsuits?
“I wouldn’t think it would have a wider impact on businesses in general,” says Olivi. He noted that Italy’s e-commerce and data privacy regulations do stem from a shared EU directive, and thus in their ultimate interpretation will “not be something that is so alien from the other European countries.”
Mathew Schwartz, a freelance journalist based in England, has covered information security issues for more than a decade.