As of last week, Law no. 71/2017, the so-called "anti-cyberbullying law," officially entered into force after being approved by the Italian Parliament at the end of May. In the legislature's view, such a novelty could no longer be postponed, neither could the ever-growing amount of cases regarding millennials being victimized by abuses performed via online means, as well as social media platforms.
This Italian Data Protection Authority, the Garante, who played a crucial role in orienting the content of this new law toward greater compliance with the current (and future) national discipline regarding data protection, saluted the provision as an important step forward for the protection of children and teenagers in the digital environment. In fact, since the Garante has always shown a very proactive attitude with regards to the issues of privacy at school and digital education, this result can also be considered a turning point for the authority's policymaking and lobbying activities.
Although essential for granting a higher degree of protection to the privacy and data protection rights of minors, the law did not seem immune from critiques, both of a technical and a political nature.
On the one hand, for instance, the Garante declared that it is hoping that the government will allocate sufficient resources for its implementation to the competent institutions, i.e., schools of all degree and level, the Ministry of Education and Justice, telecommunications watchdogs, the Postal Police, civil society stakeholders, local administrations and the same data protection authority.
On the other, practitioners lamented possible difficulties in the concrete application of the new provisions, especially with regards to prevention and education purposes and, not less importantly, enforcement procedures in compliance with the Italian criminal and civil procedure code.
Leaving the narrative in the background, here are some of the main features of the new law that are worth a thought and a synthetic overview, always with an eye of regard to data protection.
- Scope of the new law: The provision aims to contrast the phenomenon of cyberbullying in all its expressions, with preventive actions whose purpose is to shift attention on protecting the victims and their families while re-educating the perpetrators, if possible.
- Definition of “cyberbullying”: With this expression, the law refers to "whatever form of psychological pressure, aggression, harassment, blackmail, injury, insult, denigration, defamation, identity theft, alteration, illicit acquisition, manipulation, unlawful processing of personal data of minors and/or dissemination made through electronic means … whose intentional and predominant purpose is to isolate a minor or a group of minors by putting into effect a serious abuse, a malicious attack or a widespread and organized ridicule."
- Empowerment of minors and complaints to the Garante: Underage victims who are at least 14 years old, as well as their parents, can now contact the data controller or the website provider in order to request the removal, blocking or takedown of content, as well as obtaining its immediate cancellation. If the data controller does not respond or grant to the victim that it will take all steps necessary aimed at preventing cyberbullying in the following 48 hours, the interested data subject can complain directly to the Garante, who may intervene by means of a specific order or a sanction in the course of the next 48 hours.
- Responsibility of service providers: The definition of "service provider of information society services" will not recall that of Law no. 70/2003, implementing Directive 31/2000/EC (the so-called "E-commerce Directive"). In fact, with this term, the law refers to those service providers who provide only for the management of contents of a website in where cyberbullying acts can take place, i.e., social networking and online messaging platforms. Access providers, cache providers and search engines providers seem therefore excluded from this group.
- Stronger sanctions for perpetrators: Criminal sanctions relevant to the crime of stalking have also been extended to cyberbullying. In addition to that, in the most serious cases of injury, defamation, threat or unlawful data processing, the punishment is subject to the intention of the victim or his or her family to file a lawsuit against the perpetrators, especially against those who are under the age of 14 years. This, in order to limit, as far as possible, the infliction of heavy criminal sanctions to minors.
- Major role for the Ministry of Education and schools: Competent institutions are subject to the obligation to draft and revise annual guidelines for the prevention and contrast of cyberbullying to be implemented at both a local and national level. This, by means of different initiatives — from conferences to workshops, from school classes to publications, and so on. However, it is still unclear on what budget schools and public administrations are supposed to rely for realizing such activities.
- Planning and monitoring activities: The government is supposed to create an institutional forum composed by experts and interested stakeholders for discussing the issue of fighting cyberbullying and monitoring the effective implementation and enforcement of the law. Furthermore, it also foresees the future creation of an ad hoc national database relevant to cyberbullying phenomenon and crimes.
In conclusion, although the new law may indeed serve as an effective tool for better protecting underage people’s individual rights in the online environment, it seems still unclear whether its effects will be substantial and how those are to be implemented at both a local and a national level.
That, in effect, will be up to the technical roundtable — which the government is supposed to set up — to decide, as soon as the Ministry of Education drafts its anti-cyberbullying national plan.
In all this, the Garante’s role will prove crucial, also in light of the new provisions of the GDPR regarding minors’ consent for data processing activities. It is still subject to the effective allocation of resources dedicated to the fight of this dangerous digital plague, however.
Last but not least, I see a number of emerging problems. On one hand, the Parliament is increasing the powers and role of the Garante, including on the side of the enforcement. On the other hand, the Parliament and government are not showing a sound and clear road map for the final implementation of GDPR, next year in May, bringing the risk that Garante will only see increasing its cumbersome powers without a reasonable strategy on the future of the authority.
If you want to comment on this post, you need to login.