This intriguing question has been at the centre of a legal saga that has unfolded before Italian courts (Milan Court of First Instance [for an analysis of first instance proceedings, see here], Milan Court of Appeal, and Court of Cassation) over the past few years.
According to Advocate General (AG) Jääskinen's recent Opinion in Case C-131/12 Google Spain, although it is true that an ISP (an internet search engine service provider in this case, Google) ‘processes’ personal data, it cannot be considered a ‘controller’ of the processing of such personal data.
This Kat is reporting this story only now, because the Court made available its extended judgment only a few days ago.
[Image caption: Is this sufficient, or do ISPs also have to inform users of their data protection obligations?]
In September 2006 a video showing a disabled student being verbally and physically abused by three of his schoolmates was uploaded to Google Videos. This video was viewed so many times that it became both the most popular video in the 'Funny Videos' section and one of the most downloaded videos on Google Videos.
It was only in November that year that Google removed the video, following a request from the Italian Postal Police.
ViviDown, an Italian charity that promotes scientific research and the safeguarding of people with Down syndrome, and the father of the bullied student brought criminal proceedings against both the authors of the video and three Google executives.
In particular, as regards the latter, it was claimed that Google had failed to inform the users of its video platform about their data protection obligations. In addition, considering how prominent this video, which unduly disclosed personal (health) data of the subject represented therein, had become, Google must certainly have had knowledge of its illicit nature, and yet had done nothing to remove it from its platform.
In 2010 the Milan Court of First Instance held the three Google executives criminally liable pursuant to Article 167 of the Italian Data Protection Code, i.e. illicit treatment of personal data.
In 2012 the Milan Court of Appeal overturned the first instance decision, and held that the Google executives had committed no criminal offence, on the grounds that (1) Article 167 does not impose any obligation on ISPs to inform users about their data protection obligations, and (2) Google executives had no prior knowledge of the illicit nature of the video.
The Court of Cassation upheld the ruling of the Court of Appeal, reasoning as follows.
[Image caption: A likely instance of illicit treatment of personal data]
The Court analysed the relevant legislative framework, including the Data Protection Code and the legislative decree by which Italy implemented the Ecommerce Directive, and concluded that:
- There is no general obligation on ISPs to monitor the information and data provided by third parties.
- There is no obligation of a criminal nature on ISPs to inform the subject who has provided the data about his/her obligations under data protection laws. This is because an ISP cannot itself be considered a personal data controller within Article 167 of the Data Protection Code. A personal data controller is only the subject who has the power to determine the objectives and means through which the treatment of personal data is due to take place and, as a consequence, is required to manage the risks associated with such treatment and obtain the consent required from interested parties.
- A hosting provider merely stores information provided by recipients of its service. As such, it neither has control over the data stored nor contributes in any way to their selection or management. Pursuant to Article 14 of the Ecommerce Directive, liability of a hosting provider may arise only where: (a) it does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent; or (b) upon obtaining such knowledge or awareness, it acts expeditiously to remove or to disable access to the information.
- This means that, even in the context of data protection obligations, until the ISP obtains knowledge of the illicit nature of the information it stores, it cannot be considered as a personal data controller. Of course, as soon as the ISP becomes aware of the illicit nature of such information, it has an obligation to remove or make such information inaccessible. If it fails to do so, the ISP can be considered as a personal data controller and, as such, be subject to relevant obligations and sanctions under the Personal Data Code.
- Although the protection of individuals with regard to the processing of personal data is governed by specific directives [Directive 95/46/EC and Directive 97/66/EC, although the EU Commission is currently engaged in a comprehensive reform of data protection rules] and not the Ecommerce Directive [see recital 14], the latter serves to clarify further the relevant legislative framework applicable to data protection and privacy.