March 26, 2010

Facebook and Site Open Governance (Again)

Facebook is very aware that every move it makes is recorded and meticulously analyzed by observers from all countries.

Then, Facebook came up with the brilliant idea to turn this attention to its advantage by inviting its user base and said observers to join the debate about the governance of the site.

In other words, Facebook is now going to change its TOS and Privacy Policy and is asking for users' feedback.

Here's the blog where the proposed changes are discussed.

I will add my comments soon (unless in the next few hours they decide to make no changes at all).

March 18, 2010

Facebook Settles Beacon Privacy Class Action

In December 2009, Facebook contacted its users to inform them of the existence of this class action.
If you were wondering what happened, a $9.5 million settlement has been approved.
Here you can find more details.

Definition of Controller and Processor in Data Treatment

On Feb. 16, the Art. 29 Data Protection Working Party released its Opinion 1/2010 on the concepts of "controller" and "processor".  I find it an extremely useful attempt to re-embrace the definition of such concepts, especially after the Google Italia case.

Among the many examples, the opinion also contains some interesting insights about Behavioral Advertising.  

March 4, 2010

Italian Republic v. Google Video. Why Was Google Convicted?

Three of Google's executives were recently convicted by the Court of Milan for violating Italian privacy laws.  Google's executives were held liable because Google Video hosted, allowed comments on, and did not promptly (or promptly enough upon notice) take down a video portraying a disabled kid getting abused by his schoolmates.  The schoolmates who actually uploaded the video were convicted and sentenced to 10 months of community service.  You may find a more complete description of the facts here.

The ruling is subject to appeal and Google has said it will challenge the ruling.  Many people have commented on the case reflecting upon its deep implications over freedom of speech, privacy law and the Internet business model.  I personally share the concern that prior control over UGC might dangerously compress freedom of speech, yet the solution certainly is not to neglect users' and third parties’ privacy protection.  The bottom line is that such a ruling may shake the foundations of the Internet industry and that nobody I know has a clear idea about a good trade-off among the many conflicting interests.

In this post, however, I will more simply focus on explaining the probable reasons for the Google conviction.  I say  "probable" because the full opinion has not yet been published.  Still, I have an impression of the probable reasons for the conviction based upon reading the statements released by Google's attorney and the Prosecutor in charge of the case.

Reason #1.  There is no safe harbor for privacy violations.  This may be surprising for most Internet companies but, as a matter of law, EU privacy regulation in general, and the Italian one in particular, do NOT apply the safe harbor exemption to matters concerning the right to privacy.  It may appear like a loophole in the system, but probably, when drafting the E-Commerce directive, the EU legislator did not have in mind a service totally based on UGC, such as a video sharing platform.  Directive 2000/31/CE shields mere conduit, caching and hosting services against commercial liabilities, but not against the rights "of individuals with regard to the processing of personal data...".

Article 1, §5, lett. b of the E-Commerce directive says:  "This Directive shall not apply to: ...
(b) questions relating to information society services covered by Directives 95/46/EC and 97/66/EC."

Guess what subject matter is regulated by Directive 95/46/EC?

Pretty straightforward, isn't it?  If there is no safe harbor for a privacy violation --> liability of the service provider for contributing to the criminal conduct.

The same regulation applies in Italy by virtue of the Legislative Decree n. 70, 2003  art. 1, comma 2 lett. b which precludes the application of the safe harbor regime (art. 14 and ff.) for matters involving privacy rights.

Reason #2.  Google violated the Italian Personal Data Protection Code.  Google's counsel released a statement indicating the rules allegedly violated by Google, as specified in the indictment: art. 23, 26 and 17 of the Data Protection Code.  Art. 23 and art. 26 (here an official version in English) provide that before processing any personal data it is necessary to seek consent of the owner of the data.  This is all the more necessary (written consent is required) if the processing concerns sensitive data, such as the existence of a health condition.  It is probable that the Court considered that depicting the likeness of a person affected by Down Syndrome is sufficient to constitute "processing of sensitive data", considering the apparent and recognizable existence of a health condition in the person portrayed.

Art. 17 provides a general obligation to consult with the Data Protection Authority before initiating any potentially dangerous processing of personal data.  The violation of such article may be construed as creating liability for other independent violations. We'll see when the opinion is published...

Reason #3.  Google did not take down the video promptly.  Proof of a prompt take down is crucial to prove or disprove damages.  In fact, damages are necessary for the application of the criminal sanction set forth in art. 167 of the Data Protection Code.

Google took the video down after the police made such a request.  The victim's representative argued that the video was actually accessible for about 2 months and, even after the video was flagged by some users and a take down notice filed by the victim's representative, Google did not respond with the requested promptness.

Thus, the Prosecutor accused Google of being inefficient and untimely in taking down the video since, as Google's deputy general counsel for Europe also admits, Google took the video down only when the police asked it to do so, many days after the first flagging.  However, there is no clear information about the timeline of the mentioned facts.  We'll see...

Furthermore, the Court probably concluded that the accessibility of the video for about 2 months, coupled with the significant amount of views and comments, gave Google notice (or should have given Google notice) of the existence of the video.  This is my speculation. We'll see...

Unfortunately, there is no black letter law applicable to take down notices for privacy violations.  In fact, nothing like the DMCA exists in the EU even with respect to IP rights. I bet Google misses the clear-cut provisions of the DMCA when dealing with the EU.

In fact, the Prosecutor remarked about Google's vague and evasive attitude towards certain requests for discovery.  It turns out that Google was unable to restore the original page with the comments or to produce the first flagging of the video.  Google’s defense is, according to the Prosecutor, that producing this evidence was too costly and complicated for Google's engineers.  Well, the Court might have thought it wasn't...