A video of an autistic boy being harassed by bullies is posted to a service offered by Google in Italy. Google is informed of the availability and content of the video. Google removes the video within two (2) hours of being informed. Did Google react appropriately?
Those familiar with US privacy laws know that there is little about which Google should be concerned. Those familiar with European Union (EU) privacy laws generally conclude that Google is protected by the safe harbor under Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market. Those unfamiliar with EU privacy laws probably conclude that Google did the right thing, acted swiftly and should not be responsible for material posted by third parties about which Google is not aware.
Google is guilty of violation of Italian privacy laws, says an Italian court. The Italian court held three (3) Google executives criminally liable for making the bully video available. Yeah, seriously, convicted in absentia for violation of privacy (but cleared of defamation charges), Google’s Chief Legal Officer, Chief Privacy Counsel and a former Chief Financial Officer were sentenced to six-month suspended sentences. (I understand that for most convictions of less than two years, sentences are generally suspended if there are no prior convictions.)
Prosecutors may have successfully argued that Google is not a service provider (and protected by the above EU Directive), but rather is a content provider because of the numerous ways that Google “touches” its users. The amount of user data Google collects raises the level of duty owed to its users, making an invasion of privacy charge stick, prosecutors argued. The judge has until late May to issue his rationale for the convictions.
This case creates an absolute chilling effect on Internet companies that allow third parties to distribute or post content online. The number of possible scenarios where Internet companies can be found liable for invasion of privacy in Italy in light of this ruling is mind boggling. A user posts a naked picture of an ex-boyfriend out of anger, Facebook could be liable. A user publishes some private details about another user, Twitter could be liable. There are existing laws that effectively provide relief for those aggrieved parties that do not involve the Internet company, but in Italy they go after the Internet company.
I believe that the ruling in Italy is not in line with privacy laws in the EU, or at least with enforcement of those laws. Will Italian citizens now have a claim against Vodafone when a mobile phone user uses MMS messaging to send a private photograph to another person? What if Federal Express delivers stolen credit card information of Italian residents to an address in Italy?
Until this situation plays out (you know Google will be appealing the ruling), companies with social media services or capabilities for users to post their content to a company-hosted web site need to give real consideration of the risks of doing business in Italy, specifically in the EU.