With the countdown to the GDPR almost at its end, this interim order from the Court of Rome (full Italian text here) has been largely debated in Italy in the last days.

These are the facts, in sum:

• During a divorce proceedings, a mother has been publishing on social networks many photos, videos, posts relating this lawsuit, including information about her son – a 16 years old guy;
• The son was really frustrated by this situation. Details about him were constantly disseminated on social networks by his mother and his history – in all details – became known to all his schoolmates. He started suffering serious psychological effects – particularly he was scared of being discriminated and considered “different” by his mates due to his private “issue”.
• For this reason, the guardian of the son (previously appointed in another proceedings) asked the Court to confirm his right to attend a US college to get a new life far away from this nasty situation.

In the interim injunction, the Court ordered:

(i) the mother to stop publishing on social networks and any other media, images, information and any other data relating her son, (ii) to remove all these contents published so far on social networks; additionally the Court (iii) fixed a monetary sanction for any violation of these orders.

(iv) the guardian of the son to ask search engines to de-list and social networks to remove all images, information and any data relating the young guy.

The interim decision is of course reasonable. The Court has not relied on a particular legal qualification of the matter, however apparently based on general civil law principles considering psychological damages suffered by the young guy. Thus the decision seems to refer to a general right to privacy (even before considering a question of fair processing of personal data).

The case confirms how social networks can be risky for our privacy due to their media massive effect. A part from this specific case, we should wonder about possible negative consequences of posting certain contents about third parties, that we might not foresee. This is particularly true for underage people, where particular attention is to be paid to their privacy – also in the long term (for a view on the possible negative consequences of parental oversharing, see for example here: ‘it’s difficult for an individual to control that information once it’s out there. When it comes to our children, we’re making the decision to put things out on their behalf, and what seems appropriate now may not be appropriate in ten years’ time’).

Even before the GDPR, the EU data protection legislation required consent for publishing contents about third parties on social media, with some exception as in case of news reporting (that remains mostly a matter of national law). But not – of course – if it is a parent publishing data about his/her underage son. The GDPR is now paying new attention to:

(i) the processing of data of underage people (Recitals 38, 58, 65, 71, 75) – the GDPR requires parental consent for the use of information technology services (Art. 8). Although limited to this type of services, it sets the legal age for data protection choices (i.e., a “digital consent”) at 16 years old (there is some flexibility for national legislation, but this age cannot be below 13 years). If this applies also to the exercise of privacy rights is difficult to say (Recital 65 seems to confirm this option) and it shall probably consider national legislation as well. Recital 38 states that consent by a parent or guardian is not required in the context of preventive or counselling services offered directly to a child. For example, the provision of child protection services offered online to a child by means of an online chat service does not require prior parental authorization, clarifies the WP29 Guidelines on Consent under the GDPR (here).

(ii) the risk of discrimination – a risk we should often consider in certain personal data processing operations (we have discussed this aspect in relation to profiling activities here).

Francesco Banterle

Court of Rome – Judge Monica Velletti – order 23 December 2017