Tag: privacy

The Court of Rome orders a mother to stop publishing on social networks contents relating her underage son

IPlensLeave a comment

With the countdown to the GDPR almost at its end, this interim order from the Court of Rome (full Italian text here) has been largely debated in Italy in the last days.

These are the facts, in sum:

  • During a divorce proceedings, a mother has been publishing on social networks many photos, videos, posts relating this lawsuit, including information about her son – a 16 years old guy;
  • The son was really frustrated by this situation. Details about him were constantly disseminated on social networks by his mother and his history – in all details – became known to all his schoolmates. He started suffering serious psychological effects – particularly he was scared of being discriminated and considered “different” by his mates due to his private “issue”.
  • For this reason, the guardian of the son (previously appointed in another proceedings) asked the Court to confirm his right to attend a US college to get a new life far away from this nasty situation.

In the interim injunction, the Court ordered:

(i) the mother to stop publishing on social networks and any other media, images, information and any other data relating her son, (ii) to remove all these contents published so far on social networks; additionally the Court (iii) fixed a monetary sanction for any violation of these orders.

(iv) the guardian of the son to ask search engines to de-list and social networks to remove all images, information and any data relating the young guy.

The interim decision is of course reasonable. The Court has not relied on a particular legal qualification of the matter, however apparently based on general civil law principles considering psychological damages suffered by the young guy. Thus the decision seems to refer to a general right to privacy (even before considering a question of fair processing of personal data).

The case confirms how social networks can be risky for our privacy due to their media massive effect. A part from this specific case, we should wonder about possible negative consequences of posting certain contents about third parties, that we might not foresee. This is particularly true for underage people, where particular attention is to be paid to their privacy – also in the long term (for a view on the possible negative consequences of parental oversharing, see for example here: ‘it’s difficult for an individual to control that information once it’s out there. When it comes to our children, we’re making the decision to put things out on their behalf, and what seems appropriate now may not be appropriate in ten years’ time’).

Even before the GDPR, the EU data protection legislation required consent for publishing contents about third parties on social media, with some exception as in case of news reporting (that remains mostly a matter of national law). But not – of course – if it is a parent publishing data about his/her underage son. The GDPR is now paying new attention to:

(i) the processing of data of underage people (Recitals 38, 58, 65, 71, 75) – the GDPR requires parental consent for the use of information technology services (Art. 8). Although limited to this type of services, it sets the legal age for data protection choices (i.e., a “digital consent”) at 16 years old (there is some flexibility for national legislation, but this age cannot be below 13 years). If this applies also to the exercise of privacy rights is difficult to say (Recital 65 seems to confirm this option) and it shall probably consider national legislation as well. Recital 38 states that consent by a parent or guardian is not required in the context of preventive or counselling services offered directly to a child. For example, the provision of child protection services offered online to a child by means of an online chat service does not require prior parental authorization, clarifies the WP29 Guidelines on Consent under the GDPR (here).

(ii) the risk of discrimination – a risk we should often consider in certain personal data processing operations (we have discussed this aspect in relation to profiling activities here).

Francesco Banterle

Court of Rome – Judge Monica Velletti – order 23 December 2017

 

Right to be forgotten: the first Italian decision after Google Spain

IPlensLeave a comment

By its judgment of 3 December 2015 (full text here), the Court of Rome issued the first decision of an Italian court dealing with the so called “right to be forgotten” after the ECJ leading case of 13 May 2014, C- 131/12, Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Costeja Mario González.

The applicant, a lawyer, sued Google, asking the de-listing of 14 links resulting from a list of results displayed following a search made on the basis of his name, on the assumption of the existence of a right to be forgotten. He argued that the links were referring to a court case dating back to the years 2012/2013 and dealing with an alleged fraud in which he was involved (but never condemned) with some representatives of the clergy and other subjects linked to the criminal organization known as “Banda della Magliana”. As a consequence, the lawyer called for the monetary compensation due to the illegal treatment of its personal data.

The Court of Rome dismissed the plaintiff’s request on the assumption that the disclosed personal data were both recent and of public interest.

The Court based its decision on the principles recently recognized by the Court of Justice in Google Spain (and already accepted by Italian previous case law, cfr. Cass. Civ. Sec. III, 05-04-2012, n. 5525).

In this case the ECJ ruled that the data subject may, in the light of his fundamental rights under Articles 7 and 8 of the EU Charter of Fundamental Rights (and in application of Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46/EC), request that the personal data in question no longer be made available to the general public by its inclusion in such a list of results. However, inasmuch as the removal of links from the list of results could, depending on the information at issue, have effects upon the legitimate interest of internet users potentially interested in having access to that information, “a fair balance should be sought in particular between that interest and the data subject’s fundamental rights under Articles 7 and 8 of the Charter” (par. 81).

Whilst “it should be held that those rights override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in finding that information upon a search relating to the data subject’s name”, the Court also recognised the existence of an exception to this general rule when “for particular reasons, such as the role played by the data subject in public life […], the interference with [the] fundamental rights [of the data subject] is justified by the preponderant interest of the general public in having, on account of [the] inclusion [of the information] in the list of results, access to the information in question” (par. 97).

The Article 29 Data Protection Working Party (hereinafter only “WP”) in its Guidelines on the implementation of the ECJ Judgement on Google Spain, adopted on 26 November 2014 for the purpose of establishing a list of common criteria to be used by European data protection authorities to evaluate whether data protection law has been complied with, stated that “no single criterion is, in itself, determinative”.

However among these criteria there are both whether the data are temporally relevant and not  excessive (i.e. closely related to the data’s age) and whether the data subject play a role in public life (s.c. public figures criterion).

With reference to the second criterion, even if it is not possible to establish with certainty the type of role in public life an individual must have to justify public access to information about them via a search result, the WP pointed out that “by way of illustration, politicians, senior public officials, business-people and members of the (regulated) professions can usually be considered to fulfil a role in public life”.

Under this test, the Court of Rome rejected the plaintiff’s request on the assumption that the treated personal data were both recent and of public interest and denied that the data subject had a right that the information relating to him should, at this point in time, no longer be linked to his name.

The decision can be welcomed to the extent it shows the benefits of the process of EU harmonization realized by means of the interpretative ruling of the ECJ and of the WP on the right to prevent indexing of personal data published on third parties’ web pages.

The judgement, in any case, works in the direction to limit the scope of application of the right to consign personal data to oblivion, since it affirms that the “public figure role” can be recognized not only to politicians and public officials but also to the large class of “business-people”, belonging to regulated professional orders.

Jacopo Ciani

Court of Rome, 3 December 2015, No. 23771, Dott.ssa Damiana Colla