Health data: new Council of Europe guidelines

Lawyer Vincenzo Colarocco

The Council of Europe, with a recommendation adopted on last 27 March (hereinafter referred to as the “Recommendation”), has provided a set of guidelines for the Member States with the aim of guiding them in the proper processing of health data.

The clear intention of the above European body is to ensure, in law and in practice, that the processing of such special categories of data under Article 9 of EU Regulation 679/2016 (“GDPR” or “Regulation”) will be implemented in full respect of human rights, at a particular historical time when the use of new technologies is quickly increasing[1]. This assumption implies the need to set up the treatment considering the cornerstones set at the basis of the Regulation:  privacy by design and privacy by default as regulated by art. 32 of the GDPR. Therefore, the technical and organisational measures to be implemented should be incorporated from the design phase of any system that processes health data. In addition, in order to further implement these principles, the Recommendation specifies that compliance with these provisions should be regularly reviewed throughout the entire life cycle of the processing and that the Controller must carry out, before starting the processing and at regular intervals, an assessment of the potential impact in terms of data protection and respect for privacy, including an evaluation  about measures to mitigate the risk.

The Recommendation also sets out some interesting clarifications on the legal basis that could legitimize the processing of health data. Established that the basis of said treatment consists in the informed consent of the data subject (according to Art. 9 of the GDPR), Recommendation also provides, alternatively, two further circumstances which would seem to exclude the prior collection of a consent:

  1. when the processing is necessary for the execution of a contract concluded by the data subject with a health care worker submitted to conditions defined by law, including the obligation of secrecy;
  2. when such data have been made public by the data subject himself.

With reference to the timing of storage (“retention”) to be applied to the category of health data, the Recommendation provides that, if adequate security measures are in place, the retention may be extended[2] when processing is envisaged for purposes of storage in the public interest or for scientific or historical purposes or, again, for research and statistics. In this latter case, the data should, in principle, be rendered anonymous as soon as research, archiving or statistical studies allow; if this is not possible, pseudonymisation could be used to safeguard the fundamental rights and freedoms of the data subjects.

In conclusion, it is clear that the Recommendation follows almost blindly the requirements of the GDPR, but in any case it must be pointed the importance and relevance of these provisions in light of the increasing digitization, that, necessarily, also involves the processing of personal data. This phenomenon evidently leads to an improvement in medical care and patient care, but inevitably causes an exponential increase in the amount of health data submitted to processing operations and, as a result, it determines the necessity to apply legal and technical measures that allow effective protection of each individual.



[1] The Recommendation also outlines indications regarding the processing of health data collected through mobile devices which, whether implanted in the individual or not, may reveal information about his physical or mental state, or which have, as their object, any information concerning health care and social care benefits.

[2] Therefore, by exceeding the storage periods strictly necessary for the purpose of patient’s caring.

CJU Case C-18/18: the stay-down duties of Facebook according to the Opinion of Advocate General M. Szpunar

Lawyer Alessandro La Rosa

On 4 June 2019 the Advocate General (AG) Szpunar delivered an Opinion in the context of the preliminary ruling request on Case C-18/18, in which the Austrian Supreme Court presented the following questions to the EUCJ:

  1. Does Article 15(1) of Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) generally preclude any of the obligations listed below of a host provider which has not expeditiously removed illegal information, specifically not just this illegal information within the meaning of Article 14(1)(a) of the Directive, but also other identically worded items of information:

a.a. worldwide? a.b. in the relevant Member State? a.c. of the relevant user worldwide? a.d. of the relevant user in the relevant Member State?

  1. In so far as Question 1 is answered in the negative: Does this also apply in each case for information with an equivalent meaning?
  2. Does this also apply for information with an equivalent meaning as soon as the operator has become aware of this circumstance?

The facts

The complaint was made by Ms Eva Glawischnig-Piesczek, member of the Nationalrat (National Council, Austria), chair of the parliamentary party die Grünen (‘the Greens’) and federal spokesperson of that party. On 3 April 2016 a user shared on Facebook an article from the Austrian online news magazine entitled ‘Greens: Minimum income for refugees should stay’ and published in connection with the article disparaging comments about the applicant, accusing her of being a ‘lousy traitor of the people’, a ‘corrupt oaf’ and a member of a ‘fascist party’. The content placed online by that user could be consulted by any other Facebook user.

AG Opinion

The AG recalled that the “service provider’s conduct must be limited to that of an ‘intermediary service provider’ within the meaning intended by the legislator in the context of Section 4 of that directive.” (par. 29) and that according to Recital 42 of Directive 2000/31/EC (E Commerce Directive, ECD), the liability limitation is subject to the fact that the service provider’s conduct is purely technical, automatic and passive, which implies that it has neither knowledge nor control over the data it stores and that the role it plays must therefore be neutral (par.29).

Considering Article 15, paragraph 1 ECD the AG clarifies that this provision prevents the intermediary service provider from being forced to monitor all of its user’s data in order to prevent future violations  (as this would go against what the CJEU has established in the SABAM C-360/10 Case). This said, this article doesn’t cover monitoring obligations applicable in specific cases as provided in Article 14, paragraph 3 ECD, on the basis of which a provider may be forced to prevent a violation which “logically implies a certain form of monitoring in the future” (par.41) and in Article 18 ECD, that requires Member States to ensure that Court actions available under national law concerning information society services’ activities allow for the rapid adoption of measures to prevent any further impairment of the interests involved.

The AG continues by adding that “a host provider may be ordered, in the context of an injunction, to remove illegal information which has not yet been disseminated at the time when that injunction is adopted, without the dissemination of that information being brought, again and separately from the original removal request, to its knowledge” (par.44).

However, in accordance with the ban of a general monitoring obligation provided in the ECD, such order must be referred to violations of the same kind, from the same recipients and for the same rights (as already established in Case C-324/09 L’Oreal vs eBay). It follows that, obligations of active monitoring may be imposed to a social network operator, provided that they are related to a specific infringement, that the monitoring period is specified and that clear indications about the nature of the violations are provided, such as their author and object.

Therefore, an injunction may force the provider to search and identify, among the information shared by the users of the platform, identical information to the one qualified as illegal by the judge, as the reproduction of the same content by other users of the platform can usually be detected with technological tools without the need to actively filter, in a non-automatic way, all of the information present on the platform. The injunction may also require a service provider to search and identify equivalent information to the illegal one, only among the information shared by the same user that shared the illegal one.

This is due to the fact that, in this specific case, the illegal material relates to offensive remarks and not to IP infringements. As stated by the AG “it is important not to lose sight of the factual context in which the relevant case-law was developed, namely the context of infringements of intellectual property law. Generally, such infringements consist in the dissemination of the same content as that protected or, at least, a content resembling the protected content, any changes in that content, which are sometimes difficult to make, requiring specific intervention. On the other hand, it is unusual for a defamatory act to use the precise terms of an act of the same type. That is, in part, the result of the personalised nature of the way in which ideas are expressed.[…]For that reason, in connection with defamation, a mere reference to acts of the same nature could not play the same role as in connection with infringements of intellectual property law.” (par. 69-70).

Therefore, the injunction of a judge that orders the removal of such equivalent information must ensure clarity, predictability and must balance the different fundamental rights involved, taking into account the proportionality principle.

If follows that, Article 15, paragraph 1, ECD mustn’t prevent a hosting provider from removing equivalent information to the one identified as illegal, where the obligation to remove such information doesn’t imply a general monitoring but derives from a knowledge resulting from the notice provided by the person harmed by the illegal content and not from another source. In such case, the violation of Article 15, paragraph 1 ECD doesn’t arise.

The AG Opinion is in line with the recently published Communications of the European Commission on these matters. In Communication 555/2017 of 28 September 2017 the Commission clarified that “Online platforms may become aware of the existence of illegal content in a number of different ways, through different channels. Such channels for notifications include (i) court orders or administrative decisions; (ii) notices from competent authorities (e.g. law enforcement bodies), specialised “trusted flaggers”, intellectual property rights holders or ordinary users, or (iii) through the platforms’ own investigations or knowledge.”, and that such operators, “In addition to legal obligations derived from EU and national law”, are required a “duty of care” and “should ensure a safe online environment for users, hostile to criminal and other illegal exploitation, and which deters as well as prevents criminal and other infringing activities online”. The Communication also clarifies that “in light of their central role and capabilities and their associated responsibilities” platforms shouldadopt effective proactive measures to detect and remove illegal content online and not only limit themselves to reacting to notices which they receive”.

In relation to the admissibility of dynamic injunctions, the European Commission has clarified in Communication 708/2017 of 29 November 2017 that “some Member States provide for the possibility of issuing forward-looking, catalogue-wide and dynamic injunctions”. These injunctions force the intermediaries to impede further infringements of the rights detained by a rightholder or of rights that are part of a catalogue or of a repository of a license holder,  following the  established infringement of a sample of these rights.

At national level, the Italian Supreme Court in Case n.7708/19 (RTI c Yahoo!) of 19 March 2019, recently rejected the ruling of the Milan Court of Appeal  (n.29/2015 of 7 January 2015) that provided that there could be no obligation to prevent the publication of the same illegal content that had already violated others ‘rights.

In conclusion, specific removal obligations for illicit information that is identical or equivalent is confirmed, in relation to copyright law, in the explicit stay-down obligations provided in Article 17, paragraph 4, letter c of the Directive on Copyright in the Digital Single Market, published in the Official Journal on 17 May 2019, which reads that “If no authorisation is granted, online content-sharing service providers shall be liable for unauthorised acts of communication to the public, including making available to the public, of copyright-protected works and other subject matter, unless the service providers demonstrate that they have […]acted expeditiously, upon receiving a sufficiently substantiated notice from the rightholders, to disable access to, or to remove from their websites, the notified works or other subject matter, and made best efforts to prevent their future uploads”.

The Google Case C 507/17: Right to be forgotten is Limited to Eu

Lawyer Vincenzo Colarocco

By decision of 21 May 2015, the President of the French Commission nationale de l’informatique et des libertés (CNIL’) served formal notice on Google that, when acceding to a request from a natural person for the removal of links to web pages from the list of results displayed following a search performed on the basis of that person’s name, it must apply that removal to all of its search engine’s domain name extensions. By adjudication of 10 March 2016, the CNIL, after finding that Google had failed to comply with that formal notice by the prescribed time limit, imposed on it a penalty, which was publicised, of €100 000. By an application lodged before the Conseil d’État (Council of State, France), Google seeks to have that adjudication annulled. The Conseil d’État decided to refer several questions to the Court of Justice for a preliminary ruling. Advocate General Maciej Szpunar, in his Opinion, stating that the Community provisions on the subject do not expressly regulate the question of the territoriality of deindexing and that a differentiation is necessary according to the place from which the research is carried out, proposes that the Court should declare that the “search engine operator is not required, when acceding to a request for de-referencing, to carry out that de-referencing on all the domain names of its search engine in such a way that the links in question no longer appear, irrespective of the location from which the search on the basis of the requesting party’s name is performed”. However, the Advocate General underlines that “once a right to de-referencing within the EU has been established, the search engine operator must take every measure available to it to ensure full and effective de-referencing within the EU, including by use of the ‘geo-blocking’ technique, in respect of an IP address deemed to be located in one of the Member States, irrespective of the domain name used by the internet user who performs the search.” In conclusion, dealing with the specific case Advocate General Szpunar had the opportunity to point out that the fundamental right to be forgotten must be balanced against other fundamental rights, such as the right to data protection and the right to privacy, as well as the legitimate public interest in accessing the information sought, stating that, if worldwide de-referencing were permitted, the EU authorities would not be able to define and determine a right to receive information, let alone balance it against the other fundamental rights to data protection and to privacy.

Ruling of the Italian Supreme Court in the Mediaset vs Yahoo! Case

Lawyers Alessandro La Rosa

Mediaset has sued Yahoo Inc. and Yahoo! Italy for the illegal broadcasting of more than 200 videos extracted from television programs broadcast by its television networks. The Civil Court of Milan, at first instance, had recognized the liability of Yahoo! Italy as operator of the Yahoo! Video service, for not having prevented the publication of the videos of Mediaset despite having been warned not to do so with an injunction containing the titles of the television programs in question and some URLs by way of example. For the first time in Italy, the Civil Court of Milan had taken on board the lessons of the EU Court of Justice on the concept of “active role” providers. At a later time, the Milan Court of Appeal overturned the decision of the first judge, denying the same configurability as the figure of the hosting provider “with an active role” and excluded the liability of Yahoo! Italy. With its decision of March 19, 2019, the Court of Cassation accepted the motivational approach of the Civil Court of Milan and asked the Court of Appeal of Milan to modify its decision on the basis of the following principles.

With ruling n. 7708 of March 19, 2019 the Italian Supreme Court upheld the action filed by RTI (Mediaset Group) and intentionally clarified the responsibility of the hosting providers (i.e. the service provider which memorises the information provided by the users, as provided by art. 14 Directive 2000/31/CE) towards the affected rightholders.

The Court has provided fundamental guidance that will have to be followed by national jurisprudence. The principles established by the Court can be summarized as follows:

a) the hosting provider must be defined “active” when his conduct has the effect to complete and enrich the consumption of illegal online advertising content by third parties. In this case there is a direct support (notably, active) to the illegal act carried out by these third parties with full civil responsibility towards the rightholders and the inapplicability of the Legislative Decree 70/2003 (the Italian legislative transposition of Directive 2000/31/CE) as the general rules are to be followed: the ruling identifies thoroughly also a number of useful indexes for which the hosting provider must be considered active, such as the activity of filtering, indexing, organizing and so on; or the adoption of a behavioral evaluation technique of the users to increase their loyalty to the service.

b) when such an active conduct is not recognized, the service provider must be qualified as “passive” and Article 16 of the Legislative Decree 70/2003 applies. This however doesn’t mean that such entity is entitled of an absolute liability exemption: In fact, according to these rules the provider is still liable towards the rightholders of content illegally published online by third parties when, he is aware of the illegal nature of the content (illegality that arises when, as in this case, rights of others related to copyright are violated) and nevertheless doesn’t remove it nor blocks access to it.

c) Especially in the actions for damages, responsibility arises when there is manifest illegality of this same content and, although the hosting provider is aware of it, he doesn’t impede its availability, omitting to remove or to disable access to such content. The knowledge arises not only when the rightholder informs about the illicit act and related damage, which can also be done in oral form (without the need of a written warning), but also when the provider has acquired such information by other means or became aware of it after its own verification. In fact, the ruling specifies that, when the communication is done by the affected rightholder, it does not necessarily have to be in written form (writing is advisable for practical need of evidence, but is not required by legislation). Practically speaking, the communication only has to allow hosting providers to understand and identify the illegal content (the Court of Cassation adds that, when videos extracted from TV programmes are concerned, it is to be assessed on a case by case basis if, for this purpose, only the title of the programme is needed or if other descriptive elements or other elements are necessary, with the possibility for the judge to require a technical advice).

d) Although the passive hosting provider is not required to carry out a general, anticipated and constant monitoring and therefore is not responsible for cases where he omitted to monitor in a preventive and continuous manner the content uploaded by the users of the service, it is likewise true that he is responsible for the damages when he acquires knowledge of the content and didn’t act for its immediate removal. There is no obligation to carry out an active search of the illegal material uploaded and distributed online, this obligation arises subsequently to the above knowledge, as legislation hasn’t completely annulled, but only limited, the control over the uploaded content which could be included in an illicit telematic act.

e) upon receiving communication of the illegal act from the rightholder, the hosting service provider can’t, in any case, stay inactive. On the contrary, he is required to evaluate, in accordance with common experience criteria and professional diligence, the notice received (and, if made by the damaged party, the reasonable grounds of the communication) and in case this evaluation is positive, to act expeditiously to remove the identified content. The Court of Cassation adds that, in cases of actions for damages, the illegal act must result “evident” to the operator, meaning it should be identifiable with no major difficulties as experience, knowledge and professional diligence allows. In such cases the hosting provider is liable for cases of intent or serious negligence (without prejudice to the fact that, also in cases of non-manifest illegal acts the provider can’t be inactive, as he should at least inform the competent authorities).

f) the passive hosting provider, when aware of the manifest illegal content uploaded, becomes liable when he doesn’t act. This arises unless he proves, once his knowledge of the illegal act is ascertained and after the elements that make the illegality evident have been included in the actions for damages, that he has never had the chance to effectively take action (but this possibility always arises when the hosting providers has the technical and legal instruments to impede the violations, as the Court of Cassation explains in the ruling).

g) ultimately, pursuant art. 16 of the Legislative Decree 70/2003 (corresponding to art. 14 Directive 2000/31/CE), even when the hosting provider is “passive” and not “active” he is liable for the damages against the affected rightholders when he doesn’t provide for the immediate removal of the illegal content or continues to upload it, if the following three conditions occur: i) the hosting provider becomes legally aware of the illegal act carried out by the user of the service, having known this from the affected rightholder or by other means; ii) the unlawfulness of the conduct of others is reasonably evident and therefore, the operator is in serious negligence for not noticing it, as such diligence is to be reasonably expected from a professional online operator in a given moment in history; iii) the hosting service provider has the possibility to usefully take action as he was made aware, in a sufficiently specific manner, of the illegal content to be removed.

h) in any case, apart from the claims for damages for the established violations, once the passive hosting provider becomes aware of illegal content of the same type, the reasons that exclude an obligation of constant and preventive monitoring no longer apply. Therefore, the judge can decide to impose injunction measures to the provider for the future, not only in order to put an end to the ongoing violations but also to prevent future ones (the ruling also specifies that nothing prevents a Court from requiring the hosting provider to block, not only access to content illegally published online, but also access to any other illegal content of the same type, about which the provider could become aware in the future – also for cases in which this implies a significant cost).

Media: any information that can identify a victim of sexual violence, even indirectly, is prohibited

Lawyer Vincenzo Colarocco

The Italian Data Protection Authority has reiterated, with some recent decisions (see inter alia No. 906580790657829065800 in Italian language) the principle that prohibits the media to publish information that can make identifiable, even indirectly, a victim of sexual violence.

Article. 137 of the Privacy Code provided -and still provide in the new text of Article 12, paragraph 1(c) of Legislative Decree 101/2018– that in the event of disclosure or communication of personal data for journalistic purposes the limitations imposed on freedom of the press, to protect the rights and freedoms of persons, shall be left unprejudiced, and, in particular, the limit of materiality of the information with regard to facts of public interest.

The Authority stated that this limit must be interpreted with particular strictness when are considered data suitable for identifying victims of crimes, even more so with reference to news concerning episodes of sexual violence, given the special protection afforded by the law to the confidentiality of the persons injured by such crimes.

The diffusion within an article of information suitable to make identifiable, even if indirectly, the victim, is in contrast with the requirements of protection of the dignity of the same, also according to the Article 8, paragraph 1, of the code of practice concerning the processing of personal data in the exercise of journalistic activities.

The Authority reminded that in the event of non-compliance with the prohibition, the data controller, in this case the publisher, may also incur the new administrative sanctions introduced by the GDPR, in Article 83, paragraph 5(e), which can reach up to 20 million of euro or 4% of the total annual turnover in the previous year.

Guidelines on the territorial scope of the GDPR

Lawyer Vincenzo Colarocco

The guidelines 3/2018 clarify some aspects of article 3 of the GDPR which, as known, requires many big players in the digital world to comply with the EU data legislation.

In the specific case, for instance, how can establish when an Asian company is required to comply with the GDPR? What about those who market their products through an e-commerce portal: the opening of an office in Italy is considered as an establishment?

EU Data Protection Authorities intervened to answer these and other more or less complex questions in order to facilitate the understanding and, therefore, the application of the legal provision. Article 3 of the GDPR lays down two main criteria: the “establishment” and the “object of processing of personal data”. If one of these two criteria is met, the relevant provisions of the GDPR will apply. Moreover, paragraph 3 settles the application of the current legislation in the case of processing of personal data by a data controller that is not established in the European Union but in a region subject to the law of a Member State under international public law.

Clearly, these Guidelines will have the effect to produce strong consequences both on institutions and on european and foreign companies. This is exactly why the European Data Protection Board has submitted the text for public consultation before its final approval.

Therefore, it is expected the final text that will surely be useful in order to guarantee a proper interpretation of the EU regulation.

The posting on a website of a photograph, which was previously published online without express restrictions, still has to be authorized by the copyright owner

Lawyer Alessandro La Rosa

With a decision published on the 7th of August 2018 (case C- 161/17 – Land Nordrhein-Westfalen v. Dirk Renckhoff), the European Court of Justice ruled on the issue whether “the posting on a website of a photograph previously published without any restrictions and with the consent of the copyright holder on another website constitutes a ‘communication to the public’, within the meaning of Article 3(1) of Directive 2001/29”.

The facts of the case underlying the question for preliminary ruling by the Court concerned the publication on a school website of a photograph, which, by way of illustration, constituted part of a workshop organized by a student of the institute, who downloaded it from another website where it was previously published with the consent of its author. The latter then claimed that he gave a right of use exclusively to the operators of the first online portal, while the posting of the photograph on the school website infringed his copyright.

The Court, taking for granted that the posting on a website constitutes an act of “making available”, and starting by saying that “it follows from recitals 4, 9 and 10 of Directive 2001/29 that the latter’s principal objective is to establish a high level of protection for authors”, and that “the concept of ‘communication to the public’ must be interpreted broadly, as recital 23 of the directive expressly states”, takes on the main issue at stake, thus considering whether such a “communication” was made “to a ‘new public’, that is to say, to a public that was not already taken into account by the copyright holders when they authorized the initial communication to the public of their work”.

On this topic, a first observation of the Court (recalling, on this point, its previous judgments of 31 May 2016, Reha Training, C‑117/15, EU:C:2016:379, paragraph 30; of 16 November 2016, Soulier and Doke, C‑301/15, EU:C:2016:878, paragraph 33; and of 14 June 2017, Stichting Brein, C‑610/15, EU:C:2017:456, paragraph 20) deals with the fact that, besides their right to give consent for the communication of their works to the public, “under Article 3(1) of Directive 2001/29, authors have a right which is preventive in nature which allows them to intervene between possible users of their work and the communication to the public which such users might contemplate making, in order to prohibit such communication”.

In the opinion of the Court, then, “Such a right of a preventive nature would be deprived of its effectiveness if it were to be held that the posting on one website of a work previously posted on another website with the consent of the copyright holder did not constitute a communication to a new public. Such a posting on a website other than that on which it was initially posted might make it impossible or at least much more difficult for the holder of a right of a preventive nature to require the cessation of that communication, if necessary by removing the work from the website on which it was posted with his consent or by revoking the consent previously given to a third party.

In fact, the Court gives considerable value to the circumstance that, in the present case (to the contrary, e.g., of those cases where the work is not newly “re-uploaded” on another website, but it is only “recalled” by means of an hyperlink to the website where it was originally published, as the Court would explain in detail) the copyrighted work would remain available to the public “even if the holder of the copyright decides no longer to communicate his work on the website on which it was initially communicated with his consent. On this point the Court recalls his judgment of 16 November 2016, Soulier and Doke, C‑301/15, EU:C:2016:878, paragraph 51, to remember that “the author of a work must be able to put an end to the exercise, by a third party, of rights of exploitation in digital format that he holds on that work, and to prohibit him from any future use in such a format, without having to submit beforehand to other formalities”.

A second factor taken into account by the Judges is that “Article 3(3) of Directive 2001/29 specifically provides that the right of communication to the public referred to in Article 3(1) of that directive is not exhausted by any act of communication to the public or making available to the public within the meaning of that provision”, which instead would essentially happen if the posting online of a work, previously uploaded on another website with the consent of its copyright holder, would not be considered as an act of “making available” to a “new public” of that work.

As a third factor the Court holds relevant the circumstance that “that rule would deprive the copyright holder of the opportunity to claim an appropriate reward for the use of his work” (recalling on this point recital 10 of the Directive 2001/29 and its judgment of 4 October 2011, Football Association Premier League and Others, C‑403/08 and C‑429/08, EU:C:2011:631, paragraphs 107 and 108).

Instead, it is not relevant nor convincing, in order to hold the opposite of what is stated by the Court (which, on this point, clearly takes distance from the opinion of the Advocate General), that “the copyright holder did not limit the ways in which internet users could use the photograph”; to that extent the Court recalls that it has already stated “that the enjoyment and the exercise of the right provided for in Article 3(1) of Directive 2001/29 may not be subject to any formality” (the reference is, again, to its judgment of 16 November 2016, Soulier and Doke, C‑301/15, EU:C:2016:878, paragraph 50).

Therefore, the conclusion of the Judges is that “the posting of a work protected by copyright on one website other than that on which the initial communication was made with the consent of the copyright holder, in circumstances such as those at issue in the main proceedings, must be treated as making such a work available to a new public. In such circumstances, the public taken into account by the copyright holder when he consented to the communication of his work on the website on which it was originally published is composed solely of users of that site and not of users of the website on which the work was subsequently published without the consent of the rightholder, or other internet users.

The motivation of the Court, however, does not end here. Actually, it seems somehow concerned with the fact that the present ruling may appear inconsistent with the principle – expressed in particular in its judgement of 13 February 2014, Svensson and Others (C‑466/12, EU:C:2014:76, paragraphs 25 and 26), and in its order of 21 October 2014, BestWater International (C‑348/13, not published, EU:C:2014:2315, paragraph 16) – holding that “regarding the making available of protected works by means of a clickable link referring to another website on which the original publication was made, that the public targeted by the original communication was all potential visitors to the website concerned, since, knowing that access to those works on that site was not subject to any restrictive measure, all internet users could access it freely.

In contrast, again, to what was affirmed by the Advocate General, it holds that it is exactly the different way of “making available” that allows a distinction between the present case and its precedents. Again, the key factor that leads the Court to consider, still upholding its precedents, that in the present case the communication is made to a “new public”, is represented by the preventive nature of the rights held by the authors, which “are preserved, since it is open to the author, if he no longer wishes to communicate his work on the website concerned, to remove it from the website on which it was initially communicated, rendering obsolete any hyperlink leading to it. However, in circumstances such as those at issue in the main proceedings, the posting on another website of a work gives rise to a new communication, independent of the communication initially authorized. As a consequence of that posting, such a work may remain available on the latter website, irrespective of the prior consent of the author and despite an action by which the rightholder decides no longer to communicate his work on the website on which it was initially communicated with his consent.

It is interesting to note that, in exposing these arguments, the Court considers that the “hyperlinking” system, according to its own jurisprudence, contributes “in particular to the sound operation of the internet by enabling the dissemination of information in that network characterized by the availability of immense amounts of information”, while it could have no relevance the circumstance that the student behavior may constitute exercise of the right to education, since “the findings set out in paragraph 35 of the present judgment, relating to the concept of ‘new public’, are not based on whether the illustration used by the pupil for her school presentation is educational in nature, but on the fact that the posting of that work on the school website made it accessible to all the visitors to that website”.

The Italian Decree no. 101/2018, implementing Regulation no. 679/2016 (GDPR)

Lawyer Vincenzo Colarocco

On September 4th, the legislative decree n. 101 of 10 August 2018, concerning the provisions for the adaptation of the national legislation to the Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and rules to the free movement of such data, better known as “GDPR”. The Regulation is already obligatory from 25 May, but the national legislation, and precisely our Privacy Code, needed an appropriate adjustment. The result is a “slimmer” Code, but also more coherent with the European law.

The legislative technique adopted by the Italian legislator was to avoid duplicating provisions, which are present both in the Regulation and in the Code. The decree will be applicable on September 19: this decision has been taken to guarantee the continuity of the legislation, saving for a transitional period the provisions of the Authority and the authorizations, which will be reviews in future, as well as the deontological codes in force. Among the most relevant innovations are:

a) forecasts that, for the first eight months after entry into force, the Guarantors for the protection of personal data take into account the fact that they are still at an early stage in implementing the legislation, to provide the penalties;

b) the consent of Italian minors from the age of 14 for the processing of personal data in the use of information society services (in France, the draft provides for 15 years);

c) the repeal of the crime referred to in art. 169 of the Privacy Code, since the minimum security measures are no longer foreseen, together with other penal sanctions which, in the face of new administrative sanctions, would have violated the principle of “ne bis in idem“, in the face of the inclusion of new types of offense;

d) the prediction that in cases of receipt of the curricula spontaneously transmitted by the candidates, for the purpose of establishing a working relationship, the information must be provided at the time of the first useful contact, following the sending of the curriculum. Furthermore, consent to the processing of personal data in the curricula is not due;

e) the management of rights concerning the deceased persons who may be exercised by those who have an interest of their own, or who are acting to protect the data subject, as their agent, or for family reasons deserving of protection.

New measures and incentives to support private investment on Green Policies

Lawyer Andrea Bernasconi

On March 2018 a set of decrees for the promotion of alternative energy policies has been signed by the Italian Ministry of the Economic Development. Meanwhile, the Ministry engaged in a number of procedures, along with the Ministry of the Environment, in order to promote new guidelines on renewables.

Among the most significant measures, the decree for the promotion of the use of biomethane and other advanced biofuels in the transport sector should be remarked. Italy, which is already a leader country in the European biomethane market, sets the target for the consumption of renewable energy in the transport sector out to 10% to be fulfilled by 2020. None of the provisions will adversely affect the gas or electricity bills of the final consumers, since the project is financed exclusively by “obligated entities”, namely economic operators that sell petrol and diesel fuel, who have long been obliged to replacepart of them with biofuel.

It is also worth mentioning the decree on the implementation of the current taxes and fees system for the industrial companies subject to a high consumption of natural gas. It has been drafted in  accordance with EU guidelines, in order to establish a system of facilities similar to the one involving energy-intensive companies and finance decarbonisation measures. The decree is particularly designed both for companies that use natural gas as raw material for a non-combustible use (including chemistry and fertilizers) and for companies with a gas consumption above a certain threshold. Such companies will take advantages of tariff exemptions in return for decarbonisation charges.

Furthermore the Minister has issued a decree scheme (so-called FER1), to be discussed with the Ministry of the Environment, which aims at developing a three-year incentive plan (2018-20) on onshore wind, solar photovoltaic, hydroelectric, traditional geothermal, landfill and sewage gas. Maximising the amount of renewable energy produced, relying on the greater competitiveness for these sources is the final goal. The access to incentives would be granted through competitive procedures based on economic criteria, in order to stimulate the reduction of costs on bills as well as efficiency in the supply chain of the components.


Profiling and automated decisions: is it possible on minors?

Lawyer Vincenzo Colarocco

The Art. 29 Group recently adopted (on 6 February 2018) the new version of the “guidelines on the processing of personal data carried out by automated decision-makers” in which profiling is included, adapting them to the new EU rules on privacy. Profiling, as introduced by the guidelines, is a process applied to numerous sectors: banking, finance, healthcare, taxation, insurance, marketing and advertising are just some of the areas in which profiling is used more frequently in order to support decision-making processes.

Thanks to the technological increase, these processes, applying artificial intelligence and big data analytics capabilities, simplify the creation of individuals’ profiles and significantly affect people’s rights and freedoms. In this regard, the guidelines, in addition to clarifying the definition contained in the GDPR on the concepts of automated decision making and profiling, also contain general and more specific provisions, recommendations and good practices on profiling carried out against minors.

Let’s consider a minor who creates a personal account to subscribe himself to a social network. The form will collect his personal data: name, surname, address, telephone number and the social will use the online behaviour of this young user to offer him a personalized news feed or advertising images. At the same time the minor could visit a site to see the results of his favourite football team and the advertising cookies will record information on his navigation deducing his interests.

If on the one hand the legislation requires that minors’ data are not collected and treated to profile on the other how can the holder prove that the consent has been given by a minor or an adult? Most of the users do not clearly understand these concepts or even imagine the existence of an automated procedure that allows the browser -once visited the site and given its consent- to save the data related to the navigation and then reuse them later. It therefore follows that the demonstrability that consent has been acquired by an adult rather than a minor becomes really complex to justify for the Data Controller.

This latter must provide clear, complete and exhaustive information in such a way that the data subject provides a consent enabling the pursuit of profiling purposes.. Finally, all web pages attributable to the data controller should link to the dedicated area within which the user can exercise his rights with respect to the data, for example, by revoking the consent given.