Posts

Media: any information that can identify a victim of sexual violence, even indirectly, is prohibited

Lawyer Vincenzo Colarocco

The Italian Data Protection Authority has reiterated, with some recent decisions (see inter alia No. 906580790657829065800 in Italian language) the principle that prohibits the media to publish information that can make identifiable, even indirectly, a victim of sexual violence.

Article. 137 of the Privacy Code provided -and still provide in the new text of Article 12, paragraph 1(c) of Legislative Decree 101/2018– that in the event of disclosure or communication of personal data for journalistic purposes the limitations imposed on freedom of the press, to protect the rights and freedoms of persons, shall be left unprejudiced, and, in particular, the limit of materiality of the information with regard to facts of public interest.

The Authority stated that this limit must be interpreted with particular strictness when are considered data suitable for identifying victims of crimes, even more so with reference to news concerning episodes of sexual violence, given the special protection afforded by the law to the confidentiality of the persons injured by such crimes.

The diffusion within an article of information suitable to make identifiable, even if indirectly, the victim, is in contrast with the requirements of protection of the dignity of the same, also according to the Article 8, paragraph 1, of the code of practice concerning the processing of personal data in the exercise of journalistic activities.

The Authority reminded that in the event of non-compliance with the prohibition, the data controller, in this case the publisher, may also incur the new administrative sanctions introduced by the GDPR, in Article 83, paragraph 5(e), which can reach up to 20 million of euro or 4% of the total annual turnover in the previous year.

Guidelines on the territorial scope of the GDPR

Lawyer Vincenzo Colarocco

The guidelines 3/2018 clarify some aspects of article 3 of the GDPR which, as known, requires many big players in the digital world to comply with the EU data legislation.

In the specific case, for instance, how can establish when an Asian company is required to comply with the GDPR? What about those who market their products through an e-commerce portal: the opening of an office in Italy is considered as an establishment?

EU Data Protection Authorities intervened to answer these and other more or less complex questions in order to facilitate the understanding and, therefore, the application of the legal provision. Article 3 of the GDPR lays down two main criteria: the “establishment” and the “object of processing of personal data”. If one of these two criteria is met, the relevant provisions of the GDPR will apply. Moreover, paragraph 3 settles the application of the current legislation in the case of processing of personal data by a data controller that is not established in the European Union but in a region subject to the law of a Member State under international public law.

Clearly, these Guidelines will have the effect to produce strong consequences both on institutions and on european and foreign companies. This is exactly why the European Data Protection Board has submitted the text for public consultation before its final approval.

Therefore, it is expected the final text that will surely be useful in order to guarantee a proper interpretation of the EU regulation.