Media: any information that can identify a victim of sexual violence, even indirectly, is prohibited

Lawyer Vincenzo Colarocco

The Italian Data Protection Authority has reiterated, with some recent decisions (see inter alia No. 906580790657829065800 in Italian language) the principle that prohibits the media to publish information that can make identifiable, even indirectly, a victim of sexual violence.

Article. 137 of the Privacy Code provided -and still provide in the new text of Article 12, paragraph 1(c) of Legislative Decree 101/2018– that in the event of disclosure or communication of personal data for journalistic purposes the limitations imposed on freedom of the press, to protect the rights and freedoms of persons, shall be left unprejudiced, and, in particular, the limit of materiality of the information with regard to facts of public interest.

The Authority stated that this limit must be interpreted with particular strictness when are considered data suitable for identifying victims of crimes, even more so with reference to news concerning episodes of sexual violence, given the special protection afforded by the law to the confidentiality of the persons injured by such crimes.

The diffusion within an article of information suitable to make identifiable, even if indirectly, the victim, is in contrast with the requirements of protection of the dignity of the same, also according to the Article 8, paragraph 1, of the code of practice concerning the processing of personal data in the exercise of journalistic activities.

The Authority reminded that in the event of non-compliance with the prohibition, the data controller, in this case the publisher, may also incur the new administrative sanctions introduced by the GDPR, in Article 83, paragraph 5(e), which can reach up to 20 million of euro or 4% of the total annual turnover in the previous year.

Guidelines on the territorial scope of the GDPR

Lawyer Vincenzo Colarocco

The guidelines 3/2018 clarify some aspects of article 3 of the GDPR which, as known, requires many big players in the digital world to comply with the EU data legislation.

In the specific case, for instance, how can establish when an Asian company is required to comply with the GDPR? What about those who market their products through an e-commerce portal: the opening of an office in Italy is considered as an establishment?

EU Data Protection Authorities intervened to answer these and other more or less complex questions in order to facilitate the understanding and, therefore, the application of the legal provision. Article 3 of the GDPR lays down two main criteria: the “establishment” and the “object of processing of personal data”. If one of these two criteria is met, the relevant provisions of the GDPR will apply. Moreover, paragraph 3 settles the application of the current legislation in the case of processing of personal data by a data controller that is not established in the European Union but in a region subject to the law of a Member State under international public law.

Clearly, these Guidelines will have the effect to produce strong consequences both on institutions and on european and foreign companies. This is exactly why the European Data Protection Board has submitted the text for public consultation before its final approval.

Therefore, it is expected the final text that will surely be useful in order to guarantee a proper interpretation of the EU regulation.

The posting on a website of a photograph, which was previously published online without express restrictions, still has to be authorized by the copyright owner

Lawyer Alessandro La Rosa

With a decision published on the 7th of August 2018 (case C- 161/17 – Land Nordrhein-Westfalen v. Dirk Renckhoff), the European Court of Justice ruled on the issue whether “the posting on a website of a photograph previously published without any restrictions and with the consent of the copyright holder on another website constitutes a ‘communication to the public’, within the meaning of Article 3(1) of Directive 2001/29”.

The facts of the case underlying the question for preliminary ruling by the Court concerned the publication on a school website of a photograph, which, by way of illustration, constituted part of a workshop organized by a student of the institute, who downloaded it from another website where it was previously published with the consent of its author. The latter then claimed that he gave a right of use exclusively to the operators of the first online portal, while the posting of the photograph on the school website infringed his copyright.

The Court, taking for granted that the posting on a website constitutes an act of “making available”, and starting by saying that “it follows from recitals 4, 9 and 10 of Directive 2001/29 that the latter’s principal objective is to establish a high level of protection for authors”, and that “the concept of ‘communication to the public’ must be interpreted broadly, as recital 23 of the directive expressly states”, takes on the main issue at stake, thus considering whether such a “communication” was made “to a ‘new public’, that is to say, to a public that was not already taken into account by the copyright holders when they authorized the initial communication to the public of their work”.

On this topic, a first observation of the Court (recalling, on this point, its previous judgments of 31 May 2016, Reha Training, C‑117/15, EU:C:2016:379, paragraph 30; of 16 November 2016, Soulier and Doke, C‑301/15, EU:C:2016:878, paragraph 33; and of 14 June 2017, Stichting Brein, C‑610/15, EU:C:2017:456, paragraph 20) deals with the fact that, besides their right to give consent for the communication of their works to the public, “under Article 3(1) of Directive 2001/29, authors have a right which is preventive in nature which allows them to intervene between possible users of their work and the communication to the public which such users might contemplate making, in order to prohibit such communication”.

In the opinion of the Court, then, “Such a right of a preventive nature would be deprived of its effectiveness if it were to be held that the posting on one website of a work previously posted on another website with the consent of the copyright holder did not constitute a communication to a new public. Such a posting on a website other than that on which it was initially posted might make it impossible or at least much more difficult for the holder of a right of a preventive nature to require the cessation of that communication, if necessary by removing the work from the website on which it was posted with his consent or by revoking the consent previously given to a third party.

In fact, the Court gives considerable value to the circumstance that, in the present case (to the contrary, e.g., of those cases where the work is not newly “re-uploaded” on another website, but it is only “recalled” by means of an hyperlink to the website where it was originally published, as the Court would explain in detail) the copyrighted work would remain available to the public “even if the holder of the copyright decides no longer to communicate his work on the website on which it was initially communicated with his consent. On this point the Court recalls his judgment of 16 November 2016, Soulier and Doke, C‑301/15, EU:C:2016:878, paragraph 51, to remember that “the author of a work must be able to put an end to the exercise, by a third party, of rights of exploitation in digital format that he holds on that work, and to prohibit him from any future use in such a format, without having to submit beforehand to other formalities”.

A second factor taken into account by the Judges is that “Article 3(3) of Directive 2001/29 specifically provides that the right of communication to the public referred to in Article 3(1) of that directive is not exhausted by any act of communication to the public or making available to the public within the meaning of that provision”, which instead would essentially happen if the posting online of a work, previously uploaded on another website with the consent of its copyright holder, would not be considered as an act of “making available” to a “new public” of that work.

As a third factor the Court holds relevant the circumstance that “that rule would deprive the copyright holder of the opportunity to claim an appropriate reward for the use of his work” (recalling on this point recital 10 of the Directive 2001/29 and its judgment of 4 October 2011, Football Association Premier League and Others, C‑403/08 and C‑429/08, EU:C:2011:631, paragraphs 107 and 108).

Instead, it is not relevant nor convincing, in order to hold the opposite of what is stated by the Court (which, on this point, clearly takes distance from the opinion of the Advocate General), that “the copyright holder did not limit the ways in which internet users could use the photograph”; to that extent the Court recalls that it has already stated “that the enjoyment and the exercise of the right provided for in Article 3(1) of Directive 2001/29 may not be subject to any formality” (the reference is, again, to its judgment of 16 November 2016, Soulier and Doke, C‑301/15, EU:C:2016:878, paragraph 50).

Therefore, the conclusion of the Judges is that “the posting of a work protected by copyright on one website other than that on which the initial communication was made with the consent of the copyright holder, in circumstances such as those at issue in the main proceedings, must be treated as making such a work available to a new public. In such circumstances, the public taken into account by the copyright holder when he consented to the communication of his work on the website on which it was originally published is composed solely of users of that site and not of users of the website on which the work was subsequently published without the consent of the rightholder, or other internet users.

The motivation of the Court, however, does not end here. Actually, it seems somehow concerned with the fact that the present ruling may appear inconsistent with the principle – expressed in particular in its judgement of 13 February 2014, Svensson and Others (C‑466/12, EU:C:2014:76, paragraphs 25 and 26), and in its order of 21 October 2014, BestWater International (C‑348/13, not published, EU:C:2014:2315, paragraph 16) – holding that “regarding the making available of protected works by means of a clickable link referring to another website on which the original publication was made, that the public targeted by the original communication was all potential visitors to the website concerned, since, knowing that access to those works on that site was not subject to any restrictive measure, all internet users could access it freely.

In contrast, again, to what was affirmed by the Advocate General, it holds that it is exactly the different way of “making available” that allows a distinction between the present case and its precedents. Again, the key factor that leads the Court to consider, still upholding its precedents, that in the present case the communication is made to a “new public”, is represented by the preventive nature of the rights held by the authors, which “are preserved, since it is open to the author, if he no longer wishes to communicate his work on the website concerned, to remove it from the website on which it was initially communicated, rendering obsolete any hyperlink leading to it. However, in circumstances such as those at issue in the main proceedings, the posting on another website of a work gives rise to a new communication, independent of the communication initially authorized. As a consequence of that posting, such a work may remain available on the latter website, irrespective of the prior consent of the author and despite an action by which the rightholder decides no longer to communicate his work on the website on which it was initially communicated with his consent.

It is interesting to note that, in exposing these arguments, the Court considers that the “hyperlinking” system, according to its own jurisprudence, contributes “in particular to the sound operation of the internet by enabling the dissemination of information in that network characterized by the availability of immense amounts of information”, while it could have no relevance the circumstance that the student behavior may constitute exercise of the right to education, since “the findings set out in paragraph 35 of the present judgment, relating to the concept of ‘new public’, are not based on whether the illustration used by the pupil for her school presentation is educational in nature, but on the fact that the posting of that work on the school website made it accessible to all the visitors to that website”.

The Italian Decree no. 101/2018, implementing Regulation no. 679/2016 (GDPR)

Lawyer Vincenzo Colarocco

On September 4th, the legislative decree n. 101 of 10 August 2018, concerning the provisions for the adaptation of the national legislation to the Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and rules to the free movement of such data, better known as “GDPR”. The Regulation is already obligatory from 25 May, but the national legislation, and precisely our Privacy Code, needed an appropriate adjustment. The result is a “slimmer” Code, but also more coherent with the European law.

The legislative technique adopted by the Italian legislator was to avoid duplicating provisions, which are present both in the Regulation and in the Code. The decree will be applicable on September 19: this decision has been taken to guarantee the continuity of the legislation, saving for a transitional period the provisions of the Authority and the authorizations, which will be reviews in future, as well as the deontological codes in force. Among the most relevant innovations are:

a) forecasts that, for the first eight months after entry into force, the Guarantors for the protection of personal data take into account the fact that they are still at an early stage in implementing the legislation, to provide the penalties;

b) the consent of Italian minors from the age of 14 for the processing of personal data in the use of information society services (in France, the draft provides for 15 years);

c) the repeal of the crime referred to in art. 169 of the Privacy Code, since the minimum security measures are no longer foreseen, together with other penal sanctions which, in the face of new administrative sanctions, would have violated the principle of “ne bis in idem“, in the face of the inclusion of new types of offense;

d) the prediction that in cases of receipt of the curricula spontaneously transmitted by the candidates, for the purpose of establishing a working relationship, the information must be provided at the time of the first useful contact, following the sending of the curriculum. Furthermore, consent to the processing of personal data in the curricula is not due;

e) the management of rights concerning the deceased persons who may be exercised by those who have an interest of their own, or who are acting to protect the data subject, as their agent, or for family reasons deserving of protection.

New measures and incentives to support private investment on Green Policies

Lawyer Andrea Bernasconi

On March 2018 a set of decrees for the promotion of alternative energy policies has been signed by the Italian Ministry of the Economic Development. Meanwhile, the Ministry engaged in a number of procedures, along with the Ministry of the Environment, in order to promote new guidelines on renewables.

Among the most significant measures, the decree for the promotion of the use of biomethane and other advanced biofuels in the transport sector should be remarked. Italy, which is already a leader country in the European biomethane market, sets the target for the consumption of renewable energy in the transport sector out to 10% to be fulfilled by 2020. None of the provisions will adversely affect the gas or electricity bills of the final consumers, since the project is financed exclusively by “obligated entities”, namely economic operators that sell petrol and diesel fuel, who have long been obliged to replacepart of them with biofuel.

It is also worth mentioning the decree on the implementation of the current taxes and fees system for the industrial companies subject to a high consumption of natural gas. It has been drafted in  accordance with EU guidelines, in order to establish a system of facilities similar to the one involving energy-intensive companies and finance decarbonisation measures. The decree is particularly designed both for companies that use natural gas as raw material for a non-combustible use (including chemistry and fertilizers) and for companies with a gas consumption above a certain threshold. Such companies will take advantages of tariff exemptions in return for decarbonisation charges.

Furthermore the Minister has issued a decree scheme (so-called FER1), to be discussed with the Ministry of the Environment, which aims at developing a three-year incentive plan (2018-20) on onshore wind, solar photovoltaic, hydroelectric, traditional geothermal, landfill and sewage gas. Maximising the amount of renewable energy produced, relying on the greater competitiveness for these sources is the final goal. The access to incentives would be granted through competitive procedures based on economic criteria, in order to stimulate the reduction of costs on bills as well as efficiency in the supply chain of the components.


Profiling and automated decisions: is it possible on minors?

Lawyer Vincenzo Colarocco

The Art. 29 Group recently adopted (on 6 February 2018) the new version of the “guidelines on the processing of personal data carried out by automated decision-makers” in which profiling is included, adapting them to the new EU rules on privacy. Profiling, as introduced by the guidelines, is a process applied to numerous sectors: banking, finance, healthcare, taxation, insurance, marketing and advertising are just some of the areas in which profiling is used more frequently in order to support decision-making processes.

Thanks to the technological increase, these processes, applying artificial intelligence and big data analytics capabilities, simplify the creation of individuals’ profiles and significantly affect people’s rights and freedoms. In this regard, the guidelines, in addition to clarifying the definition contained in the GDPR on the concepts of automated decision making and profiling, also contain general and more specific provisions, recommendations and good practices on profiling carried out against minors.

Let’s consider a minor who creates a personal account to subscribe himself to a social network. The form will collect his personal data: name, surname, address, telephone number and the social will use the online behaviour of this young user to offer him a personalized news feed or advertising images. At the same time the minor could visit a site to see the results of his favourite football team and the advertising cookies will record information on his navigation deducing his interests.

If on the one hand the legislation requires that minors’ data are not collected and treated to profile on the other how can the holder prove that the consent has been given by a minor or an adult? Most of the users do not clearly understand these concepts or even imagine the existence of an automated procedure that allows the browser -once visited the site and given its consent- to save the data related to the navigation and then reuse them later. It therefore follows that the demonstrability that consent has been acquired by an adult rather than a minor becomes really complex to justify for the Data Controller.

This latter must provide clear, complete and exhaustive information in such a way that the data subject provides a consent enabling the pursuit of profiling purposes.. Finally, all web pages attributable to the data controller should link to the dedicated area within which the user can exercise his rights with respect to the data, for example, by revoking the consent given.

The countdown to GDPR

Lawyer Vincenzo Colarocco

The General Data Protection Regulation (‘GDPR’) it’s gonna be applied starting from 25 May 2018 by giving to the companies and the data protection authorities a limited window to get ready for the new rules: the time available is less than sixty days.

As it is known, the GDPR is aimed at standardizing the national data protection laws by introducing a new set of data protection rules directly enforceable for all EU Member States. But the effect of the GDPR will not be limited to the European context: given its wide geographical scope, the GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

Moreover the Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

Therefore, companies should appreciate -as soon as possible- how the GDPR will affect their business models and data processing practices.

In this regard, the main innovations introduced by the Regulation are:

  1. Theaccountability”: the data controller has to demonstrate that he has adopted a comprehensive process of legal, administrative, technical measures for the protection of personal data collected, including the development of specific organizational models;
  2. Privacy Impact Assessment: obligation for each data controller to perform and document a risk assessment based from the treatments performed; on the basis of the results the data controller has to consider to carry out a possible prior consultation with the Authority;
  3. Privacy by design and privacy by default: it is required to adopt measures for pseudonymisation and minimization of data processing, with regard to access, the overall context in which the data processing takes place, risks for the rights and freedoms of data subjects;
  4. The Data Protection Officer (DPO): the Regulation introduces this figure who can be considered a data protection manager; the DPO is a figure of control, advice and support to the data controller and to the processor for the concrete application within the GDPR;
  5. Data breach notification: all data controllers (regardless of size and sector of intervention) have to notify the data breach to the Authority within 72 hours from the moment in which they became aware of the fact, or at the time in which the controller has made aware of it, without unjustified delay, after having carried out an assessment on the nature and seriousness of the violation of personal data and its consequences and negative effects for the subjects;
  6. The new rights: the controller must recognize and easily allow the exercise of the rights (access, portability, erasure, opposition, rectification) of the data subjects;
  7. Sanctions: the Regulation has significantly increased the penalties deriving from non-compliance with the EU law up to a maximum of 20 million euro or 4% of the total annual turnover in the previous year (if higher).

Therefore, it is clear that GDPR has application area that exceeds the boundaries of the UE: the deadline of 25 May is here and the extra-eu companies are also required to conform to the new legislation.

First and foremost, assess whether, as not-EU controller or processor, you will fall within the scope of the GDPR; after, determine where your main establishment might be located based on your data processing activities.

The developments of copyright enforcement, in order to fight piracy and mirroring

Lawyer Alessandro La Rosa

Digital pirates often try to overcome website blockages imposed by judicial and administrative authorities on network access providers, by creating new websites accessible through top-level or second-level domain names, that are partially different from those reached by blocking orders, to which the latter redirect: these sites, de facto, fully reproduce the contents of those initially blocked, and for such reason they’re defined “mirror sites“.

The European Commission, with the “Communication COM(2017) 708” of the 29th November 2017, has provided guidelines for the interpretation of Directive 2004/48/EC (c.d. Enforcement), by expressly recognising the admissibility of injunctions specifically aimed at preventing the phenomenon of mirroring, and acknowledging that injunctions, in certain cases, may “lose some effectiveness because of changes in the subject matter in respect of which the injunction was ordered. This may be, for example, the case of website blocking injunctions, where a competent judicial authority grants the injunction with reference to certain specific domain names, whilst mirror websites can appear easily under other domain names and thus remain unaffected by the injunction. Dynamic injunctions are a possible means to address this. These are injunctions which can be issued for instance in cases in which materially the same website becomes available immediately after issuing the injunction with a different IP address or URL and which is drafted in a way that allows to also cover the new IP address or URL without the need for a new judicial procedure to obtain a new injunction”. Soon after, on the 21st December 2017, the High Court of Justice of England and Wales confirmed what had already been previously established by the High Court of Justice Chancery Division (‘HCJ’) on a case where Football Association Premier League Limited (shortly followed by UEFA with a similar initiative), the owner of the Premier League filming rights, requested the adoption of a blocking order for the so-called “streaming servers“, to the major English connectivity service providers (including British Telecommunication PLC and Sky Uk Limited).

The peculiarity of HCJ’s decisions concerns the technical solution granted to rightholders: the injunction is not aimed (as in the past) at individual pirated websites, but directly at the servers from which the illegal streaming of content is originated. The blocking order, which HJC itself has defined as a “live blocking order“, is aimed at IP addresses specifically used by streaming server operators during each football match; IP addresses that must be “unblocked” once the football match is over. As the blocking is limited to the duration of matches, it will not affect the freedom of access providers to conduct business, which will be able to use already available technologies, without facing any additional costs. On the other hand, the rightholder will receive immediate and effective protection. In this framework, both the sequestration orders repeatedly issued by the Italian Criminal Judicial Authority, with object not only the current domain name of a given pirate site, but also the “relative aliases and current and future domain names, referring to the site itself“, and the very recent proposal of AGCOM for the amendment of the Regulation on the copyright protection, as per resolution no. 680/13/CONS which, precisely, provides for particularly rapid blocking procedures in cases of repeated violations already established, including through websites that are a mere reproduction of those already subject to previous blocking orders. On an international level, Russia has also recently adopted specific rules to contrast the widespread phenomenon of pirated “mirror” sites with the Decree 1225 of 7 October 2017: this regulatory instrument allows rightholders to obtain measures to block “mirror” sites with no need to obtain new orders from the judicial Authorities each time (as a result, more than 500 sites have already been blocked since the aforementioned Decree became effective).

The European Recommendation on the fight against illegal content online

Lawyer Alessandro La Rosa

On the 1st of March, the European Commission adopted a recommendation on measures to effectively monitor illegal content online (“Recommendation”). The main objective of this recommendation is linked to the services of hosting providers, which, as known, play a key role in the enforcement of rights, including copyright, on the Internet: a guideline was already set out by the European Commission in its Communication dated 28 September 2017; with this recommendation, the Commission consolidates the measures taken in the framework of various initiatives.

First of all, a fundamental principle is settled: “what is illegal offline, is illegal online as well”, and therefore any information that is not in accordance with the EU or Member State’s law (both child pornography and infringements of intellectual property rights), if it is illegal in the physical reality, is illegal in digital reality as well.

The Recommendation is a further step forward, as it formally defines the operational measures that should be taken by businesses and Member States, regarding the detection and the removal of illegal content, through reactive or proactive measures (such as the use of automated tools to detect illegal contents). Specifically, it’s reiterated that, according to the rules contained in the E-Commerce Directive (2000/31/EC), Member States may impose a duty of care on hosting service providers, regarding illegal content that they may store (Recommendation, recital 8). While imposing “effective, appropriate and proportionate” measures to impede – and where possible prevent – the stream of illegal content, consideration should be given to all fundamental rights, in particular those guaranteed by the Charter of Fundamental Rights of the European Union, including intellectual property (Recommendation, recital 13), as well as the current status of technological development (Recommendation, recital 14).

The Commission, in accordance with the law cases of the EU Court, has reiterated that hosting service providers can become aware of illegal content independently (“in different ways“) of the alert from the subject involved, and that in the case of a report, the level of accuracy of the report itself should be analysed “in the light of the specific features of each individual case”: it implies that, in the case of infringements of intellectual property rights, the information that may be given to the provider may be significantly different from that required, for example, for the localization of illegal content of another nature (e.g., defamatory content). In order to ensure transparency in the activity of hosting service providers, they should publish, at regular intervals, reports on their activities related to the removal of illegal content or the blocking of the access to it, as well as specific reports to the Commission on their monitoring activities. The desire of Commission is that the fight against illegal content online will be carried out with a “holistic approach“, as such content is often transferred from one hosting service provider to another, which should share experiences, technological solutions and best practices (Recommendation, recital 30). Finally, of considerable importance, is the fact that the Recommendation is also intended to affect the activities of all hosting service providers, regardless of whether they are established in the Union or in a third country, on condition that their activities are directed at consumers resident in the Union.