Even Thumbs Deserve Privacy

This article published by Il Fatto Quotidiano is illustrated by a photo that portrays a policeman from the mobile team of Rome and an arrested man whose image is blurred. Not, as you might think without seeing it, on the face that also has a winking expression towards the photographer, but on the hand that is shaped in the pose (the thumb raised) universally become synonymous with “I like it”.

The expression of the arrested subject is disturbing because it is no different from that of a star crossing the red carpet of a film festival or a sports champion celebrating a victory. And it reinforces the mistaken perception – further distorted by television series such as Narcos and Gomorrah – that there is an aesthetic of evil in the name of which, by committing atrocious acts, one can become famous.

This “right thumb” attached to the hand of an ordinary person accused of a crime obviously means that from the desire for a “moment of glory” experienced in film/television fiction we have moved on to the lust of a celebrity at all costs, including that of becoming a protagonist of a crime story.

I don’t know who (whether the photographer or the newspaper) has made the choice to blur the anatomical detail of the arrested, but in both cases I can’t find a reasonable explanation, except for the one that, by now, even the thumbs have a right to their privacy.

Light Spam is not a criminal offense says the Italian Supreme Court

The Italian Supreme Court – III criminal branch ruled that “light spam” is not a criminal offense under both the pre and post GDPR enforcement in Italy.

Section 167 of the Italian Data Protection Code holds as a criminal offense the illegal processing of personal data when the processing is carried on by causing “nocumento” (a legal concept different from “damage”, “tort” or “threat”, that is related to the causation of an infringement of the personal or financial sphere of the individual ). So, for somebody to be charged of this criminal offense, the sole element of unauthorized processing is not enough. Continue reading “Light Spam is not a criminal offense says the Italian Supreme Court”

Why The Reasonable Privacy Expectation is a Flawed Test

In Protecting Personal Information we (Professor Wacks and I) argue that the right to privacy should be considered as the right to control our own personal information, where the attribute “personal” means “related to the intimate sphere of the individual.”

A major critics to this approach is held by those who find our definition of “personal information” to vague because what is “personal” for subject A may not be alike for subject B. In contrast, they favour the “reasonable privacy expectation” test that is (supposed to be) an objective standard in ECHR Article 10 cases.

I think that this criticism has no merit. Continue reading “Why The Reasonable Privacy Expectation is a Flawed Test”

On Jurisdiction, the European Court of Justice and the GPDR

In the decision C-507/17 the European Court of Justice holds that

it is not apparent from the legal texts that the EU legislature has struck such a balance as regards the scope of a de-referencing outside the EU, nor that it haschosen to confer a scope on the rights of individuals which would go beyond the territory of the Member States. Nor is it apparent from those texts that it would have intended to impose on an operator, such as Google, a de-referencing obligation which also concerns the national versions of its search engine that do not correspond to the Member States. What is more, EU law does not provide for cooperation instruments and mechanisms as regards the scope of a de-referencing outside the EU.

Thus, the Court concludes that, currently, there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject, as the case may be, following an injunction from a supervisory or judicial authority of a Member State, to carry out such a de-referencing on all the versions of its search engine.

The Court therefore reaffirms the prevalence of the legal notion of jurisdiction as a geographical limit to the exercise of State power and – correctly – refers to the borders of the Member States and not of the European Union as such.

On the other hand, it cannot be agreed with the part of the decision where

The Court points out, next, that Google Inc.’s establishment in French territory carries on activities, including commercial and advertising activities, which are inextricably linked to the processing of personal data carried out for the purposes of operating the search engine concernedand, second, that that search engine must, in view of, inter alia, the existence of gateways between its various national versions, be regarded as carrying out a single act of data processing in the context of the activities of Google Inc.’s French establishment. Such a situation therefore falls within the scope of the EU legislation on the protection of personal data.

This is the very same legal principle affirmed by the Court in Costeja-Google Spain to affirm its jurisdiction and enforced by the Italian Data Protection Authority in the injuction that fined Facebook Italy for the Cambridge Analytica scandal.

The injunction verbatim states 1

in this case, the activities examined were unequivocally addressed to Italian users through the sections that Facebook reserves for them to use the services of the social network. The close correlation between the Italian territory and the context of the processing operations carried out, which involved, for the most part, Italian users, is therefore apparent;


even if it refers to the activities of a search engine operated by a non-European entity, the provisions of the judgment of the Court of Justice of the European Union, C-131/12, must also be taken into consideration. In particular, paragraph 60 of that judgment states that”processing of personal data is carried out in the context of the activities of an establishment of the controller on the territory of a Member State, …  when the operator of a search engine sets up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State.

This principle of law is politically understandable, but not legally acceptable.

It may be true that the purpose of advertising is to ‘push’ users to use a service, but it is also true that the actual and technical use of the service itself is originated by the user that sends the data to the USA and that, therefore, the processing starts outside the EU. Thus, in terms of processing of personal data, the direct obligations of the service provider start only later, that is, for example, when information about the user is actively collected through cookies.

However, the fact remains that the legislation on the processing of personal data regulates the collection and not the “contribution” or the mere “support” to the collection of data. Therefore, if the European subsidiaries do not develop (even partially) autonomous activities in the technical process of collecting and further processing of data, it cannot be argued that Community law should also apply to them.

  1. Unofficial translation by Andrea Monti

The EUCJ to Alter The Personal Liability Principle

With a disturbing decision, related to case C-136/17 in re: search engine’s de-listing duties the European Court of Justice hold that

the operator of the search engine as the person determining the purposes and means of that activity must ensure, within the framework of his responsibilities, powers and capabilities, that the activity meets the requirements of EU law in order that the guarantees laid down by EU law may have full effect and that effective and complete protection of data subjects, in particular of their right to privacy, may actually be achieved.

but did not spend a single word on the role and duties of the originator of information. Continue reading “The EUCJ to Alter The Personal Liability Principle”