On December 17, 2010 the Court of Milan held two managers of a company, Buongiorno Vitaminic, liable for unlawful data processing, as they sent unsolicited email (so-called “spamming”) to about 180.000 subscribers of a website.
It is the first time in Italy a court sentences imprisonment for “spamming” practices.
Facts
Since 2001 the website “fuorissimo.com” asked Buongiorno Vitaminic to manage the database of the “fuorissimo” newsletter, which had about 450.000 subscribers. After the termination of the contract for such service, Buongiorno Vitaminic went on sending newsletters to about 180.000 users of the “fuorissimo.com” website advertising its own services, without asking for the users’ consent. As a result, two managers of Buongiorno Vitaminics were sentenced by the Court of Milan to nine month imprisonment for unlawful data processing.
Now, according to the press, the Court of Appeal has confirmed the first instance decision.
Privacy framework
Under Italian law, email addresses are personal data,[1] and shall be processed in compliance with the data protection requirements as set forth by the Data Protection Code (Legislative Decree no. 196/2003). Thus their use for promotional and/or advertising purposes is only allowed if the data subject[2] has given his or her prior free, specific and informed consent (“opt-in” approach), by differentiating between the different purposes and services/products on offer prior to sending out the relevant messages.[3]
Consent may not be considered unnecessary because personal data concerning an individual’s e-mail address are allegedly “public” in that they are available to everyone. For instance, email addresses relating to users participating in discussion groups on the Internet are made known exclusively for taking part in a given discussion and may not be used for different purposes in the absence of their specific consent. A similar conclusion can be drawn in case of email addresses contained into databases set for certain purposes, such as the “fuorissimo.com” database in the case in comment.
E-mailing without data subjects’ consent might constitute unlawful data processing. In such event, the following sanctions might apply:
- an administrative fine ranging from EUR10.000,00 to EUR120.000,00[4]; and
- only if acts were committed with “fraud”/willful intent, the criminal sanction of imprisonment ranging between six and eighteen months and, if personal data were unlawfully communicated or disseminated, imprisonment for between six and twenty-four months.
Comment
“Massive” e-mailing (“spamming”) is a very hot topic under Italian law. The Data Protection Authority (the Garante) prohibited “spamming” practices (carried out also via fax and sms) in several decisions, highlighting the need for personal data to be processed only in so far as data subjects have given their prior free, specific and informed consent thereto.
In addition, it is worth noting that spamming is considered an unfair commercial practice (in particular, an “aggressive” practice) under a consumer law perspective,[5] and might be sanctioned by the Italian Competition Authority for a maximum of EUR500.000.
Before the aforementioned courts’ decision against Buongiorno Vitaminc, there not appear to exist criminal convictions for such practices. This is probably because “spamming” might result in a crime only if specific requirements are met (e.g. once demonstrated that a company or an individual processed personal data with a view either to gain profit, for itself or another, or with intent to cause harm to the data subject (thus in both cases with “fraud”).[6]
Some arrangements might suffice to lawfully send emails for advertising purposes and avoid sanctions. In this regard, the Garante issued guidelines to lawfully e-mail advertising messages (Resolution of May 23, 2009, doc. web n. 1589969). For instance, the necessity to obtain data subjects’ consent may not be evaded by sending an initial e-mail with advertising and/or promotional contents to request the data subject’s consent, or by only granting the right to “opt-out” of the list of addressees in order to stop receiving similar messages.
Conversely, a “best practice” might be preliminarily obtaining the data subjects’ consent and thereafter confirming receipt of said consent by sending a message only aimed at informing that advertising material will be subsequently transmitted. This practice – in the view of the Garante – also allows verifying the e-mail addresses corresponding to the subjects that had given their consent as well as establishing whether the latter still applies.
The grounds for the Court of appeal’s decision have not been released yet. In the meanwhile, Buongiorno Vitaminic has already announced its intention to file an appeal to the Supreme Court.
[1] Article 4(1)(b) of the Data Protection Code: “any information relating to natural or legal persons, bodies or associations that are or can be identified, even indirectly, by reference to any other information including a personal identification number.”
[2] Article 4(1)(i) of the Data Protection Code: “Any natural or legal person, body or association that is the subject of the personal data.”
[3] Article 11 of the Data Protection Code.
[4] Article 162, paragraph 2-bis, of the Data Protection Code.
[5] Article 26(1)(c) of Legislative Decree 206/2005 (Consumer Code).
[6] Article 167(1) of the Data Protection Code.
