Some considerations to the famous case “Vivi Down versus Google Video Italy” require to point out that the increasing evolution of technologies has determined on the one hand a certain crisis of “old” legal concepts (such as the connection between the territorial sovereignty of a State and its domestic jurisdiction), and on the other the necessity to adopt new legislative measures in order to avoid lacunas. For instance, this occurs with regard to the lack of competition regulation upon the Online Gambling in Italy against which the European Commission started an infringement proceeding in 2003. This paper aims at underlining the arguments that need to be considered in the case at hand.
The first issue to address is the question of jurisdiction. Since the world wide web goes beyond the State’s boundaries, it’s not easy to determine the competent court to hear a specific case. In fact, in the present case, Google is an organization based in U.S., though “Google Italy” is located in our country; therefore, what is the applicable law, and what is the competent jurisdiction? Can the directive 95/46 EC and the Italian Data Protection Code (both on data protection) be applied? In this light, the Italian Court of Appeal has stated that: “Since Google Italy is a legal entity established in Italy, the company is burden by the duty to comply with the Italian legislation governing personal data protection.” However, as defendant argued, Google Italy could not be bound by the Italian legislation since the data contained in the offending video were processed in Denver (USA), the real location of Google services, while not in Italy.
In conclusion, the Court of Appeal recognised the jurisdiction of the Italian Tribunal, making reference even to the “effect theory”, which considers the effects of a harmful conduct consistent with Brussel I regulation.Indeed, under this regulation, the defendant can be sued even before the Court of the place where the damage occured (the competent court is no longer only that of the defendant domicile). Moreover, according to the ECJ, both the place where the harmful event happened and the one which gave rise to that event are relevant. These considerations lead to think not only that the rules on jurisdiction have overcome State boundaries, but also that an increasing jurisprudence trend takes into account where the effects of a tort occured.
On merit, the second question concerns the liability of the ISP for having published the offensive video uploaded by a girl where an autistic guy appears to be bullied by a group of schoolmates. The Google executives were charged two criminal offences: first, defamation, second unlawful processing of personal data.
Under article 595 of the Italian criminal Code, defamation is a statement that harms the reputation of an individual. In Vividown versus Google the reputation of Vivi Down association and the one of the bullied boy have clearly been offended. Essentially, the ISP deliberately launched the video uploaded without any kind of control as to its business policies. Therefore, the Court has to assess whether a causal nexsus between the omission of the ISP and the damage suffered by the individual occurred. Pursuant to article 40(2) of the Italian criminal Code, failing to prevent an event which one has the legal obligation to prevent, is equivalent to causing it. The Court of Appeal stated that there was not general obligation upon ISP to check the site content, as no provions rule such a duty. Hence, given the dimension of the data inflow, the Court claimed it would be impossible for the operator to check all the contents, despite all its efforts; furthermore, a preventive check shall be excluded since its extreme difficulty from a technical viewpoint. In addition, such an obligation might clash with the principle of freedom of expression. Remarkably, it is very difficult to balance the right of expression, under art. 10 of the ECHR and the right of privacy incorporated under art. 8 of the same Charter.
The second issue concerns the unlawful processing of personal data. Under Italian law, art. 13 of the Data Protection Code provides that the circulation of personal data is permitted contingent upon the agreement of the individual involved. Therefore, there was an obligation upon ISP to notice all the users that their personal data were processed. This is a crucial point because the Court of Appeal overturned the first instance decision. As the court pointed out, the provision mentioned made no reference to any potential liability of ISP not to have informed the users about the use of third party personal data. It only referred to the obligation to inform the subject of the processed data (in this case the autistic guy). Finally, it emerged that it was only the uploader who acted as a data controller (the young girl) to ensure that the posted content on the web did not infringe third parties rights. Hence, under the Italian legal system, a real relationship between Google, acting as a data processor, and the autistic guy, the data subject, was not found. According to the Court of Appeal, only the data controller is responsible of the charges. At the meantime the liability does not extend to the data processor, irrespectively of its active or passive role. Indeed, it is not relevant in terms of liability: a “quid pluris” of control does not amount to a legal obligation to monitor content posted by the users.
To conclude, only the girl who uploaded the video is liable. As a matter of fact, she was the only controller of the data, while Google merely processed the video upon request. Therefore, Google did not breach any Italian laws. It must not be forgotten that the Courts has the duty to decide according to the law into force.
 The author would like to thank Oreste Pollicino, Associate Professor of Public Law at Bocconi University, for his great support and for having stimulated the research.
Brussel I Regulation, n.°1215/2012, article 7 paragraph 2.