Thursday, January 31, 2013

Acquitted in Italy, finally


Finally, after 6 years of criminal prosecutions and appeals, my colleagues and I have been acquitted of a “privacy crime” in Italy.  

This case generated significant interest in the broader legal and Internet communities.  Some dismissed the entire proceedings as absurd.  Others viewed it as a seminal test of freedom of speech and the liability of Internet platforms for user-generated content.  I want to share a few thoughts, both on the procedural next steps, and on the broader significance of the verdict, from my personal perspective.  

Procedural Next Steps:  The Milan court announced its decision to acquit us on December 21, but it has until February 19 to issue its written decision.  The Public Prosecutor will have until roughly April 5 to decide whether or not to appeal the acquittal to the top Court of Cassation.  So, things are not quite finished...

Why is the case important?  Well, first, my colleagues and I were on trial personally.  Indeed, Google Inc was never on trial here.  Under Italian law, you can’t put a corporation on criminal trial, so the prosecutors had to find some “responsible” humans instead.  The lower-court judge imposed 6-month (suspended) jail sentences on three of us defendants.  I was always baffled by the conviction, because the Italian Privacy Code’s Article 13, on which my conviction was based, doesn’t carry a criminal penalty and I had no connection, direct or indirect, with the incident or conduct of affairs of Google Italy.  As a lawyer, I would have thought:  case closed!

For many years, I simply refused to set foot in Italy.  Criminal law is a blunt instrument that is inappropriate as a regulatory tool.  My criminal prosecution in Italy is a terrible example of a court trying to make Internet/privacy policy in a very dynamic field through criminal prosecution. Let the Garante, the Italian Parliament and the European Union resolve such issues.  

Globally, this case resonated, because people quickly understood that this has a direct impact on free speech and freedom of the Internet. The Internet is an incredibly valuable resource that provides services to the worlds’ population not even imaginable a decade ago. It can only function in an open and free environment, and intermediary liability is a critical issue.

This case also affected the global perceptions of Italy, in terms of business and e-commerce.  Italy was simply viewed as out of step with how other advanced countries are dealing with these issues, or as one journalist put it more colorfully:  “Italy risks internet Stone Age with trial of Google Executives.”  By maintaining this aggressive use of its criminal privacy laws, it moved itself further outside of the area of risk that e-commerce businesses are willing to take on to do business in Italy. Why would anyone locate an EU e-commerce headquarters or major data center in Italy given this risk?  

The case dealt with the unfortunate ways that vulnerable victims can be injured by users of the Internet. The Italian courts had already dealt with the students who abused the victim here and their teacher who made this unfortunate incident possible.  But the appeal by us three Google employees raised far different issues. Billions of photos and videos are uploaded to Internet platforms around the world every day.  Is it fair or right to prosecute employees of the internet company that provides the forum and search capabilities for a single bad photo or video that is later found amongst those billions of others?  

I am relieved that justice was finally served in Italy.  I hope the prosecutor does not choose to appeal this case to the top Court of Cassation.  Enough is enough.  I have no idea how much Italian public resources have been wasted on this mis-guided 6-year prosecution.  This prosecution served no public interest, and least of all, Italy’s.  Justice has now finally been done, and it’s time to let this entire sorry saga rest in peace.     

Tuesday, January 29, 2013

My Resolutions on Privacy Day



January 28 is Privacy Day.   I love the privacy profession.  Privacy Day is a good day to reflect a bit, and January is the time for new resolutions.  Here are mine:     

1)  Take the high road:  I've chosen a career built on the fault lines of privacy, and it's my job to help people cope with them.  This stuff matters, real people get hurt every day, and I should try to be worthy of it. Can you imagine the anguish of a teenager who would jump off a bridge when his privacy was invaded?  

2)  Respect governments:  Governments are full of contradictions.  One arm regulates privacy while another arm operates vast surveillance systems.  Show respect for governments by fighting every day for the rule of law, especially where the rule of law is weak.   

3)  Streamline:  Privacy is a field that has spawned a complicated compliance bureaucracy.  Meet your compliance obligations, but paperwork is not your life's mission.  Don't become entangled in it like a turtle in a fishnet.    

4)  Be a lawyer, not a martyr:  don't let people hold you accountable for stuff over which you have no control.   I've been through years of criminal prosecution for not stopping a single video upload, in a world of billions of videos.  I'm a lawyer and a privacy professional.  I'm not a scapegoat for the sins of the Internet.       

5)  Stay pragmatic:  Privacy law has always been a tussle between two schools:  the realist/pragmatists and the aspirational/fundamentalists.  Follow the pragmatists' lead:  take a look at the eminently reasonable and pragmatic leadership shown by the UK Information Commissioner's Office new cookie disclosure:.  Leave privacy-as-a-beautiful-fiction to the poets.  

6)  Strong backbone:  emulate people who have the backbone to deny requests for users' data from law enforcement, when law enforcement doesn't follow the rules.  Admire the backbone it takes to make these statistics public.  

7)  Help the courts resolve the law's conundrums:  you're not a court, and don't try to resolve real-world conflicts between the Right to be Forgotten and Freedom of Expression.  The world will throw these knots into your lap and ask you to untangle them.   Throw them back to the courts where they belong. 

8)  Operationalize:  Privacy is a field full of reality-divorced rhetoric, and it always has been.  The legislative debate in Brussels over revising the EU privacy laws is wandering through whacky, weird wonderland.  As privacy professionals, our job is to operationalize privacy rules.  If the law-composers in Brussels are writing a score that no human musician can play, what good is that?

9)  Cherish your private zen-zone:  I swim a lot.  It helps me focus and stay calm.  Privacy issues are becoming more intense, laws and lawsuits are proliferating, criminal laws are being invoked more frequently.  I start most days with intense swim training:  After 8X50 descending set fly, I can face just about anything.  

10) The best is yet to come:  Tech will evolve, faster than you think.  Internet services will get more personalized.  Big Data will get bigger.  Government surveillance is increasing.  Security attacks will become more dangerous and sophisticated.  Machines and nanotech will be able to record and remember everything.  

And you, dear privacy professional, should steel yourself to stare into the luminous face the future.  

Happy Privacy Day!