Decree no.225 of 29 December 2010, the so-called “milleproroghe” (the annual thousand extentions Decree) has removed both the obligation for Internet access providers to identify users and that of keeping data relating to operations made by them provided for by the so-called Pisanu Decree which has already been referred to on several occasions.
In point of fact, the paragraphs removed are nos.4 and 5 of Legislative Decree no.144 of 27 July 2005, approved with amendments by law no.155 of 31 July 2005.
The obligation of identifying Internet users constituted a typically Italian anomaly which was not to be found in other countries. The abrogation of this norm had long been hoped for in that it would eliminate such anomaly.
Clearly, the obligation has been eliminated but those providers who still wish to identify their users, however, will be permitted to do so once their users have been adequately informed in compliance with their contracts and with the norms of the Personal Data Protection Code.
There has been a certain amount of concern on the web due to the Authority’s deliberation regarding the regulation of audiovisual and radio online services,published at the end of 2010.
The most widely criticized aspect of the regulation is the possibility of its being applied equally to all audiovisual media providers. Therefore it would affect YouTube and traditional audiovisual media providers, such as television broadcasters. In point of fact this regulation will be applied to all commercial audiovisual media services which exceed 100.000 euros per year income derived from advertising, Tv-shopping, sponsorships, contracts with public and private bodies, public funding and pay-per-view offers.
This regulation will also affect user generated content website organizations when they have editorial responsibility and also indirectly or directly generate economic profits from their activities.
According to the Authority’s second deliberation, the concept of “editorial responsibility” also includes a video cataloguing service provided by such user generated content sites. Simple automatic indexing of audiovisual content also appears to be included in the definition.
Thus, the regulation would appear to exclude small Web Tvs and amateur videoblogs, but it would include video portals such as YouTube, Vimeo, Daily Motion and so on. Such sites will now be subject to the same legal obligations fulfilled by television networks, among which direct responsibility for audiovisual content.
In particular, new obligations for the major audiovisual content websites will therefore include the obligation of rectification within 48 hours, the protection of minors, and copyright infringement responsibility.
According to many analysts, the concept of editorial responsibility will in future play an increasingly important role in all those trials in which broadcasters and copyright owners claim compensation and removal of content from video sharing sites.
Some experts have also raised the question of the difficulty in applying norms which are traditionally applied to television, such as the introduction of safe time slots for children.
However, there are serious doubts as to whether the Authority’s regulation could be effectively applied to websites operating in other countries of the European Economic Zone.
Social networks, privacy-by-design, right to oblivion and accountability were the main topics debated in the course of “Privacy Generations”, the 32nd International Conference on Data Protection and Privacy Commissioners .
The newest of these topics is the concept of accountability, the introduction to which is the result of more than two years of work by a group of experts of which I am part and which is documented and published in The Centre for Information Policy Leadership.
Accountability will play an important role in modifications (currently in progress) of the European Directive on e-privacy.
What is accountability? It could be defined as responsibility and at the same time proof of responsibility.
The concept was originally devised in order to facilitate the international flow of personal data, but it may have a broader application and may be a more general reference model in personal data processing.
Sources of accountability may be legislative, administrative or contractual. The data controller must be able to demonstrate that he has adopted a comprehensive procedure of personal data protection consisting of legal measures, organizational procedures and technical solutions and has also acted through the creation of specific organizational models, similar to those used in the application of d.lgs 231/2001.