Italy - DPA orders Facebook to ‘hand over’ user data
Published 11 February 2016
An Italian Facebook user asked the Italian DPA to issue an order to Facebook to hand over the data it held relating both to his real profile and to a false profile, purporting to belong to the user, that third parties had created to commit criminal activities. Following this request, the DPA ordered Facebook to hand over the data and not to delete it, so that it remained available to the authorities.
The order was based on Section 7 of Italy’s Privacy Law (D.Lgs. 196/03) about the Right to Access Personal Data, which provides that “a data subject shall have the right to obtain confirmation as to whether or not personal data concerning him exist, (…) and communication of such data in intelligible form.”
The Italian DPA held that it was competent to hear a claim lodged by an Italian user, and rejected Facebook’s claim to be subject to Irish jurisdiction.
This conclusion was based on Italian law (Section 5 of Italy’s Privacy Law), which applies to organisations based in Italy, which Facebook was deemed to be, having an Italian permanent establishment (Facebook Italy s.r.l.), under Section 4 Paragraph 1, lett. A) of the Directive 95/46/EC, and the European Court’s decisions “Google Spain” of 13 May 2014 and “Weltimmo” of 1 October 2015.
This decision is yet another example of companies not headquartered in a country being nevertheless subject to that country's law because they are deemed to have an "establishment" there. An Italian branch of an organisation based in another country should check for possible differences between Italian law and its domestic privacy law, and consider that the Italian DPA may have jurisdiction.
The judgement can be accessed here (Italian).
Submitted by Aldo Feliciani of Studio Legale Bonora e Associati – Milan, Italy