Peter Fleischer, Google’s Global Privacy Counsel, has resumed blogging after a long hiatus that is related to Italy’s criminal charges against him and other Google executives. The charges are the result of a video that some Italian teens uploaded showing the harassment of a classmate with Down’s Syndrome. Peter explains his absence:
I was rattled to see an Italian public prosecutor scour my blog and print out copies of it to help him indict and prosecute me and some of my Google colleagues for some “privacy” criminal theory. I’m all for free speech, and love a robust debate of privacy issues, but seeing your own words being combed through by a prosecutor who’s looking for evidence to convict you in criminal court is enough to give anyone reason to pause from blogging.
Or to just delete their whole blog. It’s bad enough having people poring over your blog looking for evidence against you in a civil case, but a criminal case must be absolutely stomach-knotting. Peter describes his arrest here, and in a subsequent blog entry, Ciao, Italia!, comments on the import of the trial:
Italy has a legal concept which is unknown in Anglo-Saxon countries: namely, that an employee of a company can be held personally criminally liable for the actions or non-actions of the corporation he works for. Moreover, Italy has also criminalized much of its data protection laws, meaning that routine data protection questions can give rise to criminal prosecutions. As everyone in the field of privacy knows, data protection laws are full of sweeping statements that need to be interpreted with judgment and common sense. But imagine the consequences if every data protection decision made by a company can be second-guessed by a public prosecutor with little knowledge of privacy law. Does that mean that a data protection lawyer working for a company is running the risk of personal criminal arrest and indictment and prosecution for routine business practices?
This case is a troubling one on many levels. Should executives of companies ever be prosecuted criminally for data protection lapses or privacy breaches, and if so, under what conditions? What do you think? Reading about this case reminds me of a t-shirt one of my kids has that says, “I didn’t say it was your fault. I said I was going to blame you.”