In its long awaited judgement, the Italian Supreme Court ruled that Google Video could be not be deemed a data controller with regard to the videos it hosts on its platform. As a result, they cannot be held responsible for the dissemination of these videos. The Court specified that the rules ‘presuppose actual decision-making power over (a) the purposes and means of the relevant processing (dissemination to the public); and (b) the balancing between different rights and interests at stake. It can be deduced from the existing framework that this decision making power depends on the existence of actual knowledge. In other words, Google Video only becomes responsible (data controller) from the moment it is made aware. This interpretation, the Court explained, is in line with what is written down in the eCommerce Directive (exemption of hosting providers and no general obligation to monitor, artt.14-15).
It is worth saying, however, that many processing activities are relevant in this context. The dissemination of the video (containing personal data) is one processing activity, for which the uploader should be considered controller. But, besides this, the video (and hence the personal data contained within) is potentially subject to many other processing activities as well (analysis for behavioural marketing purposes, facial recognition, etc.). With regard to this second strand of uses of the data, a strong argument can be made for the hosting platform to be the data controller. After all, they are determining the purpose and means of these specific activities.
Because in the case at hand, it was mainly the activity of dissemination that was objected to, the original controller bears primary responsibility. But this should not overshadow the responsibilities of hosting platforms (and the like) for the plethora of other processing activities the data is subject to.