MMS and Data Protection - 12 march 2003 
MMS and Data Protection - 12 march 2003 
[doc. web n. 1672134]
MMS and Data Protection
The Garante per la protezione dei dati personali
Prof. Giuseppe Santaniello, Vice-President, Prof. Gaetano Rasi and Mr. Mauro Paissan, Members, and Mr. Giovanni Buttarelli, Secretary-General, having convened today,
Having regard to the reports submitted to the Authority in connection with MMS messaging,
Having regard to the records on file,
Having regard to official records as well as to the considerations made by the Secretary General pursuant to Section 15 of Regulations no. 1/2000,
Acting on the report by Prof. Gaetano Rasi,
Reports have been submitted to the Authority questioning compliance with personal data protection legislation of the use of the new mobile phones allowing images and sound to be rapidly recorded, stored and communicated to third parties by means of the GPRS - General Packed Radio Service technology and, with regard to filmed images, via the UMTS - Universal Mobile Telecommunications System network, being the so-called Multimedia Messaging Service, hereinafter referred to as MMS,
Said reports refer to the circumstance that any person in the possession of a mobile phone capable to send these messages can easily record and circulate images collected in public places, whether publicly accessible or not, in respect of individuals whose private sphere and dignity may be affected without their being aware thereof,
1. General Considerations
The aforementioned reports concern new mobile telephony applications that can be lawfully used; in fact, they are quite commonly used in connection with one´s private life and relations.
These utilities are not very different from those made available by digital cameras that can be connected with a computer; however, given their direct link to a digital mobile telephony device, they allow images to be transmitted even more quickly to an indefinite amount of recipients also via the Internet.
This Decision takes into consideration some possibly unlawful applications that might be related both to use of the above devices by natural persons for personal purposes and to other circumstances such as their use by private detectives - without prejudice to the timely assessment of other application issues that may arise in future, starting from the envisaged extension of MMS technology to fixed telephony equipment.
2. MMS Messages May Entail Processing of Personal Data
Images, sound and motion pictures sent via MMS messages may contain personal data concerning an identified/identifiable data subject, in particular a natural person (see Section 1(2) of Act no. 675 of 31 December 1996 - defining personal data as "any information relating to natural or legal persons, bodies or associations that are or can be identified, even indirectly, by reference to any other information including a personal identification number" ).
Collection, storage, use and dissemination of such data may give rise to "processing" of personal data (see Section 1, letter b) of the DPA) and might also concern health, sex life and other "sensitive" information requiring special safeguards to protect data subjects (see Section 22(1) of the Act - only think of reproducing images in which disabled people are displayed).
In reminding users of the precautions and obligations applying to MMS messages, it is necessary first and foremost to clarify when the provisions on processing of personal data are applicable - with particular regard to Act no. 675/1996.
3. Cases in Which Act No. 675/1996 Does Not Apply
Act no. 675/1996 does not apply if the MMS messages do not contain personal data.
Nor does the Act apply if individual natural persons process personal data "for exclusively personal purposes". In such cases the processing operations are not subjected to the relevant obligations, in particular those laid down in Act no. 675/1996 - on condition, however, that the processed data "are not intended for systematic communication and/or dissemination".
For instance, the provisions in the aforementioned Act do not apply if a picture is taken and then sent to friends or relatives: the person taking the picture and/or filming the images via its own mobile phone is doing so to fulfil exclusively personal purposes - to cultivate his interests, entertain himself or others, etc. - and the images (s)he communicates are available to a limited range of entities.
Conversely, the Act does apply if an image is collected to be then disseminated on the Internet or else communicated to third parties on a systematic basis - even though this is only aimed at meeting cultural or information requirements.
There may also be extreme situations falling within the scope of the two examples quoted above, which will require special care and should be assessed on a case-by-case basis.
For instance, an MMS message may be sent out through a single communication act that is addressed, however, to a very large number of recipients. In this case it might happen, in practice, that the circumstances under which the image is sent out, even though on an occasional basis, give rise to a cascade communication - similarly to the circumstances accounting for application of the DPA to non-systematic communication of personal data via the Internet by individual users that implement the so-called MLM system.
Irrespective of the final outcome, i.e. of whether the provisions of the DPA apply or not, any natural person sending MMS messages for exclusively personal purposes should comply with the obligation to secure the information collected (see Sections 3(2) and 15 of the DPA). Additionally, account must be taken of the fact that respect for rights, fundamental freedoms and dignity of the third parties concerned should be ensured also with regard to these processing operations (see Section 1(1) of the Act), and that if damage (including non-pecuniary damage) is caused to third parties, the sender of such messages is liable to redress unless he can prove that all suitable measures were taken to prevent said damage from occurring (Section 18 of the DPA and Section 2050 of the Civil Code).
4. Cases in Which Act No. 675/1996 Applies
Act no. 675/1996 applies, as already specified, if images, sound and other personal data are intended either for systematic communication to one or more recipients other than the data subject (see Section 1(2), letter g), of the Act), or else for dissemination to unidentified entities in whatever form also by making them available or searchable (see Section 1(2), letter h) of the Act - reference can be made to publication of an image on an Internet site by someone who had originally either collected or received such image via an MMS message).
In such cases, alleging that the processing is aimed at "exclusively personal purposes" (as per Section 3 of the DPA) is inappropriate; the Act applies in full ever since the personal data are initially collected.
As a consequence, the controller of the processing of the data contained in MMS messages is required to inform data subjects in the cases and in accordance with the arrangements set forth in Section 10 of the Act, either at the time of collecting the data or thereafter - depending on whether the data are collected directly from the data subject or not, respectively.
Furthermore, the data subject´s prior consent will have to be obtained - in writing if sensitive data are involved as per Section 22 of the DPA - unless any of the circumstances referred to in Sections 12 and 20 of the DPA apply in connection with "ordinary" personal data.
The specific provisions on exercise of journalistic activities and non-systematic publication of papers, essays and other intellectual works may also be applicable, which includes the well-known safeguards and guarantees required under the DPA as well as by the journalists´ code of conduct - i.e. respect for limitations on freedom of the press, with particular regard to "materiality of the information in respect of events and circumstances of public interest", possibility to provide a simplified information notice, and so on.
If the provisions on personal data protection are fully applicable, it will be necessary to comply, inter alia, with those requiring that the processing should be lawful, accurate, relevant and not excessive as well as with the regulations on transborder data flows, exercise of the data subjects´ right of access and compensation for damage.
5. Using MMS Technology Carries Additional Obligations
Irrespective of whether Act no. 675/1996 applies, using and sending MMS messages entails compliance with additional obligations that are laid down in general civil and criminal law provisions to safeguard third parties - also if the MMS technology is used for exclusively personal purposes as described above.
Image and sound data should be collected, communicated and disseminated by respecting the data subjects´ rights and fundamental freedoms; image data concerning another person should be used as permitted under the law.
Therefore, attention will have to be paid, in particular, to the safeguards laid down in Section 10 of the Civil Code - concerning Misuse of Another´s Image.
The same attention will have to be paid to the safeguards applying to exhibition, reproduction and marketing of a person´s portrait failing that person´s consent (see Section 96 of Act no. 633 of 22 April 1941 on copyright). The latter provides that the person´s consent is necessary unless image reproduction can be justified "by celebrity, the public office filled, judicial or police requirements, scientific, teaching or cultural purposes, or else whenever reproduction is related to events, circumstances, and celebrations either of public interest or taking place publicly". Exhibition and marketing are anyhow prohibited if they are "prejudicial to the pictured person´s honour, renown or decorum" (Section 97(1) of Act no. 633 of 22 April 1941).
Furthermore, the legal obligations applying to a person using MMS technology do not consist merely in the duty to refrain from infringing the rights recognised to data subjects as above, also in pursuance of the "neminem laedere" principle referred to in Section 2043 of the Civil Code. In fact, the user of MMS technology is required to comply with additional prohibitions carrying criminal punishments, such as those related to, in particular,
a) unauthorised collection, disclosure and dissemination of images concerning the private sphere taken either in another´s house or in other private dwellings (Section 615-bis of the Criminal Code),
b) the possible offence of "Abuse" in connection with specific messages that are sent to affect the recipient´s honour and/or decorum (Section 594 of the Criminal Code),
c) obscene publications (Section 528 of the Criminal Code),
d) protection of children against pornography (Section 600-ter of the Criminal Code, and Act no. 269 of 3 August 1998).
Therefore, users of MMS technology should consider all the above circumstances and take care that their conduct does not result into violating third parties´ rights - for instance, they should refrain from filming/picturing people in situations and/or under circumstances such as to affect their dignity and should fail to disseminate images to a considerable number of entities, also on a non-systematic basis, without the imaged person´s being aware of this in order to take the measures required to protect his/her own private life.
6. Additional Issues
Finally, three issues should be pointed out to complete the analysis of the safeguards that are required and/or appropriate in these cases:
a) Firstly, reference can be made to the possibility for managers of premises that are either publicly accessible or accessible to selected customers (e.g. gyms, sports clubs) to prohibit use of MMS technology inside the premises, or else to make it conditional upon appropriate safeguards. In such cases the instructions given will have to be complied with and non-compliance will be relevant in order to assess lawfulness and fairness of any behaviour departing from said instructions.
b) Secondly, it is necessary to take account of the well-known issue related to protection of freedom and confidentiality of telephone communications. This protection is also enshrined in our Constitution and entails the prohibition for telephone service providers to keep the contents of MMS messages except where this is necessary in connection with specific services requested by the subscribers concerned, based on their prior information and consent, as well as to access such contents in whatever manner by means of persons they have entrusted with this task.
c) Thirdly, account should be taken of the transient retention of MMS messages by providers offering specific services to send and receive MMS messages, in particular to recipient subscribers that are not equipped with mobile devices capable to receive such messages. If the messages are made accessible to recipients via the Internet on the basis of a personal code as well as for a short term, it will be necessary for said messages not to be kept by the providers either after being read by the relevant recipients - who may be alerted via SMS messages - or at the expiry of the above term.
It is hereby considered necessary that a copy of this decision be sent to telecommunication service providers as regards management of MMS-related services as well as in connection with their relationships with users and subscribers. A copy should be also forwarded to the Authority for Communications Safeguards and the Ministry for Communications.
BASED ON THE ABOVE PREMISES, THE GARANTE
a) under Section 31(1), letter c), of Act no. 675 of 31 December 1996, draws TLC service providers´ attention to the need for ensuring compliance of processing operations concerning personal data with the provisions and principles referred to herein,
b) orders that a copy of this decision be sent to the Authority for Communications Safeguards and the Ministry for Communications.
Done in Rome, this 12th day of March 2003.
THE SECRETARY GENERAL