Safe enough!

Safe enough! Not.

As a comeback after this very long pause, I would like to address a recent ruling of a Portuguese court, which followed the complaint of a woman against her ex-boyfriend, alleging revenge porn due to the online release of an intimate video on related websites.

Grosso modo, the details of the case are as follows: the woman and the man had a relationship. During that period, they mutually agreed to video record sexual interactions, on the condition that that record would never be watched by anyone else.

The quality and the angles of the images allowed for a clear identification of the complainant. The man retained a copy of the record and saved it in his personal computer.

After having ended the relationship, the woman found out that the video had been published and further divulged online, where it was freely available, and easily found by a simple and adequate terminological search. Moreover, it was argued that it was visualized by people who personally knew the complainant, namely from her area of residence and workplace.

It was not demonstrated in court that the man was the author of the original online release of the video. As a result, it was not demonstrated that this was a case of revenge porn. However, he admitted that the computer where a copy of the video was saved was frequently used by friends and family members.

Thus considering, the court concluded that the man was – due to the abovementioned pre-existing verbal agreement – obliged to keep safe the copy of the video he retained and to practice according necessary acts.

Therefore, by unrestrainedly permitting the access to the computer where a copy of the aforesaid recording was saved, it was deemed that he consequently had violated the duty of appropriately guarding it, i.e., by lacking to practice the acts he was obligated to.

The court hence ruled that this omission of properly secure sensitive information regarding the complainant entitled the latter to a pecuniary compensation.

In my opinion, this unprecedented ruling is very welcomed as a necessary judicial answer to the proliferation of revenge porn in the online context.

However, while I am fully aware that it is very difficult to judicially sustain allegations of revenge porn and that neither the responsibility of its authors nor the moral damages of the victims should go unanswered, I am really not sure if the procedence of such claims should rely on the ‘omission’ of an agreed act of keeping a given information secure.

It is evident that nowadays, particularly in regards of computerized information, privacy cannot be dissociated from security. However, recent history demonstrates that even large firms, processing information as sensitive, with far more resources and despite spending millions on security diligence, are unable to keep personal and sensitive data safe.

Therefore, it must be asked: what can qualify as such an omission when individuals are involved, specifically when demonstrated that an individual has no particular knowledge regarding ICT security or is convinced that all the appropriate measures were taken?

In the particular case at stake, it seems that it was the negligence – the permission of access to the computer where a copy of the video was saved – that was deemed determinant to qualify the conduct as a relevant omission.

Nevertheless, considering the lack of objective criteria, would it make a difference if the video was saved on the desktop as ‘wildnightsexwith(girlfriend’sname).mp4’ or if it was in a personal account in the computer and he forgot to log off, thus enabling others to access his personal files?

Anyway, as this is certainly the first of many ruling on similar factual issues, the courts will have plenty of opportunities to clarify the unanswered questions and to define objective criteria – or at least try – in this regard.