The Article 29 Working Party of the European Data Protection Authorities (DPAs) has published a report on the public consultations held inside the Working Group in particular regarding critical aspects of the Privacy Regulation such as the concept of “consent”, compliance with notification of data breach and the profiling process.
As we know, the European Regulation 2016/679 on the processing of personal data, which has been in force since 24th May 2016, will take full effect from 25th May 2018. So, with the aim of taking prompt action to put in place the implementation of the GDPR, the Article 29 Working Party has organized a number of Fablab workshops with the objective of opening up dialogue with representatives of European industry, the civil society, relevant associations and the academic world. More than 90 participants took part in the last Fablab session, which took place on April 5th and 6th in Brussels, where they discussed the priority issues of the European Regulation with the European DPAs.
With regard to the subject of “consent”, which constitutes the main legal basis for the processing of personal data, it emerged from the workshop that in certain cases the definition of “consent” contained in the Regulation might not in fact be a reliable basis for the use of personal data. Specific concerns have been raised about the processing of the personal data of a minor, since there is currently no way to either verify the exact age of individuals who give their consent online, or to confirm the identity of persons who declare online that they have parental responsibility.
With regard to consent for the processing of personal data for scientific research purposes, uncertainty was expressed about the secondary use of these data.
Participants also expressed uncertainty about the possibility of the withdrawal of already given consent and the possible consequences faced by those who refuse to grant it. Specific concerns were expressed about the situations in which those individuals who do not give their consent are not able to avail themselves of a particular service.
Further issue concerns have been raised about deals with data breach notifications. Participants asked for greater flexibility on the contents of notifications given the damage to their reputations companies which are victims of such attacks might suffer. They also asked for greater clarity both about methods of notification and the recipients of the notification in cases concerning data of data subjects from different Member States. Is notification required to be given to the Authorities of each Member State involved?
In addition, the workshop participants discussed the question of profiling as a particular form of processing of personal data. There are numerous types of profiling which differ from sector to sector and which cannot be subject to the same provision. For this reason, specific guidelines for each type of profiling have been requested. In addition the guidelines will have to take into account the different objectives for which profiling is made. On this subject, doubts have been expressed about whether there should be limitations to the types of data that can be used. In particular regarding the personal data of minors. Participants also raised objections about there being no clear distinction between profiling processes based on human intervention and those which are completely automated.
The complete meeting report is available on the European Commission webpage dedicated to WP29.
In a piece published on the 15th April 2017 in the Quotidiano Nazionale (a daily which features articles from three Italian newspapers, Il Resto del Carlino, Il Giorno and La Nazione), Giusella Finocchiaro offered her thoughts on data protection and minors.
“Can children and adolescents sign up to Facebook or other social network accounts?
If being of age is a legal requirement for concluding a contract, then, why should it not be the case for signing up to a social network account? What is the age required for giving valid consent to the processing of personal data? Under Facebook regulations it is 13 years of age and under Italian law it is 18.
Then, why are so many Italian children and adolescents signed up to social networks? The answer is simple: according to the majority of subscription contracts, it is not Italian law which is applicable but the law governing the social network, which means, in the case of Facebook, the law of the United States of America and of the State of California.
Which law takes precedence? This is the most classical legal problem on the Internet, namely, determining which law is applicable and the jurisdiction. The new European Regulation n. 2016/679 on the Protection of Personal Data, which represents the new European law on data protection and is directly applicable from 25th May 2018, solves the problem with a partial compromise. It provides that European law takes precedence and that 16 is the minimum age to sign up (with an option for each Member State to set a lower age, provided that it is not below 13 years). Where the child is below the age of 16, parental consent is given or authorised.
According to certain recent Italian decisions in similar cases (the posting of pictures of their own children on social networks), the consent of both parents is needed. It is clear that it will not be very difficult to get round this provision. However, as the European Regulation provides for, it is the social network itself which will need to keep a check on things, by using available technology”.
The Italian Court of Cassation has recently been called on to deal with the issue of whether payment descriptions for bank transfers qualify as sensitive data, in cases in which they specify indemnity payments for illness or disability using the wording “allowance ex L. 210/1992”, (the law which grants allowances to parties who have suffered irreversible complications due to mandatory vaccination and blood transfusions, or in cases of decease, to their families).
The Supreme Court judges have expressed conflicting decisions in several such cases. In all the examined cases, the matter concerned the relations between the Region, which issues the allowance and authorizes the bank transfer, and the ill or disabled party’s bank, which is the recipient of the allowance on behalf of its current account holder.
In the case of the first decision dating from 2014 (judgement n. 10947 of 19th May 2014), the Court considered the payment description, which quoted the above-mentioned legislative references, as sensitive data and thus determined that both the Region and the bank had unlawfully processed personal data since they had not adopted security measures for the transmission and dissemination of said data, such as encryption techniques and non-identifiable codes, as provided for by Art. 22, 6° par. of the Personal Data Protection Code.
In the second decision (judgement n. 10280 of 20th May 2015), which is clearer and better developed than the previous one, the Supreme Court judges overturned their first approach and followed a quite different decision-making process. Firstly, they rejected the concept that payment descriptions for allowances filled out in such a way constituted sensitive data, as the law quoted provided that the recipients of these allowances could either be the parties directly affected or otherwise their families. Since the payment of the allowance did not depend on the illness of the party who actually received it, the judges concluded that the information was not sufficient to reveal the recipient’s state of health and, therefore, did not constitute sensitive data.
Secondly, according to the Supreme Court, it was not a question of the Region rendering the data transferred to the bank public, as this would have implied – in conformity with Art. 4, lett. m) of the Code – disclosure of the data to unspecified parties, whereas in this case the disclosure was only made to the bank of the current account holder who was the beneficiary of the allowance.
Furthermore, the judges considered that references to Art. 22, 6° par. of the Code were groundless, since, as correctly quoted, the adoption of encryption techniques is only required in specific cases where the data originate from directories or registries and the aim is to manage and consult them. Neither could the bank be considered to have the responsibility for adopting these measures for three different reasons: firstly, the provision is only applicable to public bodies; secondly, private entities are only obliged to adopt encryption measures in relation to sensitive data which would reveal a state of health and were processed with electronic systems, both of which conditions are missing in the present case; finally, communicating to a client of the bank’s his/her personal data does not constitute processing of personal data.
Finally, in the opinion of the Court, the role of the bank was that of the current account holder’s representative and it received the payment from the Region on his/her behalf: thus, the payment was to be considered as being directly effected by the debtor (the Region) to the creditor (the recipient of the allowance). Therefore, the Supreme Court considered both the Region’s and the bank’s conduct to be within the law and acknowledged there had been no illegal processing of personal data.
This question has recently once again been deliberated by the 1st Civil Division of the Court of Cassation, which has issued two interlocutory orders (no. 3455 and no. 3456 registered on 9th February 2017) delegating the “Sezioni Unite” (the Joint Divisions), the task of devising a solution to this conflict of case law. On this occasion the Supreme Court has abstained from expressing its own opinion one way or the other with regard to the different interpretations of case law regarding this issue, and has simply commented on the nature of payment descriptions as “sensitive data”. The Court has pointed out that, even if payment can be made both to the family and the ill or disabled party, only the latter would receive payment in instalments (whereas family would receive a lump sum). This particular method of payment would clearly identify the recipient of the payment as the victim of illness or disability and for this reason the indication of a payment in instalments would constitute sensitive data.
We will have to wait to see how the Joint Divisions will solve this conflict of case law we have just described and in particular whether they opt for a broad or restrictive interpretation of the concept of sensitive data.
Giusella Finocchiaro was re-elected President of the IV Working Group on Electronic Commerce of the United Nations Commission on International Trade Law (UNCITRAL).
The election was held during the 55th session of the Working Group which took place from 24th to 28th of April 2017 in New York. At the same time the Working Group initiated its work on the legal issues related to Identity Management and Trust Services.
Under the presidency of Giusella Finocchiaro, the group of experts is required to develop the first drafts about Digital Identification systems which should concern both multi-party and two-party identity systems and natural and legal persons’ identity, without excluding consideration of digital objects.
The Commission’s mandate also concerns Trust Services which will immediately be taken into consideration working out their definitions.
To follow the work-in-progress, see UNICTRAL’s website to the dedicated page.
The Italian DPA has imposed fines totalling over 11 million euros on five money transfer companies which had unlawfully processed more than one thousand users’ personal data in order to bypass anti money-laundering regulations.
These companies collected and transferred to China sums of money belonging to Chinese businessmen, violating both the anti money-laundering law and the data protection law. By using the technique of structuring (i.e. the technique of breaking up large amounts of money into several smaller transactions below the anti money-laundering legal threshold), companies allocated money transfers to more than 1,000 customers, who were completely unaware of these transactions, by illegally using their data.
These serious violations came to light during an investigation by the Procura di Roma (the Rome Public Prosecutor’s Office). The Currency Police Unit of the Italian Financial Police, authorised by the Judicial Authorities, ascertained that the names of the people these money transfers were registered to did not correspond to the real senders. In addition, in certain cases the transaction forms turned out not even to have been signed or to have been filled out by people who were either deceased or non-existent. The personal data used were taken from photocopies of id documents, which were stored in specific folders to be used when needed. Money transfers were carried out within seconds of each other and involved sums of money which were just under the legal threshold and addressed to the same recipient.
Due to this infringement of the Data Protection Law committed by the companies, the Italian Data Protection Authority was obliged to intervene and, in view of the seriousness of the violations, the number of parties involved whose personal data had been processed without their consent and the importance (and size) of the database, has imposed the following fines: 5,880,000 euros for the multinational corporation and fines of 1,590,000 euros, 1,430,000 euros, 1,260,000 euros and 850,000 euros respectively for the other four companies, for a total of over 11 million euros.
The Italian Data Protection Authority has established that a “reputation rating” project violates the provisions of the Personal Data Protection Code and impacts negatively on human dignity.
The project, which was devised by an organisation structured as an association and a company appointed for its management, is based on a web platform and a database which gathers vast amounts of personal data either uploaded by users or obtained from the web, on various types of individual – from job candidates to business people, freelance professionals and private individuals. By means of a specific algorithm the system would then be able to objectively measure people’s reliability in the economic and professional fields, by assigning a score (“rating”) to their online reputation.
The DPA observed that the system would create significant problems in relation to privacy due to the confidential nature of the information, the pervasive impact on the interested parties and the method of processing. Essentially, the system implies the massive collection – also online – of information open to significantly impacting on the economic and social representation of thousands of people. Such processed reputation ratings might have serious repercussions on the lives of those who had been rated, since it might influence other people’s choices as well as jeopardising access for rated parties to services and benefits.
The DPA also expressed a number of doubts about the objectivity claimed for the ratings, stressing that the company could not prove the effectiveness of the algorithm used to regulate the settings of the “ratings”, which would be calculated without rated parties having any chance to freely give their consent. Given the complexity and sensitivity of measuring situations and variables which are not easy to classify, any rating might be based on incomplete or flawed documents and certificates with the consequent risk of creating inaccurate profiles which do not correspond to the real social identity of the rated parties.
Moreover, the DPA was concerned about the unreliability of allowing an automated system to decide upon such complex and sensitive issues relating to individuals’ reputations.
The system’s security measures which are principally based on “weak” authentication systems (user ids and passwords) and on encryption techniques only for judicial data, were found to be totally inadequate in the DPA’s opinion. Finally, further critical issues were detected in the time period for data storage and privacy policies for interested parties.
Therefore, in conclusion, the DPA has banned all present and future processing operations related to the reputation rating project.
Voted the Oxford Dictionaries’ international word of 2016, so-called “post-truth” refers to an apparently new concept.
The compound word relates to all those circumstances in which objective facts are less influential in shaping public opinion than news stories based on emotion or personal belief.
After its first appearances in 2015 in a number of articles, in 2016 the term “post-truth” became disconnected from its original definition and became widely used in political comment, especially with regard to the Brexit referendum and the U.S. Presidential election. In Italy the term has often been used in commenting on the outcome of the constitutional referendum.
In simple terms, according to many commentators, the UK’s exit from the European Union, the election of Trump and the failure of Renzi’s referendum proposal are the direct consequence of an era in which voters opt not to believe in objective facts but rather in emotionally charged news stories. Naturally it is not possible to assess how consciously this decision is taken by voters, but it seems obvious that the debate on post-truth also and perhaps mainly refers to those who are unable to distinguish between reliable sources of information and those which are manifestly biased.
As is entirely predictable, at the heart of this alarming situation countless observations can be found on the role of social media as the main vehicle of this uncontrolled spread of fake news and propaganda. Although news is posted and shared by users, the role these platforms play is much more active than might be imagined. On Facebook, for example, the “Trending Topics feed” column actively encourages the reading and sharing of the most popular articles on the social network, many of which come from unreliable websites full of glaringly fake news, the importance of which is exaggerated in this way.
Buzzfeed magazine uncovered the prime case of certain (more than 100) pro-Trump websites, which had been created by numbers of Macedonian teens and which reported sensationalist and totally fictitious news with the single declared aim of making money through Google’s online Ad-sense advertising network. One example is of the baseless smear campaign against Hillary Clinton which helped generate over 140,000 shares (reactions and comments) by U.S.users (on Facebook).
Facebook’s management were faced with a torrent of rage and criticism in the wake of Trump’s victory, being accused of not admitting their responsibility in shaping public opinion. In response to this criticism, on the 15th of December 2016, Mark Zuckerberg announced the launch of an article classification system, which will begin flagging news stories reported as fake by users, which will then be sent to (five) third-party outside professional fact-checking organisations for verification.
However, there are many who do not want to leave the power to distinguish real news from fake news to the major Internet platforms, the so-called Over The Top (OTT) players. Both commentators and experts have underlined the danger of leaving private companies in charge of assessing the accuracy of web-based information.
Speaking of which, the Financial Times interview with Giovanni Pitruzzella, head of the Italian Antitrust, published on the 30th December 2016, attracted particular attention. In the interview, Pitruzzella underlines the need to set up “a network of independent national bodies in charge of identifying and removing fake news from circulation (and imposing fines if necessary)”. A sort of Authority tasked with monitoring the truthfulness of information.
The idea has sparked a certain interest among commentators but also a chorus of accusations in relation to the presumed intention on the part of the Institutions to impose censorship. In Italy the former comedian and political leader Beppe Grillo has defined the post-truth alarm as “a new inquisition”. There are also those, such as Riccardo Luna, the former editor of Wired Italia, who asks for a rethink of quality journalism’s commitment as a bastion to combat widespread misinformation, stressing that although post-truth is not a new phenomenon, it is hugely amplified nowadays by the web and social networks.
However, this prompts us to make a further consideration. If it is true that the web has increased chances of running into fake news, it must also be acknowledged that the wide variety of information sources allows us more than ever today, to study news items in depth and to analyse and compare them. It goes without saying that a certain degree of skill to discriminate is necessary, but it is only in the context of a multiplicity of voices that it becomes possible to develop helpful cognitive instruments for distinguishing between relatively realistic news and sensational hoaxes. Therefore, in addition to being difficult to apply, devising solutions to limit and control information (contained in news) might also be counterproductive.
Yet there are still only very few voices which underline the need to help present and future voters in providing themselves with those intellectual instruments which would enable them to recognise the most reliable sources by themselves. So, regardless of any effective practical solutions (there may be), the mere fact of discussing post-truth publicly may represent a first step towards awareness of a global issue each one of us can give our personal contribution to limiting in a very simple way: namely, by avoiding sharing unverified news.
On 1st January 2017 France brought into force a law on the “right to disconnect”, which aims at banning office emails outside working hours.
Conceived as a means to combat an increase in stress, linked to compulsive out-of-hours email checking, the new legislation requires all companies with more than 50 employees to start negotiations in order to define the rights of employees to ignore their smartphones out of working hours.
As is well known, replying to emails outside working hours is not usually considered as overtime and therefore generally remains unpaid. Moreover, employee availability during off-hours is nowadays considered “a duty” by many employers. For this reason the new law requires companies to reach an agreement with their employees, in which the out-of-hours times when employees are required to reply to office communications must be explicitly detailed. The new measure also aims to protect digital professionals, who work remotely and are therefore more exposed to off-hours calls.
The law was introduced after Labour Minister Myriam El Khomri had commissioned a report on the health impact of the uninterrupted flow of digital information, so-called “info-obesity”, coming from the workplace. The excessive use of digital devices on which employees are reachable 24/7 has been considered the cause of any number of health conditions from “burnout”, to sleeplessness and relationship problems.
A number of multinational companies based in France have already announced that they have already taken steps to put in place innovative solutions such as a “curfew” on evening communications or systems that automatically delete emails sent to employees when they are on holiday or not working.
-
- All contents on this blog are published under a Creative Commons Licence
