Editorial Director: Giusella Finocchiaro
Web Content Manager: Giulia Giapponesi

In a piece published on 15th April 2017 in the Quotidiano Nazionale (a daily which carries articles from three Italian newspapers, Il Resto del Carlino, Il Giorno and La Nazione), Giusella Finocchiaro offered her thoughts on data protection and minors.

“Can children and adolescents sign up to Facebook or other social network accounts?

If being of age is a legal requirement for concluding a contract, then, why should it not be the case for signing up to a social network account? What is the age required for giving valid consent to the processing of personal data? Under Facebook regulations it is 13 years of age and under Italian law it is 18.

Then, why are so many Italian children and adolescents signed up to social networks? The answer is simple: according to the majority of subscription contracts, it is not Italian law which is applicable but the law governing the social network, which means, in the case of Facebook, the law of the United States of America and of the State of California.

Which law takes precedence? This is the most classical legal problem on the Internet, namely, determining which law is applicable and the jurisdiction. The new European Regulation n. 2016/679 on the Protection of Personal Data, which represents the new European law on data protection and is directly applicable from 25th May 2018, solves the problem with a partial compromise. It provides that European law takes precedence and that 16 is the minimum age to sign up (with an option for each Member State to set a lower age, provided that it is not below 13 years). Where the child is below the age of 16, parental consent is given or authorised.

According to certain recent Italian decisions in similar cases (the posting of pictures of their own children on social networks), the consent of both parents is needed. It is clear that it will not be very difficult to get round this provision. However, as the European Regulation provides for, it is the social network itself which will need to keep a check on things, by using available technology”.

posted by Giusella Finocchiaro on November 10, 2015

Privacy

The recent “Facebook” decision by the European Court of Justice can be interpreted from two different perspectives, which are not (however) mutually exclusive. The first interpretation is of a legal-technical nature, while the second is political.

Let us start with the first. The facts are known as are the conclusions. The United States is not considered to be a country that guarantees an adequate level of protection in accordance with the Directive on personal data protection, dir. 95/46.

The path is set out in art. 25 of the Directive, quoted below for convenience and clarity, in order to better understand both the past (the decision) and the future (the directions currently open).

Article 25

Principles

1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer, may only take place if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.

2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.

3. The Member States and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection within the meaning of paragraph 2.

4. Where the Commission finds, under the procedure provided for in Article 31 (2), that a third country does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question.

5. At the appropriate time, the Commission shall enter into negotiations with a view to remedying the situation resulting from the finding made pursuant to paragraph 4.

6. The Commission may find, in accordance with the procedure referred to in Article 31 (2), that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals.

Member States shall take the measures necessary to comply with the Commission’s decision.

In the past the Commission had deemed the level of protection afforded by the Safe Harbour framework to be adequate; with this decision the Court disagrees and invalidates the Safe Harbour.

This does not imply, however, that the transfer of personal data to the United States can no longer take place. It can still take place on the basis of the express consent of the interested party (the data subject) or on the basis of Binding Corporate Rules. Therefore either the interested party gives their consent to the transfer, or the data controller adopts management rules approved by the Data Protection Authority that allow the transfer.

So, what is the difference then? The difference is that it will no longer be possible to rely on the Safe Harbour framework, i.e. to transfer data to the United States without consent and without pre-approved rules, on the assumption that the data are protected in the United States in the same way as they are in Europe.

From a strictly legal and practical point of view, the commentary ends here. Undoubtedly, there will be higher management costs for those who transfer data from Europe to the United States, but there will certainly be no ban.

On the other hand, the political interpretation of the decision which follows roughly a year after the Google Spain case is far more problematic. As mentioned above, in the Court’s opinion, the United States does not provide an adequate level of data protection.

Essentially the Court states that the level of protection of personal data is higher in Europe and that it is the European law which should be applied to European subjects’ personal data (apologies for this simplification, obviously the decision refers to data transfer from Europe under certain conditions). Similar assertions can be found in the Google Spain decision.

With another decision that is also political, the Court anticipates the contents of art. 3 of the forthcoming European regulation on the protection of personal data. Then again, personal data protection has constitutional significance in Europe (article 8 of the Charter of Fundamental Rights), but not in the USA. This obviously reflects a different scale of values in two regions of the world, albeit regions very similar to each other when compared with Asia. This of course has a cost, which big players such as Google and Facebook can bear far more easily than small ones. And it underlines that Europe and the United States have not (yet) reached a political agreement on the question.

posted by Giusella Finocchiaro on January 26, 2015

Privacy

The Google service that allows virtual exploration of spectacular places is about to arrive in Italy.

At the request of the Mountain View colossus, the Italian Data Protection Authority has given authorization for partial exemption from the obligation to inform the public, but has set strict rules for photo shoots.

The most beautiful places in Italy including beaches, museums, parks and archaeological sites will soon be visitable at a distance thanks to Google Special Collects, a collection of virtual environments devised to popularize the most magnificent corners of the world.

Images are captured with equipment similar to that used for the Google Street View service, with one difference: the special cameras capable of 360-degree shots are not mounted on cars but on the backpacks of special “trekkers”, that is, operators appointed by Google to “map out” places without the use of vehicles.

In its request to the Authority, Google stated that in museums and other places with limited access, recordings would be made outside public opening hours, with the aim of limiting accidental filming of visitors and of protecting their privacy. In outdoor locations, times will be chosen when passers-by are less likely to be encountered. The American corporation will also black out faces and other identifying features, such as vehicle licence plates, that might have been recorded, before making the images available on the Google Maps service.

In granting Google partial exemption from informing the public, the Authority has obliged the corporation to take further precautions to protect the public and to implement simplified measures to inform the public of all ongoing filming activities.

In particular, three days before beginning recordings, Google will have to publish information in Italian on its website about the shooting locations. A further announcement will also have to be posted seven days before filming on the websites and any other communication outlets of the organisations involved. At the physical locations, Google operators will have to inform the public of the upcoming recording of images by means of special notices or signs posted at the entrances to the sites, so as to allow visitors to exercise their right not to be photographed.

In addition, the “trekkers” who carry photographic equipment will need to be recognized by stickers or other clearly marked distinguishing features to be attached to clothing and equipment, so as to clearly indicate that they are collecting images to be published online on Google Maps through the Google Special Collects service in Street View.

Google will also have to ensure the training of their personnel involved in these operations concerning compliance with the legislation on the protection of personal data.


Google has presented a new tool for the “right to be forgotten”, by means of which users will be able to request the cancellation of certain results associated with their name.

Following the recent decision by the EU Court of Justice which has established that users can ask search engines to remove results linked to their name, Google has released a new tool for requesting the removal of the content.

Commenting on the indications contained in the judgment, Google has announced that a request for removal can be forwarded by any citizen who considers the information in the results associated with a search relating to their name to be unsuitable, irrelevant or no longer relevant, or even excessive in relation to the purposes for which such information has been published.

On the web page carrying the form, the company advises that “For the duration of implementation of this decision we will evaluate each individual request and try to find an appropriate balance between the individual’s right to privacy and the right of everyone to know and share information. When evaluating a request we will establish whether the results include outdated information about the user and whether the information is of public interest, for instance whether it relates to financial fraud, professional negligence, criminal convictions or the conduct of public officials.”

Larry Page, Google’s CEO has expressed his concern to the Financial Times regarding the decision of the European Court, stressing that the judgment risks damaging the next generation of digital start-ups and reinforces the repressive actions of those governments which attempt to limit the free flow of information on the Internet.

The company also announced that it is working on setting up a committee of experts for providing advice on how to manage the new facility dedicated to the right to be forgotten.

As previously mentioned in this blog, the 49th session of the Working Group on Electronic Commerce of the United Nations Committee on International Trade Law (Uncitral) was held in New York from 28th April to 2nd May 2014.

At the start of the session Giusella Finocchiaro, the Italian Uncitral representative for electronic commerce, was unanimously elected as chairperson.

The WG is working on a detailed document on Electronic Transferable Records, which could become the new model law. This work is drawing to a conclusion.

The basic principles that have guided the WG were reaffirmed, namely technological neutrality and non-discrimination between paper and electronic documents, while keeping any impact on national law to a minimum.

The 50th session of the WG will be held in Vienna from the 10th to the 14th November 2014.

On the 22nd of April 2014 the Marco Civil, the Brazilian “Internet Constitution”, was granted final approval by the Brazilian Senate. The law, which regulates the rights and obligations of network users, was signed by President Dilma Rousseff at the opening of the “NetMundial” conference, a two day event dedicated to worldwide network governance.

After five years of work, the regulations protecting privacy, freedom of expression and net neutrality were approved in São Paulo. With specific regard to net neutrality, the Brazilian Internet Constitution is considered by civil liberties activists to be a revolutionary document in Internet history. The regulations will in fact prevent telecommunications companies from setting up preferential bandwidth channels that privilege some services to the detriment of others, an emerging trend in the business strategies of connectivity providers worldwide.

The legislative process speeded up after Edward Snowden’s revelations, from which it emerged that the United States had been monitoring President Rousseff’s communications.

However, as regards the “Datagate” affair, the Brazilian law proves less effective than its first formulation.

In fact one of the most contested innovations contained in the bill, namely the idea of preventing the storage of Brazilian citizens’ data on servers located abroad, was deleted from the main body of the regulation before Senate approval.

Following the removal of that proposal, another article of the regulations was strengthened: it provides that companies collecting user data generated in Brazil must submit to Brazilian government regulations on data protection, regardless of the location of the servers where the information is stored.

The Marco Civil also contains provisions against the attribution of liability to intermediaries, formalizing that providers are not responsible for the content published online by users, a hotly contested topic for years in Europe but on which Brazil had not yet legislated.

Under the new legislation, service providers will only be liable for third party content if they fail to ensure the removal of material pursuant to a court order.

As we have read in the press, the moment of the President’s signature was accompanied by applause and clamour from the NetMundial audience which was made up of experts and representatives of the major worldwide network companies.

In a speech shortly before Rousseff’s signature, Tim Berners-Lee, the inventor of the World Wide Web, expressed the hope that other governments would follow Brazil’s example and join together in signing the paper, which he described as a wonderful example of how governments can play a positive role in the advancement of civil rights on the Internet and in maintaining an open network.

Following the President’s speech, the European Commissioner Neelie Kroes also expressed her enthusiasm and defined the Marco Civil as “real cause for celebration”.

In Italy there is an ongoing and ever more widespread outcry on the part of traders and business people against TripAdvisor: from Federalberghi (the hoteliers’ association), which speaks of a “genuine emergency” caused by malpractice that, through blackmail and intimidation, severely disrupts the activity of tour operators, to the Sos Albergatori association, which uses the Pirtadvisor app in an attempt to flush out misleading reviews.

There are also those who have come out in open revolt against the American portal and display a decidedly blunt sign at the entrance to their premises plainly stating “TripAdvisor users not welcome”.

The problem is the subject of long-standing debate and is first and foremost legal: Legislative Decree 70/2003 (implementing European directive 2000/31/EC) provides that website owners are not liable for information transmitted by users, unless they are aware that the activity or information is unlawful or, having become aware of such facts and upon request of the court, they fail to act promptly to remove or disable access to the information.

It is precisely for this reason that TripAdvisor and similar sites are under no obligation to verify the identity of the writer or the information received. Consequently the only protection available comes after the violation has taken place: demanding removal of the review, either directly or through a lawyer, and claiming damages or suing in the case of defamation or violation of the right to personal identity.

We present here a video interview with Professor Giusella Finocchiaro, Fabio Stragiotto, global product development payments at UniCredit, Antonella Vanara, account manager at SIA, and Giovanni Vattani, head of payment systems at Enel, about the impact of forthcoming regulation on e-payments, e-mandates and e-identity.

This discussion took place at the EBADay Business Forum in Milan in partnership with SIA.

Click HERE for the video interview.

posted by Giusella Finocchiaro on April 29, 2014

Privacy

Google has paid a one million euro fine levied by the Italian Data Protection Authority for its Street View service. Although the fine was imposed on the 18th December 2013, its enforcement has only recently been made public.

The disputed facts date from 2010 when the D.P.A. intervened after numerous reports from people complaining of being photographed without their consent by Google Street View cars.

In fact, at that time Mountain View’s cars were operating around Italy without being readily identifiable and, as a consequence, people in the places covered had no way of deciding whether or not to avoid being photographed.

On the 15th October 2010 the D.P.A. ordered Google to make its cars easily identifiable by using clearly marked signs or stickers and in addition three days before the start of shooting to publish on its website a list of the places visited by the Google cars and also the parts of the big cities which would be covered by them.

The D.P.A. additionally ordered that the same announcement should be published by Google in at least two local newspapers and that the information contained should also be broadcast by at least one radio station in each region visited.

These measures were promptly adopted by Google.

The sanctioning procedure has now been concluded with the issue of an injunction order in which the D.P.A. has imposed a one million euro fine. The sum was determined on the basis that the data unlawfully collected was destined for a database as large and significant as the Street View service.

In establishing the sum, the D.P.A. applied the provision of the Privacy Code intended to make fines effective when levied on large enterprises.

It would appear that Google has already paid the fine.

A recent decision by the Italian Data Protection Authority authorizes the use of the graphometric signature on tablets in the banking sector.

The system, which has been submitted for preliminary examination by the Italian D.P.A., is somewhat complex, split into different phases and involves a number of different parties.

The technology used is also able to capture the dynamic characteristics of a customer’s signature as it is written, by analysing criteria that can be derived from the stroke, such as its speed, pressure, acceleration, inclination and so on.

The system is intended to be used by financial promoters for customer authentication and for subsequent operations. There are two main phases in the process: firstly the collection of the specimen signature to be used as a tool for comparison in order to safeguard the customer, and secondly the signing of documents with the electronic signature.

As set out in the decision, the specimen signature, together with the customer’s identification data, is transmitted by the bank through secure encrypted channels to the certifier, who validates the request and issues the digital certificate associated with the applicant. All subsequent signings are then transmitted in encrypted form to the certifier’s server, which verifies the correspondence against the specimen signature and checks that the tablet’s serial number is in fact registered.

This system would allow a reduction in the risk of cases of fraud, in particular those related to identity theft.

As usual the Authority draws attention to the adoption of special measures to protect personal data. With particular regard to the use of mobile devices, the D.P.A. recommends that the processing of users’ biometric data be carried out with all appropriate security measures, so as to reduce to a minimum the risk of unauthorised software installation and of malware infection.

According to the D.P.A. remote wiping must also be adopted, which would guarantee that in cases where tablets have been tampered with, lost or stolen, their content would be deleted remotely.

Moreover, the processing of biometric data is subject to customer consent. The D.P.A. underlines that consent, where required, must be freely given and informed.

Finally, the D.P.A. draws attention to the need to ensure that biometric data is not retained for longer than is necessary for the purposes for which it was collected and subsequently processed. Any extension of the retention period must be justified by specific laws.

Further requirements under existing law are reaffirmed, including notification of processing and the obligation to designate external parties as data processors.
