Editorial Director: Giusella Finocchiaro
Web Content Manager: Giulia Giapponesi

posted by Giusella Finocchiaro on October 17, 2017

Privacy

Here is the article by Giusella Finocchiaro and Laura Greco, published in Agenda Digitale on 1st September 2017.

Much has already been said on the new data protection requirements introduced by Regulation (EU) 2016/679 of the European Parliament and the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation) (and coming into full force from 25th May 2018).

At first reading, the stringent and precautionary nature of the new legislation was already evident, being characterised by an approach based on the risk assessment of data processing and the accountability of the processing subjects.

As confirmation, it is enough to look at the considerable number of obligations the Regulation imposes on data controllers and processors. Compliance with the Regulation particularly aims to organise the entire data processing procedure around the principles of privacy by design and by default, with the objective of ensuring that both technological and organisational security measures are commensurate with the risks to which data are exposed during processing.

Among the obligations directed at measuring the risks relating to processing activities, one stands out for its relevance and challenging nature, namely the so-called Data Protection Impact Assessment (DPIA), a preventive measure that obliges controllers to verify whether a processing operation might expose personal data to a high risk, taking into consideration the specific characteristics of the processing itself: its nature, scope, context and purposes, as well as the use of new technologies. Although strongly recommended for all types of processing, the DPIA is mandatory only in the cases specifically indicated in the Regulation or in the legislation of Member States.

One particular field in which the DPIA appears not only suitable but essential for data controllers is the employment sector. In fact, data processing carried out in a work environment seems to fall under the heading of systematic monitoring of data regarding vulnerable subjects.

The term “vulnerable” is not used at random. The Article 29 Working Party uses this term to describe employees in its “Guidelines on Data Protection Impact Assessment (DPIA)” adopted on 4th April 2017, where the work environment is considered to pose a risk to the rights of data subjects given the imbalance of bargaining power in favour of the data controller. The Article 29 Working Party, which had already given indications in the past with regard to the rights of employees in the field of data protection (see opinion 8/2001, WP48 and working document WP55 of 2002), dedicates its recent opinion 2/2017 to the subject of data processing in the work environment.

In this document the Group of European DPAs updated its considerations on the subject matter in light of the new provisions and in particular, of the new obligations introduced by the Regulation.

Confirming that data processing in the work environment must necessarily comply with the principles of transparency, necessity and minimisation, the Group underlines that consent cannot be considered a requirement for safe and reliable legitimacy since workers cannot consider themselves completely free to give consent to or oppose data processing due to the contractual relationships that bind them to their employer. Hence, in the Group’s opinion, other legal bases would be preferable such as the implementation of the work contract, the controller-employer’s compliance with a legal obligation or his legitimate interest.

However, identifying the conditions which make data processing legal is not sufficient where employee monitoring is concerned: there is the need for a clear, understandable and comprehensive policy – the Group confirms – which keeps employees fully informed of monitoring activities and their related purposes.

It is precisely here, between the pillars of lawfulness of data processing and transparency, that the DPIA fits in: a risk-based safeguard which combines a proportionality test of the employer’s legitimate interest, the technologies used to protect that interest, and the employees’ rights to privacy and to the secrecy of their communications. According to the Working Party, the introduction of any technology designed to monitor and control workers should be preceded by a DPIA in order to verify whether the data processing (and the ways in which it is carried out) is commensurate with the risk the employer must face.

Following a theoretical presentation of the framework of the Regulation, its fundamental principles and innovations, the Group of DPAs closely examines a series of data processing scenarios that may occur in an organisation’s routine operations, with particular reference to the use of new technologies. The Group focuses in particular on those technologies that permit the monitoring of employees not only at their workplace but also at their homes and, more generally, in their private lives. This happens, for example, where BYOD (Bring Your Own Device) policies are adopted, which allow workers to use their own personal devices for work purposes. The mixed use of such devices creates the risk of processing information outside the work sphere. Therefore, in order to avoid such an eventuality, the Group recommends adopting appropriate measures which make it possible to distinguish work use of the device from private use.

Finally, in outlining the protection afforded to workers, the European DPAs not only take into account the advanced technological context but also the business world: processing carried out by a business group based in different Member States may mean the transfer of employee data to third countries. In such cases – as well as in the case of the use of applications and cloud-based services that imply a cross-border flow of personal data – data transfer will be legal on condition that the third country data importer assures an adequate level of data protection.

To summarise: legality, transparency, proportionality, balancing of interests, minimisation. These are the key words (and the pillars) of data processing in the work environment.

In addition, it is worth keeping in mind that art. 88, paragraph 1 of the Regulation provides that Member States may “by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context”. This leads to a further reflection on the adequacy of the modifications made to law no. 300 of 20th May 1970 (the “Workers’ Statute”) by the recent Jobs Act reform. It therefore needs to be evaluated whether the new provisions are in fact sufficient in light of the Working Party’s recommendations and the scenarios it envisions, or whether further action by the Italian legislator will be necessary.


In a piece published on the 15th April 2017 in the Quotidiano Nazionale (a daily which features articles from three Italian newspapers, Il Resto del Carlino, Il Giorno and La Nazione), Giusella Finocchiaro offered her thoughts on data protection and minors.

“Can children and adolescents sign up to Facebook or other social network accounts?

If being of age is a legal requirement for concluding a contract, then, why should it not be the case for signing up to a social network account? What is the age required for giving valid consent to the processing of personal data? Under Facebook regulations it is 13 years of age and under Italian law it is 18.

Then, why are so many Italian children and adolescents signed up to social networks? The answer is simple: according to the majority of subscription contracts, it is not Italian law which is applicable but the law governing the social network, which means, in the case of Facebook, the law of the United States of America and of the State of California.

Which law takes precedence? This is the most classical legal problem on the Internet, namely, determining which law is applicable and the jurisdiction. The new European Regulation n. 2016/679 on the Protection of Personal Data, which represents the new European law on data protection and is directly applicable from 25th May 2018, solves the problem with a partial compromise. It provides that European law takes precedence and that 16 is the minimum age to sign up (with an option for each Member State to set a lower age, provided that it is not below 13 years). Where the child is below the age of 16, parental consent is given or authorised.

According to certain recent Italian decisions in similar cases (the posting of pictures of their own children on social networks), the consent of both parents is needed. It is clear that it will not be very difficult to get round this provision. However, as the European Regulation provides for, it is the social network itself which will need to keep a check on things, by using available technology”.

posted by Giusella Finocchiaro on November 10, 2015

Privacy

The recent “Facebook” decision by the European Court of Justice can be interpreted from two different perspectives, which are not (however) mutually exclusive. The first interpretation is of a legal-technical nature, while the second is political.

Let us start with the first. The facts are known as are the conclusions. The United States is not considered to be a country that guarantees an adequate level of protection in accordance with the Directive on personal data protection, dir. 95/46.

The path is outlined in art. 25 of the Directive, which is quoted below for convenience and clarity, in order to better understand the past (the decision) and the future (the directions currently open).

“Article 25

Principles

1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer, may only take place if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.

2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.

3. The Member States and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection within the meaning of paragraph 2.

4. Where the Commission finds, under the procedure provided for in Article 31 (2), that a third country does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question.

5. At the appropriate time, the Commission shall enter into negotiations with a view to remedying the situation resulting from the finding made pursuant to paragraph 4.

6. The Commission may find, in accordance with the procedure referred to in Article 31 (2), that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals.

Member States shall take the measures necessary to comply with the Commission’s decision”.


In the past the Commission had deemed the level of protection afforded by the Safe Harbour framework to be appropriate, but this decision by the Court shows its disagreement and invalidates the Safe Harbour.

This does not imply, however, that the transfer of personal data to the United States can no longer take place. It can take place on the basis of the express consent of the data subject or on the basis of Binding Corporate Rules. Therefore, either the data subject may give their consent to the transfer, or the data controller may adopt management rules approved by the Data Protection Authority that allow the transfer.

So, what is the difference then? The difference is that it will no longer be possible to rely on the Safe Harbour framework, i.e. to transfer data to the United States without consent or without pre-approved rules, on the assumption that the data are protected in the United States in the same way as they are in Europe.

From a strictly legal-applicative point of view all comment ends here. Undoubtedly, there will be higher management costs for those who transfer data from Europe to the United States, but there will certainly be no ban.

On the other hand, the political interpretation of the decision which follows roughly a year after the Google Spain case is far more problematic. As mentioned above, in the Court’s opinion, the United States does not provide an adequate level of data protection.

Essentially the Court states that the level of protection of personal data is higher in Europe and that it is the European law which should be applied to European subjects’ personal data (apologies for this simplification, obviously the decision refers to data transfer from Europe under certain conditions). Similar assertions can be found in the Google Spain decision.

The Court anticipates the contents of art. 3 of the forthcoming European regulation for the protection of personal data with another decision which is also political. Then again, personal data protection has constitutional significance in Europe (article 8 of the Charter of Fundamental Rights), but not in the USA. This obviously reflects a different scale of values in two regions of the world, albeit very similar to each other if compared to the Asian region. This of course has a cost, which big players such as Google and Facebook can much more easily afford than small ones. And it underlines that Europe and the United States have not (yet) reached a political agreement on the question.

posted by Giusella Finocchiaro on January 26, 2015

Privacy

The Google service that allows virtual exploration of spectacular places is about to arrive in Italy.

At the request of the Mountain View colossus, the Italian Data Protection Authority has given authorization for partial exemption from the obligation to inform the public, but has set strict rules for photo shoots.

The most beautiful places in Italy including beaches, museums, parks and archaeological sites will soon be visitable at a distance thanks to Google Special Collects, a collection of virtual environments devised to popularize the most magnificent corners of the world.

Images are captured with equipment similar to that used for the Google Street View service, but with one difference: the special cameras capable of 360-degree shots are not mounted on cars but on the backpacks of special “trekkers”, that is, operators appointed by Google to “map out” places without the use of vehicles.

In its request to the Authority, Google stated that in museums and other places with limited access, recordings would be made outside public opening hours with the aim of limiting accidental filming of visitors and of protecting their privacy. In outdoor locations, times will be chosen when passers-by are less likely to be encountered. The American corporation will also take action to blur faces and other identifying features, such as vehicle licence plates, which might have been recorded, before making the images available on the Google Maps service.

In granting Google partial exemption from informing the public, the Authority has obliged the corporation to take further precautions to protect the public and to implement simplified measures to inform the public of all ongoing filming activities.

In particular, three days before beginning recordings, Google will have to publish information in Italian on its website about shooting locations. A further announcement will also have to be posted on the websites and any other communication outlets of the organisations involved seven days before filming. At the physical locations, Google operators will have to inform the public of the upcoming recording of images by means of special notices or signs posted at the entrances to sites, in order to allow visitors to exercise their right not to be photographed.

In addition, the “trekkers” who carry photographic equipment will need to be recognized by stickers or other clearly marked distinguishing features to be attached to clothing and equipment, so as to clearly indicate that they are collecting images to be published online on Google Maps through the Google Special Collects service in Street View.

Google will also have to ensure the training of their personnel involved in these operations concerning compliance with the legislation on the protection of personal data.


Google has presented a new tool for the “right to be forgotten”, by means of which users will be able to request the cancellation of certain results associated with their name.

Following the recent decision by the EU Court of Justice which has established that users can ask search engines to remove results linked to their name, Google has released a new tool for requesting the removal of the content.

Commenting on the indications contained in the judgment, Google has announced that a request for removal can be forwarded by any citizen who considers the information in the results associated with a search relating to their name to be unsuitable, irrelevant or no longer relevant, or even excessive in relation to the purposes for which such information has been published.

On the web page carrying the form, the company advises that “For the duration of implementation of this decision we will evaluate each individual request and try to find an appropriate balance between the individual person’s rights to privacy with the right of everyone to know and share information. When evaluating a request we will establish whether results include outdated information about the user and whether the information is of public interest, for instance whether it relates to financial fraud, professional negligence, criminal convictions or the conduct of public officials.”

Larry Page, Google’s CEO has expressed his concern to the Financial Times regarding the decision of the European Court, stressing that the judgment risks damaging the next generation of digital start-ups and reinforces the repressive actions of those governments which attempt to limit the free flow of information on the Internet.

The company also announced that it is working on setting up a committee of experts for providing advice on how to manage the new facility dedicated to the right to be forgotten.


As previously mentioned in this blog, the 49th session of the Working Group on electronic commerce of the United Nations Commission on International Trade Law (UNCITRAL) was held in New York from 28th April to 2nd May 2014.

At the start of the session Giusella Finocchiaro, the Italian UNCITRAL representative for electronic commerce, was unanimously elected as chairperson.

The WG is working on a detailed document on Electronic Transferable Records, which could form the new model law. This work is drawing to a conclusion.

The basic principles that motivated the WG have been reaffirmed; namely those of technological neutrality and non-discrimination between paper and electronic documents, keeping any impact on national law regulations to a minimum.

The 50th session of the WG will be held in Vienna from 10th to 14th November 2014.

On 22nd April 2014 the Marco Civil, the Brazilian “Internet Constitution”, was granted final approval by the Brazilian Senate. The law, which regulates the rights and obligations of network users, was signed by President Dilma Rousseff at the opening of the “NetMundial” conference, a two-day event dedicated to worldwide network governance.

After a legislative project lasting five years, the regulations protecting privacy, freedom of expression and net neutrality were approved in São Paulo. With specific regard to net neutrality, the Brazilian Internet Constitution is considered by civil liberty activists to be a revolutionary document in Internet history. The regulations will in fact prevent telecommunication companies from setting up preferential bandwidth channels as a prerogative of some services and to the detriment of others, an emerging trend in the business strategies of connectivity providers worldwide.

The legislative process sped up after Edward Snowden’s revelations, from which it emerged that the United States had been monitoring President Rousseff’s communications.

However, as regards Datagate, the Brazilian law proves to be less effective in comparison with its first formulation.

In fact one of the most contested innovations contained in the bill, namely the idea of preventing the storage of Brazilian citizens’ data on servers located abroad, was deleted from the main body of the regulation before Senate approval.

Following the removal of the above-mentioned proposal, another article of the regulations has been strengthened: it provides that companies that collect user data generated in Brazil must comply with Brazilian data protection rules, regardless of the location of the servers where the information is stored.

The Marco Civil also contains provisions on the liability of intermediaries, formalising that providers are not responsible for the content published online by users, a topic hotly contested for years in Europe but on which Brazil had not yet legislated.

Under the new legislation, service providers will only be liable for third party content if they fail to ensure the removal of material pursuant to a court order.

As we have read in the press, the moment of the President’s signature was accompanied by applause and clamour from the NetMundial audience which was made up of experts and representatives of the major worldwide network companies.

In a speech which briefly preceded Rousseff’s signature, Tim Berners-Lee, the inventor of the World Wide Web, expressed the hope that other governments would follow Brazil’s example and join together in signing the document, described as a wonderful example of how governments can play a positive role in the advancement of civil rights on the Internet and in maintaining an open network.

Following the President’s speech, the European Commissioner Neelie Kroes also expressed her enthusiasm and defined the Marco Civil as “real cause for celebration”.


In Italy there is an ongoing and ever more widespread outcry on the part of traders and business people against TripAdvisor: from Federalberghi (the hoteliers’ association), which speaks of a “genuine emergency” caused by malpractice that, through blackmail and intimidation, severely disrupts the activity of tour operators, to the Sos albergatori association, which uses the Pirtadvisor app in an attempt to flush out misleading reviews.

There are also those who have come out in open revolt against the American portal and display a decidedly blunt sign at the entrance to their premises plainly stating “TripAdvisor users not welcome”.

The problem is the subject of long-standing debate and is first and foremost legal: Decree Law 70/2003 (implementing European directive 2000/31/EC) provides that the owners of websites are not responsible for information sent by users, unless they are aware that such activity or information is unlawful, or unless, having become aware of such facts and at the request of a judge, they fail to act immediately to remove the information or to disable access to it.

It is precisely for this reason that TripAdvisor and other similar sites are under no obligation to verify the identity of the writer or the information received. Consequently, the only possible protection is obtained after the violation has already taken place: namely, to demand removal of the review, either directly or through a lawyer, and to claim damages or to sue in the case of defamation or violation of the right to personal identity.

We present here a video interview with Professor Giusella Finocchiaro, Fabio Stragiotto, global product development payments at UniCredit, Antonella Vanara, account manager at SIA, and Giovanni Vattani, head of payment systems at Enel, about the impacts of upcoming regulation on e-payments, e-mandates and e-identity.

This discussion took place at the EBADay Business Forum in Milan in partnership with SIA.

Click HERE for the video interview.

posted by Giusella Finocchiaro on April 29, 2014

Privacy

Google has paid a one million euro fine levied by the Italian Data Protection Authority for its Street View service. Although the fine was imposed on 18th December 2013, its enforcement has only recently been made public.

The disputed facts date from 2010 when the D.P.A. intervened after numerous reports from people complaining of being photographed without their consent by Google Street View cars.

In fact, at that time the Mountain View cars were operating around Italy without being readily identifiable and, as a consequence, people in the places covered had no opportunity to decide whether to avoid being photographed.

On 15th October 2010 the D.P.A. ordered Google to make its cars easily identifiable by using clearly marked signs or stickers and, in addition, to publish on its website, three days before the start of shooting, a list of the places to be visited by the Google cars and also the parts of the big cities which would be covered by them.

The D.P.A. additionally ordered that the same announcement should be published by Google in at least two local newspapers and that the information contained should also be broadcast by at least one radio station in each region visited.

These measures were promptly adopted by Google.

The sanctioning procedure has now been concluded with the issue of an injunction order in which the D.P.A. has imposed a one million euro fine. The sum was determined on the basis that the data unlawfully collected were destined for such a sizeable and significant database as the Street View service.

In establishing the sum, the D.P.A. opted to apply the provisions of the Privacy Code which aim to make sanctions effective when levied on large enterprises.

It would appear that Google has already paid the fine.
