This is the interview Giusella Finocchiaro gave to Vanity Fair and which was published in issue 39/2016 of the weekly.
What laws do we have to protect us?
«Quite a few. Both of these recent incidents, for example, contain a series of civil offences that range from the violation of privacy legislation to the violation of a person’s fundamental rights. There are a number of possible offences that could be brought before a criminal court such as instigation to commit suicide, unlawful interference in a person’s private life and the handling of child-pornography material».
Who to press charges against? And how effective is it?
«Those to take action against are the authors, those who put the videos online. Then, naturally, action may also be taken against service providers, namely those companies which provide access to the Net, but only on certain conditions: they’re under no obligation to monitor in advance what’s made available online, nonetheless they’re legally required to remove contents if there’s provision to do so on the part of the judicial authority or of any other competent authority».
But can everything be blocked and for always?
«The possibility can’t be ruled out that the video has been downloaded by other users and that it keeps on circulating. Of course these other users are committing a crime as well. In practice, it’s a constant game of catch-up: in the digital dimension it’s extremely easy to even reproduce multiple copies of a message».
Should providers be given more responsibilities?
«Certainly, but not with a control system, because it’s very laborious. A mechanism to allow users to contact providers would be useful, because in this way, when they received a complaint, providers could verify and remove contents in a very short space of time».
What advice would you give to make good use of the Net?
« Never forget that when you access the Net you leave a strictly private dimension and you enter a very public one».
We present here an interview published in december 2015 on the CINECA Consortium Magazine.
Do the legal principles covering the Net derive from general legal principles of from made-to-measure laws?
The general legal principles are always the same, of course. There would be no sense in trying to find a made-to-measure solution and a made-to-measure law for each specific problem, without due consideration for the overlying framework. It’s not always true, therefore, that, in order to regulate new technologies, new laws have to be made.
We need to get away, too, from the common idea that technology runs ahead while the law limps along behind. The reality is quite different. Take the laws on electronic signatures, for example. In Italy, the law arrived ahead of technology and even ahead of the need.
The principle has recently been affirmed according to which the law should be technologically neutral. On the basis of this principle, the legislator should not condition the market by favouring one technology over another, nor should he condition the development of technology. This approach is “functional” in the sense that it regulates, not the object, but the function. We must avoid constraining any specific form of technological or commercial development. Rather, we need to set out general principles that will remain unvaried for a certain period of time, and will not be constrained by changing technologies.
Apart from the electronic signature, another emblematic case is that of laws for the protection of consumers over remote sales contracts. What is involved, clearly, is a way of selling, not a specific technology. As far as the law is concerned, therefore, it is not important to make a distinction between purchases made using, for example, an App, or those made through a traditional website.
Speaking of users’ rights, the privacy and copyright laws are well known, but people are also invoking the right to be forgotten. What is this about?
The right to be forgotten is not a right in itself but it is nevertheless a restatement of other rights that are recognized by the law. Traditionally, the right to be forgotten describes a person’s right not to have republished information, even if it was legitimately published at the time, relating to events that happened a considerable length of time ago.
In Internet, obviously, the time involved is not that between publication and republication of the information, but the time that has lapsed since the item was published. The time factor regards, not just news items, but events which took place a long time ago, though for which this fact is not evident because no time context is given. In these cases, jurisprudence has suggested there may be an infringement of an individual’s right to his or her personal identity.
The problem is to ensure that the proper weight is given to the information, in order to avoid the person’s identity being distorted by the Net. As we saw from a decision by the Supreme Court, no. 5525 of 5 April 2012, this goal can be achieved by placing the information in context. It is not a right to be forgotten, then, but a right to a proper context.
The underlying theme, but one that emerges strongly, is that of the protection of an individual’s identity, in all its multiple forms.
What is at issue, then, is not the question of a specific news item about a specific individual and a specific event that can be retrieved through Google, but the protection of a person’s identity in the Internet, which is often perceived as a sole archive. It is not a sole archive, but it is a major source of information and sometimes the only one accessible.
“The Law in the Net”, but also “The Net in the Law”: how has Internet affected or modified the principles of “Jus Commune”?
Generally speaking, the principles of “Jus Commune” remain as before, but it cannot be denied that the advent of new technologies has brought fresh challenges for legal scholars.
What we have said about the right to be forgotten is a good example. In the real, physical world, the key element of this is the concept of “republication”. With Internet, on the other hand, the issue is the time the information stays available. Here it is not a question of drawing public attention back to a past event. The point is that, potentially, the past event has always remained there. So in this case the need that the law has to satisfy is a different one. It is no longer a question of republishing or not, it is a question of how a publication, that was maybe made quite legitimately many years earlier, is to be presented now.
A Net without borders: how have international regulations been affected by Internet?
The same general considerations apply. It is clear that the advent of Internet has drawn international attention to the need to regulate certain situations. I am thinking first of all of regulations aimed at encouraging the use of Internet as a trading tool and, as a consequence, the regulations set up for the protection of consumers.
A separate chapter belongs to the international conventions created to facilitate cooperation between the forces of law and order in relation to crimes committed via computer systems. I am thinking, for example, of the Budapest Convention of the European Council of 23 November 2001 on cybercrime.
Which judge has jurisdiction over disputes in Internet?
It depends on the nature of the dispute. The same procedural rules apply as in the real, physical world. The problem with internet is that the proper jurisdiction is not always easy to identify.
You are a teacher at Bologna University. How, in your opinion, has Internet revolutionized the world of the university? Is it simply a question of having new tools available for the administration and for the students, or is there more to it than that? Has there been a change of mentality, for example?
There are pros and cons to using Internet, in the university world like any other. Clearly, immediate access to a wider range of information has speeded up research processes. There is wider access to study texts. But it has to be said that the information stored on the Internet is disorderly. All the information on the net appears at the same level. From an academic point of view, research via the Internet poses problems for students, who are not always able to assess the reliability of the sources they are consulting. Consultation of texts in the library, on the other hand, allows more control over the information. It makes it easier to distinguish between original and secondary sources.
Turning now to the changes that Internet has brought to administrative aspects, we have to remember that publicity, that is to say the means of spreading awareness of information, is not the same on and off the net. On the Internet, anyone can access it without limits, unless restrictions to access have been expressly placed – reserved areas, passwords and so on. There are also no temporal limits. So publication online and publication offline are, legally, two very different things. Bologna University has adopted an innovative regulation on the publication of its official acts. The time of publication is limited to three years, and the regulations also cover the means of access and the essential nature of the content that is to be published. Transparency doesn’t mean publishing everything on Internet. Let’s remember that it’s a storehouse, not a structured archive of knowledge.
You were among the first in Italy to deal with these questions. Today you are a leading international expert, with major appointments and awards. What attracted you in the first place, and how would you sum up this experience today?
I must say that, from my professional viewpoint, I always prefer not to draw up a balance of what has been done. I prefer to look ahead to the things I still have to do. I always hope to make further improvements. I can certainly say that I am satisfied with having chosen to study a branch of law that is a continual source of new stimuli.
In the first place, I was pushed by curiosity for a new aspect of law. I was also fired by a passion for technical innovation. I therefore discovered, in my specialized field, a fascinating aspect of the legal profession: creativity in law. I believe, therefore, that I have been very lucky, not least because I have always found motivation and interest for my work. Nevertheless, however satisfied I may be, I am very much aware that a lot of new challenges lie ahead.
We present here the interview with Mr Giovanni Buttarelli, European Data Protection Assistant Supervisor.
“Saving jobseekers from themselves”, is the purpose of the German draft law which will regulate the use of information concerning job applicants collected on the internet by employers. What is your opinion on restricting by law the use of personal data that can be collected online?
This is an item on the agenda of the Data Protection Supervisors and lawmakers. In Germany for example, particular attention is devoted to this issue, because the German legislation is particularly detailed and advanced regarding data protection of workers, but the problem is also increasing in other countries. As an expert appointed by the Council of Europe, I wrote the new draft of recommendations that should replace Recommendation (89) 2 about data processing in job relationships. A Recommendation of the Council of Europe is not a simple invitation, it is an act addressed to the fifty or so states of the Council, who, by voting for it, commit themselves to putting it into effect. In Italy the Council of Europe recommendations have been mentioned in the delegated law about the adoption of the D.Lgs consequent to law n.675 and even in the 2003 Code itself as directive criteria for the production of ethical behavior codes. This document of mine, accompanied by research, refers to the necessity for specific new rules regarding this point. Up to now we have worked with very general criteria of transparency and accuracy, with the obligation to inform and with the evaluation of the principle of incompatibility and purpose, but these criteria are no longer sufficient because practices may be widely varied today.
Actually, it is already illegal to access social network pages under false pretences such as, for example, delegating someone to use an account or requesting job-seeker friendship on Facebook through deceit. However, even if the employer was openly present on the social network in a transparent way, the problem would occur in any case. Social networks are used in order to socialize with a limited number of people and usually for personal reasons. Therefore, we should make this kind of evaluation, perhaps drawing a distinction between social networks used for entertainment and those used for professional relationships, such as Linked_In.
Facebook’s CEO said that privacy is no longer a social norm for new generations. Yet, in Germany the proposal of teaching how to defend personal data in schools is under consideration. Is the European Supervisor considering the opportunity of teaching privacy?
The 32nd Annual International Conference of Data Protection and Privacy Commissioners recently held in Jerusalem started off with this Facebook statement in order to overturn it and to maintain that it is totally inappropriate. Even Facebook’s attitude demonstrated the opposite of what its CEO had asserted. It was not by chance that they have recently solved several serious privacy issues and in all probability they will solve others in the coming weeks. The fact that people are enthusiastic about new communication systems does not mean that it is correct to consider privacy outdated. For the younger generations this may well be true now, but not necessarily in the future, when they will have to face the consequences of those problems related to a lack of information regarding privacy on social networks.
First of all, we should find an easy way to communicate privacy to the younger generations. Pedagogical approaches must be avoided. We should not speak over their heads, trying to teach young people how to use new technologies. Paternalism will not work at all. Thus we will have to develop a better understanding of the new languages and adapt the information on privacy to the communication devices which people ordinarily use to exercise their rights. Bureaucratic forms will never be used, a user-friendly pop-up window probably will also on smartphones. For this reason the new European Commission’s Communication on the future of European law regarding this issue, draws great attention to educating the younger generations to warning and risk but also to opportunities of having new devices which are more dynamic, functional, immediate and easier to use when exercising individual rights and deleting information, for example in the event of migration from one social network to another.
Privacy by design is considered one of the most effective systems to avoid privacy violations due to the launch of new software online. Will the new European regulation order companies to add privacy consultancy in designers’ work?
Definitely yes. The European Commission’s Communication which was published in all EU languages on the 4th of November, announces the commitment of the Commission to insert privacy by design in the principles of the new discipline.
It is currently under discussion whether to consider it an independent principle or a notion that can be translated later into different practices.
What is certain is that this principle should help us to face problems from the beginning of every project in order to avoid the difficulty of developing data protection systems subsequently, when all the choices have already been made. It is therefore necessary to have technological support to solve problems of privacy, not only through privacy-oriented software but also through the creation of devices which will automatically fulfill privacy requirements, such as the erasure of data by overwriting, or setting of alerts which would allow people to know when further data use is incompatible with the original purposes, or, in addition, something that would prevent search engines from making a personal profile based on a data collection concealed from the user.
Geolocalization through GPS devices is the cause of a recent alert about privacy online. However, IP addresses have always contained localization information. Will the next European regulation specifically consider this point?
There is already an advanced regulation regarding this issue. Directive 2002/58, recently reviewed by the e-privacy Directive which must be acknowledged by Member States before May 2011, touches on these points and with all probability it will not be modified by the new European regulation. So, it will be a pillar for several years to come.
Today, the regulation already requires the approval of the userdata subject, who should be adequately informed, and the possibility of terminating a value-added service involving geolocalization. The issue is also being approaching with an eye to the retention of this kind of data in the so-called data-retention Directive. Today, for police and justice purposes, recorded data is stored for one or two years (depending on whether the data source is the telephone or telematic), which can lead to a possible excess of filing of personal communication activities.
It should also be considered that geolocalization is today mainly controlled through telephone systems, but in the near future, thanks to intelligent transport, it will operate independently of mobile telecommunication systems and will be used in the field of vehicular traffic for services such as toll payments, city centre access and safety systems. For instance, we will be able to use these devices for sending alarm messages in case of an accident. Therefore, we will once again need to have a balance between the benefits of innovative systems and the guarantee that our data will only be used on one off basis and will not be stored. In any case, it should only be used for the specific purposes of the services and not for marketing or filing.
The subject of company accountability was one of the most important topics discussed at The 32nd Annual International Conference of Data Protection and Privacy Commissioners in Israel. How will this issue be integrated into the new European regulation?
Not as a new principle, nor as an extra cost for public bodies and for the private sector. It will, however, help to give a sense of responsibility to data controllers and it will have an influence on the Data protection Authorities themselves, who will have to be more selective and must not be entirely responsible for enforcement. Our approach is to maintain the principles we have followed since 1995, while making them more dynamic and suitable for new technologies. The main point is to do things in a more responsible way; data controllers should not consider these principles as something to comply with only when there is a problem, a complaint or an appeal. They should consider their duties as something to be put into practice on a day-to-day basis. They should take on the responsibility of transforming into internal procedure everything which is necessary to adhere to the principles of law, which would mean redistributing roles and tasks, creating an internal policy and in case of appeal, complaint or inspection by the authorities, they should instantly be able to demonstrate they have been adhering to these principles. So, we will no longer have a situation in which data controllers choose not to fulfill their privacy obligations and run the risk of incurring fines, thinking that an inspection may never arrive. Instead we will have a new scenario in which the data custodian controller is conscious that protection of privacy is a daily obligation. An obligation which, if not correctly carried out, may lead data controller to face serious legal consequences. Therefore, this is something both new and not new at the same time.
[ Please note that the acronyms of the Italian legislative documents have been left in their original form.
D. Lgs. may be translated as Legislative Decree].