The Privacy Shield agreement, which regulates cross-border flows of personal data between the European Union and the United States and which recently replaced the previous Safe Harbor agreement, is once again under discussion.
Only a few months after the text came into force, the European Court of Justice has been called upon to decide on the adequacy of the level of protection guaranteed by the Privacy Shield agreement.
A number of companies working in the digital sector and performing the transfer of personal data abroad (among which the by now well known Digital Rights Ireland Ltd.) argue that the Privacy Shield agreement does not offer an adequate level of protection, contrary to what was deemed to be the case by the European Commission, which on the 12th July 2016 implemented the adequacy decision, making legitimate the transfer of data towards the United States and those American organizations endorsing the new agreement.
In particular, the claimants maintain that the EU-US Privacy Shield does not fully implement the principles and rights regarding personal data protection laid down in Directive 95/46/EC (which will be repealed from 2018 by the recent Regulation (EU) 2016/679) and consequently does not adequately safeguard the rights of European citizens. The appeals also argue that the agreement does not rule out indiscriminate access to electronic communications by foreign authorities, in violation of the right to privacy, the right to the protection of personal data and the freedom of expression set out in the Charter of Fundamental Rights of the European Union.
For the above reasons the said companies challenged the Commission’s adequacy decision under art. 263 TFEU, which grants interested parties the right to bring an action against the Commission’s acts and obtain their annulment within two months of their entry into force or their publication.
It is worth recalling that the Article 29 Working Party had already expressed its concerns regarding certain aspects of the agreement, which had not been modified despite repeated requests for review. Immediately after the adoption of the Privacy Shield agreement, in a statement of 26th July 2016, the group of European DPAs underlined that no concrete safeguards against the general collection of data had been provided and that the independence of the role and powers of important redress bodies (such as the Ombudsperson) had not been guaranteed.
As a consequence, the new system does not seem to have established a climate of certainty regarding the legal framework governing cross-border data flows to the United States, a country which has clearly not yet gained the trust of European operators. The decision of the Court of Justice is now awaited: it may find the appeals inadmissible for lack of standing or unfounded on the merits, or it may uphold them.
The Italian Supreme Court has ruled that the Istituto Poligrafico e Zecca dello Stato (the State Institute of Printing and Minting) unlawfully monitored its employees’ web browsing data, emails and phone calls, in violation of a number of provisions of the Statuto dei Lavoratori (Workers’ Statute of Rights, L. 300 of 1970).
With its decision of 19th September 2016, n. 18302, the Court of Cassation held that storing employees’ emails, phone calls and web browsing data on the company server without first following the authorization procedure provided for by the Workers’ Statute of Rights and the Code for the Protection of Personal Data was unlawful.
The facts on which the decision is based are as follows: in 2011 the Italian Data Protection Supervisor had found, in a provision addressed to the Institute, that the Internet service provided by the Istituto Poligrafico e Zecca dello Stato for its own employees not only blocked access to websites unrelated to work activity, but also logged every access, or attempted access, to any website, thus allowing the reconstruction of each worker’s browsing activity. In addition, the employees’ browsing data were retained on the system for periods ranging from six months to a year.
The Supervisor had also found unlawful the storage of employees’ sent and received emails on the company’s server, which gave the system administrators full access to them without any specific privacy notice having been provided on the matter.
It had also been pointed out that the State Institute of Printing and Minting implemented a method of telephone traffic monitoring through the VoIP system which also in this case allowed the recording and prolonged storage of traffic data without providing any adequate privacy information for its employees.
Therefore, the Supervisor had considered that the activity of the State Institute of Printing and Minting violated arts. 4 and 8 of the Workers’ Statute of Rights (L. n. 300 of 1970), as it made possible the disclosure of employees’ sensitive data without their prior consent (and consequently also violated arts. 11, 113 and 114 of the Code for the Protection of Personal Data). The provision therefore prohibited the Institute from storing and categorizing employees’ web browsing data, emails and phone calls, and obliged it to inform those involved about the ways in which their personal data were processed. The Supervisor had also required that the identities of the system administrators authorized to access the company’s databases be made public (and therefore known to the company’s employees) and that all accesses made by the administrators be fully logged and disclosed.
In 2011 the Court of Rome rejected the appeal by the State Institute of Printing and Minting against the Supervisor’s provision, clarifying that, as provided for by art. 4 of the Workers’ Statute of Rights, employers are only allowed to use monitoring systems for requirements of organisation and production in agreement with the trade unions or in compliance with legal obligations, whereas the use of such systems is prohibited if it is carried out for monitoring the activity of employees. With reference to other previous decisions, the Court pointed out that the necessity to protect the company (and its activity) cannot legitimise suppressing fundamental employee rights such as the right to privacy.
Consequently, the State Institute of Printing and Minting appealed against the decision to the Supreme Court, maintaining that those controls not directed at work activities but rather at other employee conduct in the workplace, which might expose the business assets of the company to serious danger and which might be potentially harmful for third parties, with consequent liability on the part of the employer, fall entirely outside the scope of application of the provisions of the Workers’ Statute of Rights. This risk is all the more significant in that the Institute carries out public interest activities such as the printing of the Gazzetta Ufficiale (Italian Official Journal) and of the Raccolta ufficiale degli atti normativi della Repubblica italiana (the Official Compendium of Legislative Acts of the Italian Republic), the production of personal identification documents, security and anti-counterfeiting systems, legal tender and so on.
However the Court of Cassation considered that the significance of the public role entrusted to the State Institute of Printing and Minting does not justify violation of the current legislation, which aims to protect guarantees for constitutionally recognised workers’ rights. To this effect, the Judge emphasised the second paragraph of art. 4, which provides that monitoring systems required for organizational reasons or for safety in the workplace, but which also allow the distance monitoring of employee activity, may only be installed with the prior agreement of company trade union representatives or, in their absence, of the shop stewards’ committee. In the absence of an agreement and at the request of the employer, the Ispettorato del lavoro (the Labour Inspectorate) mediates, setting out where necessary the procedure for the use of such systems.
Therefore, rejecting the appeal and confirming the observations of the Court of Rome’s decision, the Court of Cassation underlined the necessity to strike a balance between the employer’s rights, in particular the right to conduct business and to protect the company’s business assets, and the protection of worker rights, first and foremost the right to privacy.
On the 14th of April 2016, more than four years after the European Commission proposal, the European Parliament approved at second reading the Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
The incessant technological progress of the last few years, the product of an information society that has become increasingly intrusive in people’s private lives, had on the one hand highlighted the inadequacy of the European data protection legislation, Directive 95/46/EC, formulated in the first stages of the digital revolution, and on the other underlined the regulatory fragmentation that the implementation of the Directive had caused across the Member States. The Regulation thus meets the long-awaited need to reform the legislation on personal data protection, extending the rights of data subjects compared to those provided by the Directive and aligning the different legislations of the Member States, as a means also of strengthening the internal European market. In that sense the European legislator’s choice of a Regulation is significant: in contrast with a Directive, it requires no acts of transposition, as it applies directly and identically in each Member State.
Among the most significant provisions introduced by the Regulation, of particular relevance is the new territorial scope of application under art. 3. Directive 95/46/EC previously applied, through the national legislations, when personal data were processed in the context of the activities of a data controller’s establishment physically present in the European Union. The fundamental criterion for defining the scope of the Directive was therefore the physical location in which the data were processed. Today this criterion seems to have been overturned by art. 3, paragraph 1 of the Regulation, which applies the act “regardless of whether the processing takes place in the Union or not”. Over the last two years, from the Google Spain ruling to the recent Schrems decision, the settled orientation of the European Court of Justice’s case-law had already shown a trend towards a less restrictive interpretation of this criterion.
In fact, the will has also emerged to extend European legislation to cases in which the data controllers are non-European subjects and the data are mainly processed outside Europe. Art. 3 of the Regulation now seems, in a certain sense, to have codified the Court’s broadened interpretation by providing multiple connecting criteria that bring within the scope of the Regulation cases of data processing which previously had been difficult to include. The Regulation applies not only to data processing performed in the context of the activities of a data controller’s establishment within the Union, but also to that of a data processor’s establishment. Moreover, it applies when the processing activities relate to the offering of goods or services, even free of charge, to data subjects within the European Union, or to the monitoring of such data subjects’ behaviour, even if the controllers or processors are not established in the European Union.
The reform introduces various innovations, among which a new range of rights for data subjects (for example the right to be forgotten and the right to data portability), greater responsibilities for the subjects involved in the processing of personal data (in particular the obligation for data controllers to carry out data protection impact assessments and to notify data breaches), new safeguards for the transfer of data abroad, and the confirmation of two figures: the Data Protection Officer and the Supervisory Authority.
With regard to coordination with the European legislation (the Regulation will be applicable after a two year period from the date of entry into force), the Italian legislator will have to choose which of the two alternative routes to follow: either the direct application of the Regulation, which would imply the abrogation of all national provisions incompatible with the European legislation, or the integration of the current Italian Personal Data Code, despite the inevitable risks of erroneous transpositions or misinterpretations of the European provisions.
It is unnecessary to resort to an international rogatory in order to intercept chats on the BlackBerry mobile system, nor is it necessary to use seizure measures.
This is what the Third Criminal Division of the Italian Supreme Court (ruling no. 50452/15) established with its appeal judgment issued in relation to the appeal on the part of certain defendants who had been placed under preventive detention by the Court of Rome due to their being implicated in drug trafficking.
The detention order was founded on various evidence, including chats on BlackBerry mobile systems, which related to importing a 10 kilo consignment of cocaine to Italy.
The defendants subject to this interception brought the question before the Italian Supreme Court, claiming that the intercepted chats could not be considered as evidence, since they had taken place on BlackBerry’s mobile systems, whose head office is in Canada. Therefore, in their opinion, an international rogatory would have been required in order to lawfully acquire the content of the chats. Moreover, according to the defence, conversations in a chat could not be considered “phone conversations”, as they are in fact a stream of computer data. On these grounds a seizure of computer data (under art. 254bis of the Italian Criminal Procedure Code) should have been carried out rather than an interception.
In response to the first point, the Supreme Court asserted that it is a well-established principle that international phone calls routed to a specific Italian telephone “junction” should not be subject to international rogatory as all activity involving reception and recording takes place on Italian territory. This principle was also correctly applied by the Collegio di Cautela* in relation to the use of Blackberry chats. In this regard, the Supreme Court emphasized that computer interceptions had been correctly carried out on PIN codes, while the subsequent request to the Canadian company regarding ID data associated with the intercepted PIN codes had related to data that do not enjoy special protection.
Consequently, the Supreme Court considered it irrelevant that BlackBerry was Canadian, as the communications in question took place in Italy because they were routed over an ICT platform located in Italy.
Likewise, the Court considered unfounded the objection regarding the failure to carry out a seizure of the computer data. The judgment clarifies that seizing IT documents or IT devices, even if held by Internet service providers, excludes per se the concept of “communication”. Seizure is specifically required when documents must be acquired for evidentiary purposes, by inspecting the data contained in those documents. The Supreme Court asserted that “with regard to the use of chats on the BlackBerry system, it is correct to acquire the contents by means of interception under art. 266bis c.p.p. et seq., as online conversations, even if not simultaneous, constitute a flow of communication”.
Although the Court upheld the defendants’ appeal on the basis of considerations that go beyond the analysis of this post, the Court rejected the abovementioned specific technical objections, pointing out that: “even the most careful interpretation of the delicate relationship between the computer interception system and new technologies has observed that tapping BlackBerry chats takes place by using traditional systems, i.e. monitoring a phone’s PIN (or IMEI), which is uniquely associated with a nickname, underlining how tapping is managed at a technical level at the company’s Italian head office”.
The text of the Supreme Court judgment is available HERE.
*Second-instance Court empowered to hear appeals of decisions on preventive measures
We present here an interview published in December 2015 in the CINECA Consortium Magazine.
Do the legal principles covering the Net derive from general legal principles or from made-to-measure laws?
The general legal principles are always the same, of course. There would be no sense in trying to find a made-to-measure solution and a made-to-measure law for each specific problem, without due consideration for the overlying framework. It’s not always true, therefore, that, in order to regulate new technologies, new laws have to be made.
We need to get away, too, from the common idea that technology runs ahead while the law limps along behind. The reality is quite different. Take the laws on electronic signatures, for example. In Italy, the law arrived ahead of technology and even ahead of the need.
The principle has recently been affirmed according to which the law should be technologically neutral. On the basis of this principle, the legislator should not condition the market by favouring one technology over another, nor should he condition the development of technology. This approach is “functional” in the sense that it regulates, not the object, but the function. We must avoid constraining any specific form of technological or commercial development. Rather, we need to set out general principles that will remain unvaried for a certain period of time, and will not be constrained by changing technologies.
Apart from the electronic signature, another emblematic case is that of laws for the protection of consumers over remote sales contracts. What is involved, clearly, is a way of selling, not a specific technology. As far as the law is concerned, therefore, it is not important to make a distinction between purchases made using, for example, an App, or those made through a traditional website.
Speaking of users’ rights, the privacy and copyright laws are well known, but people are also invoking the right to be forgotten. What is this about?
The right to be forgotten is not a right in itself but it is nevertheless a restatement of other rights that are recognized by the law. Traditionally, the right to be forgotten describes a person’s right not to have republished information, even if it was legitimately published at the time, relating to events that happened a considerable length of time ago.
On the Internet, obviously, the time involved is not that between publication and republication of the information, but the time that has elapsed since the item was published. The time factor regards not just news items, but events which took place a long time ago, though this fact is not evident because no time context is given. In these cases, jurisprudence has suggested there may be an infringement of an individual’s right to his or her personal identity.
The problem is to ensure that the proper weight is given to the information, in order to avoid the person’s identity being distorted by the Net. As we saw from a decision by the Supreme Court, no. 5525 of 5 April 2012, this goal can be achieved by placing the information in context. It is not a right to be forgotten, then, but a right to a proper context.
The underlying theme, but one that emerges strongly, is that of the protection of an individual’s identity, in all its multiple forms.
What is at issue, then, is not the question of a specific news item about a specific individual and a specific event that can be retrieved through Google, but the protection of a person’s identity in the Internet, which is often perceived as a sole archive. It is not a sole archive, but it is a major source of information and sometimes the only one accessible.
“The Law in the Net”, but also “The Net in the Law”: how has Internet affected or modified the principles of “Jus Commune”?
Generally speaking, the principles of “Jus Commune” remain as before, but it cannot be denied that the advent of new technologies has brought fresh challenges for legal scholars.
What we have said about the right to be forgotten is a good example. In the real, physical world, the key element of this is the concept of “republication”. With the Internet, on the other hand, the issue is the time the information stays available. Here it is not a question of drawing public attention back to a past event. The point is that, potentially, the past event has always remained there. So in this case the need that the law has to satisfy is a different one. It is no longer a question of republishing or not, it is a question of how a publication, that was maybe made quite legitimately many years earlier, is to be presented now.
A Net without borders: how have international regulations been affected by Internet?
The same general considerations apply. It is clear that the advent of Internet has drawn international attention to the need to regulate certain situations. I am thinking first of all of regulations aimed at encouraging the use of Internet as a trading tool and, as a consequence, the regulations set up for the protection of consumers.
A separate chapter belongs to the international conventions created to facilitate cooperation between the forces of law and order in relation to crimes committed via computer systems. I am thinking, for example, of the Budapest Convention of the Council of Europe of 23 November 2001 on cybercrime.
Which judge has jurisdiction over disputes in Internet?
It depends on the nature of the dispute. The same procedural rules apply as in the real, physical world. The problem with internet is that the proper jurisdiction is not always easy to identify.
You are a teacher at Bologna University. How, in your opinion, has Internet revolutionized the world of the university? Is it simply a question of having new tools available for the administration and for the students, or is there more to it than that? Has there been a change of mentality, for example?
There are pros and cons to using Internet, in the university world like any other. Clearly, immediate access to a wider range of information has speeded up research processes. There is wider access to study texts. But it has to be said that the information stored on the Internet is disorderly. All the information on the net appears at the same level. From an academic point of view, research via the Internet poses problems for students, who are not always able to assess the reliability of the sources they are consulting. Consultation of texts in the library, on the other hand, allows more control over the information. It makes it easier to distinguish between original and secondary sources.
Turning now to the changes that Internet has brought to administrative aspects, we have to remember that publicity, that is to say the means of spreading awareness of information, is not the same on and off the net. On the Internet, anyone can access it without limits, unless restrictions to access have been expressly placed – reserved areas, passwords and so on. There are also no temporal limits. So publication online and publication offline are, legally, two very different things. Bologna University has adopted an innovative regulation on the publication of its official acts. The time of publication is limited to three years, and the regulations also cover the means of access and the essential nature of the content that is to be published. Transparency doesn’t mean publishing everything on Internet. Let’s remember that it’s a storehouse, not a structured archive of knowledge.
You were among the first in Italy to deal with these questions. Today you are a leading international expert, with major appointments and awards. What attracted you in the first place, and how would you sum up this experience today?
I must say that, from my professional viewpoint, I always prefer not to draw up a balance of what has been done. I prefer to look ahead to the things I still have to do. I always hope to make further improvements. I can certainly say that I am satisfied with having chosen to study a branch of law that is a continual source of new stimuli.
In the first place, I was pushed by curiosity for a new aspect of law. I was also fired by a passion for technical innovation. I therefore discovered, in my specialized field, a fascinating aspect of the legal profession: creativity in law. I believe, therefore, that I have been very lucky, not least because I have always found motivation and interest for my work. Nevertheless, however satisfied I may be, I am very much aware that a lot of new challenges lie ahead.
This conference is one of the biggest fora for international lawyers of the Asia Region and about 300 lawyers from all over the world will be participating.
The theme of this year’s biennial conference is “International Law and the Changing Economic & Political Landscape in Asia”. The conference aims to reflect the various recent political and economic developments in the Asian region that call for reappraisals, reconsiderations, new legal dimensions and profound understanding.
The Electronic Transactions Development Agency of Thailand is the host of a session panel dedicated to Privacy issues which will be held Thursday, 26 November 2015. Giusella Finocchiaro will attend the Discussion panel as speaker. For more information please visit the Asian Society of International Law website.
The recent “Facebook” decision by the European Court of Justice can be interpreted from two different perspectives, which are not (however) mutually exclusive. The first interpretation is of a legal-technical nature, while the second is political.
Let us start with the first. The facts are known, as are the conclusions. The United States is not considered to be a country that guarantees an adequate level of protection within the meaning of the Directive on personal data protection, Directive 95/46.
The path is outlined in art. 25 of the Directive, which is quoted below for convenience and clarity, in order to better understand the past (the decision) and the future (the directions currently open).
“1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer, may only take place if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.
2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.
3. The Member States and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection within the meaning of paragraph 2.
4. Where the Commission finds, under the procedure provided for in Article 31 (2), that a third country does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question.
5. At the appropriate time, the Commission shall enter into negotiations with a view to remedying the situation resulting from the finding made pursuant to paragraph 4.
6. The Commission may find, in accordance with the procedure referred to in Article 31 (2), that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals.
Member States shall take the measures necessary to comply with the Commission’s decision”.
In the past the Commission had deemed the level of protection afforded by the Safe Harbour framework to be adequate, but with this decision the Court disagrees and invalidates the Safe Harbour decision.
This does not imply, however, that the transfer of personal data to the United States can no longer take place. It can take place on the basis of the express consent of the data subject or on the basis of Binding Corporate Rules. Therefore either the data subject may consent to the transfer, or the data controller may adopt management rules approved by the Data Protection Authority that allow the transfer.
So, what is the difference then? The difference is that it will no longer be possible to rely on the Safe Harbour framework, i.e. to transfer data to the United States without consent or without pre-approved rules on the assumption that the data are protected in the United States in the same way as they are in Europe.
From a strictly legal-applicative point of view all comment ends here. Undoubtedly, there will be higher management costs for those who transfer data from Europe to the United States, but there will certainly be no ban.
On the other hand, the political interpretation of the decision which follows roughly a year after the Google Spain case is far more problematic. As mentioned above, in the Court’s opinion, the United States does not provide an adequate level of data protection.
Essentially the Court states that the level of protection of personal data is higher in Europe and that it is the European law which should be applied to European subjects’ personal data (apologies for this simplification, obviously the decision refers to data transfer from Europe under certain conditions). Similar assertions can be found in the Google Spain decision.
The Court anticipates the contents of art. 3 of the forthcoming European regulation for the protection of personal data with another decision which is also political. Then again, personal data protection has constitutional significance in Europe (article 8 of the Charter of Fundamental Rights), but not in the USA. This obviously reflects a different scale of values in two regions of the world, albeit very similar to each other if compared to the Asian region. This of course has a cost, which big players such as Google and Facebook can much more easily afford than small ones. And it underlines that Europe and the United States have not (yet) reached a political agreement on the question.