Editorial Director: Giusella Finocchiaro
Web Content Manager: Giulia Giapponesi

posted by admin on November 15, 2017

Accountability, Privacy


The following is an analysis of a proposal for a regulation “for a framework on the free flow of non-personal data in the European Union”.

The objective of the regulation is the liberalisation of data flows. It is worth noting that this liberalisation suffers from two intrinsic limitations in the proposal: on the one hand it only refers to non-personal data, which, for clear reasons of consistency, are defined as “data other than those defined in art. 4, Regulation EU 2016/679”; and on the other hand it solely pertains to the movement of data within the European Union borders, whereas it in no way affects the exchange of data outside the Union.

The Commission identifies two main obstacles to businesses and public administrations having full freedom to choose the location where they store and manage their data.

The first obstacle is represented by the unjustified restrictions on data localisation imposed by public authorities in Member States. Over the years, the reasons which have moved Member States to impose the mandatory local storage of data on national businesses and public administrations include maintaining higher levels of security and facilitating monitoring by national authorities. Examples include the storage requirements for financial statements and accounting data provided for in Germany, Denmark, Belgium and other northern European countries, which require that such data be filed within national borders. In the same way, in countries such as Bulgaria, Poland and Romania data localisation requirements are imposed on gaming winnings and user transactions: in Bulgaria, for example, an applicant for a gaming licence must ensure that all data related to operations in Bulgaria is retained on a server located within the country. In addition, even when no specific territorial restriction is in place, business practice and common sense have in any case led in the direction of favouring localised data storage, turning down alternative cross-border offers.

The second obstacle to data liberalisation derives from private market limitations, which prevent data portability across IT systems by means of so-called vendor lock-in (aka proprietary lock-in or customer lock-in) practices. This widespread business phenomenon (e.g. Microsoft, Apple, Google, Nvidia, even hotels!) has its origin in providers wanting to create a condition of artificial dependence, which makes customers virtually totally dependent on them for the goods or services they provide. Customers are put in such a position that they cannot purchase goods or services from a competitor without incurring both the substantial costs and the cumbersome organisational difficulties involved in switching to a new provider. Providers implement this sort of “forced loyalty” both by adopting technologies or standards that differ from those used by competitors and by including contractual conditions which are particularly penalising in case of a switch.

Thus, in order to curb the spread of such practices and arrangements, the Commission's proposal tackles these problems along four lines of action.

Firstly, the proposal introduces a general principle of free circulation of data among Member States which allows businesses free choice of where to process or store their data. Legally provided restrictions will have to be carefully scrutinised and will only be legitimate in cases where public and/or national security are at stake.

Secondly, with the intention of reassuring national legislators, the proposal guarantees that the competent authorities (of each Member State) will have access to data stored or processed in another Member State on the same conditions of access guaranteed nationally.

Thirdly, the proposal encourages the elaboration of self-regulatory codes of conduct which would smooth portability conditions and therefore, for example, switches between cloud service providers. The aim is also that of building a sort of “right to data portability” for non-personal data, in the same way as that provided for by the privacy Regulation for personal data. The need is to make sure that customers’ freedom of choice exists not only at the start of a contractual relationship, but that it is maintained and made technically possible for the entire duration of the relationship.

Lastly, the proposal establishes a central point of contact for each Member State, in order to guarantee the successful application of the new rules on the free flow of non-personal data.

In conclusion, there is no doubt that the regulation proposal is aimed first and foremost at businesses and public administrations, with significantly lower impact on individual citizens. However, if it is seen in the light of and in coordination with the European data framework, the proposal takes on much more general relevance. In fact, thanks to this new formulation, a number of the principles contained in the privacy Regulation, such as those regarding free data circulation and data portability, would be strengthened as a result of an extension of their scope of application.


posted by Giusella Finocchiaro on October 17, 2017

Privacy


Here is the article by Giusella Finocchiaro and Laura Greco, published in Agenda Digitale on 1st September 2017.

Much has already been said on the new data protection requirements introduced by Regulation (EU) 2016/679 of the European Parliament and the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation) (and coming into full force from 25th May 2018).

At first reading, the stringent and precautionary nature of the new legislation was already evident, being characterised by an approach based on the risk assessment of data processing and the accountability of the processing subjects.

As confirmation, it is enough to look at the considerable number of obligations the Regulation imposes on data controllers and processors. Compliance with the Regulation aims in particular to organise the entire data processing procedure on the principles of privacy by design and by default, with the objective of ensuring that both technological and organisational security measures are adequate to the risks to which data are exposed during processing.

Among the obligations directed at measuring the risks relating to processing activities, one stands out for its relevance and challenging nature, namely the so-called Data Protection Impact Assessment (DPIA), a preventive measure that obliges controllers to verify whether processing might expose personal data to a high risk, taking into consideration the specific characteristics of the processing involved: its nature, scope, context and purposes, as well as the use of new technologies. Although recommended for all types of processing, the DPIA is mandatory only where the processing is likely to result in a high risk, in particular in the cases specifically indicated in the Regulation, in the lists drawn up by supervisory authorities, or in the legislation of Member States.

One particular field in which the DPIA appears not only suitable but essential for data controllers is the workplace. Data processing carried out in a work environment does in fact seem to fall under the heading of systematic monitoring of vulnerable data subjects.

The term “vulnerable” is not used at random. The Article 29 Working Party uses this term to describe employees in its “Guidelines on Data Protection Impact Assessment (DPIA)” adopted on 4th April 2017, where the work environment is considered a risk for the rights of data subjects, taking into account the imbalance of bargaining power in favour of the data controller. The Working Party, which had already given indications in the past with regard to the rights of employees in the field of data protection (see opinion 8/2001, WP48, and working document WP55 of 2002), dedicates its recent opinion 2/2017 to data processing in the work environment.

In this document the Group of European DPAs updated its considerations on the subject matter in light of the new provisions and in particular, of the new obligations introduced by the Regulation.

Confirming that data processing in the work environment must necessarily comply with the principles of transparency, necessity and minimisation, the Group underlines that consent cannot be regarded as a safe and reliable legal basis, since workers cannot consider themselves completely free to give or refuse consent to data processing because of the contractual relationship that binds them to their employer. Hence, in the Group’s opinion, other legal bases are preferable, such as the performance of the employment contract, the controller-employer’s compliance with a legal obligation, or its legitimate interest.

However, identifying the conditions which make data processing legal is not sufficient where employee monitoring is concerned: there is the need for a clear, understandable and comprehensive policy – the Group confirms – which keeps employees fully informed of monitoring activities and their related purposes.

And it is right here, between the pillars of lawfulness of data processing and transparency, that the DPIA fits in: a risk-based safeguard which weighs the employer’s legitimate interest, and the technologies used to pursue it, against employees’ rights to privacy and to the secrecy of their communications, in a proportionality test. According to the Working Party, the introduction of any technology designed to monitor and control workers should be preceded by a DPIA in order to verify whether the data processing (and the ways in which it is carried out) is commensurate with the risk the employer must face.

Following a theoretical presentation of the framework of the Regulation, its fundamental principles and innovations, the Group of DPAs closely examines a series of data processing scenarios that may occur in an organisation’s routine procedures, with particular reference to the use of new technologies. The Group focuses in particular on those technologies that permit the monitoring of employees not only at their workplace but also at their homes and, more generally, in their private lives. This happens for example where BYOD (Bring Your Own Device) policies are adopted, which allow workers to use their own personal devices for work purposes. The mixed use of such devices creates the risk of processing information that falls outside the work sphere. Therefore, in order to avoid such an eventuality, the Group recommends adopting appropriate measures which make it possible to distinguish work use of the device from private use.

Finally, in outlining the protection afforded to workers, the European DPAs not only take into account the advanced technological context but also the business world: processing carried out by a business group based in different Member States may mean the transfer of employee data to third countries. In such cases – as well as in the case of the use of applications and cloud-based services that imply a cross-border flow of personal data – data transfer will be legal on condition that the third country data importer assures an adequate level of data protection.

To summarise: legality, transparency, proportionality, balancing of interests, minimisation. These are the key words (and the pillars) of data processing in the work environment.

In addition, it is worth keeping in mind that art. 88, paragraph 1 of the Regulation provides that Member States may “by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context”. This leads to a further reflection on the adequacy of the modifications made to law no. 300 of 20th May 1970 (the “Workers’ Statute”) by the recent Jobs Act reform. It therefore needs to be evaluated whether the new provisions are in fact sufficient in light of the Working Party's recommendations and the scenarios it envisions, or whether further action by the Italian legislator will be necessary.


posted by admin on October 2, 2017

Privacy, Right to oblivion


Time is not the only element to consider when examining cases concerning the right to be forgotten: the public role of the parties involved and the current relevance of the news itself are also important factors that need to be taken into account.

Although the time elapsed since the facts reported in the press is the most important element in evaluating whether a “right to be forgotten” request will succeed, in a recent decision the Italian DPA has pointed out that other circumstances also need to be evaluated.

The decision concerns the complaint made by a high-ranking public official who had requested Google to remove certain search results obtained by typing in his name. The point in question was a link to articles reporting news of a court case dating back 16 years, which had ended with the conviction of the official, who had then been fully cleared in the course of the following years. One of the articles whose removal had been requested had been published at the time of the facts, while other, more recent ones had picked up the story again at the time of the public official’s appointment to an important new post.

The Italian DPA stated that in evaluating a case involving the right to be forgotten it is necessary to take into account all search results found by typing in the first name and second name of the data subject concerned, which are also associated with other descriptive terms, such as the office held or the circumstances of the conviction.

This is an interpretation in line with the widely known decision by the European Court of Justice of 13th May 2014, known as “Google Spain”, in which the judges ruled that the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.

According to the ruling, all URLs reachable through a search “starting from the name” must be considered, without excluding the possibility that other descriptive terms may be combined with the name in order to obtain more specific results.

Once this important point had been clarified, the DPA ordered Google to de-index the URL with the single direct link to the only article carrying the news of the complainant’s criminal conviction. The DPA considered that, due to the time elapsed and the fact that the complainant’s name had been cleared, the news was no longer of current relevance.

Conversely, with regard to the other articles indicated by the applicant, the DPA recognised that, although referring to the same court case, these “contain the story in a broader context of information, in which other information is also provided”, which is connected to the public role held by the interested party and that those results were without doubt of public interest “in addition due to the role in public life held by the applicant”. Therefore, with regard to the request for their removal, the DPA dismissed the complaint as unfounded.


posted by admin on September 15, 2017

Privacy


On July 18th, Quotidiano Nazionale, the Italian daily newspaper that groups together three other dailies, Il Resto del Carlino, Il Giorno and La Nazione, published an analysis by Professor Giusella Finocchiaro of the legal implications relating to the unauthorised online publication of photographs taken from an email box.

It is neither possible nor right to comment on the technical and legal aspects of a judgment whose reasons are not yet known and which will only be filed within the next 90 days. That is why we must wait. We have read that the Court of Milan has acquitted three bloggers accused by the Public Prosecutor of stealing photographs of George Clooney and Elisabetta Canalis’s party from the email account of one of the party’s guests. But we have no further details. The charges were unauthorised access to an IT system, illegal interception of communications and violation of correspondence. From the first press leaks we read that, on the one hand, the judge appears to have opted for acquittal partly because the charge was unfounded and, on the other hand, has deemed the conduct of the accused to constitute the less serious offence of disclosure of other parties’ correspondence, consequently acquitting them since, in the absence of a formal complaint from the aggrieved parties, that offence would not have been prosecutable.

So, at least in part, essentially technical reasons. We also have no knowledge of the evidence produced in court, and the presentation of electronic evidence at trial is still ground to be fully explored. A general consideration does, of course, need to be made: the Internet is not the Wild West, and all the rules, including procedural rules, are also valid online. The same rules that apply outside the Web also apply on the Web, with the difficulties that this at times entails (we need only recall the case of Tiziana Cantone). So, if the judges have decided on acquittal, we can be in no doubt that there is appropriate legal reasoning. But certainly the unauthorised distribution of photographs, or a violation of correspondence, once satisfactorily proven during the proceedings, is illegal both on and outside the Internet.


posted by admin on June 15, 2017

Privacy


The Article 29 Working Party of the European Data Protection Authorities (DPAs) has published a report on the consultations held within the Working Party on critical aspects of the Privacy Regulation, in particular the concept of “consent”, data breach notification obligations and profiling.

As we know, European Regulation 2016/679 on the processing of personal data, which has been in force since 24th May 2016, will take full effect from 25th May 2018. So, with the aim of preparing promptly for the implementation of the GDPR, the Article 29 Working Party has organised a number of Fablab workshops with the objective of opening up dialogue with representatives of European industry, civil society, relevant associations and the academic world. More than 90 participants took part in the last Fablab session, which took place on April 5th and 6th in Brussels, where they discussed the priority issues of the European Regulation with the European DPAs.

With regard to the subject of “consent”, which is one of the legal bases for the processing of personal data, it emerged from the workshop that in certain cases the definition of “consent” contained in the Regulation might not in fact be a reliable basis for the use of personal data. Specific concerns were raised about the processing of the personal data of minors, since there is currently no way either to verify the exact age of individuals who give their consent online, or to confirm the identity of persons who declare online that they hold parental responsibility.

With regard to consent for the processing of personal data for scientific research purposes, uncertainty was expressed about the secondary use of these data.

Participants also expressed uncertainty about the possibility of the withdrawal of already given consent and the possible consequences faced by those who refuse to grant it. Specific concerns were expressed about the situations in which those individuals who do not give their consent are not able to avail themselves of a particular service.

Further concerns were raised about data breach notifications. Participants asked for greater flexibility on the contents of notifications, given the reputational damage that companies which are victims of such attacks might suffer. They also asked for greater clarity both about the methods of notification and about the recipients of the notification in cases concerning data subjects from different Member States: is notification required to be given to the authorities of each Member State involved?

In addition, the workshop participants discussed the question of profiling as a particular form of processing of personal data. There are numerous types of profiling, which differ from sector to sector and cannot be subject to the same provisions. For this reason, specific guidelines for each type of profiling have been requested. The guidelines will also have to take into account the different objectives for which profiling is carried out. On this subject, doubts have been expressed about whether there should be limitations on the types of data that can be used, in particular regarding the personal data of minors. Participants also objected that there is no clear distinction between profiling processes based on human intervention and those which are completely automated.

The complete meeting report is available on the European Commission webpage dedicated to WP29.


In a piece published on the 15th April 2017 in the Quotidiano Nazionale (a daily which features articles from three Italian newspapers, Il Resto del Carlino, Il Giorno and La Nazione), Giusella Finocchiaro offered her thoughts on data protection and minors.

“Can children and adolescents sign up to Facebook or other social network accounts?

If being of age is a legal requirement for concluding a contract, then, why should it not be the case for signing up to a social network account? What is the age required for giving valid consent to the processing of personal data? Under Facebook regulations it is 13 years of age and under Italian law it is 18.

Then, why are so many Italian children and adolescents signed up to social networks? The answer is simple: according to the majority of subscription contracts, it is not Italian law which is applicable but the law governing the social network, which means, in the case of Facebook, the law of the United States of America and of the State of California.

Which law takes precedence? This is the most classical legal problem on the Internet, namely, determining which law is applicable and the jurisdiction. The new European Regulation n. 2016/679 on the Protection of Personal Data, which represents the new European law on data protection and is directly applicable from 25th May 2018, solves the problem with a partial compromise. It provides that European law takes precedence and that 16 is the minimum age to sign up (with an option for each Member State to set a lower age, provided that it is not below 13 years). Where the child is below the age of 16, parental consent is given or authorised.

According to certain recent Italian decisions in similar cases (the posting of pictures of their own children on social networks), the consent of both parents is needed. It is clear that it will not be very difficult to get round this provision. However, as the European Regulation provides for, it is the social network itself which will need to keep a check on things, by using available technology”.


posted by Laura Greco on May 15, 2017

Privacy


The Italian Court of Cassation has recently been called on to decide whether the payment descriptions of bank transfers qualify as sensitive data in cases in which they specify indemnity payments for illness or disability using the wording “allowance ex L. 210/1992” (the law which grants allowances to parties who have suffered irreversible complications due to mandatory vaccinations and blood transfusions or, in the event of death, to their families).

The Supreme Court judges have issued conflicting decisions in several such cases. In all the cases examined, the matter concerned the relations between the Region, which grants the allowance and orders the bank transfer, and the ill or disabled party’s bank, which receives the allowance on behalf of its current account holder.

In the first decision, dating from 2014 (judgment no. 10947 of 19th May 2014), the Court considered the payment description, which quoted the above-mentioned legislative reference, to be sensitive data and thus held that both the Region and the bank had unlawfully processed personal data, since they had not adopted security measures for the transmission and dissemination of said data, such as encryption techniques and non-identifying codes, as provided for by Art. 22, para. 6 of the Personal Data Protection Code.

In the second decision (judgment no. 10280 of 20th May 2015), which is clearer and better reasoned than the previous one, the Supreme Court judges overturned their first approach and followed a quite different line of reasoning. Firstly, they rejected the idea that payment descriptions for allowances filled out in such a way constituted sensitive data, as the law quoted provided that the recipients of these allowances could be either the parties directly affected or their families. Since payment of the allowance did not depend on the illness of the party who actually received it, the judges concluded that the information was not sufficient to reveal the recipient’s state of health and, therefore, did not constitute sensitive data.

Secondly, according to the Supreme Court, it was not a question of the Region rendering the data transferred to the bank public, as this would have implied – in conformity with Art. 4, lett. m) of the Code – disclosure of the data to unspecified parties, whereas in this case the disclosure was only made to the bank of the current account holder who was the beneficiary of the allowance.

Furthermore, the judges considered the references to Art. 22, para. 6 of the Code to be groundless, since, on a correct reading of that provision, the adoption of encryption techniques is only required in the specific case where the data originate from directories or registers and the aim is to manage and consult them. Nor could the bank be considered responsible for adopting these measures, for three different reasons: firstly, the provision is only applicable to public bodies; secondly, private entities are only obliged to adopt encryption measures in relation to sensitive data revealing a state of health and processed by electronic means, and both of these conditions are missing in the present case; finally, communicating to a bank client his or her own personal data does not constitute processing of personal data.

Finally, in the opinion of the Court, the role of the bank was that of the current account holder’s representative, and it received the payment from the Region on his or her behalf: thus, the payment was to be considered as made directly by the debtor (the Region) to the creditor (the recipient of the allowance). Therefore, the Supreme Court considered both the Region’s and the bank’s conduct to be lawful and found that there had been no unlawful processing of personal data.

This question has recently once again come before the 1st Civil Division of the Court of Cassation, which has issued two interlocutory orders (no. 3455 and no. 3456, registered on 9th February 2017) delegating to the “Sezioni Unite” (the Joint Divisions) the task of resolving this conflict of case law. On this occasion the Supreme Court has refrained from expressing its own opinion one way or the other on the different interpretations, and has simply commented on the nature of payment descriptions as “sensitive data”. The Court has pointed out that, even if payment can be made both to the family and to the ill or disabled party, only the latter receives payment in instalments (whereas the family receives a lump sum). This particular method of payment would clearly identify the recipient as the victim of illness or disability, and for this reason the indication of a payment in instalments would constitute sensitive data.

We will have to wait to see how the Joint Divisions resolve the conflict of case law just described and, in particular, whether they opt for a broad or a restrictive interpretation of the concept of sensitive data.


posted by admin on March 1, 2017

Privacy


The Italian Data Protection Authority has established that a “reputation rating” project violates the provisions of the Personal Data Protection Code and impacts negatively on human dignity.

The project, devised by an organisation structured as an association together with a company appointed to manage it, is based on a web platform and a database which gathers vast amounts of personal data, either uploaded by users or obtained from the web, on various types of individual, from job candidates to business people, freelance professionals and private individuals. By means of a specific algorithm the system would then claim to objectively measure people’s reliability in the economic and professional fields, by assigning a score (“rating”) to their online reputation.

The DPA observed that the system would create significant privacy problems due to the confidential nature of the information, the pervasive impact on the data subjects and the method of processing. Essentially, the system implies the massive collection, including online, of information liable to significantly affect the economic and social representation of thousands of people. Such reputation ratings might have serious repercussions on the lives of those rated, since they might influence other people’s choices and jeopardise the rated parties’ access to services and benefits.

The DPA also expressed a number of doubts about the objectivity claimed for the ratings, stressing that the company could not prove the effectiveness of the algorithm used to calculate them, and that the ratings would be computed without the rated parties having any chance to freely give their consent. Given the complexity and sensitivity of measuring situations and variables which are not easy to classify, any rating might be based on incomplete or flawed documents and certificates, with the consequent risk of creating inaccurate profiles which do not correspond to the real social identity of the rated parties.

Moreover, the DPA was concerned about the unreliability of allowing an automated system to decide upon such complex and sensitive issues relating to individuals’ reputations.

The system’s security measures, based principally on “weak” authentication (user IDs and passwords) and on encryption applied only to judicial data, were found to be totally inadequate in the DPA’s opinion. Finally, further critical issues were detected in the data retention period and in the privacy notices given to data subjects.

Therefore, in conclusion, the DPA has banned all present and future processing operations related to the reputation rating project.


posted by admin on December 15, 2016

Privacy


The Privacy Shield agreement, which regulates cross border data transfer flows between the European Union and the United States and which recently replaced the previous Safe Harbor agreement, is once again under discussion.

Only a few months after the text came into force, the European Court of Justice has been called upon to rule on the adequacy of the level of protection guaranteed by the Privacy Shield agreement.

A number of companies working in the digital sector and transferring personal data abroad (among them the by now well-known Digital Rights Ireland Ltd.) argue that the Privacy Shield agreement does not offer an adequate level of protection, contrary to what was found by the European Commission, which on 12th July 2016 adopted the adequacy decision legitimising the transfer of data to the United States and to those American organisations adhering to the new agreement.

In particular, the claimants maintain that the EU-US Privacy Shield does not fully implement the principles and rights regarding personal data protection contained in Directive 95/46/EC (which will be repealed from 2018 by Regulation (EU) 2016/679) and consequently does not adequately safeguard the rights of European citizens. The appeals also contend that the agreement does not exclude indiscriminate access to electronic communications by foreign authorities, in violation of the right to privacy, to the protection of personal data and to freedom of expression as set out in the Charter of Fundamental Rights of the European Union.

For the above-mentioned reasons the said companies challenged the Commission’s adequacy decision under art. 263 TFEU, which grants interested parties the right to bring an action against acts of the Commission and obtain their annulment, within two months of their publication or notification.

It is worth recalling that the Article 29 Working Party had already expressed its fears regarding certain aspects of the agreement, which had not been modified, despite repeated requests for review. Immediately following the implementation of the Privacy Shield agreement, in a statement on the 26th July 2016, the Group of European DPAs underlined that no concrete security measures to prevent the general collection of data had been provided and that the independence of the role and powers of important redress bodies (such as the Ombudsperson) had not been guaranteed.

As a consequence, the new system does not seem to have helped to establish a climate of certainty regarding the legal framework governing cross-border data transfers to the United States, a country which has clearly not yet gained the trust of European operators. The decision of the Court of Justice is now awaited: it might declare the appeals inadmissible for lack of standing, dismiss them as unfounded, or uphold them.
