The long-awaited measure of the Italian Data Protection Authority on biometric recognition and graphometric signatures was recently signed and published in the Register of measures (decision no. 513 of 12 November 2014).
The measure governs the processing of biometric data for the purposes of computer authentication, access control and the signing of documents. An analysis of the changes it introduces will be published shortly on our blog.
You can find the document (in Italian) on the Italian Data Protection Authority website.
posted by Giusella Finocchiaro on April 14, 2014
A recent decision by the Italian Data Protection Authority authorizes the use of the graphometric signature on tablets in the banking sector.
The system, which was submitted to the Italian D.P.A. for preliminary examination, is somewhat complex: it is split into several phases and involves a number of different parties.
The technology used is also able to capture the dynamic characteristics of a customer’s signature at the moment it is made, by analysing criteria that can be deduced from the act of signing, such as the speed of the stroke, its pressure, acceleration, inclination and so on.
The system is intended to be used by financial promoters for customer authentication and for subsequent operations. The process has two main phases: first, the collection of the specimen signature, which serves as the reference for comparison and thus protects the customer; second, the signing of documents with the electronic signature.
As set out in the decision, the specimen signature, together with the customer’s identification data, is transmitted by the bank over secure encrypted channels to the certifier, who validates the request and issues the digital certificate associated with the applicant. All subsequent signings are likewise transmitted in encrypted form to the certifier’s server, which verifies that they correspond to the specimen signature and checks that the serial number of the tablet used is on the list of registered devices.
The system is expected to reduce the risk of fraud, in particular fraud based on identity theft.
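As an added illustration of the two phases just described (this is example code written for this page, not the bank’s or the certifier’s actual system), the following Python model shows the checks the certifier’s server is said to perform on each signing: the tablet serial number must be on the list, the customer must have an enrolled specimen, and the dynamic features of the new signature must fall within a tolerance band around the specimen. The feature names, the relative tolerance of 15 %, the tablet serial numbers and all the numeric values are assumptions constructed for the example; a real graphometric engine works on full time series rather than four averaged values, and the encrypted transport is assumed to be provided by TLS outside this model.

```python
from dataclasses import dataclass, field
import secrets


@dataclass(frozen=True)
class SignatureFeatures:
    """Dynamic features a tablet could extract from one signature.

    The four fields mirror the criteria named in the decision (speed,
    pressure, acceleration, inclination). Units are arbitrary and every
    value used in this file is constructed for illustration.
    """
    speed: float
    pressure: float
    acceleration: float
    inclination: float

    def as_vector(self):
        return (self.speed, self.pressure, self.acceleration, self.inclination)


@dataclass
class Certifier:
    """Stand-in for the certifier's server (hypothetical, not a real product).

    Holds the specimen signatures, the certificates issued at enrolment and
    the serial numbers of the tablets allowed to submit signatures.
    """
    allowed_tablets: set = field(default_factory=set)
    specimens: dict = field(default_factory=dict)     # customer_id -> SignatureFeatures
    certificates: dict = field(default_factory=dict)  # customer_id -> certificate id
    tolerance: float = 0.15  # assumed relative per-feature tolerance

    def enrol(self, customer_id, identity_data, specimen):
        """Phase 1: the bank sends identity data plus the specimen; the
        certifier validates the request and issues a certificate bound to
        the customer. Returns the (random) certificate identifier."""
        if not identity_data.get("identity_verified"):
            raise ValueError("bank has not confirmed the customer's identity")
        if customer_id in self.specimens:
            raise ValueError("customer already enrolled")
        self.specimens[customer_id] = specimen
        cert_id = secrets.token_hex(8)
        self.certificates[customer_id] = cert_id
        return cert_id

    def verify_signing(self, customer_id, tablet_serial, sample):
        """Phase 2: a signing is accepted only if it comes from a listed
        tablet, the customer is enrolled, and every dynamic feature lies
        within the tolerance band around the specimen."""
        if tablet_serial not in self.allowed_tablets:
            return False, "tablet serial not listed"
        specimen = self.specimens.get(customer_id)
        if specimen is None:
            return False, "customer not enrolled"
        for observed, reference in zip(sample.as_vector(), specimen.as_vector()):
            if abs(observed - reference) > self.tolerance * abs(reference):
                return False, "signature dynamics do not match specimen"
        return True, "accepted"

    def erase(self, customer_id):
        """Retention control: drop the biometric data and certificate once
        the purpose for which they were collected is exhausted."""
        self.specimens.pop(customer_id, None)
        self.certificates.pop(customer_id, None)


def demo():
    """Run enrolment followed by three signing attempts (constructed data)."""
    certifier = Certifier(allowed_tablets={"TAB-0001"})
    specimen = SignatureFeatures(speed=1.00, pressure=0.80,
                                 acceleration=0.50, inclination=30.0)
    cert = certifier.enrol("cust-42", {"identity_verified": True}, specimen)
    genuine = SignatureFeatures(1.05, 0.78, 0.52, 31.0)   # within 15 % on every feature
    forged = SignatureFeatures(0.60, 0.40, 0.90, 12.0)    # far off on every feature
    results = {
        "genuine_listed": certifier.verify_signing("cust-42", "TAB-0001", genuine),
        "genuine_unlisted": certifier.verify_signing("cust-42", "TAB-9999", genuine),
        "forged_listed": certifier.verify_signing("cust-42", "TAB-0001", forged),
    }
    return cert, results


if __name__ == "__main__":
    certificate, outcome = demo()
    print("certificate issued:", certificate)
    for case, (accepted, reason) in outcome.items():
        print(f"{case:18s} accepted={accepted} ({reason})")
```

The order of the checks matters: the device check comes first so that a signature from an unlisted tablet is refused without the server ever comparing biometric data, which is both cheaper and limits how much a stolen or cloned device can learn from the server’s responses.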
As usual, the Authority draws attention to the special measures to be adopted to protect personal data. With particular regard to the use of mobile devices, the D.P.A. recommends that biometric data be processed with all appropriate security measures, so as to minimise the risk of unauthorised software being installed or the device being infected by malware.
The D.P.A. also requires a remote wipe capability, so that the contents of a tablet that has been tampered with, lost or stolen can be deleted remotely.
Moreover, the processing of biometric data is subject to the customer’s consent. The D.P.A. underlines that consent, where required, must be free and responsible.
Finally, the D.P.A. draws attention to the need to ensure that biometric data is not retained longer than necessary for the purposes for which it was collected and subsequently processed. Any extension of the retention period can be justified only by specific legal provisions.
Further requirements under existing law are reaffirmed, including notification of the processing and the obligation to designate any external parties involved as data processors.
posted by Giusella Finocchiaro on October 29, 2013
The decision entitled “Sistema per la sottoscrizione in forma elettronica di atti, contratti e altri documenti relativi a prodotti e servizi offerti da una banca” (System for the electronic signing of deeds, contracts and other documents relating to products and services offered by a bank) of 12 September 2013 gives much cause for reflection.
It is interesting to note how, when referring expressly to the technical rules on electronic signatures, the Italian D.P.A. emphasizes that personal data, including biometric data, is instrumental in generating graphometric signatures as advanced electronic signatures.
Moreover, the Italian D.P.A. highlights how the data handled can be an effective instrument of proof in the event of a dispute.
In fact, the decision reads: “(…) the use of the proposed solution could effectively contribute to lending greater certainty to legal relationships with users, through the guarantee of authenticity, non-repudiation and integrity of documents signed electronically”.
The decision expressly mentions the provisions of the law requiring the written form for bank contracts and confirms that the graphometric signature is suitable for meeting the requirement of the written form ad substantiam. In addition, the Italian D.P.A. makes an important statement of legal-economic policy, arguing that the graphometric signature “complies with society’s legitimate organisational needs”.
Finally, the decision draws attention to the security precautions that must be taken to reduce the risk of unauthorised software being installed or of the configuration of the systems used being modified. Security policies must also be adopted, especially where the data controller makes use of external parties, and in any case a written description of the steps taken must be obtained from the installer, certifying their compliance with the applicable regulations.
Some general clarifications should be made, however.
The Italian D.P.A.’s decision on the graphometric signatures is not as yet the general decision the market expected.
The Italian D.P.A.’s decision is still one of an individual nature (referring to Fineco): that is to say one concerning a specific request.
The Italian D.P.A. general decision cannot of course refer to specific solutions.
The importance of this decision is evident, however.
It is the first decision of the Italian D.P.A. on graphometric signatures as advanced electronic signatures for the signing of contracts in the banking sector. In the other two decisions of the Italian D.P.A., dated 31 January 2013 (referring to Unicredit and Cariparma), the graphometric signature is treated as an authentication mechanism; identification, of course, remains visual.
It confirms that “graphometric signatures” can be “advanced electronic signatures”.
It also confirms that the procedure is widely used in the market and that the security of the process deserves the closest attention. Many indications in this regard can be drawn from this decision.
Finally, it confirms the viability of graphometric signatures on mobile devices.