Given the ever wider use of devices and technologies that collect and process biometric data, mainly for personal identification, access control and the signing of electronic documents, the Italian Data Protection Authority's measure aims to provide a uniform framework that can serve as a basis for recommending technological choices, adapting processing to the requirements of the Privacy Code and verifying compliance with security standards.
Biometric data are by their very nature directly and unequivocally linked to an individual and are generally constant over time, reflecting the profound relationship between a person's body, behaviour and identity. For this reason, the adoption of biometric systems for the collection and processing of data may entail specific risks for fundamental rights and freedoms as well as for an individual's dignity.
However, within the varied landscape of biometric technologies, and with a view to simplifying compliance, the Italian Data Protection Authority has identified certain types of processing which present lower risk and which, unlike others, do not require prior checking by the Authority. The exemption is granted on condition that all necessary measures and appropriate technical precautions are taken to achieve the security objectives identified in the measure, and that the general requirements of lawfulness laid down by the Privacy Code are met.
No prior checking needs to be requested for the following four types of processing:
- Signing of electronic documents: analysis of the biometric data associated with applying a handwritten signature may be used in graphometric signature systems that form the basis of an advanced electronic signature solution. Processing is permitted only with the express consent of the person concerned, given on enrolment in the graphometric signature service and valid for all documents to be signed until it is withdrawn. Consent is not required in the public sector where specific institutional purposes are pursued. In any case, alternative signing methods must be made available, such as paper or electronic forms of signature that do not involve biometric data.
- Digital authentication: the biometric characteristics of a person's fingerprints or voiceprint may be used as credentials to access databases and computer systems, without the user's consent.
- Physical access control: the biometric characteristics of fingerprints or the topography of the hand may be processed to allow access to areas considered "sensitive", or to restrict the use of dangerous machinery and equipment to qualified operators. Here too, processing may take place without the user's consent.
- Facilitation of processes: fingerprints and the topography of the hand may be used to allow users physical access to areas in the public domain (e.g. libraries) or in the private sphere (e.g. reserved airport areas). As with graphometric signatures, use is permitted only with the consent of the persons concerned, and alternative arrangements must in any case be provided for those who refuse to provide their biometric data or to consent to its processing.
Given the complexity of the matter in relation to the rules on the processing of personal data, the Italian Data Protection Authority has attached to its measure a document containing the "Guidelines on biometric recognition and graphometric signatures", which had already been submitted for public consultation, together with a special form to be used for notifying the Authority of breaches of biometric systems. In order to prevent the theft of biometric identity, every data breach or cyber incident that may have a significant impact on biometric systems or on the data collected must be notified to the Italian Data Protection Authority within 24 hours of its discovery.
While awaiting publication of the measure in the Official Gazette, we invite you to read it and its related attachments on the website of the Italian Data Protection Authority.
On 3 April 2014 the Proposal for a Regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (eIDAS) was approved by the European Parliament.
The main principles of the Regulation are summarised below (see also THIS POST).
One of the objectives of the Regulation is to remove existing barriers to the cross-border use of electronic identification means used in the Member States.
The principle of mutual recognition should apply if the notifying Member State’s electronic identification scheme meets the conditions of notification and the notification was published in the Official Journal of the European Union.
The Regulation reaffirms the principle that an electronic signature should not be denied legal effect on the grounds that it is in an electronic form or that it does not meet the requirements of the qualified electronic signature. However, it is for the national law to define the legal effect of electronic signatures, except for the requirement provided in the Regulation according to which a qualified electronic signature should have the equivalent legal effect of a handwritten signature.
The Regulation lays down the conditions under which Member States shall recognise electronic identification means of natural and legal persons falling under a notified electronic identification scheme of another Member State, lays down rules for electronic trust services, in particular for electronic transactions, and establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic registered delivery services and certificate services for website authentication.
The Regulation shall apply from 1 July 2016, and Directive 1999/93/EC on electronic signatures is repealed with effect from the same date.
The Italian press have recently reported on the first case of fraud in Italy through the unlawful use of a digital signature.
According to reports, a Rome businessman discovered, through a check carried out at the Chamber of Commerce in 2011, that all his company's shares had been registered without his knowledge to a man by the name of David Henry Antinucci, who in this way had become the sole member of the company and had also appointed himself sole director, with the authority to transfer the company's headquarters.
Once the new sole director had been appointed, the deeds of conveyance were transmitted to the Chamber of Commerce over the Internet by an accountant's office, using a smart card with a digital signature, which is mandatory for company filings with the Italian Register of Companies. In this case the smart card had been issued in the Rome businessman's name, but he had never requested it.
The probe conducted by the IT investigation section of the Special Telematic Fraud Unit of the Italian Financial and Tax Police led to the identification of three suspects, including Antinucci, who now face prosecution for impersonation, false statements or evidence given to the certification service provider regarding their own and other people's identities and capacities, and forgery of public, private and electronic documents.
According to the investigation, Antinucci was aided and abetted in the fraud by the owner of a business consultancy firm, who appears to have evaded taxes entirely for 16 years. The two men are alleged to have used a photocopy of the businessman's ID card to activate two smart cards at a certification services agency after filling out the appropriate form.
The owner of the agency declared that he had dealt directly with the two men in issuing the smart cards, and that they had told him the businessman could not be present to sign for the smart cards in person because he was abroad on business. The accountant who forwarded the filings to the Chamber of Commerce said he had acted in good faith on the documentation sent to him by the agency owner and had not checked it further.
From what the press reports, the judges are satisfied that neither the agency owner nor the accountant was criminally involved in the scam, although both were careless in initiating the procedure.
The accountant has nonetheless been reported to his professional association for a disciplinary violation, for failing to verify the authenticity of signatures that were not affixed in his presence when the shares were transferred.
On this reconstruction, the case is of interest not only because of the novelty of the method apparently used for the fraud, but also because of the different positions of responsibility that emerge for the various individuals involved: the identity check at the point of issuing the signature device was the weak link, and everyone downstream relied on it.
An email is an electronic document bearing an electronic signature, since a username and password fall within the definition of an electronic signature under art. 1, lett. q) of the Italian Digital Administration Code.
This is what the Court of Prato correctly held in its decision of 15 April 2011, which has recently been published.
Accordingly, the evidential value of an email is freely assessable by the court, having regard to its objective characteristics of quality, security, integrity and immutability.
In the case in question, the judge ruled that the email produced did not qualify as evidence.
The ruling turned on the legal status of this type of document when evaluating the evidential relevance of an email produced in proceedings opposing an injunction, as proof that a complaint about defects in a piece of machinery had been made promptly.
According to the Court of Prato, an email sent without any certification mechanism neither positively identifies the sender nor proves that the message was received by the recipient.
However, there is no doubt that an email can be classified as a document bearing an electronic signature, "as the username and password used to access the mailbox are included in the set of data used as identification methods under art. 1, lett. q) of the Italian Digital Administration Code".
Consequently, the evidential value of the email in question is freely assessable in reaching the decision, also in the light of the other procedural findings, first of all whether the recipient failed to promptly contest the facts represented in it.
In the case under examination the recipient had from the outset disputed the circumstances asserted in the email, and in the absence of further suitable evidence to confirm its content this led to a negative appraisal in terms of evidence. The opponent's claims were therefore rejected.
The decision is nevertheless of considerable importance, as it reaffirms that emails are documents bearing an electronic signature.
On July 4th the draft of the technical rules on electronic signatures in Italy was published on the DigitPA website. Following the procedure already in use, the draft will be submitted for public comment. Comments can be sent to fea @ digitpa.gov.it until July 19, 2011.
As is already known, the new technical rules will replace those approved by the dpcm (Prime Ministerial Decree) of March 30, 2009.
The most important provisions are the following:
- provisions on secure devices for generating qualified signatures and digital signatures respectively;
- specific provisions for remote signing;
- rules for the advanced electronic signature.
With regard to the advanced electronic signature in particular, technical rules have long been awaited to give substance to Article 21, paragraph 2 of the CAD.
Firstly, the draft specifies that the provision of advanced electronic signature solutions is free and not subject to any prior authorisation; the provider is therefore under no obligation to register advanced electronic signature solutions.
Secondly, the draft distinguishes two types of providers of advanced electronic signature solutions: those who provide such solutions for their own use and those who build solutions to supply to third parties.
The advanced electronic signature remains technology-neutral, and its solutions must ensure:
a) the identification of the signatory of the document; b) the unique connection of the signature to the signatory; c) the signatory's exclusive control of the signature generation system; d) the possibility of verifying that the document has not been altered after being signed; e) the possibility for the signatory to obtain evidence of what has been signed; f) the identification of the provider of the advanced electronic signature solution.
Several obligations are imposed on those who offer advanced electronic signature solutions, including the precise identification of the user, informing the user of the exact terms and conditions of use of the service, including any restrictions on its use, and activating the service only after the user has signed a declaration accepting the service conditions. There is one important exception for the health sector, where the user's declaration of acceptance of the service conditions provided for by paragraph 1, letter a) of that article may also be given orally, following the consent procedure laid down in Article 81 of Legislative Decree no. 196 of June 30, 2003.
Finally, providers' duties of publicity and transparency regarding the technological solutions adopted and the obligations assumed by users have been made more stringent.
Emails are electronic documents bearing an electronic signature, in that usernames and passwords are to be considered an electronic signature according to the definition given by Italian law (Digital Administration Code, Legislative Decree 82/2005, art. 1, lett. q).
This principle was correctly confirmed in the decision given by the Prato Court on April 15, 2011.
Therefore, whether or not an email can be used as evidence must be decided by the judge case by case.
The judge must apply the following criteria: the quality, security, integrity and inalterability of the document.
In the case decided by the Prato Court, the emails were not admitted as evidence.