The Supreme Court has spoken out its opinion in on the issue of automated phone calls generated by computerized telemarketing systems stating that it is forbidden to bother users with silent calls.
The Italian Supreme Court (ruling no. 2196/2016) dismissed an appeal by the ICT company Reitek Spa and Enel Energia against a decision expressed by the Italian Data Protection Authority. In 2013 the Authority required Enel Energia, in accordance with art. 143, par. 1, let. b) and art. 154, par. 1, let. c) of the Italian Personal Data Protection Code, to take all necessary measures including those of a technical nature to prevent the system from making recurrent “silent calls” by prohibiting repeat calls to the same number within at least a 30 day period.
The judgment had been given following protests from a number of users, who complained about receiving phone calls in which, once they answered the phone, there was no operator on the other end to reply. This phenomenon is the result of an organizational problem for companies which make commercial calls. In order to connect users to telemarketing operators, the majority of these companies employ automated call forwarding systems. However, automated systems sometimes direct a number of calls to call centers which exceed the actual availability of operators. As a consequence the user’s phone rings, but no one on the other end replies.
The Supreme Court upheld the Court of Rome’s decision which had dismissed the first appeal by the two companies on the grounds that the way in which personal data were processed through telemarketing systems was unlawful. As it aimed at optimizing the rate of successful calls, the method behind these systems placed the risk and discomfort caused by receiving “silent” calls squarely on the user alone.
The Supreme Court specified that it had been expressed on more than one occasion that, according to art. 4 and art. 11 of the Italian Data Protection Code, personal data are to be processed in a fair and relevant fashion and their use must not exceed that for which they have been collected.
The plaintiffs had complained that only very few users had been affected by the problem, however, their motivations were found to be irrelevant. In fact, in the Court’s opinion, stating – as Enel Energia had done – that the phenomenon of silent calls had been limited by the basis of system algorithms to a 3% threshold, was extraneous. “The objection does not change the terms of the issue, nor are they altered by Reitek’s remark regarding the minimal number of user complaints about “silent” calls received by the Authority as the infringement was connected to the chosen method of multiple calls, which makes it clear that the risk of discomfort was borne exclusively by the recipients of such calls”.
Ultimately, in the Supreme Court’s opinion, this is the only relevant point in considering the method used for processing personal data to be excessive in relation to the interests or rights and fundamental liberties of the persons involved.
The Court also dismissed the plaintiffs’ motivation, according to which, on the basis of art. 130, par. 3-bis, consent for the processing of personal data is not required if users are registered on lists of telephone subscribers and have not exercised their right to object by registering on the Public Objection Register (the so-called opt-out system). In regards to this, the Court highlighted that art. 130, par. 3-bis, must be interpreted in accordance with e-privacy directive 2002/58/CE which allows the use of the opt-out system for calls with an active operator, but never for automated calls. In practice, the European directive is addressed to direct marketing, conducted through the use of a telephone with an operator, whereas automated call systems that generate “silent calls”, are excluded precisely because they lack an operator.
Read the Nymity interview with Giusella Finocchiaro examining the recent Italian Supreme Court decision on silent telemarketing calls.
An information handbook has been published on marketing and the consumer’s right to privacy.
The Italian Data Protection Authority has published: “UP WITH ADVICE, DOWN WITH SPAM. From phone to supermarket: privacy proof marketing”, a handbook on defence strategies to adopt against intrusive advertising, designed to inform the consumer and to urge companies to develop marketing strategies which respect user rights. Its contents describe the actions citizens can take to prevent their purchases from being spied on or to stop unwanted telephone marketing calls and SMSs. In addition there is an analysis of the problems relating to the techniques of persuasion used for phones, emails and social networks, and those relating to the operation of the Register of Objections. With regard to this the President of the Authority, Antonello Soro, hopes for “a rapid legislative review of the Register of Objections which would make consumer protection more incisive”.
In addition, the handbook sets out the rules necessary for conducting marketing activity that does not violate the rules of privacy and establishes a relationship of trust and listening to consumer needs. The Authority reminds that “respect for consumers and proper use of their personal data – from those needed to contact them to more sensitive information such as tastes and preferences –mark out companies who see their customers merely as “prey”, from those who choose to operate transparently, placing the emphasis of their business on both the quality of their products and services and the trust of their customers”.
A coalition of Authorities for the protection of personal data of the Global Privacy Enforcement Network (GPEN) has urged distribution platforms to oblige app developers to inform users about any personal data that will be collected and how such data will be used before they download apps.
On 9 December 2014 the Italian Data Protection Authority along with 22 other global authorities sent an open letter to the operators of 7 specific app marketplaces, Apple, Google, Samsung, Microsoft, Nokia, Blackberry and Amazon.com urging them to make available to users a policy statement on the use of personal information before downloading apps.
“Apps make life easier”, according to Antonello Soro the Italian Data Protection Authority President “but all too often we inadvertently allow them access to an increasingly wide range of particularly sensitive personal data, not only phone contacts or photos, but also geographic location, or, as in the case of medical apps, health data. The risk is one of permanent digital monitoring which we are gradually getting accustomed to”.
The decision to publish the open letter follows the investigation conducted by GPEN last May, the results of which showed that many of the most downloaded apps request access to a wide range of data but do not provide adequate explanations for the reasons behind these requests.
In particular, out of a total of over 1200 applications analyzed globally, three-quarters of them request one or more permissions, generally regarding location data, the ID of each device, access to other accounts, the functions of video footage and phone contacts.
In 59% of cases it was difficult for the authorities to find any privacy practice information before installation. In many cases there is either very little information available before downloading on the aims of the data collection or about its subsequent use, or a link is provided to a web page where there is a privacy statement that does not correspond to the specifications of the app.
Only 15% of the apps under examination were found to have transparently clear privacy policies. In the best cases the apps offer concise and clear explanations of what the app will do or will not do with the data collected based on the individual permissions requested.
The text of the open letter has been published in English on the website of The Italian Data Protection Authority.
The long-awaited measure of the Italian Data Protection Authority in the field of biometrics recognition and graphometric signature was recently signed and published on the Register of measures (decision no. 513 of 12 November 2014).
The measure governs the processing of biometric data for purposes of computer authentication, access control and underwriting documents. An analysis on the changes introduced will be soon published on our blog.
You can find the document (in Italian) on the Italian Data Protection Authority website.
Google has paid a one million euro fine levied by the Italian Data Protection Authority for its Street View service. Although the fine was imposed on the18th December 2013, its enactment has only recently been made public.
The disputed facts date from 2010 when the D.P.A. intervened after numerous reports from people complaining of being photographed without their consent by Google Street View cars.
In fact, at that time Mountain View cars were operating around Italy without being readily identifiable and as a consequence people in the places covered had no say in deciding whether to avoid being photographed or not.
On the 15th October 2010 the D.P.A. ordered Google to make its cars easily identifiable by using clearly marked signs or stickers and in addition three days before the start of shooting to publish on its website a list of the places visited by the Google cars and also the parts of the big cities which would be covered by them.
The D.P.A. additionally ordered that the same announcement should be published by Google in at least two local newspapers and that the information contained should also be broadcast by at least one radio station in each region visited.
These measures were promptly adopted by Google.
The sanctioning procedure has now been concluded with the issue of an order of injunction in which the D.P.A. has imposed a one million euro fine. The sum was determined on the basis that the data unlawfully collected was destined for such a sizable and significantly important database as the Street View service.
In establishing the sum, the D.P.A. has opted to use the regulation terms of the privacy Code which aims to make fines sanctions effective when levied on large-sized enterprises.
It would appear that Google has already paid the fine.
posted by Giusella Finocchiaro on aprile 14, 2014
A recent decision by the Italian Data Protection Authority authorizes the use of the graphometric signature on tablets in the banking sector.
The system, which has been submitted for preliminary examination by the Italian D.P.A., is somewhat complex, split into different phases and involves a number of different parties.
The technology used is also able to detect the characteristics of a customer’s signature online by means of an analysis of certain criteria which can be deduced from the signature, such as the speed of the stroke, its pressure, acceleration, inclination and so on.
The system is intended to be used by financial promoters for customer authentication and for subsequent operations. There are two main phases in the process: firstly the collection of the specimen signature to be used as a tool for comparison in order to safeguard the customer, and secondly the signing of documents with the electronic signature.
As set out in the decision, the specimen signature together with the customer’s identification data is transmitted by the bank through secure encrypted channels to the certifier, who validates the request and issues the digital certificate associated to the applicant. All subsequent signings will thus be transmitted in encrypted mode to the certifier’s server which verifies the correspondence by means of the specimen signature and ensures that the tablet serial number is in fact listed.
This system would allow a reduction in the risk of cases of fraud, in particular those related to identity theft.
As usual the Authority draws attention to the adoption of special measures in order to protect personal data. With particular regard to the use of mobile devices, the D.P.A. recommends that the processing of biometric user data should be carried out adopting all appropriate security measures in order to reduce to a minimum the risk of unauthorised software installation or to avoid contact with malware.
According to the D.P.A. remote wiping must also be adopted, which would guarantee that in cases where tablets have been tampered with, lost or stolen, their content would be deleted remotely.
Moreover, processing of biometric data is subject to customer consent. The D.P.A. underlines the importance that consent, where required, must be free and responsible.
Finally, The D.P.A. draws attention to the need to ensure that biometric data is not preserved for a duration exceeding the purposes for which it was collected and subsequently processed. Any extension to the retention time may be justified by specific laws.
Further requirements under existing law are reaffirmed including notification of process and obligation to designate external parties as data processors.
posted by Giusella Finocchiaro on ottobre 29, 2013
The decision named “Sistema per la sottoscrizione in forma elettronica di atti, contratti e altri documenti relativi a prodotti e servizi offerti da una banca” of 12th September 2013 gives much cause for reflection.
It is interesting to note when expressly referring to the technical rules relating to electronic signatures, how the Italian D.P.A. emphasizes the instrumentality of personal data, including biometric data, in order to generate graphometric signatures as advanced electronic signatures.
Moreover, the Italian D.P.A. highlights how the handling of data can be an effective instrument of proof, in case of dispute.
In fact, the decision reads:”(…) the use of the proposed solution could effectively contribute to lending greater certainty in legal relationships existing with users through the guarantee of authenticity, non-repudiation and integrity of documents signed electronically”.
The decision expressly mentions the provisions of the law requiring the written form for bank contracts and confirms the suitability of the graphometric signature in meeting the requirement of the written form ad substantiam. In addition, the Italian D.P.A. makes an important statement of economic policy of law, arguing that the graphometric signature ”complies with society’s legitimate organisational needs”.
Finally, the decision draws attention to the necessary safety precautions to be taken to reduce the risk of unauthorised software installation or the modification of the configuration of the systems used. It is additionally necessary to adopt security policies especially in cases where the data controller makes use of external parties and in any case obtain from the installer a written description of the steps taken, in order to certify their compliance with enforceable regulations.
Some general clarifications should be made, however.
The Italian D.P.A.’s decision on the graphometric signatures is not as yet the general decision the market expected.
The Italian D.P.A.’s decision is still one of an individual nature (referring to Fineco): that is to say one concerning a specific request.
The Italian D.P.A. general decision cannot of course refer to specific solutions.
The importance of this decision is evident, however.
It is the first decision of the Italian D.P.A. on graphometric signatures as advanced electronic signatures for the signing of contracts in the banking sector. In the other two decisions of the Italian D.P.A. dated 31st January last (referring to Unicredit and Cariparma) the graphometric signatures are considered a mechanism of authentication. Identification, of course, remains visual.
It confirms that the “graphometric signatures” can be “advanced electronic signatures”.
It also confirms it to be a very popular procedure in the market and that there should also be the maximum attention focused on the safety of the process. And many indications in this regard can be drawn from this decision.
Finally, it confirms the viability of graphometric signatures in mobility.
On June 6th, 2012 and not without raising criticism in some quarters, the Italian Parliament elected the new Italian Data Protection Authority (Garante per la protezione dei dati personali).
The Italian DPA is a collegiate body comprising four members elected by the Parliament for a seven-year term.
The Collegiate Panel of the Italian DPA is currently composed of:
Ms. Licia Califano (University professor), Ms. Giovanna Bianchi Clerici (journalist and former MP), Ms. Augusta Iannini (judge), Mr. Antonello Soro (MP and doctor).
On June 19th, 2012 the members of the DPA unanimously elected Mr. Antonello Soro as President and Ms. Augusta Iannini as Vice President.
- Italian Government’s answer to the dramatic rise in cybercrime
- Italian DPA: reputation rating harms human dignity
- Recognise reliable sources of information as the antidote to “post-truth”
- France: from 2017 the “right to disconnect” comes into force.
- UE: proposed new measures for the protection of private life and personal data in electronic communications as an addition to the privacy regulation
- Accountability (1)
- Anonymity (4)
- computer crimes (13)
- Consumer rights (19)
- Copyrights (17)
- digital identity (12)
- E-commerce and contracts (24)
- Economic competition (2)
- Electronic signatures (20)
- Events (6)
- Internet control (11)
- Interviews (3)
- Labour law and digital world (1)
- Legal profession (7)
- Media (3)
- New technologies (9)
- Privacy (48)
- Responsibility of providers (23)
- Right to oblivion (8)
- Senza categoria (3)
- telemarketing (1)