The Italian Supreme Court has found the Zecca dello Stato (The State Institute of Printing and Minting) guilty of monitoring its employees’ web surfing data, emails and phone calls, in violation of a number of provisions of the Statuto dei Lavoratori (Workers’ Statute of Rights, L. 300 of 1970).
With its decision of the 19th September 2016, n. 18302, the Court of Cassation established the illegality of the storage activity on the company server of employees’ emails, phone calls and web surfing data without prior application of the authorization procedure provided for by the Workers’ Statute of Rights and the Code for the protection of personal data.
The facts of the case on which the decision is based are as follows: in 2011 the Italian Data Protection Supervisor had emphasized with a disciplinary provision, that the Internet service provided by the Istituto Poligrafico e Zecca dello Stato (The State Institute of Printing and Minting) for its own employees not only prevented access to websites not inherent to work activity, but also stored every access, or attempt to access, any website, thus allowing the reconstruction of every single worker’s web browsing activity. In addition, the employees’ web surfing data were stored on the system for a length of time varying anywhere from six months to a year.
The Supervisor had also noticed the illegality of the storage system of employees’ sent and received emails on the company’s server, which allowed full view of them to the system administrators without any specific information on privacy having been provided in regard to the matter.
It had also been pointed out that the State Institute of Printing and Minting implemented a method of telephone traffic monitoring through the VoIP system which also in this case allowed the recording and prolonged storage of traffic data without providing any adequate privacy information for its employees.
Therefore, the Supervisor had considered that the activity of the State Institute of Printing and Minting violated L. n. 300 of 1970, arts. 4 and 8 of the Workers’ Statute of Rights as it made possible the disclosure of employees’ sensitive data without having acquired their prior consent (and consequently also in violation of arts. 11, 113 and 114 of the Code for the Protection of Personal Data). Therefore the provision prohibited the State Institute of Printing and Minting from storing and categorizing employees web surfing data in addition to their emails and phone calls, obliging the Institute to inform those involved about the ways in which their personal data were processed. The Supervisor had also required that the identities of the system administrators with authorization to access the company’s databases should be made public (and therefore known to the company’s employees) and that there should be the guarantee of all accesses made by the administrators being revealed in full.
In 2011 the Court of Rome rejected the appeal by the State Institute of Printing and Minting against the Supervisor’s provision, clarifying that, as provided for by art. 4 of the Workers’ Statute of Rights, employers are only allowed to use monitoring systems for requirements of organisation and production in agreement with the trade unions or in compliance with legal obligations, whereas the use of such systems is prohibited if it is carried out for monitoring the activity of employees. With reference to other previous decisions, the Court pointed out that the necessity to protect the company (and its activity) cannot legitimise suppressing fundamental employee rights such as the right to privacy.
Consequently, the State Institute of Printing and Minting appealed against the decision to the Supreme Court, maintaining that those controls not directed at work activities but rather at other employee conduct in the workplace, which might expose the business assets of the company to serious danger and which might be potentially harmful for third parties, with consequent liability on the part of the employer, fall entirely outside the scope of application of the provisions of the Workers’ Statute of Rights. This risk is all the more significant in that the Institute carries out public interest activities such as the printing of the Gazzetta Ufficiale (Italian Official Journal) and of the Raccolta ufficiale degli atti normativi della Repubblica italiana (the Official Compendium of Legislative Acts of the Italian Republic), the production of personal identification documents, security and anti-counterfeiting systems, legal tender and so on.
However the Court of Cassation considered that the significance of the public role entrusted to the State Institute of Printing and Minting does not justify violation of the current legislation, which aims to protect guarantees for constitutionally recognised workers’ rights. To this effect, the Judge emphasised the second paragraph of art. 4, which provides that monitoring systems required for organizational reasons or for safety in the workplace, but which also allow the distance monitoring of employee activity, may only be installed with the prior agreement of company trade union representatives or, in their absence, of the shop stewards’ committee. In the absence of an agreement and at the request of the employer, the Ispettorato del lavoro (the Labour Inspectorate) mediates, setting out where necessary the procedure for the use of such systems.
Therefore, rejecting the appeal and confirming the observations of the Court of Rome’s decision, the Court of Cassation underlined the necessity to strike a balance between the employer’s rights, in particular the right to conduct business and to protect the company’s business assets, and the protection of worker rights, first and foremost the right to privacy.
The Italian Data Protection Authority (DPA) has rejected an appeal by an ex-terrorist, who had requested the de-indexation of web pages reporting serious crimes he had committed between the end of the 1970s and the beginning of the 1980s.
Having served his sentence, in 2009 the man had requested Google to remove a number of URLs and search suggestions shown by their “autocomplete” function, which, when typing in the man’s name and surname, called up the term “terrorist”.
Given that Google took no action regarding the claimant’s request, the ex-terrorist turned to the Italian DPA complaining that the continued presence on the Internet of contents dating so far back in time and which were a misrepresentation of his current way of life, was causing serious harm both to his personal and professional life. Maintaining that he was not a public figure but a free citizen, the claimant demanded the right to be forgotten.
The DPA rejected his appeal on the grounds that the information, for which de-indexation was requested, refers to particularly serious crimes that come under those indicated in the Guidelines on the implementation of the right to be forgotten adopted in 2014 by the European Privacy Authorities; crimes for which requests for removal require more stringent evaluation.
The DPA further emphasized that in the case submitted, all the information has acquired historical value and is in the public mind. Indeed it refers to one of the darkest periods of recent Italian history, during which the claimant had not only been a supporting actor but had essentially played a leading role.
Moreover, despite the considerable length of time, which had passed since the circumstances in question, there is still a very high level of public interest in that period of time and those events, as demonstrated by the topicality of the references accessible through the same URLs.
Therefore, declaring that it was of paramount importance for the public interest to have access to the information in question, the DPA adjudged the request for removal of the URLs indicated by the claimant and indexed by Google to be unfounded.
It is unnecessary to resort to international rogatory in order to tap BlackBerry mobile system chats nor is it necessary to use requisition measures.
This is what the Third Criminal Division of the Italian Supreme Court (ruling no. 50452/15) established with its appeal judgment issued in relation to the appeal on the part of certain defendants who had been placed under preventive detention by the Court of Rome due to their being implicated in drug trafficking.
The detention order was founded on various evidence, including chats on BlackBerry mobile systems, which related to importing a 10 kilo consignment of cocaine to Italy.
The defendants involved in this phone tapping brought the question before the Italian Supreme Court, claiming that the chats which had been tapped could not be considered as evidence, since they had taken place on BlackBerry’s mobile systems, which have their head office in Canada. Therefore, in their opinion, an international rogatory would have been required in order to legally acquire the content of the chats. Moreover, according to the defence, conversations in a chat context could not be considered as “phone conversations” as they are in fact a stream of computer data. On these grounds requisition measures regarding computer data (according to art. 254bis of the Italian Criminal Procedure Code) should have been carried out rather than a procedure of phone tapping.
In response to the first point, the Supreme Court asserted that it is a well-established principle that international phone calls routed to a specific Italian telephone “junction” should not be subject to international rogatory as all activity involving reception and recording takes place on Italian territory. This principle was also correctly applied by the Collegio di Cautela* in relation to the use of Blackberry chats. In this regard, the Supreme Court emphasized that computer interceptions had been correctly carried out on PIN codes, while the subsequent request to the Canadian company regarding ID data associated with the intercepted PIN codes had related to data that do not enjoy special protection.
Consequently, the Supreme Court considered it irrelevant that BlackBerry was Canadian, as the communications in question took place in Italy as a result of them transferred over an ICT platform located in Italy.
Conversely, the Court considered as unfounded the objection regarding the failure to implement requisition measures for the computer data. The judgment clarifies that, even if held by Internet service providers, requisitioning IT documents or IT devices excludes per se the concept of “communication”. Requisitioning will be specifically required when it is necessary to acquire documents for purposes of evidence, by means of inspections to be carried out on data contained in those documents. The Supreme Court asserted that “with regard to the use of chats on the BlackBerry system, it is correct to acquire contents by means of tapping according to art. 266bis c.p.p. and subsequent, as even if they are not simultaneous, online conversations constitute a flow of communication”.
Although the Court upheld the defendants’ appeal on the basis of considerations that go beyond the analysis of this post, the Court rejected the abovementioned specific technical objections, pointing out that: “even the most careful interpretation of the delicate relationship between the computer interception system and new technologies has observed that tapping BlackBerry chats takes place by using traditional systems, i.e. monitoring a phone’s PIN (or IMEI), which is uniquely associated with a nickname, underlining how tapping is managed at a technical level at the company’s Italian head office”.
The text of the Supreme Court judgment is available HERE.
*Second-instance Court empowered to hear appeals of decisions on preventive measures
According to the Court of Ivrea (Italy) insulting remarks directed against colleagues and superiors posted on Facebook are a sufficiently serious cause for justifying the dismissal of an employee.
With an injunction issued on the 28th January 2015, the Court of Ivrea rejected an appeal by a former employee asking to be reinstated at work following lawful dismissal for misconduct. The employee had been fired for posting seriously offensive comments on Facebook against his employers and some women colleagues.
While admitting to posting the offensive remarks on his Facebook account, the claimant had applied to the Court claiming that such conduct could not be considered sufficiently serious to justify his dismissal and in addition to reinstatement demanded damages.
This is the second procedure in which the employee has taken legal action to ask to be reinstated at work at the same company. The work relationship had already been terminated in 2012. However, certain contractual irregularities had prompted the man to file an appeal and at the end of 2012 the Court had accepted his request, annulling the terms of the fixed-term contract that he had stipulated with the company and condemning the latter to reinstating the claimant and in addition to the payment of all wages accrued.
Consequently, in 2014 the company had rehired the employee, but had decided to exempt him from effectively resuming work, thus the employee had begun to receive a salary without having to work.
Paradoxically this condition, which to some might seem advantageous, led the employee to libel his employers on Facebook. In fact the man published the letter of reinstatement on the social network, accompanying it with some highly insulting remarks against his superiors who had reinstated him and also against some women colleagues.
As the Ivrea Court judge stressed, the posts were not restricted to the “friends” of the claimant, but “could potentially have been seen by about a billion social network users” and were only removed after a cease and desist order on the part of the company. All these factors carried weight in the judge’s final decision, according to which the seriousness of the former employee’s misconduct is considered “severe enough to preclude even temporary continuation of the work relationship”.
In the judge’s decision it is explained that the insults, especially the sexist insults directed at the women colleagues, who were totally unconnected to the previous litigation between the employers and the employee, indicate “the will of the claimant to defame both the company and also some of its employees, in a manner which was potentially gravely damaging to their reputations”.
The claimant failed in his attempt to justify his behaviour as “a reaction, even though an excessive and abnormal (but instinctive) one”. The judge underlined that if it had been provoked by an instinctive gesture –although rash – the employee would have taken prompt action to eliminate the post and would not have waited more than two weeks to do so, as in fact happened. This lengthy period of time that the comments remained online also seems to suggest that the claimant had absolutely no perception of the serious nature of his misconduct.
In light of these considerations, the Court dismissed the claimant’s appeal and ordered him to pay the company’s legal costs, amounting to 3,500€.
This decision by the judge of the Court of Ivrea confirms the case law regarding lawful dismissal for misconduct for defamatory posts which offend employers, as already established by the Court of Appeal of Turin (judgment of 17th July 2014, n. 164) and the labour section of the Court of Milan (order of 1st August, 2014).
Law decree n. 69/2013 provides that “providing wi-fi access to the Internet does not require user identification”.
It is also explained that when the provision of Internet access is not the core business of the service provider, art. 25 of d. lgs. 1.8.2003, n. 259 and art. 7 of d. l. 27.7.2005 do not apply. This means that neither authorization from the Ministry of Telecommunications nor a licence from the Police Authorities are required.
In point of fact, wi-fi should already have been considered free after the abrogation of the Pisanu Decree Law, however interpretations of the regulatory framework were not unanimous.
Now there is no longer any doubt and a typical Italian anomaly not found in other countries has finally been eliminated.
Italian Law decree n. 69/2013, art. 17-ter, provides for establishing a public digital identity management system for both companies and private citizens. The system is known as SPID (Sistema Pubblico per la gestione dell’Identità Digitale).
The new provision modifies art. 64 of the Italian Code for digital administration.
Following the arrival of the SPID system, should identity controls be required, public administration will only be able to grant on line access if identity is certified by either electronic identity card or national service card or by means of SPID.
Public administration may also choose to adopt alternative systems to verify user identity providing these systems are capable of identifying users requesting their services.
Therefore, the choice of system is left to the discretion of public administration.
The law decree provides that companies may also choose to use the SPID system to manage the digital identity of their users.
The new technical rules on electronic invoices have recently been published in the Italian Official Journal.
Here follow the complete references and the link: DM 3 aprile 2013, n° 55 , “Regolamento in materia di emissione, trasmissione e ricevimento della fattura elettronica da applicarsi alle amministrazioni pubbliche ai sensi dell’articolo 1, commi da 209 a 213, della legge 24 dicembre 2007, n. 244″.
The new rules impose an exclusively electronic form of invoicing management on public administration suppliers.
Public administration departments will have to implement adequate working procedures for receiving e-invoices as they will no longer be able to accept invoices issued or transmitted in a paper form.
One of the first 2011 year-end considerations to attract a certain interest on the Internet is that regarding the increase of online identity thefts in Italy.
In fact, in 2011 many Italian public figures have found their names associated with social networking profiles managed by unknown parties. Among the latest to be affected is the new Minister for Economic Development Corrado Passera who had a tweet attributed to him after the new economic measures had been passed, that was later revealed to come from a fake account.
But not only well-known personalities are hit by identity thieves. In an interview with the Adnkronos agency, Sabrina Castelluzzo, the person in charge of the computer crimes section of the Postal and Communications Police Service said that of the crimes committed online in Italy, identity theft is the most frequent. “This year alone we have received 2,900 complaints regarding this crime all over Italy,” explained Ms. Castelluzzo “and 1,400 have been fielded by other police departments. The investigations have enabled us to press charges of Identity Theft against 198 people, while at least 2,600 checks have been carried out on the Internet. “
According to Ms. Castelluzzo identity theft is an especially widespread crime as it is often a “crime vehicle” which comes in useful when committing more serious crimes such as misuse of credit cards or bank accounts through credentials extorted by means of phishing. However, with regard to the creation of fake profiles on social networks, identity theft is often linked to crimes such as defamation and stalking.
Although the news has not attracted particular media response, the draft of the so-called Development Decree which has been circulating in the last few days would also have an impact on the protection of personal data.
Among other things art. 94 of the decree provides for nothing less than a change in the concept of personal data, adding a significant limitation on legal persons. In fact personal data would now come to mean “any information concerning a natural person and only regarding the electronic communications sector, any information concerning a legal person, body or association subscribing to an electronic communications service available to the public, provided that those persons can be identified or are identifiable even indirectly, by reference to any other information, including a personal identification number. “
Therefore the concept of interested party would also be changed. It would identify the natural person and the legal person, body or association subscribing to an electronic communications service available to the public, limited to the processing of personal data in the field of electronic communications.
Besides the debatable wording of the rule, which raises doubts about its interpretation, the theoretical framework and consequently the practical concept of personal data has been radically changed.
The innovations do not stop here, although the following are less significant.
In fact, there are also new provisions for digital prescriptions and electronic health records (Articles 129 and 130), and from 1 January 2013 school reports and certificates will be issued in an electronic format and made available on the web, by email or other digital formats (Art. 132) Leave certificates for employees whose children are off school ill will also be online (art. 131). As for transport, tickets for buses, trams or other local forms of transportation will be issued in an electronic format (Art. 137).
Finally, the draft decree contains regulations for the increase in the use of Certified email (Article 134), which must be adopted by all companies, not just those constituted in a corporate form. With regard to professionals already affected by this obligation, professional registers are also expected to publish “in any and every case” the certified email addresses of their members.
These predictions are not in fact final and we will follow their procedures and practical implications, which do however, arouse immediate interest and will soon be the subject of lively debate.