Editorial Director: Giusella Finocchiaro
Web Content Manager: Giulia Giapponesi

The privacy regulation (Regulation (EU) 2016/679) will shortly be directly applicable across Europe, which means that businesses, public administrations and private citizens will all be rushing to make sure they comply with the provisions of the new regulation. To make it easier to understand such a complex and highly structured text as the GDPR, we provide a set of simple factsheets here with a Q&A formula, which start from already well-known privacy concepts and give a brief guide to the new legislation.

What is meant by consent to the processing of personal data?

According to the new definition in the GDPR, consent of the data subject means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (art. 4, par. 1, n. 11). Analysis of the definition shows that consent represents an indication of will, expressed in affirmative and unambiguous terms. Therefore, it can only be a statement or a positive action on the part of the data subject and not, conversely, merely passive conduct, such as hypothetical silent consent, for example. Moreover, in the same way as the Italian privacy Code, the GDPR requires consent not only to be unambiguous but also: free (given in the absence of constrictions); specific (one for each processing purpose) and informed (the data subject must receive an appropriate privacy notice on the processing of his/her personal data).

Who must ask for consent for the processing of personal data?

The data controller or, if specifically instructed, the data processor must have the consent of the data subject when they want to process his/her data. The GDPR places the actual burden of proof on the data controller. Art. 7, par. 1 specifies that the data controller shall be able to demonstrate that the data subject has consented to the processing of his/her personal data.

When is consent for personal data necessary?

Consent by the data subject is one of the many legal bases provided by the GDPR alternately, to legitimise the processing of personal data carried out by the controller. This means that consent must be obtained whenever one of the alternative legal bases listed in art. 6 of the GDPR cannot be used. These are essentially “equivalent circumstances” to consent, in the presence of which personal data may be processed even without consent from the data subject.

What are the equivalent circumstances to consent by the data subject?

In addition to consent, art. 6 of the GDPR lists five different legal bases which mainly take up the alternatives already provided for by the Italian privacy Code. Processing will be lawful even in the absence of consent if: a) it is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract; b) it is necessary for compliance with a legal obligation to which the controller is subject; c) it is necessary in order to protect the vital interests of the data subject or of another natural person; d) it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; f) it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

In the last case, it will be the duty and responsibility of the controller to balance his/her legitimate interest with the rights of data subjects and justify that his/her interest overrides the interests of the various data subjects.

What might the legitimate interests of the controller be?

Recitals 47, 48 and 49 of the GDPR list examples of activities that might be considered the legitimate interests of a data controller and which override those of data subjects.

Among these is fraud prevention and direct marketing (which occurs when the controller uses the contact data the data subject has given him/her in the context of the sale of a product or a service without asking for the data subject’s consent and provided that the data subject, adequately informed, had not refused it). The processing of data for internal administrative purposes or in order to assure the security of networks and information may also be considered to be covered by legitimate interest.

Are there particular conditions for the processing of “sensitive” data (so called special categories of data)?

For the processing of special categories of data (sensitive data), the general rule is that of explicit consent (explicit consent is also applied when the data controller wants to adopt automatic decision-making processes, including profiling, which have legal consequences for data subjects).

In this case, the GDPR also provides a series of “equivalent circumstances” which waive the need to collect consent (art. 9). Some of these are particularly innovative, among which when processing is necessary for: the purposes of complying with obligations of labour law, social security and social care; the purposes of preventive or occupational medicine; for reasons of public interest in the field of public health; for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

What is new with regard to child’s consent?

The GDPR inserts an ad hoc provision for child’s consent, which however only refers to the offer of information society services.

Considering the wide variety of content and digital services to which children have access thanks to the use of the Internet, the GDPR wishes to strengthen the protection of children from the dangers of the Internet. Therefore, Art. 8 specifies that consent given by a child for the processing of his/her personal data in the context of a service offered by an information society, is only lawful when the child is at least 16 years old (Member States may provide by law for a lower age provided that it is not below13 years).

Where the child is below the age of 16, processing will be lawful only if and to the extent that consent is given or authorised by the parents or holder of parental responsibility over the child.

What are the conditions for the collection of consent?

In light of the definition of consent (a free, specific, informed and unambiguous indication of will), the GDPR specifies the conditions controllers must fulfill in order to guarantee the collection of legitimate consent.

Consent can be given with a written or an oral statement.

When consent is given in writing, in the context of a declaration which also includes other matters, consent to data processing must be presented in a manner which is clearly distinguishable from the other matters.

The formulation of consent must be in an intelligible and easily accessible form, using clear and plain language.

Moreover, the data controller must take into consideration that consent given by the data subject can be withdrawn at any time as easily as it was given.

How to create a GDPR compliant consent form?

To briefly summarise: in order to create a GDPR compliant consent form:

1) this must be a clear and unambiguous act: it can be collected in writing including by electronic means, or with an oral statement;

1.1) this implies that consent is not constituted by: silence, inactivity or pre-ticked boxes.

1.2) on the contrary, consent can be obtained through: specific boxes to tick (not pre-ticked) when visiting an Internet website; choosing technical settings for information society services or another statement or conduct which clearly indicates the data subject’s acceptance of the proposed processing of his/her personal data.

2) must be formulated in clear, plain and intelligible language;

3) there must be separate consents for each processing purpose (marketing and profiling are distinct purposes);

4) when a child is involved: the age of the child must be verified or parental consent must be asked for;

5) for special categories of personal data, consent must be explicit;

6) data controllers must take appropriate measures to demonstrate that the data subject has consented to processing of his/her personal data and also to inform the data subject of his/her right to withdraw his/her consent at any time and that it is as easy to withdraw as to give consent.

 

 

The privacy regulation (Regulation (EU) 2016/679) will shortly be directly applicable across Europe, which means that businesses, public administrations and private citizens will all be rushing to make sure they comply with the provisions of the new regulation. To make it easier to understand such a complex and highly structured text as the GDPR, we provide a set of simple factsheets here with a Q&A formula, which starting from already well-known privacy concepts, give a brief first guide to the new regulation.

What is a privacy notice?
A factsheet known as a privacy notice refers to that set of information which must be provided to data subjects (namely natural persons whose data are processed) to allow them to understand who is collecting their personal data, what will be done with them, how, by whom and who they will be shared with.

Who is responsible for providing the privacy notice?
The privacy notice must be provided by the data controller or the data processor, when specifically instructed to do so by the data controller.

What are the contents of a privacy notice?
The GDPR provides a thorough description of the contents of the privacy notice in art. 13, par. 1 and art. 14, par. 1.

Some of these contents were already provided for in the Italian Privacy Code, among which are for example the indication of: a) contact data of the data controller and of any data processor when used; b) the purposes of processing (e.g. entering into contracts, marketing, profiling, etc.); c) whether the provision of personal data is mandatory or not and the consequences (should such mandatory data not be provided); d) the rights of data subjects.

Besides this information, the GDPR provides further relevant information in the privacy notice which the controller is required to provide to data subjects in order to proceed with processing their data, such as: a) contact data for the Data Protection Officer when appointed; b) the legal basis for the processing (e.g. consent, public interest, performance of contracts and so on) and in cases where this constitutes legitimate interest for the controller, specify its contents; c) whether the data will be transferred to countries outside the EU and which instrument the transfer will be carried out with (e.g. adequacy decision; BCR, standard contractual clauses); d) the period of time for which the data will be stored or the criteria used to determine it; e) the existence of automated decision-making (including profiling) and the logic it is based on.

When must the privacy notice be given?
The privacy notice must be provided to data subjects at the moment in which their data are collected, therefore before the start of any kind of processing. The GDPR only exempts data controllers from the obligation of providing privacy notices in cases in which data subjects already have all the information at their disposal (art. 13, par. 4).

Conversely, however, in cases where the data have not been obtained from the data subject, data controllers must provide data subjects with the above listed information (in addition specifying the source of the data) within a month of collecting them or at any rate from the moment of their communication (to a third party or to the data subjects themselves).The GDPR also provides for certain circumstances for exemption in this situation (art. 14, par. 5) which refer to those cases in which: a) data subjects are already in possession of all relevant information; b) the provision of such information would prove impossible or would involve excessive effort; c) the collection or disclosure is laid down by law; d) the data must remain confidential subject to an obligation of professional secrecy. It is the duty and therefore, the responsibility of the data controller to assess whether there is one of the above-listed circumstances.
In addition data subjects must be provided with a new privacy notice should the data controller decide to process the collected data for different purposes from those originally communicated.

How must the privacy notice be provided?
In this case too the GDPR gives a clearer definition of the procedure for formulating and providing the privacy notice.
The privacy notice is generally provided in writing or by other means, which can also be electronic (where appropriate). Only in cases when the data subject requires it, may the privacy notice be provided orally.
With regard to its formulation, the GDPR specifies that the privacy notice must be: concise, transparent, intelligible and easily accessible. Essentially, it must be formulated in clear and plain language, in particular when the information is specifically addressed to a child (art. 12, par. 1).
In addition, with the precise aim of guaranteeing the highest level of transparency and to make it easily legible, the GDPR clearly explains that the information may be provided in combination with standardised icons to give an intuitive and easily understandable overview of the processing procedure.

posted by admin on dicembre 15, 2017

Privacy

(No comments)

The European Parliament has endorsed the opening of negotiations between the Parliament itself and the Council concerning the procedure for adopting the proposal for the Regulation on Privacy and Electronic Communications.

The current directive on e-Privacy was last reviewed in 2009 and the proposal for review, which was submitted on the 10th January 2017, replaces this directive with a Regulation which complements and particularises the European framework on data protection bringing it into line with the General Data Protection Regulation (“GDPR”) which will apply from 25th May 2018.

The Regulation on Privacy and Electronic Communications submitted by the Commission, will increase the protection of people’s private life and open up new opportunities for business. The measures presented aim at revising current rules, extending the scope to all communication service providers. The rules on privacy will now also apply to new operators who provide electronic communication services, such as WhatsApp, Facebook Messenger, Skype, Gmail, iMessage and Viber. The current e-Privacy Directive, which now only applies to traditional communication service providers, will be updated.

The objective is to increase trust in and the security of the Digital Single Market striking the right balance between a high level of protection for consumers and the opportunity for businesses to innovate. In addition, the proposal provides that personal data processing carried out by European institutions and bodies will ensure the same level of protection as that guaranteed by single Member States, as laid down in the General Data Protection Regulation (GDPR) and it defines a strategic approach to questions regarding the cross-border transfer of personal data.

 

 

posted by Laura Greco on maggio 15, 2017

Privacy

(No comments)

The Italian Court of Cassation has recently been called on to deal with the issue of whether payment descriptions for bank transfers qualify as sensitive data, in cases in which they specify indemnity payments for illness or disability using the wording “allowance ex L. 210/1992”, (the law which grants allowances to parties who have suffered irreversible complications due to mandatory vaccination and blood transfusions, or in cases of decease, to their families).

The Supreme Court judges have expressed conflicting decisions in several such cases. In all the examined cases, the matter concerned the relations between the Region, which issues the allowance and authorizes the bank transfer, and the ill or disabled party’s bank, which is the recipient of the allowance on behalf of its current account holder.

In the case of the first decision dating from 2014 (judgement n. 10947 of 19th May 2014), the Court considered the payment description, which quoted the above-mentioned legislative references, as sensitive data and thus determined that both the Region and the bank had unlawfully processed personal data since they had not adopted security measures for the transmission and dissemination of said data, such as encryption techniques and non-identifiable codes, as provided for by Art. 22, 6° par. of the Personal Data Protection Code.

In the second decision (judgement n. 10280 of 20th May 2015), which is clearer and better developed than the previous one, the Supreme Court judges overturned their first approach and followed a quite different decision-making process. Firstly, they rejected the concept that payment descriptions for allowances filled out in such a way constituted sensitive data, as the law quoted provided that the recipients of these allowances could either be the parties directly affected or otherwise their families. Since the payment of the allowance did not depend on the illness of the party who actually received it, the judges concluded that the information was not sufficient to reveal the recipient’s state of health and, therefore, did not constitute sensitive data.

Secondly, according to the Supreme Court, it was not a question of the Region rendering the data transferred to the bank public, as this would have implied – in conformity with Art. 4, lett. m) of the Code – disclosure of the data to unspecified parties, whereas in this case the disclosure was only made to the bank of the current account holder who was the beneficiary of the allowance.

Furthermore, the judges considered that references to Art. 22, 6° par. of the Code were groundless, since, as correctly quoted, the adoption of encryption techniques is only required in specific cases where the data originate from directories or registries and the aim is to manage and consult them. Neither could the bank be considered to have the responsibility for adopting these measures for three different reasons: firstly, the provision is only applicable to public bodies; secondly, private entities are only obliged to adopt encryption measures in relation to sensitive data which would reveal a state of health and were processed with electronic systems, both of which conditions are missing in the present case; finally, communicating to a client of the bank’s his/her personal data does not constitute processing of personal data.

Finally, in the opinion of the Court, the role of the bank was that of the current account holder’s representative and it received the payment from the Region on his/her behalf: thus, the payment was to be considered as being directly effected by the debtor (the Region) to the creditor (the recipient of the allowance). Therefore, the Supreme Court considered both the Region’s and the bank’s conduct to be within the law and acknowledged there had been no illegal processing of personal data.

This question has recently once again been deliberated by the 1st Civil Division of the Court of Cassation, which has issued two interlocutory orders (no. 3455 and no. 3456 registered on 9th February 2017) delegating the “Sezioni Unite” (the Joint Divisions), the task of devising a solution to this conflict of case law. On this occasion the Supreme Court has abstained from expressing its own opinion one way or the other with regard to the different interpretations of case law regarding this issue, and has simply commented on the nature of payment descriptions as “sensitive data”. The Court has pointed out that, even if payment can be made both to the family and the ill or disabled party, only the latter would receive payment in instalments (whereas family would receive a lump sum). This particular method of payment would clearly identify the recipient of the payment as the victim of illness or disability and for this reason the indication of a payment in instalments would constitute sensitive data.

We will have to wait to see how the Joint Divisions will solve this conflict of case law we have just described and in particular whether they opt for a broad or restrictive interpretation of the concept of sensitive data.

 

 

posted by admin on marzo 31, 2017

computer crimes

(No comments)

The Italian DPA has imposed fines totalling over 11 million euros on five money transfer companies which had unlawfully processed more than one thousand users’ personal data in order to bypass anti money-laundering regulations.

These companies collected and transferred to China sums of money belonging to Chinese businessmen, violating both the anti money-laundering law and the data protection law. By using the technique of structuring (i.e. the technique of breaking up large amounts of money into several smaller transactions below the anti money-laundering legal threshold), companies allocated money transfers to more than 1,000 customers, who were completely unaware of these transactions, by illegally using their data.

These serious violations came to light during an investigation by the Procura di Roma (the Rome Public Prosecutor’s Office). The Currency Police Unit of the Italian Financial Police, authorised by the Judicial Authorities, ascertained that the names of the people these money transfers were registered to did not correspond to the real senders. In addition, in certain cases the transaction forms turned out not even to have been signed or to have been filled out by people who were either deceased or non-existent. The personal data used were taken from photocopies of id documents, which were stored in specific folders to be used when needed. Money transfers were carried out within seconds of each other and involved sums of money which were just under the legal threshold and addressed to the same recipient.

Due to this infringement of the Data Protection Law committed by the companies, the Italian Data Protection Authority was obliged to intervene and, in view of the seriousness of the violations, the number of parties involved whose personal data had been processed without their consent and the importance (and size) of the database, has imposed the following fines: 5,880,000 euros for the multinational corporation and fines of 1,590,000 euros, 1,430,000 euros, 1,260,000 euros and 850,000 euros respectively for the other four companies, for a total of over 11 million euros.

 

 

posted by admin on marzo 1, 2017

Privacy

(No comments)

ratingBlackMirrorThe Italian Data Protection Authority has established that a “reputation rating” project violates the provisions of the Personal Data Protection Code and impacts negatively on human dignity.

The project, which was devised by an organisation structured as an association and a company appointed for its management, is based on a web platform and a database which gathers vast amounts of personal data either uploaded by users or obtained from the web, on various types of individual – from job candidates to business people, freelance professionals and private individuals. By means of a specific algorithm the system would then be able to objectively measure people’s reliability in the economic and professional fields, by assigning a score (“rating”) to their online reputation.

The DPA observed that the system would create significant problems in relation to privacy due to the confidential nature of the information, the pervasive impact on the interested parties and the method of processing. Essentially, the system implies the massive collection – also online – of information open to significantly impacting on the economic and social representation of thousands of people. Such processed reputation ratings might have serious repercussions on the lives of those who had been rated, since it might influence other people’s choices as well as jeopardising access for rated parties to services and benefits.

The DPA also expressed a number of doubts about the objectivity claimed for the ratings, stressing that the company could not prove the effectiveness of the algorithm used to regulate the settings of the “ratings”, which would be calculated without rated parties having any chance to freely give their consent. Given the complexity and sensitivity of measuring situations and variables which are not easy to classify, any rating might be based on incomplete or flawed documents and certificates with the consequent risk of creating inaccurate profiles which do not correspond to the real social identity of the rated parties.

Moreover, the DPA was concerned about the unreliability of allowing an automated system to decide upon such complex and sensitive issues relating to individuals’ reputations.

The system’s security measures which are principally based on “weak” authentication systems (user ids and passwords) and on encryption techniques only for judicial data, were found to be totally inadequate in the DPA’s opinion. Finally, further critical issues were detected in the time period for data storage and privacy policies for interested parties.

Therefore, in conclusion, the DPA has banned all present and future processing operations related to the reputation rating project.

 

 

posted by admin on novembre 15, 2016

computer crimes

(No comments)

This is a summary of the interview given by Prof. Giusella Finocchiaro to Vanity Fair, in which she was invited to explain certain legal aspects underlying some particular recent news items regarding online privacy.

Social media allow a choice of the level of visibility for each post published, however for uses such as that of videos illegally circulated online judicial measures are required. Giusella Finocchiaro, the first attorney at law in Italy to teach Internet law, explains how.

Two cases recently appeared in the news in the space of just 24 hours. Firstly, the suicide of a 31-year-old woman, whose hard core videotape had been circulating illegally on the web for more than a year and the case of a 17-year-old girl, whose girl friends recorded and posted a video of her while she was being raped in a disco. Both of these cases raise the question of what the limits of privacy on the Internet are. The head of the Italian Data Protection Authority, Antonello Soro, spoke of « the risk of being pilloried that the Net exposes us to, given the lack of adequate user awareness of the nature of its unlimited space and of the damaging effects that violent communication or the ferocity of ruthless mockery on the part of others may cause».

Lack of legislation was not in question Soro did not speak of a lack of legislation but rather of the need for «appropriate response procedures on the part of the different platforms» and also of another fundamental need: namely «to cultivate respect among people on the Internet». Investment in digital education is fundamental also according to Giusella Finocchiaro, (attorney at law and Professor of Private and Internet law at the University of Bologna, the first chair for this subject in Italy, as laws exist and the legal course followed by Tiziana Cantone (the woman who committed suicide) was the correct one, but timescales remain lengthy and not all people know how to protect themselves.

 

 

posted by admin on luglio 15, 2016

Right to oblivion

(No comments)

The Italian Data Protection Authority (DPA) has rejected an appeal by an ex-terrorist, who had requested the de-indexation of web pages reporting serious crimes he had committed between the end of the 1970s and the beginning of the 1980s.

Having served his sentence, in 2009 the man had requested Google to remove a number of URLs and search suggestions shown by their “autocomplete” function, which, when typing in the man’s name and surname, called up the term “terrorist”.

Given that Google took no action regarding the claimant’s request, the ex-terrorist turned to the Italian DPA complaining that the continued presence on the Internet of contents dating so far back in time and which were a misrepresentation of his current way of life, was causing serious harm both to his personal and professional life. Maintaining that he was not a public figure but a free citizen, the claimant demanded the right to be forgotten.

The DPA rejected his appeal on the grounds that the information, for which de-indexation was requested, refers to particularly serious crimes that come under those indicated in the Guidelines on the implementation of the right to be forgotten adopted in 2014 by the European Privacy Authorities; crimes for which requests for removal require more stringent evaluation.

The DPA further emphasized that in the case submitted, all the information has acquired historical value and is in the public mind. Indeed it refers to one of the darkest periods of recent Italian history, during which the claimant had not only been a supporting actor but had essentially played a leading role.

Moreover, despite the considerable length of time, which had passed since the circumstances in question, there is still a very high level of public interest in that period of time and those events, as demonstrated by the topicality of the references accessible through the same URLs.

Therefore, declaring that it was of paramount importance for the public interest to have access to the information in question, the DPA adjudged the request for removal of the URLs indicated by the claimant and indexed by Google to be unfounded.

 

 

posted by admin on maggio 9, 2016

digital identity

(No comments)

THE ITALIAN DPA HAS RULED IN FAVOUR OF THE APPEAL BY A USER, TO WHOM FACEBOOK HAD NOT GRANTED A BAN ON FAKE PROFILES CREATED TO HIS DETRIMENT

Facebook will be accountable for fake profiles created on its platform and offer full cooperation and transparency. In the last few days the Italian DPA has published a provision from last February concerning a dispute between a well-known doctor from Perugia and Facebook Ireland Ltd. The complaint presented in November 2015 and originated from an attempt at extortion carried out on the pages of the famous social network.

The doctor had been the victim of activities amounting to threats, attempts at extortion, impersonation and the unlawful breaking into a computer system by a Facebook user, who, after requesting online friendship and obtaining acceptance from the doctor, started an “electronic correspondence with him, which at first was of a confidential nature, but which subsequently aimed to pursue criminal ends”. The criminal had created a fake account using photos and personal data of the Perugia doctor and had attempted to blackmail him with threats of sending obscene photomontages showing child pornography material to friends, acquaintances and colleagues. The doctor, who had not given in to these blackmail attempts, asked Facebook to take appropriate steps to eliminate the fake profiles and to provide him with all the relevant information necessary to limit as quickly as possible the damage suffered by his image.

According to the doctor’s lawyers, Facebook did not take the appropriate action on the matter, not granting satisfactory and complete access to the required data. In particular, Facebook simply made available through its “download tool” service a set of data, which were not clearly intelligible as they only referred to code numbers. Furthermore, the data set was incomplete as it simply referred to data from the claimant’s valid Facebook account and did not include data processed by the fake account and shared on the social network.

Therefore, the DPA established that Facebook Ireland Ltd, which is in possession of the information required by the doctor, must communicate “to the claimant in an intelligible form all data relating to him that are held with regard to the Facebook profiles opened in his name”. The social network must close down the fake profile in order to facilitate any possible investigation into establishing the identity of those responsible for the attempt at extortion.

Following the expiry of the thirty day term to comply with the DPA’s provisions, Facebook will have about two weeks to file opposition before the Court of Perugia, failing which the penalty will consist of a fine and up to two years’ imprisonment.

 

 

It is unnecessary to resort to international rogatory in order to tap BlackBerry mobile system chats nor is it necessary to use requisition measures.

This is what the Third Criminal Division of the Italian Supreme Court (ruling no. 50452/15) established with its appeal judgment issued in relation to the appeal on the part of certain defendants who had been placed under preventive detention by the Court of Rome due to their being implicated in drug trafficking.

The detention order was founded on various evidence, including chats on BlackBerry mobile systems, which related to importing a 10 kilo consignment of cocaine to Italy.

The defendants involved in this phone tapping brought the question before the Italian Supreme Court, claiming that the chats which had been tapped could not be considered as evidence, since they had taken place on BlackBerry’s mobile systems, which have their head office in Canada. Therefore, in their opinion, an international rogatory would have been required in order to legally acquire the content of the chats. Moreover, according to the defence, conversations in a chat context could not be considered as “phone conversations” as they are in fact a stream of computer data. On these grounds requisition measures regarding computer data (according to art. 254bis of the Italian Criminal Procedure Code) should have been carried out rather than a procedure of phone tapping.

In response to the first point, the Supreme Court asserted that it is a well-established principle that international phone calls routed to a specific Italian telephone “junction” should not be subject to international rogatory as all activity involving reception and recording takes place on Italian territory. This principle was also correctly applied by the Collegio di Cautela* in relation to the use of Blackberry chats. In this regard, the Supreme Court emphasized that computer interceptions had been correctly carried out on PIN codes, while the subsequent request to the Canadian company regarding ID data associated with the intercepted PIN codes had related to data that do not enjoy special protection.

Consequently, the Supreme Court considered it irrelevant that BlackBerry was Canadian, as the communications in question took place in Italy as a result of them transferred over an ICT platform located in Italy.

Conversely, the Court considered as unfounded the objection regarding the failure to implement requisition measures for the computer data. The judgment clarifies that, even if held by Internet service providers, requisitioning IT documents or IT devices excludes per se the concept of “communication”. Requisitioning will be specifically required when it is necessary to acquire documents for purposes of evidence, by means of inspections to be carried out on data contained in those documents. The Supreme Court asserted that “with regard to the use of chats on the BlackBerry system, it is correct to acquire contents by means of tapping according to art. 266bis c.p.p. and subsequent, as even if they are not simultaneous, online conversations constitute a flow of communication”.

Although the Court upheld the defendants’ appeal on the basis of considerations that go beyond the analysis of this post, the Court rejected the abovementioned specific technical objections, pointing out that: “even the most careful interpretation of the delicate relationship between the computer interception system and new technologies has observed that tapping BlackBerry chats takes place by using traditional systems, i.e. monitoring a phone’s PIN (or IMEI), which is uniquely associated with a nickname, underlining how tapping is managed at a technical level at the company’s Italian head office”.

The text of the Supreme Court judgment is available HERE.

 

*Second-instance Court empowered to hear appeals of decisions on preventive measures

  • Recent comments

  • Popular posts

    • None found