Editorial Director: Giusella Finocchiaro
Web Content Manager: Giulia Giapponesi

posted by admin on March 1, 2017

Privacy


The Italian Data Protection Authority has established that a “reputation rating” project violates the provisions of the Personal Data Protection Code and has a negative impact on human dignity.

The project, devised by an organisation structured as an association together with a company appointed to manage it, is based on a web platform and a database that gathers vast amounts of personal data, either uploaded by users or obtained from the web, on various types of individual: job candidates, business people, freelance professionals and private individuals. By means of a specific algorithm the system would then claim to objectively measure people’s reliability in the economic and professional fields, by assigning a score (“rating”) to their online reputation.

The DPA observed that the system would create significant privacy problems because of the confidential nature of the information, the pervasive impact on the data subjects and the method of processing. Essentially, the system implies the massive collection, also online, of information likely to have a significant impact on the economic and social representation of thousands of people. Such reputation ratings might have serious repercussions on the lives of those rated, since they might influence other people’s choices and jeopardise the rated parties’ access to services and benefits.

The DPA also expressed a number of doubts about the objectivity claimed for the ratings, stressing that the company could not prove the effectiveness of the algorithm used to compute the “ratings”, which would be calculated without the rated parties having any chance to freely give their consent. Given the complexity and sensitivity of measuring situations and variables that are not easy to classify, any rating might be based on incomplete or flawed documents and certificates, with the consequent risk of creating inaccurate profiles that do not correspond to the real social identity of the rated parties.

Moreover, the DPA was concerned about the unreliability of allowing an automated system to decide upon such complex and sensitive issues relating to individuals’ reputations.

The system’s security measures, which are principally based on “weak” authentication (user IDs and passwords) and on encryption techniques applied only to judicial data, were found to be totally inadequate in the DPA’s opinion. Finally, further critical issues were detected in the data retention period and in the privacy policies for data subjects.

In conclusion, therefore, the DPA has banned all present and future processing operations related to the reputation rating project.


posted by admin on November 15, 2016

computer crimes


This is a summary of the interview given by Prof. Giusella Finocchiaro to Vanity Fair, in which she was invited to explain certain legal aspects underlying some particular recent news items regarding online privacy.

Social media allow users to choose the level of visibility of each post they publish; for abuses such as videos circulated illegally online, however, judicial measures are required. Giusella Finocchiaro, the first attorney at law in Italy to teach Internet law, explains how.

Two cases appeared in the news within the space of just 24 hours: the suicide of a 31-year-old woman, whose sexually explicit video had been circulating illegally on the web for more than a year, and the case of a 17-year-old girl, whose girlfriends recorded and posted a video of her while she was being raped in a disco. Both cases raise the question of what the limits of privacy on the Internet are. The head of the Italian Data Protection Authority, Antonello Soro, spoke of «the risk of being pilloried that the Net exposes us to, given the lack of adequate user awareness of the nature of its unlimited space and of the damaging effects that violent communication or the ferocity of ruthless mockery on the part of others may cause».

It was not a question of a lack of legislation: Soro did not speak of a lack of legislation but rather of the need for «appropriate response procedures on the part of the different platforms» and of another fundamental need, namely «to cultivate respect among people on the Internet». Investment in digital education is also fundamental according to Giusella Finocchiaro (attorney at law and Professor of Private and Internet Law at the University of Bologna, the first chair in this subject in Italy), since laws exist and the legal course followed by Tiziana Cantone (the woman who committed suicide) was the correct one, but timescales remain lengthy and not everyone knows how to protect themselves.


posted by admin on July 15, 2016

Right to oblivion


The Italian Data Protection Authority (DPA) has rejected an appeal by an ex-terrorist, who had requested the de-indexation of web pages reporting serious crimes he had committed between the end of the 1970s and the beginning of the 1980s.

Having served his sentence, in 2009 the man asked Google to remove a number of URLs and the search suggestions shown by its “autocomplete” function which, when his name and surname were typed in, called up the term “terrorist”.

Since Google took no action on the request, the ex-terrorist turned to the Italian DPA, complaining that the continued presence on the Internet of content dating so far back in time, and misrepresenting his current way of life, was causing serious harm to both his personal and professional life. Maintaining that he was not a public figure but a private citizen, the claimant demanded the right to be forgotten.

The DPA rejected his appeal on the grounds that the information for which de-indexation was requested refers to particularly serious crimes of the kind indicated in the Guidelines on the implementation of the right to be forgotten adopted in 2014 by the European privacy authorities, crimes for which requests for removal require more stringent evaluation.

The DPA further emphasised that in the case submitted, all the information has acquired historical value and belongs to public memory. Indeed, it refers to one of the darkest periods of recent Italian history, during which the claimant had not merely been a supporting actor but had essentially played a leading role.

Moreover, despite the considerable length of time that has passed since the events in question, there is still a very high level of public interest in that period and those events, as demonstrated by the topicality of the references accessible through the same URLs.

Therefore, declaring that it was of paramount importance for the public interest to have access to the information in question, the DPA adjudged the request for removal of the URLs indicated by the claimant and indexed by Google to be unfounded.


posted by admin on May 9, 2016

digital identity


THE ITALIAN DPA HAS RULED IN FAVOUR OF THE APPEAL BY A USER, TO WHOM FACEBOOK HAD NOT GRANTED A BAN ON FAKE PROFILES CREATED TO HIS DETRIMENT

Facebook will be held accountable for fake profiles created on its platform and must offer full cooperation and transparency. In the last few days the Italian DPA has published a decision from last February concerning a dispute between a well-known doctor from Perugia and Facebook Ireland Ltd. The complaint, presented in November 2015, originated from an attempted extortion carried out on the pages of the famous social network.

The doctor had been the victim of conduct amounting to threats, attempted extortion, impersonation and unlawful access to a computer system by a Facebook user who, after requesting online friendship and obtaining the doctor’s acceptance, started an “electronic correspondence with him, which at first was of a confidential nature, but which subsequently aimed to pursue criminal ends”. The offender had created a fake account using photos and personal data of the Perugia doctor and had attempted to blackmail him, threatening to send obscene photomontages containing child pornography material to friends, acquaintances and colleagues. The doctor, who did not give in to these blackmail attempts, asked Facebook to take appropriate steps to eliminate the fake profiles and to provide him with all the information necessary to limit as quickly as possible the damage suffered by his image.

According to the doctor’s lawyers, Facebook did not take the appropriate action on the matter, not granting satisfactory and complete access to the required data. In particular, Facebook simply made available through its “download tool” service a set of data, which were not clearly intelligible as they only referred to code numbers. Furthermore, the data set was incomplete as it simply referred to data from the claimant’s valid Facebook account and did not include data processed by the fake account and shared on the social network.

Therefore, the DPA established that Facebook Ireland Ltd, which is in possession of the information required by the doctor, must communicate “to the claimant in an intelligible form all data relating to him that are held with regard to the Facebook profiles opened in his name”. The social network must close down the fake profile in order to facilitate any possible investigation into establishing the identity of those responsible for the attempt at extortion.

Following the expiry of the thirty-day term to comply with the DPA’s decision, Facebook will have about two weeks to file an opposition before the Court of Perugia, failing which the penalty will consist of a fine and up to two years’ imprisonment.


It is unnecessary to resort to international rogatory in order to tap BlackBerry mobile system chats nor is it necessary to use requisition measures.

This is what the Third Criminal Division of the Italian Supreme Court established (ruling no. 50452/15) in its judgment on the appeal brought by certain defendants who had been placed under preventive detention by the Court of Rome for their involvement in drug trafficking.

The detention order was founded on various items of evidence, including chats on BlackBerry mobile systems relating to the import of a 10 kilo consignment of cocaine into Italy.

The defendants affected by this interception brought the question before the Italian Supreme Court, claiming that the intercepted chats could not be considered as evidence, since they had taken place on BlackBerry’s mobile systems, whose head office is in Canada. In their opinion, therefore, an international rogatory would have been required in order to lawfully acquire the content of the chats. Moreover, according to the defence, conversations in a chat could not be considered “phone conversations”, since they are in fact a stream of computer data; on these grounds, a seizure of computer data (under art. 254bis of the Italian Criminal Procedure Code) should have been carried out rather than a phone-tapping procedure.

In response to the first point, the Supreme Court asserted that it is a well-established principle that international phone calls routed to a specific Italian telephone “junction” should not be subject to international rogatory as all activity involving reception and recording takes place on Italian territory. This principle was also correctly applied by the Collegio di Cautela* in relation to the use of Blackberry chats. In this regard, the Supreme Court emphasized that computer interceptions had been correctly carried out on PIN codes, while the subsequent request to the Canadian company regarding ID data associated with the intercepted PIN codes had related to data that do not enjoy special protection.

Consequently, the Supreme Court considered it irrelevant that BlackBerry is Canadian, since the communications in question took place in Italy, being transferred over an ICT platform located in Italy.

The Court also considered unfounded the objection regarding the failure to carry out a seizure of the computer data. The judgment clarifies that the seizure of IT documents or IT devices, even when held by Internet service providers, excludes per se the concept of “communication”. Seizure is specifically required when documents must be acquired for evidentiary purposes, by means of inspections to be carried out on the data they contain. The Supreme Court asserted that “with regard to the use of chats on the BlackBerry system, it is correct to acquire contents by means of tapping according to art. 266bis c.p.p. and subsequent, as even if they are not simultaneous, online conversations constitute a flow of communication”.

Although the Court upheld the defendants’ appeal on the basis of considerations that go beyond the analysis of this post, the Court rejected the abovementioned specific technical objections, pointing out that: “even the most careful interpretation of the delicate relationship between the computer interception system and new technologies has observed that tapping BlackBerry chats takes place by using traditional systems, i.e. monitoring a phone’s PIN (or IMEI), which is uniquely associated with a nickname, underlining how tapping is managed at a technical level at the company’s Italian head office”.

The text of the Supreme Court judgment is available here.


*Second-instance Court empowered to hear appeals of decisions on preventive measures

We present here an interview published in December 2015 in the CINECA Consortium Magazine.

Do the legal principles covering the Net derive from general legal principles or from made-to-measure laws?

The general legal principles are always the same, of course. There would be no sense in trying to find a made-to-measure solution and a made-to-measure law for each specific problem, without due consideration for the overlying framework. It’s not always true, therefore, that, in order to regulate new technologies, new laws have to be made.

We need to get away, too, from the common idea that technology runs ahead while the law limps along behind. The reality is quite different. Take the laws on electronic signatures, for example. In Italy, the law arrived ahead of technology and even ahead of the need.

The principle has recently been affirmed according to which the law should be technologically neutral. On the basis of this principle, the legislator should not condition the market by favouring one technology over another, nor should he condition the development of technology. This approach is “functional” in the sense that it regulates, not the object, but the function. We must avoid constraining any specific form of technological or commercial development. Rather, we need to set out general principles that will remain unvaried for a certain period of time, and will not be constrained by changing technologies.

Apart from the electronic signature, another emblematic case is that of laws for the protection of consumers over remote sales contracts. What is involved, clearly, is a way of selling, not a specific technology. As far as the law is concerned, therefore, it is not important to make a distinction between purchases made using, for example, an App, or those made through a traditional website.

Speaking of users’ rights, the privacy and copyright laws are well known, but people are also invoking the right to be forgotten. What is this about?

The right to be forgotten is not a right in itself but it is nevertheless a restatement of other rights that are recognized by the law. Traditionally, the right to be forgotten describes a person’s right not to have republished information, even if it was legitimately published at the time, relating to events that happened a considerable length of time ago.

On the Internet, obviously, the time involved is not that between publication and republication of the information, but the time that has elapsed since the item was published. The time factor concerns not just news items, but events which took place a long time ago, though this fact is not evident because no time context is given. In these cases, jurisprudence has suggested there may be an infringement of an individual’s right to his or her personal identity.

The problem is to ensure that the proper weight is given to the information, in order to avoid the person’s identity being distorted by the Net. As we saw from a decision by the Supreme Court, no. 5525 of 5 April 2012, this goal can be achieved by placing the information in context. It is not a right to be forgotten, then, but a right to a proper context.

The underlying theme, but one that emerges strongly, is that of the protection of an individual’s identity, in all its multiple forms.

What is at issue, then, is not the question of a specific news item about a specific individual and a specific event that can be retrieved through Google, but the protection of a person’s identity in the Internet, which is often perceived as a sole archive. It is not a sole archive, but it is a major source of information and sometimes the only one accessible.

“The Law in the Net”, but also “The Net in the Law”: how has Internet affected or modified the principles of “Jus Commune”?

Generally speaking, the principles of “Jus Commune” remain as before, but it cannot be denied that the advent of new technologies has brought fresh challenges for legal scholars.

What we have said about the right to be forgotten is a good example. In the real, physical world, the key element of this is the concept of “republication”. With Internet, on the other hand, the issue is the time the information stays available. Here it is not a question of drawing public attention back to a past event. The point is that, potentially, the past event has always remained there. So in this case the need that the law has to satisfy is a different one. It is no longer a question of republishing or not, it is a question of how a publication, that was maybe made quite legitimately many years earlier, is to be presented now.

A Net without borders: how have international regulations been affected by Internet?

The same general considerations apply. It is clear that the advent of Internet has drawn international attention to the need to regulate certain situations. I am thinking first of all of regulations aimed at encouraging the use of Internet as a trading tool and, as a consequence, the regulations set up for the protection of consumers.

A separate chapter belongs to the international conventions created to facilitate cooperation between the forces of law and order in relation to crimes committed via computer systems. I am thinking, for example, of the Budapest Convention of the European Council of 23 November 2001 on cybercrime.

Which judge has jurisdiction over disputes in Internet?

It depends on the nature of the dispute. The same procedural rules apply as in the real, physical world. The problem with the Internet is that the proper jurisdiction is not always easy to identify.

You are a teacher at Bologna University. How, in your opinion, has Internet revolutionized the world of the university? Is it simply a question of having new tools available for the administration and for the students, or is there more to it than that? Has there been a change of mentality, for example?

There are pros and cons to using Internet, in the university world like any other. Clearly, immediate access to a wider range of information has speeded up research processes. There is wider access to study texts. But it has to be said that the information stored on the Internet is disorderly. All the information on the net appears at the same level. From an academic point of view, research via the Internet poses problems for students, who are not always able to assess the reliability of the sources they are consulting. Consultation of texts in the library, on the other hand, allows more control over the information. It makes it easier to distinguish between original and secondary sources.

Turning now to the changes that Internet has brought to administrative aspects, we have to remember that publicity, that is to say the means of spreading awareness of information, is not the same on and off the net. On the Internet, anyone can access it without limits, unless restrictions to access have been expressly placed – reserved areas, passwords and so on. There are also no temporal limits. So publication online and publication offline are, legally, two very different things. Bologna University has adopted an innovative regulation on the publication of its official acts. The time of publication is limited to three years, and the regulations also cover the means of access and the essential nature of the content that is to be published. Transparency doesn’t mean publishing everything on Internet. Let’s remember that it’s a storehouse, not a structured archive of knowledge.

You were among the first in Italy to deal with these questions. Today you are a leading international expert, with major appointments and awards. What attracted you in the first place, and how would you sum up this experience today?

I must say that, from my professional viewpoint, I always prefer not to draw up a balance of what has been done. I prefer to look ahead to the things I still have to do. I always hope to make further improvements. I can certainly say that I am satisfied with having chosen to study a branch of law that is a continual source of new stimuli.

In the first place, I was pushed by curiosity for a new aspect of law. I was also fired by a passion for technical innovation. I therefore discovered, in my specialized field, a fascinating aspect of the legal profession: creativity in law. I believe, therefore, that I have been very lucky, not least because I have always found motivation and interest for my work. Nevertheless, however satisfied I may be, I am very much aware that a lot of new challenges lie ahead.


posted by Giusella Finocchiaro on November 10, 2015

Privacy


The recent “Facebook” decision by the European Court of Justice can be interpreted from two different perspectives, which are not, however, mutually exclusive. The first interpretation is of a legal-technical nature, while the second is political.

Let us start with the first. The facts are known, as are the conclusions. The United States is not considered to be a country that guarantees an adequate level of protection in accordance with the Directive on personal data protection, dir. 95/46.

The path is outlined in art. 25 of the Directive, which is quoted below for convenience and clarity, in order to better understand the past (the decision) and the future (the directions currently open).

Article 25

Principles

1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer, may only take place if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.

2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.

3. The Member States and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection within the meaning of paragraph 2.

4. Where the Commission finds, under the procedure provided for in Article 31 (2), that a third country does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question.

5. At the appropriate time, the Commission shall enter into negotiations with a view to remedying the situation resulting from the finding made pursuant to paragraph 4.

6. The Commission may find, in accordance with the procedure referred to in Article 31 (2), that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals.

Member States shall take the measures necessary to comply with the Commission’s decision.

In the past the Commission had deemed the level of protection afforded by the Safe Harbour framework to be adequate; with this decision the Court expresses its disagreement and invalidates the Safe Harbour.

This does not imply, however, that the transfer of personal data to the United States can no longer take place. It can take place on the basis of the express consent of the data subject or on the basis of Binding Corporate Rules. Therefore either the data subject may give their consent to the transfer, or the data controller may adopt management rules approved by the Data Protection Authority that allow the transfer.

So, what is the difference? The difference is that it will no longer be possible to rely on the Safe Harbour framework, i.e. to transfer data to the United States without consent or without pre-approved rules, on the assumption that the data are protected in the United States in the same way as they are in Europe.

From a strictly legal-applicative point of view all comment ends here. Undoubtedly, there will be higher management costs for those who transfer data from Europe to the United States, but there will certainly be no ban.

On the other hand, the political interpretation of the decision which follows roughly a year after the Google Spain case is far more problematic. As mentioned above, in the Court’s opinion, the United States does not provide an adequate level of data protection.

Essentially the Court states that the level of protection of personal data is higher in Europe and that it is the European law which should be applied to European subjects’ personal data (apologies for this simplification, obviously the decision refers to data transfer from Europe under certain conditions). Similar assertions can be found in the Google Spain decision.

The Court anticipates the content of art. 3 of the forthcoming European regulation on the protection of personal data with another decision which is also political. Then again, personal data protection has constitutional significance in Europe (article 8 of the Charter of Fundamental Rights), but not in the USA. This obviously reflects a different scale of values in two regions of the world, albeit regions very similar to each other when compared with the Asian region. This of course has a cost, which big players such as Google and Facebook can afford much more easily than small ones. And it underlines that Europe and the United States have not (yet) reached a political agreement on the question.


posted by Giusella Finocchiaro on January 26, 2015

Privacy


The Google service that allows virtual exploration of spectacular places is about to arrive in Italy.

At the request of the Mountain View colossus, the Italian Data Protection Authority has given authorization for partial exemption from the obligation to inform the public, but has set strict rules for photo shoots.

The most beautiful places in Italy including beaches, museums, parks and archaeological sites will soon be visitable at a distance thanks to Google Special Collects, a collection of virtual environments devised to popularize the most magnificent corners of the world.

Images are captured with equipment similar to that used for the Google Street View service, with one difference: the special cameras capable of 360-degree shots are not mounted on cars but on the backpacks of special “trekkers”, that is, operators appointed by Google to “map out” places without the use of vehicles.

In their request to the Authority, Google stated that in museums and other places with limited access, recordings would be made during closing times to the public with the aim of limiting accidental filming of visitors and of protecting their privacy. In outdoor locations times will be chosen when passersby are less likely to be encountered. The American corporation will also take action to black out faces and other identification features such as vehicle license plates which might have been recorded, before making the images available on the Google Maps service.

In granting Google partial exemption from informing the public, the Authority has obliged the corporation to take further precautions to protect the public and to implement simplified measures to inform the public of all ongoing filming activities.

In particular, in the three days before recording begins, Google will have to publish information in Italian on its website about the shooting locations. A further announcement will also have to be posted on the websites and any other communication outlets of the organisations involved seven days before filming. On site, Google operators will have to inform the public of the upcoming recording of images by means of special notices or signs posted at the entrances to the locations, in order to allow visitors to exercise their right not to be photographed.

In addition, the “trekkers” who carry photographic equipment will need to be recognized by stickers or other clearly marked distinguishing features to be attached to clothing and equipment, so as to clearly indicate that they are collecting images to be published online on Google Maps through the Google Special Collects service in Street View.

Google will also have to ensure the training of their personnel involved in these operations concerning compliance with the legislation on the protection of personal data.


posted by admin on December 22, 2014

Privacy


A coalition of Authorities for the protection of personal data of the Global Privacy Enforcement Network (GPEN) has urged distribution platforms to oblige app developers to inform users about any personal data that will be collected and how such data will be used before they download apps.

On 9 December 2014 the Italian Data Protection Authority, along with 22 other authorities worldwide, sent an open letter to the operators of 7 specific app marketplaces (Apple, Google, Samsung, Microsoft, Nokia, Blackberry and Amazon.com), urging them to make available to users a policy statement on the use of personal information before apps are downloaded.

“Apps make life easier”, according to Antonello Soro, President of the Italian Data Protection Authority, “but all too often we inadvertently allow them access to an increasingly wide range of particularly sensitive personal data, not only phone contacts or photos, but also geographic location, or, as in the case of medical apps, health data. The risk is one of permanent digital monitoring which we are gradually getting accustomed to”.

The decision to publish the open letter follows the investigation conducted by GPEN last May, the results of which showed that many of the most downloaded apps request access to a wide range of data but do not provide adequate explanations for the reasons behind these requests.

In particular, out of a total of over 1200 applications analyzed globally, three-quarters of them request one or more permissions, generally regarding location data, the ID of each device, access to other accounts, the functions of video footage and phone contacts.

In 59% of cases it was difficult for the authorities to find any privacy practice information before installation. In many cases there is either very little information available before downloading on the aims of the data collection or about its subsequent use, or a link is provided to a web page where there is a privacy statement that does not correspond to the specifications of the app.

Only 15% of the apps under examination were found to have transparently clear privacy policies. In the best cases the apps offer concise and clear explanations of what the app will do or will not do with the data collected based on the individual permissions requested.

The text of the open letter has been published in English on the website of The Italian Data Protection Authority.


posted by admin on November 25, 2014

Electronic signatures


The long-awaited decision of the Italian Data Protection Authority in the field of biometric recognition and graphometric signatures was recently signed and published in the Register of decisions (decision no. 513 of 12 November 2014).

The decision governs the processing of biometric data for the purposes of computer authentication, access control and the signing of documents. An analysis of the changes introduced will soon be published on our blog.

You can find the document (in Italian) on the Italian Data Protection Authority website.

