
[doc. web n. 1426858]

Speech by President Francesco Pizzetti - 2006 Annual Report - 12 July 2007

Speech delivered by the President of the Italian data protection Authority, Francesco Pizzetti, on the occasion of the presentation to Parliament of the 2006 Annual report – Rome, 12 July 2007

 

Ladies and Gentlemen!

The second year of activity of our collegiate panel is over.

It was a year full of significance, marking the tenth year of activity for the Garante. This is a relatively short span for man, and an even shorter one for an institution. Still, in such a short time span the culture of personal data protection has taken hold in our country to a greater extent than in any other European state.

Last year we drew your attention to the growing importance of data protection in today's society.

Technological evolution causes us all to live in a world that is increasingly "split" into a tangible reality – where people and things have a measurable, positive kind of physicality and set up relationships giving rise to information, however are not bounded by such information – and an intangible reality – the one created by technological innovation and the networked revolution, where people and things turn into information flows and set up relationships that only consist in data exchanges.

Our task is attaining ever greater importance. Ensuring adequate data protection is proving day by day an increasingly essential prerequisite for democracy to work and fundamental rights and freedoms to be made real.

Getting assurances that our data is protected and safeguarded both before and when moving on the network is fundamental in order to prevent new technologies from becoming a threat – turning us all into the inhabitants of an out-of-control, disquieting technological world.

Being aware of the demand for security, which fathers the claim for increasingly pervasive surveillance tools, we highlighted the risk that society might jeopardise its own freedom – and thus, its very soul – for the sake of defending itself and its body.

Gazing at our country, we emphasized the proliferation of major databases without suitable safeguards.

Being aware of the requirements vested in justice and the press, we called for clear-cut rules, fine-tuned measures, increased flexibility in our powers so as to tackle such a complex scenario without having to continuously threaten the imposition of bans or – which is even worse – criminal punishments.

Paying due attention to the claims made by citizens and, on the other hand, the public administration, we reiterated that – subject to openness requirements – data protection is essential in managing public services so as to get rid of the formal constraints of bureaucracy and come to terms with the digital age.

Considering consumers and workers, we called for the market, businesses, and employers not to overlook data protection. We are aware of the requirements arising out of production and economics, however we cannot accept that data protection is only regarded as a cost or a nuisance.

Finally, looking in particular at youths, we underlined the need for a veritable "innovation culture" – so that nobody is at risk of becoming unknowingly a tool in the hands of those organising and managing new technologies.

In the light of the above considerations, we developed an ambitious plan in the past year, which led us to carry out work on several fronts at the same time.

We came here today in order to give an account of the work done so far – and also to stress that we are committed more than ever to go ahead along these lines.

 

2. The experience of the past year showed how grounded the alarm we sounded was.

The liability of major databases to penetration via unlawful means in the absence of adequate barriers came up as a major source of concern because of the relevant mechanisms and dimensions.

There has been a disproportionate increase in the inappropriate use of video cameras, videophones, and – generally speaking – misleading techniques to capture and process data that at times is highly sensitive.

Information theft affects both the man in the street and VIPs. It is too often the case that the misappropriation of data and their use – based on a clever strategy aimed at polluting our societies – makes justice less just, security less secure, democracy less free, economic and financial activities less competitive, society as a whole less credible.

All this is poisoning our country.

In Italy, there is a data protection emergency that has attained similar dimensions to those of other national emergencies – such as the environment, power supply, and infrastructures – that deeply impact also on the image and reputation of our country.

Caught in the middle of a chaotic, bewildering discussion, the arguments of those clamouring for more data in order to provide increased security and tax justice are challenged on a daily basis by the objections grounded on the dangers related to the lack of adequate safeguards.

An equally difficult dilemma is sometimes faced in the media sector as well.

Freedom of the press is a must in any democracy. However, one cannot rely on freedom of the press to allow gathering information by unlawful means and unacceptably deceptive methods. It is too often the case that the right to inform and be informed is relied upon to justify the conduct by someone who – though having no relationship with the media world – collects data and information to blackmail or condition others under the threat of disclosing such data and information.

Indeed, the Garante is at risk of getting involved in a tug-of-war based on the spur of the moment.

This is wrong. This is bound to be wrong.

The Garante is often faced with an unacceptable dilemma.

Ought we to take action, and maybe run the risk of looking like so many censors or being charged with turning a cold shoulder to the demand for security and tax equity – of being a sort of hyper-Guarantor? Ought not we rather to give up all ambitions of effective action, and thereby run the risk of being regarded as a useless, weak institution?

Let me make this point once again: our task consists in protecting and defending citizens, their rights and freedoms, their demand for living and working without being continuously under control and on file.

That there cannot be freedom without security is out of the question; however, it is even more unquestionable that security is not worth the loss of all freedoms. Let me say, once again, that data protection is not and will never be "at variance" with the need for security; nevertheless, let me reiterate that data protection is a fundamental component of any system based on democratic safeguards.

 

3. Technological innovation raises new challenges by the day. The world of computers and bits is totally different from the one we learned to cope with thanks to the experience gained by past generations.

Actions, words, and images are turned into a wealth of data that endlessly multiplies – like a prism – the thousand different facets of tangible reality.

Every individual is broken down and disassembled into as many pieces as the data and items of information relating to him or her. You only have to enter your name in a search engine to realize all this.

On the network, the data has a life of its own that is unbounded and makes it impossible to envisage all the purposes and contexts of its use.

In this intangible world, you may take on a different identity; add pieces of information, whether genuine or not; communicate with others in a circular manner; be at the same time a producer and the recipient of information.

In the global communication world, in the world of YouTube and Google, everything takes on a different dimension and has a different kind of impact.

How should the rules on the world of information be applied to blogs, whose number is increasing on the Net day by day?

What does the right to oblivion mean when one is faced with search engines keeping and making available data and information on individuals for a basically indefinite time?

What is the point in exercising one's own rights when data move on the Net and it is impossible to have them erased or rectified if they are inaccurate or in breach of our dignity?

What is the difference between using images for personal vs. public purposes in the world of video cameras and video phones, which allow posting pictures and videos on the Net in real time?

How can health records or sensitive medical data be protected when the information is processed electronically?

How can we help our fellow citizens in using these innovations without leaving them defenceless against tools about whose invasiveness and boundless potential they are often unclear?

We cannot accept that the Internet is regarded by our children as a sort of "toy land", where everything is nice and permitted.

This is the new frontier.

It is a frontier that is difficult to protect – for at least two reasons.

Firstly, because technologies evolve unrelentingly.

Secondly, because the context is a global one.

This requires shared rules at world level, and one must come to terms with the constraints applying to national and European legislation.

 

An Authority Both National and European, Turning Its Gaze Towards the World

4. A question that keeps coming up is what is the role of independent authorities and what is their legal basis under the constitutional system of Italy.

It is impossible to answer this question without looking at the European and international context. The authorities like the Garante have been set up in the first place as supervisory authorities in charge of monitoring compliance by Member States with the approach taken from time to time in building up and strengthening the Union.

These are the foundations of our authority as well.

But there is an important plus: we are an integral part of a system that has led the protection of new fundamental rights to unprecedented heights.

From the start, the development of a shared European framework for data protection has been grounded on respect for and protection of human dignity. The inclusion in the Nice Charter of a provision specifically strengthening both this new right and the role of our authorities was but the last step in this process.

More recently, also in connection with the enlargement of the European area of freedom and justice and the stepwise integration of security systems, the data protection frontier attained a new dimension.

It is increasingly important for data and intelligence to be exchanged by judicial and law enforcement authorities in compliance with common rules that are shared by all Member States.

New legislation to ensure respect for citizens' constitutional rights is necessary also in these areas.

Additionally, the development of a "bulimic" syndrome for data collection and storage must be prevented – otherwise the EU might be turned into the land of people controlled and spied upon.

National data protection authorities and the European data protection supervisor have been working in this direction. The recently established Working Party on Police and Justice, whose chairmanship was committed to the Italian authority, marks an important step forward in order to extend data protection principles to justice and security.

 

5. After the 09/11 events, the world entered the age of global terror.

The increasing emphasis put on the enhancement of security co-operation should be mirrored by the shared sensitivity towards citizens' rights irrespective of nationality.

This has resulted in a state of tension between the US and the EU.

The US authorities have acquired data on financial transactions performed by European citizens (as per the Swift case) as well as personal information concerning passengers on board flights to/over the US (this is the PNR case) without affording suitable supervision and protection or adequately informing the EU and its citizens on the purposes and mechanisms of this processing.

Some steps forward were made at the end of June. The German presidency of the EU and the Vice-President of the European Commission, Mr. Frattini, negotiated amendments to the number and acquisition mechanisms of the data related to passengers; as for the use of financial transactions information, they were assured that the US is ready to accept a distinguished European person to carry out supervisory activities directly in the US territory.

Though commendable, these steps are as yet insufficient. European supervisory authorities will carefully assess their impact.

However, these events point to the increasing need for supervisory authorities to work together – also at international level.

This is the spirit in which we are going to work over the next year, when it will be our turn to organize the European conference of data protection authorities.

 

The Work Done in 2006

Focus on Citizens

6. In the past year, our work was focused on affording the highest degree of protection to citizens – in line with the traditional stance taken by the Garante, also thanks to the commitment and professionalism shown by its Office.

In 2006, 630 provisions were adopted by the collegiate panel of the authority, of which 435 concerned complaints; 13 opinions were rendered by the Garante to Government; 350 inspections and controls were carried out; 158 administrative breaches could be established; in 11 cases information was preferred to judicial authorities; 2,717 reports and claims were handled; 679 queries could be dealt with.

Most of the measures adopted were intended to safeguard citizens as such, consumers, and users.

6.1. Only think, for instance, of the provisions setting out the rules to be complied with by call centres in order for them to adequately carry out advertising activities and prevent the insufferable occurrence of unsolicited calls and/or the provision of unsolicited services.

Other provisions concerned technologies that – though deployed to provide better services to citizens – are potentially capable of locating or profiling citizens surreptitiously. Reference can be made to the decisions concerning the use of electronic tickets in public transportation services; the monitoring of credit reference agencies and the mechanisms for telephone operators to access such agencies; the sending out of unsolicited faxes for advertising purposes; and the many decisions focusing on the appropriate use of video surveillance systems.

6.2. Considerable attention was paid to the protection of sensitive data, in particular those related to health and sex life.

Let me recall here that we blocked the dissemination on the Internet of medical data related to identified persons; we banned a few real estate agencies from storing their clients' data by racial origin, religious beliefs, and sex preferences; we decided that a Region should be prohibited from disseminating, on its website, the medical data related to about 4,500 handicapped people.

Special importance should also be attached to a decision setting out some general principles to be followed by health care agencies to safeguard people with disabilities.

Other measures concerned the relationship between personal data protection and freedom of the press.

Reference can be made, in the first place, to the provisions whereby the Garante prevented the TV broadcasting of medical data collected surreptitiously in order to establish the alleged use of drugs by politicians contacted in front of the Lower House, as well as by youths filmed in the restrooms of a disco.

The decision concerning politicians was much criticised, because it was alleged that its purpose was to afford them special protection. Actually, it is the other way round. We took that decision "even though" it concerned politicians. Indeed, it was important to spell out that enhanced protection is necessary when you handle medical data, and that these data may never be acquired deceitfully.

It was actually even more important to explain how socially dangerous it can be to make use of fraudulent mechanisms to lay hands on biological samples concerning individuals, given the information that can be derived on their health and life expectancy. This danger is all the more serious nowadays, when the tests in question can become a large scale phenomenon and foster a highly risky "do-it-yourself" approach.

 

Journalism and Personal Rights

7. A great deal of attention was paid to the relationship between journalism and personal data protection, with particular regard to the weaker part of the population – children and innocent bystanders or victims.

In many cases, our action took the shape of soft ruling initiatives – such as press releases and statements made by members of our collegiate panel, or the participation in upgrading the ethics rules contained in the "Charter of Treviso" that is specifically focused on protecting children. Another major contribution in this area consisted in publishing an updated version of "Privacy and Journalism" – a booklet containing the thorough collection of the measures adopted by the Garante over the past few years.

I would also like to refer to another significant measure taken to protect children – when we reiterated the prohibition against disclosing the data on adoption without the parents' consent.

Mention should also be made of the warning issued by the Garante in connection with the difficult situation experienced by a whole school that had been involved in an investigation into paedophilia cases, and of the criticisms levelled by the Garante against the publication of a picture showing a lifeless foetus.

Some of these provisions tackled directly the inescapable tension between freedom of the press and privacy protection.

This is the context applying – first and foremost – to the recent decision whereby the Garante blocked the dissemination of pictures taken by violating a person's domicile – irrespective of the public role vested in the person in question.

It was re-affirmed thereby that the inviolability of a person's domicile is a general principle.

As for the relationship between privacy and journalism, two provisions of a general nature were adopted in June 2006 and March 2007, respectively, and they were the source of a lively debate.

Those provisions concerned the publishing of information on the sex preferences and life of several persons – both well-known and less well-known; there were people from the world of politics and entertainment as well as the man in the street, but all of them were somehow involved in the wiretapping activities carried out during judicial investigations. This case has highlighted a few questionable issues that have to be addressed by the Garante, the journalistic world, and Parliament alike. There are at least two issues in need of clarification: who should be in charge of protecting privacy and personal dignity; and what type of measure should be taken and what sanctions imposed.

Currently, the applicable regulatory framework envisages three stakeholders: the Board of Journalists, which has developed an ad-hoc code of practice setting out specific rules to protect freedom of the press; the Garante, which may take action, also ex officio, in the form of urgent and/or prohibitory measures; and judicial authorities, both civil and criminal (depending on the specific case).

One can legitimately wonder whether this complex system is to be left in place or maybe amended, and it is equally justified to wonder about the role to be played by the Garante – which is currently seen as the foremost bastion of protection, which protection courts can afford less expeditiously and on the basis of a more complex (procedural) machinery.

Additionally, in terms of sanctioning powers it is unquestionably appropriate to amend the legislation in force and enable the Garante to impose sanctions other than criminal ones – as such sanctions might take on an ominous meaning in connection with the press.

For instance, it might be provided that the Garante can award – in equity – compensatory damages subject to the parties' acceptance; additionally, it might be ordered that the relevant decision be published in a manner commensurate to that of the original piece of news.

Other issues to be addressed have to do with the usage of the data collected for judicial purposes and their dissemination by media – in particular as for wire tapping records.

Once again, fundamental values are at stake.

There is the judge's right/obligation to carry out investigations and gather evidence in accordance with the mechanisms provided for by the law; there are the rights of defence, which entail full knowledge of the evidence and information held by the prosecution; there is the journalists' right to publish information that is in the public interest; there is people's right to respect for and protection of their own data, in particular if they concern sensitive information or relate to innocent bystanders who have been mentioned by chance in the evidence gathered for the case; there is children's and family members' right not to have their own personality and sensitivity violated on the slightest pretext.

These issues have not been coped with adequately so far.

The failure by Parliament to address some of the issues we raised in the past year required the Garante to strike the difficult balance between opposing requirements. Thus, we hope that the ongoing discussion will lead shortly to clear-cut conclusions in the appropriate law-making fora.

Meanwhile, the Garante cannot but recommend the press and media in general to take due care and stick stringently to the relevant code of practice whenever handling pieces of information that can hurt people's and their families' feelings and dignity.

 

Databases and Safeguards

8. We have ever paid attention to the impact of data protection on the overall system, working as an authority "specialising in data processing issues" that considers itself an essential part of modern democracy.

Inspection and control activities were especially intense and daunting.

As regards the telecommunications sector, we carried out 16 inspections – of which 3 in 2007 – concerning the 4 main telephone operators in Italy. The measures we ordered them to take were aimed at: a. securing the exchanges of information between telephone operators and judicial authorities as related to wiretapping, including traffic and location data; b. protecting the data and call records related to the individual users; c. laying down the technical and organisational arrangements required to ensure that the data could be stored appropriately.

This exercise is expected to be concluded by the next autumn, when a general provision setting out rules and time schedules for traffic data retention will be finally adopted.

Almost in parallel to the inspections concerning telephone operators, the Garante continued and completed the inquiries into Italy's largest police database (CED).

This investigation lasted several months and resulted in the issuing of three separate provisions.

Among the main measures ordered by the Garante in the said provisions, reference can be made to the following: reducing the number of entities authorised to access and enter data; introducing access authentication procedures, including the use of biometrics; introducing security systems to report any abnormalities.

It can be argued that if the arrangements and protection systems at issue had been in place in the past, many of the unlawful accesses and violations found in the course of our inquiries would not have taken place – or would not have taken place to the same extent.

This is why our Authority will continue and enhance its checks in this highly sensitive sector.

This is why we plan to start – as soon as possible – collaboration and supervisory activities in respect of intelligence services so as to prevent any future lowering of guard.

We also intend to continue our determined efforts with regard to the security measures to be taken by judicial offices.

We have encountered difficulties so far in achieving significant results, which was due not so much – or not only – to non-compliance by individual offices, but rather (let me say: above all) to the widespread dearth of human and financial resources that has long been a feature of justice.

The inspection currently in progress at the Court of Rome – so far, 4 on-the-spot inspections have been carried out, and as many inspections are on schedule – confirms that this is actually the case.

Still, we are not going to give up; therefore, we will continue putting some pressure on judicial offices, the Higher Council of the Judiciary, and the Ministry of Justice.

 

9. The scope of our action is larger than that.

We have long been requesting the Ministries of the Interior and Justice to issue the decrees they are required to draft in order to specify the existing databases that are in operation for judicial and security purposes.

We reiterate our request. In the absence of an official, well-defined list, the Garante is unable to ensure the appropriate controls.

Additionally, in the coming year we are going to focus our efforts on financial and credit institutions, and thereafter on large-scale service providers and social security and insurance bodies. Indeed, the economic and social costs citizens may incur because of the lack of adequate security measures are especially high in all the above sectors – in particular as for banks and financial institutions.

 

10. A highly complex issue that has long been shunned is at the crossroads between database management and the collection and use of information for security and judicial purposes.

I mean the processing and preservation of biological samples and DNA identification codes.

It is widely appreciated that any issue related to the use, processing and preservation of DNA is a source of considerable concern on account of the highly sensitive information that can be derived from genetic data – which does not belong to the data subject only, but to the data subject's biological group as a whole.

The privacy Code envisages an ad-hoc authorisation – which was recently issued by the Garante – to regulate the collection, processing and storage of DNA samples, in particular for scientific and/or research purposes.

Conversely, there is no legislation applying to DNA processing in the fields of security and justice.

The experience gathered recently in connection with an inspection carried out at the Parma special investigative unit (RIS) allowed us to get first-hand knowledge about the existence of databases containing gene samples and codes that are kept by entities in charge of investigations and judicial police tasks.

It is necessary for us to draw Parliament's attention to the urgent need for passing legislation that can provide a suitable legal basis for activities that are currently out of all control.

This is all the more urgent in view of implementing the Treaty of Prüm, whereby each EU Member State is expected to set up its own genetic database.

Needless to say, we expect to be actively involved in the relevant process from the start.

Finally, we wish to reiterate that one has to be vigilant in order to prevent the inappropriate use of DNA data in insurance-related activities and in the employment sector, as well as the inadmissible trivialisation of the use of the data in question.

 

Privacy-Friendly Public Administration

11. 2006 was the data protection year for the public administration – it was the year they were supposed to issue regulations applying to the processing of sensitive data.

It was a daunting job, which required our Authority to evaluate and give opinions on 106 regulations – including 14 templates; however, it did enable the public administration in Italy to look inside itself and turn data protection into a basic organisational tenet.

Now, the Garante plans to focus its efforts and resources on checking that the public administration does apply those regulations and update them as necessary.

This is the same spirit in which we worked with the revenue office – which is a difficult sector, as the fight against tax evasion is leading to the large-scale collection and processing of data.

The Garante will in no way hamper the relevant actions; however, we consider it to be our institutional duty to verify that our rules are complied with.

To that end we have been working with the Revenue Office for some time, and a working party was also set up.

As many as 7 opinions were rendered by the Garante to the Revenue Office, of which 5 in the first months of 2007; we have always recommended that the use of personal data should be minimized and the useless duplication of databases prevented.

As regards security, the Garante required adequate authentication procedures to be in place with regard to the persons in charge of the processing.

Indeed, there have been cases in which data have been accessed unlawfully – not only data related to politicians and/or VIPs, but also data concerning the man in the street.

We have already planned a set of inspections and collaborative initiatives with regard to the databases used by the agencies attached to the Ministry of Economy.

Finally, special attention will be paid in this sector to the use of ID documents, health cards, and electronic services cards – partly to prevent useless duplications.

 

Simpler, More Effective Data Protection for Workers and Businesses

12. As regards the employment sector and the business world, let me recall the guidelines adopted in respect of specific issues – in particular, the employer-employee relationship in the private and in the public sector, and the use of Internet and e-mails at the workplace.

These are important provisions as they have to do with work sectors new technologies have impacted considerably on; once again, the Garante took steps in the stead of Parliament, which would be in a better position to adequately tackle these problems by safeguarding freedom of enterprise and, on the other hand, employees' right to privacy.

This is also the rationale of the provision setting out guidelines for SMEs. However, such guidelines are also focused on simplification in accordance with the criteria set out in section 2 of the Data Protection Code – whereby simplification is mentioned as a fundamental component of sound data protection provisions.

The Garante decided to lay down data protection mechanisms that could be adequate and proportionate to the size of a business and its specific activity. We believe that one should not hammer out regulatory amendments – maybe under the pressure put on Parliament or Government by the individual stakeholders. Rather, it is appropriate to take targeted action, which should envisage – as also required by the European directive – a layered approach in terms of protection levels and measures, without ever excluding any sector as a whole from the scope of the legislation in question.

This is why we cannot but express our disagreement with the recent decision by the Lower House whereby enterprises with less than 15 employees would be excluded from the scope of application of data protection legislation as for the activities related to standard management and accounting functions.

We hope that the above piece of legislation will be reconsidered by the Senate and would like to reiterate that we are ready to collaborate in devising other, more appropriate solutions.

Finally, we wish to emphasize that we are ready to contribute our experience to the sensible simplification exercise undertaken by Government in the sectors mentioned in the "Action Plan for Simplification and Rule-Making Quality" that was adopted recently, and we seize today's opportunity for reiterating that we wish to be involved in that exercise as appropriate.

 

13. The considerations made so far pave the way to a broader analysis.

European and domestic legislation on data protection is focused first and foremost on the protection of individuals.

This is conferring strength and concreteness on what is considered nowadays a fundamental right in the EU; however, in some cases it has resulted in the passing of domestic legislation that is basically aimed at affording the highest possible degree of ex ante protection to any individual concerned by a possible "risk situation".

This is also the approach followed by the Garante.

Still, we are aware that it is necessary to avoid both regulatory excesses and the proliferation of sector-related rules, which are often of a markedly bureaucratic and formal nature – without paying due attention to the different contexts and situations on which those rules are intended to impact.

It is necessary to refrain from excessively burdensome red tape and financial requirements, such as might give rise to resistance and passive non-compliance by the relevant practitioners – which ultimately lowers the safeguards afforded to citizens.

The proportionality principle, which is a data protection pillar, should allow adequately safeguarding this fundamental right without imposing useless or excessive costs on the addressees of the relevant measures.

This is why we are interested in introducing layered data security measures; we would like to recall that it is necessary to update and, where appropriate, revise Annex B to the Data Protection Code, in which those measures are currently laid down. Updating security measures is mandated not only by technological development, but also by the experience the Garante has gathered so far.

Finally, it is important to keep continuously in touch with the relevant stakeholders, including consumer and enterprise associations; this should not be limited to a formal consultation procedure, but rather give rise to effective co-operation mechanisms.

 

14. We plan to foster the adoption of codes of practice to a further degree; this is a flexible type of self-regulation, which is well suited for the requirements and specific features of the sectors concerned.

Although some codes of practice were adopted in the past years, there is a long stretch of road ahead.

After several years of hard work, the code of practice applying to lawyers and private detectives is about to be finalised.

Additionally, we believe work should be started in order to draft new codes – including sectors that have not been referred to in the Data Protection Code.

Reference can be made in particular to distance selling and, generally speaking, marketing activities.

In view of enhancing responsible data protection practices, it is appropriate to reiterate the need for introducing privacy officers – at least in more than moderately sized enterprises and establishments.

Privacy officers can give rise to a network of permanent counterparts and also co-operate with the Garante at a highly technical level.

 

Sustainable Data Protection in a Globalised Economy

15. Pursuing the protection of personal data by paying due attention to the requirements of business and development entails tackling the issue of transborder data flows – more generally, data flows outside the EU.

Many countries still lack an adequate data protection level, which is hampering the development of seamless economic and commercial relationships in the age of globalisation.

This is increasingly impacting also on Italian businesses insofar as restructuring processes are leading certain economic sectors (first and foremost, financial institutions) to the establishment of strong multi-national entities.

Our Civil Code and data protection legislation are hindering the adoption of flexible safeguards such as those already in place in other EU countries.

It is necessary to devise suitable solutions by involving the business world in this exercise and – where appropriate – drawing Parliament's attention to the need for new legal rules.

 

Educating to Privacy

16. The Garante has also committed itself to communication initiatives with particular regard to the new generations.

The European data protection day was dedicated to youths.

We are pleased to notice that privacy has finally attained sufficient importance to justify its being included – this year – among the issues to be addressed by candidates for the high school diploma.

We are going to enhance both our presence in schools and the attention paid to youths, as was recently the case when we filed an appearance in the Peppermint case concerning the peer sharing of music files.

In attempting to strengthen all channels for communicating and disseminating our values, we will continue fostering the initiatives undertaken by a member of the Garante's collegiate panel – who has set up a Laboratory in order to give rise to a broader view of privacy, i.e. one that is also focused on developing less strained interpersonal relations; workshops and meetings were held at several Universities and schools.

 

Institutional Relationships

17. Let me finally make a few considerations on the relationships between the Garante and other institutions.

Under the law, the Garante is empowered and required not only to report to Parliament, but also to issue opinions on any regulatory instruments drawn up by Government where they touch upon data processing mechanisms.

We are calling upon Government to pay due attention to our role.

We hope that ever closer ties will be developed between our authority and Parliament, and we wish that this institutional relationship could be shaped via mechanisms both more articulate and more thorough than those currently implemented – that is, parliamentary hearings and the submission of our Annual Report. We are pleased to remark, however, that Parliament has been paying significant attention to the Garante over the past few months. Whilst we were summoned to 4 hearings in 2006, there have already been 6 hearings where our attendance was requested in 2007.

We believe it is also important to keep continuously in touch with Regions and – generally speaking – all local administrative bodies.

The ties established between the Garante and other institutions play a key role; this is also the case with the close relationships that have long been developed with other supervisory authorities and consumer associations, which have always been quite attentive to our work. We plan to do the same with other trade associations.

Our position within the institutional framework requires us to be always on citizens' side and work so as to enhance the legal and social standards of our country.

We plan to go ahead in this direction with the pride arising out of the awareness that we are at the leading edge of modern constitutional law – but also working in a pragmatic, concrete perspective.

We will help citizens, businesses, and economy in general to live and grow amidst the competitiveness and tensions of a global world, without ever having to give up the values of democracy – in fact, by strengthening those values.

This is our task. This is our commitment.