Speech delivered by the President of the italian data protection Authority, Francesco Pizzetti, on the occasion of the presentation to Parliament ...
[doc. web n. 1536850]
Speech delivered by the President of the italian data protection Authority, Francesco Pizzetti, on the occasion of the presentation to Parliament of the 2007 Annual report -Rome, 16 july 2008
Mr. Chairman of the Chamber of Deputies,
Ladies and Gentlemen,
The Italian DPA had to tackle new phenomena and extraordinarily important issues in 2007 as well.
The demand for security continues to be appreciated as a priority.
Technologies develop relentlessly.
The ease with which information can be collected and used breaks down everyone's identity into a thousand different pieces that are continuously shifting to give rise to new images, none of which provides a clue to one's real self.
Search engines pile up web pages by the day filled with traces and information on us – they are the modern kaleidoscopes of a reality we nourish but cannot master.
Our role is becoming ever more complex and indispensable.
The recognition of data protection authorities by the Charter of Rights and the Lisbon Treaty, and what is happening, in particular, in the justice and police sector show that data protection authorities are indispensable components of a "new European institutional and political order" that is taking shape with some difficulties.
The annual conference of European data protection authorities that took place last Spring in Rome re-affirmed that data protection is a fundamental feature of our societies whilst it is paced with the various stages of today's culture and civilization.
Our authorities are called upon to work at all levels and with a growingly dynamic, proactive stance.
We feel we are, indeed we are an institution skilled in data protection that is part of a country which must be capable to rely on us as a vehicle for modernization and growth.
All our activities during 2007 went in this direction.
The Work Done in 2007
A change in our role can be appreciated by comparing the data for 2007 with those related to 2006.
Our DPA focused mainly on provisions applying to major areas of societal life and the activities of both public and private databases.
About 500 decisions were issued by the authority's collegiate panel in 2007, featuring an enhanced quality as well as pointing to the increased importance of our activity as a whole.
Fewer requests were received by individual citizens to know whether and how personal data are used and have such data erased, where appropriate. The overall number of complaints fell from 435 in 2006 to 316 in 2007 – which shows that there is increased compliance with the law by citizens, companies, and public bodies as well as that many disputes are settled amicably and/or are brought to court.
The remarkable increase in the replies to claims and reports – which rose from 2717 in 2006 to 3078 in 2007 – testifies to the growing number of issues that are broader in scope whilst advisory and guidance activities were also on the rise. Reference should be made additionally to the work done by the citizens' bureau, which had to deal with several thousands of phone calls and e-mails. Special importance should be also attached to the 135 replies provided in 2007 to questions related to the processing of sensitive and/or judicial data.
Notified administrative breaches rose from 158 in 2006 to 228 in 2007; the decrees imposing fines and/or penalties went from 32 to 45, whilst the criminal breaches reported to judicial authorities rose from 11 in 2006 to 15 in 2007.
Inspections and controls increased from 350 to 452, of which 370 were based on the six-month plans whilst 82 were case-related; especially interesting as well as more difficult and demanding inspections rose from 9 to 24. On the whole, a 30% increase in inspections could be observed compared to 2006.
The sums levied in connection with fines imposed directly by the DPA amounted to Euro 814,625, whilst Euro 185,000 were levied to extinguish offences related to non-compliance with security measures. These figures are especially significant if one considers that the pecuniary sanctions the Garante is empowered to levy are far from hefty.
The collegiate panel of the authority rendered 16 opinions to the Government and Parliament, of which 8 concerned databases and the computerisation of public administrative bodies. Eighteen opinions had to do with regulations adopted by public bodies in connection with the processing of sensitive and/or judicial data.
Several missions were carried out abroad, of which many were especially significant – reference can be made to the 5 international conferences the DPA took part in whether as organisers, chairpersons, or speakers/contributors on innovative issues.
Considerable importance should be attached to our work within the framework of the Article 29 Working Party, the Schengen, Europol, and Eurodac Joint Supervisory Authorities, the Chair of the Working Party on Police and Justice, the Council of Europe, and the OECD.
Parliament heard our DPA on several occasions; let me refer to the hearings on the so-called biological will, the Schengen database, consumer fraud, the Register of Tax Registers. In the capacity of Italian DPA, or else as Chair of the WPPJ, we took part in hearings held at the LIBE Committee of the European Parliament on issues concerning the use of fingerprints for passports (including children's passports) and the profiling of migrants on ethnic and/or racial grounds.
To recap, we tried to be a DPA "on the move" – open to change, keen to always strike the right balance between safeguarding citizens' rights and fostering societal freedom and security.
The Italian DPA in a Changing Country
Looking at the work done, we feel justified in saying that we made good use of the all but plentiful resources made available to our authority.
There has been – also recently – no dearth of criticisms levelled against our allegedly timid interventions, but we consider these criticisms to be both without justification and unfair.
The data contained in the book that comes along with my report show that we worked on a large scale in the past year, covering multifarious issues and taking prompt steps to protect all citizens – whether they were VIPs or not.
This has been also made possible by the commitment of our Office, for which we as the collegiate panel wish to express our deepest thanks. At the same time, we wish to acknowledge the professionalism shown by the Financial Police, which provides a stronghold to our activity thanks to their Specialised Corps and the officers seconded to our DPA.
Let us now take some of your time to tell you how we view our mission in today's Italy – in a major European country that is experiencing enormous changes.
- A country that is coping with a widespread demand for protection, arising in part from the growing numbers of non-EU citizens and/or new EU citizens in an aging society;
- A country that is tackling a difficult economic crisis, but is very much in need of development and modernization;
- A country that is desirous of probing into and getting to know everything, but has yet to find a way out of the short-circuit between justice, the press and privacy;
- A country where highly aggressive marketers bring about insufferable interferences with one's daily life, whilst highly sensitive industry sectors such as credit, health care, financial administration, and services remain as yet largely indifferent to data protection;
- A country where young people are "Internet natives", whilst we are no more than "Internet migrants", and live through a new, virtual "World of Magic" – oblivious that the Net is a vehicle for spreading ideas, arts and creativity as well as perverted and contemptible views.
Our agenda includes major issues that also touch upon our role: simplifying procedures and abating costs; ensuring openness in administrative activities and due information of the public opinion; affording security and safety to society; providing for the careful use and efficient protection of any personal data that is collected and used for judicial purposes; vindicating our rights and life-style vis-à-vis the changes brought about by technology.
These are the issues we intend to focus on, whilst keeping in mind that it is also through our work that people can be afforded the opportunity to live better and with greater freedom.
The demand for simplifying laws has been voiced for several years in Italy – by doing away with cumbersome procedures and excessive costs for citizens and businesses.
The requests for simplifying data protection legislation – which at times rely on groundless cost assessment exercises, but deserve being taken into account in any case – were met a few days ago by an important decision. The provisions applying to information notices were simplified; it was clarified in what cases consent was required and the supplier-to-supplier and supplier-to-customer relationships were made easier.
This was a daunting task, which was undertaken following other sector-related simplification measures that had been adopted in the course of the past year – e.g. as for the processing of personal data by insurance companies or the mechanisms for customer care staff to inform users.
We also put forward a proposal to amend our DP Code so as to allow the DPA to regularly update the technical specifications set forth in the Security Policy Document. This should enable quicker responses to the requirements coming from businesses and the industry in general.
Another amendment proposed by our DPA would enable major Italian and multinational companies to use their own corporate rules with a view to cross-border data flows, also in Italy. This is what might be termed "affirmative simplification" and can be expected to ultimately create a level playing field vis-à-vis other major EU countries.
However, this is just the beginning of the story.
We are aware that the more complex and difficult reality is, the more rules should be clear and understandable to all.
It is necessary to take preventive measures in order to protect rather than step in at a later stage to punish.
This is why we continue in our work concerning Guidelines. Our objective is to address the main issues coming from the individual sectors, foster good practices, and highlight the most frequent errors.
It is several months since we adopted the "Practical Guidance and Simplification Measures for SMEs" as well as Guidelines on Employer-Employee Relationships in the Private Sector.
Over the past year, we adopted three additional Guidelines applying to "Employer-Employee Relationships in the Public Sector", "Customer Relations in the Banking Sectors", and "Publishing and Disseminating Documents and Instruments by Local Authorities." Guidelines on "Data Processing within the Framework of Clinical Drug Trials" are expected to be finalised shortly.
We plan to foster the so-called prior checking, i.e. the preliminary assessment of data processing operations that require special precautions – in particular because they involve sensitive and/or judicial data. Recent provisions adopted by our DPA with regard to the processing of biometric data in health care confirm the soundness of this approach.
Especially beneficial to our country was also a decision adopted jointly with the Authority for Electricity and Gas, whereby all new competitors were enabled to access the customer database held by ENEL – which was a precondition for the actual liberalisation of this sector.
Special importance should be also attached to our decisions on circulation of the information related to creditworthiness of natural and legal persons.
Simplification and Communication
We plan to enhance our simplification efforts by also promoting institutional communication.
We will keep youths and schools in our focus. The topic selected for the 2008 data protection day was, again, students; we worked with the Ministry of Education to draw up Guidelines for the appropriate use of cellphones and their video cameras, if any, during school classes. We trust that we will carry on this excellent co-operation also with the new Minister, for the sake of the education of new generations.
We plan to foster the use of graphical symbols to facilitate understanding that personal data are at issue.
We are thinking of two new symbols, consisting in a closed padlock and an open padlock, respectively – the former to signify that the data must be processed exclusively for the purposes for which the data has been provided; the latter to allow using the data for other purposes, which must be specified in an ad-hoc information notice.
This is a further step forward, after the small camera icon used to draw attention to places under video surveillance, and the receiver/envelope symbols used in telephone subscriber directories.
Privacy should not mean complicated red tape, or drawing up small-font forms to grab citizens' consent without really providing meaningful information. Simplicity, transparency, ease of understanding for the way in which our data are collected and processed – these are the only tools to ensure that citizens are actually protected and safeguarded.
The second point to be made has to do with transparency.
We want to be know-alls to pass judgments on all and sundry. In our country, the implications of this phenomenon are approaching the danger level by now – and this is not related simply to the dissemination of tapping records and, generally speaking, judicial investigation data.
In the entertainment society, there is a multiplication of talk shows based on facts and events from politics, social life, personal relationships - they take stories often quite private in nature into the limelight and give rise to a sort of electronic forum. Information collected in the course of judicial investigations and/or medical treatments or diagnoses, which is closely related to an individual's bodily and mental conditions, is fed to a discussion that is bound to be superficial. We are talking about issues that should be tackled on the basis of factual information in the appropriate forums by those equipped with the tools and skills that allow grasping their full meaning and import.
To cut a long story short: too many trials are celebrated on the media, there is too much mixture between factual reality and reality show.
Once again, we would like to call upon the media, first and foremost, to stop and consider.
This is no real information, no real transparency; this is no service rendered to public opinion and democracy. It is unfair that, for the sake of entertainment disguised as transparency, or even for the sake of morbid interests, one should claim the legitimacy of intruding with an individual's most intimate, confidential sphere in any and all cases.
The Garante is equipped with very few tools to tackle this phenomenon.
Still, we never fail to take steps whenever necessary. In most cases, we issue warnings and recommendations; in especially serious cases, we have prohibited or blocked the processing at issue.
To quote just a few: we prohibited dissemination of the images related to the interviews between technical experts and the children involved in the Rignano Flaminio case; we took steps against a TV-channel that had broadcast the images of Meredith Kercher's lifeless body; we ordered news and/or information that had ceased to be of any general interest to be removed from the websites of dailies and magazines – in particular if such information consisted in audio recordings.
Many decisions taken by our DPA had to do with cases involving non-VIPs, in particular following publication of news/reports on local interest pages of dailies. Let me only refer to an order whereby we banned publication of a lady's name in an awful case that took place at a hospital in Campania, where she had applied for an abortion.
Protecting individuals also means calling upon Parliament – in particular, the Chairs of both Chambers – to take the appropriate measures to prevent data and facts from being reported in the parliamentary questions that are published on the Net after several years – although such data and facts were useful for the Parliamentary debate of those days, they may continue to be prejudicial to the individuals mentioned therein.
Transparency and Public Administration
Transparency is the buzzword also with a view to fostering general access to the information held by institutions, in particular the public administration – this applies to performance standards, civil servants' conduct and wages, the respective tasks, and the activities performed both in and off the workplace.
This is where we recently took steps by issuing two much debated decisions.
On the one hand, we blocked posting on the Net of the data related to all Italian taxpayers.
This was necessary not only because the data had been posted in the absence of the appropriate legal preconditions and authorisations, but also because the data had been disseminated without any safeguards to prevent search engines – indeed, any and all entities in the whole world – from getting, modifying, or misusing those data.
On the other hand, we addressed publication of data on wages and qualifications of senior officials from the Civil Service as well as on the consultants/advisors hired by the civil service. Unlike the former case, here the publication decision relied on the appropriate legal basis – indeed, the legislation in force required public administrative bodies to publish a large portion of the data in question online. Additionally, we requested certain additional safeguards to be implemented in view of publication of the data on the Net.
Some might argue that we are using a double standard, but actually it is easy to overlook the differences between individual cases.
Transparency between Citizens and Institutions
"Transparency" of the public sector need not entail publication of a huge amount of data and information.
It may be the case that, given the purposes to be achieved, the data and information are excessive and/or excessively broad in scope and might give rise to misunderstanding or be seriously prejudicial to an individual's dignity. Only consider the decision whereby we ordered the data related to lists of persons with disabilities to be erased from the website of the Apulia region.
On the other hand, there may cases in which the data made available are not enough for an informed opinion to be developed. I can quote, for instance, the posting on the Net of data related to the consultancy services contracted out by local municipalities – here, reference was only made to the consultant's name and the respective fee, however no information was provided on the task committed and/or the actual efforts required to discharge such task.
We have to do with a significant, unprecedented alliance between privacy and transparency. The fundamental principles of our legislation put emphasis on the purpose sought with the data to be provided, which have to be determined in accordance with necessity, proportionality, and purpose-specification criteria. The same principles can apply to genuine, effective transparency.
It is no chance that in some countries such as the UK there is a single authority in charge both of protecting privacy and of ensuring access to public records.
This is a profitable alliance, which might suggest conferring both tasks on the same authority also in our country.
At all events, it is unquestionably a mistake to regard privacy as opposed in principle to transparency. In fact, privacy is a staunch supporter of "good transparency".
If transparency is so wide-ranging and pervasive as to only give rise to superficial analyses, then it is in reality a kind of "opaque transparency" – damaging society and democratic co-existence. This is another reason why we will not fail to play our watchdog role and always voice our views for the sake of a "really transparent transparency" – ultimately of "democracy grounded on correctly informed public opinion."
Digital Administration and Network Protection
Let me make a few considerations on the use of electronic network and computerised services by the public administration.
The Italian DPA shares the view that it is necessary to "cut" on paperwork, expedite procedures, and digitalise the public administration.
However, computerisation and posting of the information must not jeopardise security, accuracy, and reliability of that information. Protecting the electronic transmission networks used by the public administration is a must, especially whenever – as is often the case – sensitive data are processed.
Let me only refer to the online health care example. Making accessible, at times modifiable, the data contained in electronic health records vis-à-vis a high number of operators may give rise to major risks for patients because of errors or even misuse.
Of course, this also applies to several other categories of data – from census registers to economic and financial transactions between citizens and the public administration, including the crediting and payment of retirement benefits.
We very much welcome the intention of making it easier for everyone to access online services by increasing the number of e-kiosks partly with the help of the so-called "federated networks"; however, we request that our authority be heard as for the implementing mechanisms. We wish to collaborate with public institutions as well as be citizens' watchdogs.
We all know that the beginning of this century was marked by an upsurge in the demand for security whilst both old and new fears have been surfacing.
In Italy, like in Europe, there is a veritable proliferation of regulatory and organisational measures to strengthen controls aimed at protecting people and society as a whole.
The growing number of the institutions and bodies competent at local level for ensuring ordre public along with the new trend towards creating "security federalism" – or rather "federal security" – warrant the adoption of technical data protection measures with particular regard to major police databases.
Following the many cases in which unauthorised access to such databases was achieved, we made many efforts in helping the data processing centre at the public security department to secure their data.
Unfortunately, not all our instructions have been implemented in full as yet. A recent piece of legislation enabled all local municipality police agents not only to access the data – which was partly already the case – but also to enter data directly in the database – which makes it absolutely imperative to fully implement our measures including such adjustments as might prove necessary. We must prevent unauthorised accesses, the feeding of inaccurate or deliberately wrong information, or misuse of the data.
We call upon the Minister for Home Affairs to seek our involvement in implementing the new legislation at issue.
Let us recall, once again, that data protection is no hindrance to security – in fact, it is instrumental to the achievement of "secure security".
We experience this daily, even apart from police activities. Whenever we start auditing major databases, be they private or public, we find that protective measures are flawed. We have been working for some months on the databases of the Revenue Service, and we are currently performing in-depth investigations into the databases held by the various agencies that are related to the Ministry of Economy. Unfortunately, we still encounter a considerable number of criticalities.
It is fundamental to expeditiously establish how many large-sized public databases are in existence and what types of database are available.
A country that does not even know how many databases have been set up and is incapable to protect them is a backward country, in which not only citizens at large, but judicial practitioners, security bodies, and the financial administration are exposed to serious dangers – and I am quoting only some of the sectors in which major cases of information theft and/or misuse occurred over the past few years.
Video Cameras and Other Tools for Acquiring Personal Data
In our cities, video cameras and – broadly speaking – remote monitoring tools are used by now on a large scale.
In 2004, we addressed this issue by a decision setting out different requirements for the video cameras installed by private entities as opposed to those deployed by municipalities and other local authorities and/or security and police authorities.
After a few years, the scenario has changed. The 2008 Budget Act introduced tax deductions for the shopkeepers installing video cameras to protect their business. Local municipalities and regions grant funds and organisational support to private entities that establish connections between their video camera systems and local police offices. Finally, the decree recently passed on security issues widened the scope of competence of mayors to also include these matters. It is therefore necessary to update the guidance provided by the Garante as recently as four years ago.
The video surveillance issue is part of a broader picture, i.e. the growing use made by law enforcement of data processed in the private sector. The most recent as well as best known case has to do with airline passenger data, which also in Europe must be made available to the police at any time upon request.
Our authority may not turn a cold shoulder to these developments. We have long been trying to clarify that the growth of these new control mechanisms must meet real needs; that the data, once collected, must only be available to the entities that are entitled to access them; that the data must be protected against unauthorised use and access; that the data should be retained for no longer than is absolutely necessary; and that citizens must be informed on the safeguards they can rely upon.
Use of Biometrics
Still more complex issues are related to the collection, retention and use of biometrics, in particular DNA data; we have paid special attention to such issues at both international and national level. Our inspections and the instructions issued to the Parma RIS [Special Investigations Unit] concerning the processing of biological samples (as many as twenty thousand such samples are kept by the RIS) proved an important experience. Our activity at European level also led to substantial results, in particular with regard to the provisions set out in the Prüm Treaty as for the use of genetic data and the establishment of ad-hoc databases.
Within this framework, I drew the EU Council's attention to the implementing rules of the Treaty, also in my capacity as Chair of the WPPJ.
We drafted a detailed opinion on the bill providing for the creation of a database at the Police Department including only DNA markers as well as for the setting up of a lab where genetic samples would be processed and kept – at the Ministry of Justice.
We urgently need clear-cut regulatory provisions on DNA databases to set out retention periods; the purposes for which the samples and/or markers may be kept; the deadlines for destroying the samples/markers; and the rules applying to use of the data in question.
Finally, one more point should be made in respect of the use of biometrics.
This type of information, also in the form of fingerprints, is used to an increasing extent both in the workplace and in other sectors. We as DPA cannot but call upon all the parties, once again, to make use of these tools in moderation – they are potentially in breach of individuals' dignity. It is absolutely necessary not to use this technology on the basis of discriminatory principles, especially of an ethnic or religious nature, which are in conflict with our Constitution as well as with the Charters of fundamental rights to which our country is a party.
If children are involved, even stronger precautions must be in place. In particular, it should be clarified beyond any doubt that biometrics may only be used if there is no alternative at hand and in any case exclusively for proven purposes related to the protection of children and their integrity – including bodily integrity. This is a requirement stemming from the Italian tradition of respect for individuals and the law. Further, it is a requirement arising from European and international partnerships.
Data Protection in Courts and Judicial Premises
Our DPA has tackled issues related to justice several times.
One first issue we are keen to address is whether and how citizens' data are protected in courts and judicial premises by all judicial and legal practitioners.
Only think of how many sensitive data may be involved in a claim for judicial separation, in a dispute over the estate of a deceased, in a petition for a prohibition order, or in labour disputes – not to mention the data collected in judicial investigations and/or processed in criminal proceedings.
The inspections we carried out in respect of the Court of Rome – although they only concerned the departments dealing with civil and labour matters – confirmed that data protection in courts and judicial premises is little more than wishful thinking.
This is why we imposed certain measures on the court of Rome.
This is why we repeatedly issued guidance for judicial offices and courts as to the need for enhancing protection measures and also set out specific organisational steps. Above all, this is why we called upon the Ministers of justice over the past few years and the Italian Higher Council of the Judiciary to pay due attention to these very serious problems.
Organisational difficulties, lack of resources, understaffing – these are the well-known problems affecting justice, and they all have been referred to in order to delay adoption of the measures we had requested; however, there have been some signals hinting to the increased attention paid to these issues, in particular by the magistrates that regularly carry out inspections at judicial offices and districts.
We reiterate that it is necessary to stop being stingy with the resources allocated to justice. This is another way to signify the importance attached to the effectiveness of justice and the actual protection of citizens' rights.
Telephone Wiretapping and Internet Traffic Data
The issues related to telephone wiretapping, the use of telephone and Internet traffic data, and the many different items of information acquired in the course of investigations and/or used in criminal proceedings are to be considered with special attention.
It has been too often the case over the past few years that the information gathered during investigations has been published and disseminated outside courts.
Taking account of the manner and the extent to which this has taken place, one can argue that it is unquestionably a very Italian-style abnormality – indeed, it has sparked a lively debate that has not subsided so far and does not seem to be likely to do so in the near future.
The issues in question are clear-cut.
One first issue has to do with whether and to what extent information acquired in the course of pre-trial investigations may be disclosed publicly – at times even before the trial is started.
One should not forget that wiretapping and, generally speaking, the use of Internet traffic data, as well as being investigational tools, are some of the most privacy-intrusive techniques. Indeed, they impact considerably on freedom of communication, which is regarded as a fundamental right by article 15 of Italy's Constitution and may only be limited on the basis of a reasoned decree/decision taken by a judicial authority in accordance with the safeguards set forth in the law.
Publishing the contents of wiretapping and other reports may only be justified on account of freedom of the press, which is also a right enshrined in our Constitutional charter. This means that one should always comply in full with the code of practice adopted by journalists; that the information in question may not be obtained unlawfully or deceitfully; that the journalist should always consider whether disclosure of the information is actually in the public opinion's interest; that one should always take care not to violate people's dignity; that the protection afforded to public figures, though reduced in scope, includes nevertheless respect for their private lives.
Our DPA has addressed these issues repeatedly, and in some cases it has issued measures that have been hotly debated. We welcome the circumstance that the bill recently tabled on wiretapping empowers the Garante to order publication of measures punishing misbehaviour of the press and/or the media. We had long requested for this power to be conferred on our DPA, because we considered it would be effective partly on account of its being applicable to any decision concerning information and communication matters.
Another key issue to be tackled is whether the range of criminal offences for which the investigational techniques in question may be implemented as well as the actual number of the interceptions that are performed are disproportionately large. We have clarified repeatedly that the Italian DPA has no competence to decide on these issues; however, it is hardly disputable that there is a very high number of interceptions performed in Italy, and that the retention periods of telephone and Internet traffic data were exceptionally long until very recently.
What we are fully entitled to reaffirm is that these data, just like any judicial data, must be protected with the help of less ambiguous as well as more effective legal constraints along with suitable technical measures. Should wiretapping be deployed in one single case in Italy, its use should be subject to specific safeguards and precautions in that case as well.
We have worked hard by setting out heavy-weight measures for telephone operators and accurate instructions for judicial offices. In particular, we recommended that the latter should carry out tapping activities in a single location, encrypt their communications with telecom operators, take technical measures aimed at logging data access, and strictly limit the range of people entitled to access this information.
This is why we reiterate our call for adding the missing piece to the bill on interceptions, i.e. the obligation to take specific, stringent technical measures to protect the data – possibly to be set forth in co-operation with our DPA.
We also call upon the Minister of Justice to allocate the necessary resources for judicial offices to protect citizens' data. To that end, we do hope that such funds as might be derived from reducing the number of interceptions will be used specifically to enhance protection measures.
Justice and Court-Appointed Experts
Another decision was adopted recently by our DPA to sort out things in one of the most sensitive areas in terms of procedural issues – namely, the activities of court-appointed experts and assistants. Both may act upon the instructions of different judicial authorities and/or in connection with different judicial proceedings, whereby they gather a huge amount of information. We need clear-cut rules on data retention periods, the mechanisms for keeping and/or destroying the data, the cases and mechanisms for matching information collected in respect of different assignments and/or upon the instructions of different judicial authorities.
The rules we set out are quite specific – namely, an expert should never make use of the information he/she has become apprised of except in order to deliver such information exclusively to the judicial authority he/she is to report to; matching of the data collected in connection with different investigations is allowed on condition all the judicial authorities concerned give their consent thereto; after delivering the information to the relevant judicial authority, such information may not be used any longer and must be erased in accordance with specific terms and mechanisms.
We hope that our decision along with the Code of practice that is about to be adopted on the investigations by defence counsel will sort out things in an area that has been so far basically beyond the pale.
Vindicating Rights vis-à-vis New Technologies
Technologies attracted much of our DPA's attention and efforts also during the past year.
One of the most dynamic areas has to do with the technologies that enable monitoring individual behaviour.
Let us only consider monitoring on means of transportation. There are obvious benefits – improved service; more effective time management; enhanced security.
However, the risks are also obvious – an employee that is monitored may be led to behave recklessly for the sake of sticking to the time schedule and escaping possible reprimands by the employer.
Similar considerations apply to geo-location systems.
Being locatable on a 24/7 basis can be quite helpful if, for instance, you are in need of help. However, it may be suffocating if one has the legitimate expectation and intention of living without being constantly in fear of a hovering "electronic eye" that spies on you.
Our DPA has already tackled these new types of monitoring of individuals, in particular with regard to public services. We are very well aware of the need for new rules to be issued shortly.
We are reflecting on these topics in close co-operation with the DPAs from other EU countries.
Communication Technologies and the New Media
As regards communications and network technologies, we took some important decisions to determine the maximum retention periods for telephone and Internet traffic data – in so doing, we actually took steps in advance of the so-called Frattini Directive. Reference can also be made to the decision whereby we prohibited private companies from systematically monitoring users' navigation on the Internet.
We also issued provisions aimed at making life easier for citizens, such as those related to itemized phone bills including no blanked numbers, unsolicited services, and unsolicited phone calls.
Jointly with the other European DPAs, we continuously supervise the development of new services and opportunities on the Net.
We welcome innovations such as those brought about by Google – satellite-based geo-location, holding users' medical data in protected sites, storing users' e-mail traffic in dedicated sites. However, we can also appreciate that these innovations are fraught with some risks.
We follow attentively the development of Youtube and the new social networks – such as Myspace, Facebook, Asmallworld – which allow millions of people to exchange information, news, and images that are bound to remain available forever on the Net. This may actually expose young and less young people to major risks, in particular when applying for a job they may covet, since youths often use these technologies recklessly and without being aware of their implications.
We feel bound to provide clear-cut guidance on all these developments, partly in order to ensure that users are better aware and informed in using the technologies at issue.
The future is with us – even what was regarded as a very remote possibility up to a few years ago.
Proof is given by the ever quicker dissemination of the so-called "behavioural advertising", which uses Internet navigation patterns to send targeted advertising – based on the user's tastes, interests, and behaviour.
The same applies to geo-marketing, which can follow our movements thanks to satellite monitoring so as to present us with the products and services that are best suited to our tastes in the different locations.
This is the fascinating as well as difficult world we live in. It is the world of cybercrime, which was recently addressed by an international Convention Italy is required to abide by – however, it is the world of boundless virtual freedom as well, allowing people from all over the world to get and stay in touch.
It is the world of hyper-speed, which increasingly challenges the time and space conventions man has become accustomed to over the years.
To us, as data protection authorities, this is the most advanced frontier – and this is where we have to strike the right balance every single day.
* * *
Mr. Chairman of the Chamber of Deputies,
Your Excellencies, Ladies and Gentlemen,
A new legislature has just started and a new government was recently formed.
Our country expects unambiguous as well as firm responses to the multifarious problems we all are involved in.
Our DPA is ready to meet up the challenge with the strength of its experience and is fully aware of the increasingly demanding expectations to be met.
We have tried to enhance both our professionalism and our effectiveness over the past year, partly by modifying our internal organisation and simplifying our operational arrangements.
Still, we need to be empowered to impose penalties to a greater extent – this point will be the subject of a further submission we will shortly send to both Parliament and the Government; we trust they will not turn a cold shoulder to our requests.
We wish to assure that we will actively collaborate with all institutions in Italy's best interests.
We promise our citizens that they will always be able to count on us as the unflinching champions of their rights.