Annual Report for 2008 ' Summary
Annual Report for 2008 – Summary
Main Legislative and Regulatory Developments
Transposition of Directive 2006/24/EC – The legislation on traffic data retention was amended with the DPA's contribution to transpose directive 2006/24/EC. Currently, traffic data may be retained further with a view to law enforcement purposes for twenty-four months (telephone traffic data) and twelve months (electronic communications traffic data) – irrespective of the given offence at issue. The legislative amendments better clarified the role of the Italian DPA in this sector and introduced specific punishments in connection with the failure to comply with traffic data retention requirements (section 162-bis of the DP Code).
Simplified Requirements Applying to Security Measures and Notification – Simplified arrangements were introduced in 2008 concerning certain data protection requirements to be met by self-employed professionals and SMEs (including handicrafts); more specifically, a few provisions in the DP Code were amended to do away with cumbersome procedures applying, in particular, to the adoption of minimum security measures. The mechanisms to notify the Italian DPA of processing operations were also simplified further, in particular by specifying what information should be included in the notification form (in line with Article 17 in directive 95/46/EC). Additionally, specific decisions were issued by the DPA to contribute to this simplification exercise by ensuring that individuals' rights could be upheld (see below).
Cross-Border Data Flows – A major regulatory innovation had to do with cross-border data flows to third countries. Further to a request submitted by the Italian DPA to Parliament, wording was added to the DP Code to expressly refer to the use of binding corporate rules in this connection. Accordingly, section 44 of the DP Code now provides that data transfers to third countries are allowed if authorised by the DPA on the basis of adequate safeguards for data subjects' rights “as determined by the Garante also in connection with contractual safeguards, or else by means of rules of conduct as in force within the framework of companies all belonging to the same group.”
Sanctions – Significant amendments were brought about in respect of the sanctions the Italian DPA is empowered to impose. Such amendments, which considerably expanded the powers vested in the DPA, focus mainly on administrative sanctions as the criminal punishments envisaged in the DP Code were left basically unchanged. Generally speaking, the amendments in question consisted in : a. increasing the fines applying to the individual breaches; b. introducing new categories of punishable conduct; c. introducing mechanisms to better adjust sanctions to the given circumstances by having regard to seriousness of the conduct, importance and/or size of the database that is affected by the violation, involvement of a large number of data subjects, and the offender's financial status.
Term of Office of the Members of Independent Supervisory Authorities – Pending enactment of a piece of legislation that was to streamline the regulations applying to independent supervisory authorities, Parliament levelled the term of office of all members/commissioners of such authorities – which was set at seven years and made non-renewable.
Cybercrime Convention – In the past year, Italy ratified Council of Europe's Cybercrime Convention of 2001. The ratification instrument did not include a general clause to be incorporated into criminal procedural rules to ensure the adequate protection of fundamental human rights, in particular of the “proportionality principle” as per Article 15 of the Convention. This requirement had been highlighted by the Italian DPA, inter alia in pursuance of the Opinion rendered on the draft Convention by the Article 29 Working Party; the suggestion put forward by our DPA was that an ad-hoc clause should be added to each legal provision regulating investigational and preparatory activities in criminal proceedings whereby any investigations and procedural steps taken by the competent judicial and/or police authority would have to take account of relevance and non-excessiveness of the data and proportionate arrangements should be made. The ratification instrument also amended the provisions on traffic data (section 132 of the DP Code) by enabling police authorities, under specific circumstances, to order IT and/or Internet service providers and operators to retain and protect Internet traffic data – except for contents data – for no longer than ninety days, in order to carry out pre-trial investigations or else with a view to the detection and suppression of specific offences. The order issued by police authorities must be notified to and validated by the competent public prosecutor.
Use of Telephone Subscriber Directories for Promotional Purposes – A governmental decree introduced a temporary derogation from the legislation in force on telephone subscriber directories that lifted the consent requirement in order to process the data contained in such directories for advertising and/or marketing purposes. The new provisions allow the personal data contained in databases created from public telephone subscriber directories that had been compiled prior to 1 August 2005 to be used lawfully for promotional purposes until 31 December 2009 exclusively by such data controllers as had created the said databases prior to 1 August 2005. This derogation was received unfavourably by the Italian DPA as it impinges on the safeguards for data subjects that had been shaped, inter alia, via measures and provisions issued by our Authority.
Video Surveillance in Condos – The Italian DPA drew Parliament's and the Government's attention to the advisability of enacting legislation to regulate certain issues in connection with the processing of personal data resulting from the deployment of video surveillance equipment in condos (joint tenure apartment houses). More specifically, the DPA was in favour of regulating the decision-making process in view of the installation of video cameras in a condo along with the number of tenants' votes required to approve the relevant resolution.
Parliamentary Hearings - The DPA was heard several times in 2008 on major issues addressed by the competent parliamentary committees either within the framework of fact-finding initiatives or in the course of the debate leading to the adoption of bills that impacted on personal data protection. In particular, the authority was heard on issues dealt with by the Justice Committee at the Chamber of Deputies (Lower House), in the context of a hearing on the governmental bill to reform the legislation on interception of communications. The DPA also contributed to the issues arising from the processing of and access to taxpayers' registry data, during a hearing held before the competent bicameral Committee. Reference can be also made to two informal hearings on issues related to the insurance sector and on bills concerning introduction of a fraud prevention system in the consumer credit sector, respectively.
Main Decisions by the DPA
- Ensuring Security of Public and Private Databases
Processing of traffic data by telephone and Internet service providers: The Italian DPA adopted a general provision (dated 17 January 2008), pursuant to section 132 of the Italian Privacy Code, regarding the storage and processing of traffic data generated by telephone and Internet service providers. This was aimed at ensuring enhanced security in respect of the traffic data retained by providers for lawful reasons (including law enforcement purposes).
The measures developed by the Garante clarify who is to retain what data and lay down technical and organisational arrangements to ensure secure storage of the data in question.
In particular, it is clarified that Internet content providers, search engine managers, public bodies/organisations making available telephone and Internet networks to their staff and/or using servers made available by other entities, Internet cafés and similar establishments fall outside the scope of application of the retention obligations at issue – pursuant to the definitions set out in directive 2002/22/EC on universal service as well as in directives 2002/58/EC and 2006/24/EC. Several technical measures were set out in order to protect the data ‒ including strong authentication and biometrics procedures, fine-grained audit applied to databases and computer systems, encryption of databases, centralized and securitized log collection, and physical security measures for the protection of computer rooms and data centres.
Without prejudice to the regulatory amendments described above, telecom operators will have to implement the said measures by 30 April 2009.
This extension was granted by the Italian DPA by having also regard to the requests lodged in July by the trade associations of providers of electronic communications services, which had applied for a longer time span to fully implement the complex security measures in question.
System Administrators: The Italian DPA considered it is necessary to undertake a specific action addressing the so-called “system administrators”, to also highlight their importance in connection with the processing of personal data and raise the awareness of both data controllers and the public at large as for the sensitiveness of the tasks they discharge. In the course of the inspections carried out by the Italian DPA over the past few years, it could be appreciated that most companies and major public and private organisations attached considerable importance to system administrators, albeit with some significant exceptions – with the risk of underestimating the consequences resulting from the unsupervised activities of administrators, who are supposed to also monitor and control the appropriate use of IT systems. Accordingly, all the controllers of processing operations that are performed, in whole or in part, with the help of electronic tools were called upon to take due account of the need for considering the risks and criticalities related to selecting and tasking system administrators. At the same time, an initial set of organisational measures were laid down to make public and private bodies and organisations increasingly aware of the existence of certain technical functions, of the responsibilities vested in such functions and, in some cases, of the identity of the individuals working as system administrators in connection with the various services and databases at issue. Such measures include, in particular, the need for carefully assessing personal qualifications of candidates; appointing system administrators individually; keeping a list of the existing system administrators (in particular whenever human resource data are handled) and providing the relevant information to data subjects and staff alike; ensuring that systems are in place to log accesses (via computer authentication) to processing systems and electronic databases as performed by system administrators.
- Tax Data and Privacy
Dissemination of Tax Returns Data via the Internet by Italy's Revenue Office : The Italian DPA prohibited the Italian Revenue Office from posting the tax returns of all Italians on the Internet, a few days after the data had been made public on the Revenue Office's website. Dissemination of the data was found to be in breach of the sector-specific legislation, which allowed for different, less privacy-intrusive mechanisms to obtain information on taxpayers' income. Posting of the data on the Internet was also found to be disproportionate vis-à-vis the purpose of making available the information in question.
The consequences resulting from this blanket, un-filtered disclosure of the data concerning all Italian taxpayers were manifold. A considerable number of users in Italy as well as abroad was enabled to access a huge amount of data in the space of a few hours, since the data were available at a single source point; they could copy the data, generate their own databases, modify and/or process the data, create profiling lists, and circulate the data further with all the attending accuracy risks.
It could be also established that the Revenue Office had failed to request the Italian DPA's opinion – which is mandatory under the law – prior to adopting the decision to publish the data on the Internet.
Taxpayers' Register : A decision adopted in September 2008 took stock of the criticalities found by the Italian DPA following several inspections that had been carried out in respect of the taxpayers' register – where millions of records on Italian taxpayers are kept and may be accessed, via different tools, by a considerable number of users including public and private bodies – and set forth the technological and organisational measures required to enhance security of accesses and bring the processing into line with data protection legislation. Given that the main criticalities in question had to do with the lack of information on the overall number of access-enabled users, poor monitoring of the accesses and inappropriate use of passwords and user IDs, and the inadequate technological measures to ensure data security, the Italian DPA required regular monitoring of the access-enabled bodies and organizations; carrying out a survey of all data flows from and to the Register including the particulars of the entities enabled to access the Register, the applicable legal grounds, nature and type of the transferred data; partitioning the data that may be accessed to ensure that only such data may be viewed as the individual user is authorised to access; implementing alert systems to detect and prevent security breaches; implementing authentication/enhanced authentication mechanisms; logging the accesses and restricting the maximum number of accesses; implementing secure connection channels in case of web-based management of data flows; timely disabling users no longer entitled to access the relevant data.
- Simplification Measures
As already pointed out, the simplification exercise in respect of certain data protection requirements continued throughout 2008 with the contribution of the Italian DPA. Practical arrangements were laid down in a decision issued at the beginning of the year to further facilitate standard management and accounting tasks in both the public and the private sector, especially whenever no sensitive or judicial data are processed. To that end, simplified mechanisms were laid down in respect of information obligations vis-à-vis data subjects, without jeopardising the scope of the protection afforded by law. Additionally, data controllers were urged not to request the data subjects' consent if they only process personal data for standard management and/or accounting purposes, also in connection with fulfilling contractual, pre-contractual and/or regulatory obligations. In pursuance of the balancing of interests principle as well as in accordance with specific conditions, the DPA ruled that data controllers in the private sector were allowed to use the mail address information provided by a data subject they had delivered a product and/or a service to without that data subject's consent, if they pursued standard management and/or accounting purposes and the mailing was aimed to directly send their own advertising and/or direct selling materials or else carry out own market surveys and/or provide commercial communications. In yet another decision, the Italian DPA laid down simplified arrangements to implement minimum security measures in respect of certain data processing categories. This was aimed – in line with the provisions already laid down in simplification-oriented legislation (see above) – at affording an adequate security level by taking account of the features applying to small-sized businesses and the processing operations that are only aimed at accounting and/or management purposes.
- Health Care and Sensitive Data
Guidelines for Data Processing within the Framework of Clinical Drug Trials : These Guidelines were issued in 2008 to lay down the safeguards data controllers are required to afford when processing personal data related to patients undergoing clinical drug trials; a public consultation was subsequently launched concerning these Guidelines. The guidelines require, in particular, that data and biological samples should be retained for a shorter period; that more clear-cut distinctions should be drawn between consent to medical treatment and consent to the processing of personal data; that a specific clause be worded to obtain the patients' consent so as to enable data subjects to have their voice heard also in respect of any processing operations performed by other entities that collaborate in the given research, perhaps from abroad; that more stringent security measures should be adopted. The DPA also drafted a model information notice that could be used by the pharmaceutical companies sponsoring the studies to inform patients on processing of their data via the testing centres involved. As for security measures, they were upgraded in particular as for electronic data transfers; mandatory data access authentication procedures were laid down along with the use of data storage and archiving systems based on encryption and secure communication protocols to transfer data between testing centres, the pharmaceutical company's database, and study monitors.
Anti-Doping: Further to a report lodged by the Italian Professional Bikers' Association (ACCPI) complaining with the Italian DPA that the regulations applied by Italy's CONI (National Olympic Committee) to perform anti-doping controls in non-competition periods were in breach of Italy's privacy legislation, the Italian DPA issued a decision regarding the processing of personal data in the field of anti-doping. The DPA stressed that the processing of personal data by CONI (which is a public body) must comply with all the applicable legislation and take account of relevant international instruments. The DPA ordered CONI to amend the notice used to inform data subjects (athletes) so as to provide specific information on the data to be made available, by specifying whether this is to be done on a mandatory or optional basis and what consequences arise from the failure to make available such data, with particular regard to the detailed whereabouts information. The scope of communication of the data in question was to be also clarified, by specifying (the categories of) recipients and whether the data would be transferred abroad.
The work aimed at ensuring respect for data protection principles in connection with justice-related activities continued also in 2008. Within this framework, the DPA adopted “Guidelines on Data Processing by Court-Appointed Experts”, which clarify the obligations these professionals must respect in handling the major amount of personal data they process also with regard to different judicial proceedings. The “Code of Practice Applying to Defence Investigations by Legal Counsel and Private Detectives” was also adopted in 2008. This Code sets forth the safeguards legal counsel and private detectives should abide by when processing their clients' personal data – from the initial steps taken in preparation for bringing an action until the after-trial phase. More specifically, this Code lays down simplified arrangements in respect of information notices, stringent technical and organizational measures to protect the data, and a limited retention period as applying to the information collected for the said purposes.
- Business Information
The DPA issued a decision regarding the data processing carried out by a company managing own databases that are generated by extracting information from other filing systems (whether set up by public or private entities) to provide their customers – mostly business professionals and practitioners such banks, finance companies, information companies and agencies – with information-related services focused on the so-called business information in respect of given target entities (other companies, professionals, etc.). By a decision dated 30 October 2008, the DPA ordered the company to take any and all measures that were necessary as well as appropriate to safeguard data subjects in order to: a. prevent information that cannot be related directly to the given data subject, as it has to do with events concerning other entities, from being linked up with the said data subject; b. draw a distinction between the cases where, based on the available elements, no prejudicial items are found to relate to the target entity and the cases where the business reliability rate is set on “low”. Additionally, the DPA prohibited the company: a. From using information that is irrelevant and anyhow not directly related to the target entities; b. From providing their customers with data related to the number of queries performed in respect of the dossier on a given target entity; c. From processing the data taken from electoral rolls in order to perform consistency checks when providing their services; d. From processing the personal data related to taxpayers' returns as submitted for 2005 and stored following their publication by Italy's Revenue Office (see above paragraphs). The company was also ordered to erase the said data without delay.
- Electronic Communications
Electrical and Electronic Waste and Data Protection : By a decision dated 13 October 2008, the Garante drew the attention of legal persons, public administrative bodies, any other bodies and natural persons that do not destroy, but rather dispose of devices containing personal data after using them in discharging the respective tasks, to the need for taking suitable arrangements and measures, also with the help of third parties having the appropriate technical skills, in order to prevent unauthorised accesses to the personal data stored in the electrical and electronic equipment. Whoever plans to reuse and/or recycle waste electrical and electronic equipment or components thereof must make sure that no personal data is present and/or intelligible in the said equipment and obtain, where feasible, an authorisation to erase such data and/or make them unintelligible.
Itemised Billing : By a decision dated 13 March 2008, the Garante authorised all the providers of publicly available electronic communications services under section 124(5) of the Code to display the full numbers of communications in the itemised bills requested by their customers as from 1 July 2008, on condition they had enabled their users to perform communications and request services from any terminal by availing themselves of payment methods other than billing, and on condition they provided all their subscribers with appropriate information notices to be included in at least two bills and posted on the providers' web sites.
Telephone Marketing : Following several claims and reports related to unsolicited phone calls performed by and/or on behalf of several telephone operators and/or companies marketing goods and services, the Italian DPA prohibited a few companies specialising in developing and selling databases from further processing the personal data (i.e. the phone numbers) related to millions of users. The phone numbers at issue had been collected and used unlawfully, since no prior information had been given to data subjects who had not consented specifically to the transfer of their data to other companies.
This prohibition also applied to other companies that had purchased the databases from the companies in question in order to contact users and market their products and services via call centres. The prohibition orders followed several warnings and inspections by the DPA; the inspections had been carried out at the premises of the companies that had created and sold the databases, in respect of the telephone operators and companies that had purchased those databases, and at the call centres that had contacted the users in question.
Of note, one of the companies offered, on its website, the data of over 15 million of Italian families grouped by income and lifestyle without having informed the data subjects and obtained their consent with a view to communicating their data to third parties.
It should be recalled here that a recent legislative amendment (see Part 1) derogated from the above rules on subscriber consent, whereupon the personal data contained in databases set up from public telephone subscriber directories compiled prior to 1 August 2005 may be used lawfully for promotional purposes until 31 December 2009 exclusively by such data controllers as set up the said databases prior to 1 August 2005.
Location Data and “Check Boxes” Installed on Coaches : In a decision issued upon completion of prior checking activities, the Italian DPA authorised the processing of location data by local public transportation services. The Italian DPA also authorised processing of additional information related to the “driving pattern” and a few parameters (e.g. brake oil pressure at start and end of braking, vehicle speed during braking, etc.) as collected on the occasion of accidents via an “event data recorder”.
The Italian DPA authorised the processing operations in question upon compliance with a set of requirements: Data subjects (drivers) should be provided with detailed explanations on the nature of the processed data and the features of the system by having regard to the different purposes to be achieved; Access to the processed data should only be allowed to persons that had been entrusted therewith by the company and were lawfully entitled to access the data on account of their tasks; The data should be kept for no longer than necessary to achieve the purposes in question – by anonymizing, as appropriate, location information and processing such information exclusively as aggregate data with a view to monitoring and planning the public transportation service. As for “driving pattern” data, which would be processed in order to grant bonuses to the employees that adjust their driving patterns to corporate standards, the processing should take place by having regard to the applicable legal restrictions – in particular those set forth in section 10 of EC Regulation no. 561/2006 of 15 March 2006. The procedures to be put in place pursuant to section 4(2) of Act no. 300/1970 – whereby the agreement of trade unions must be obtained and/or a provision by the local agencies of the Ministry for Labour is required in view of monitoring employees remotely – should be complied with beforehand. The company will have to notify the processing to the Italian DPA as regards, in particular, location data, and also appoint the service provider as data processor under the terms of section 29 of the DP Code.
Online Archives of Newspapers: The DPA addressed a few complaints lodged by individuals against the availability of (past) newspaper articles via a newspaper's online historical archive. The requests pointed out that the archived reports no longer mirrored the current situation, as the individuals had subsequently changed their lives for better. The DPA found that the availability of the information in question served purposes of (historical) research and analysis; accordingly, the data subjects' consent was not required and the data could be lawfully processed beyond the time necessary to achieve the initial purposes. The processing as such is lawful and relevant; the data should not be erased and/or anonymised as requested by the complainants. However, the DPA's view was that data retrieval mechanisms of external search engines did impact on the complainants' rights disproportionately as they forever linked up the given individual to past events and behaviour; additionally, the information in question could be disseminated on the Internet for purposes unrelated to historical research due to the current retention mechanisms of search strings. As a consequence, the complaints were granted in part – i.e. it was decided that the web pages containing the complainants' personal data should not be indexed by the most popular external search engines using the complainants' names, but they should be left unchanged within the publisher's online archive (accessible via the publisher's website). Technical tools are currently available to meet this requirement (“Robots Exclusion Protocol”; use of the “Robots Meta Tag”). The publisher was ordered to comply within 60 days. The DPA reserved the right to carry out more in-depth inquiries into the broader implications of this issue, with the co-operation of all the relevant stakeholders.
Paternity Tests without Child's Consent for Judicial Purposes : A complaint addressed the case of a father who had performed a genetic test on his son without informing him, in connection with investigations he was carrying out to establish consanguinity. A private investigation agency had collected two cigarette butts binned by the man's son, acting on instructions of the man's legal counsel. The biological samples had been tested, without informing the data subject, to establish genetic compatibility between father and son. The Italian DPA ruled that a paternity/maternity test may not be performed without the child's consent if the test is not indispensable for judicial purposes. The DPA recalled that genetic data may only be collected and processed with the data subject's “prior, written” and informed consent. This requirement may only be derogated from to establish or defend a judicial claim; however, this only applies if the test is absolutely “indispensable” and is carried out pursuant to the conditions set forth by the Italian DPA – which include, in particular, an obligation to provide specific information to the data subject if the genetic test is aimed at establishing paternity/maternity. The DPA found that the son's data protection rights had been violated and prohibited both his father and the legal counsel from further processing the genetic information that had been unlawfully collected in the manner described above.
Business Information: Several complaints were lodged in the past year against a company managing the largest business information database in Italy, providing banks, financial agencies, professionals, and companies with information on business reliability and performance. As well as handling the many complaints concerning this topic, the Italian DPA tackled the broader issue via a decision that was targeted specifically at the company in question (see above).
Inspection activities were enhanced further in 2008, in line with the general upward trend reported for the previous years. The activities focused on issues of general interest for several categories of data subject. More specifically, demanding in-depth inspections were carried out into the processing operations performed by a. financial and taxation bodies; b. banking institutions; c. business information companies; d. telecom operators, as for unsolicited marketing; telecom operators, as for customer profiling based on traffic data; f. consumer credit organizations; e. companies re-using public data, in particular electoral lists and data contained in public registers of movable and immovable property. Many inspections were performed in respect of public and private entities using video surveillance systems, in order to check that the processing was lawful and compliant with the general decision issued by the Italian DPA in this connection. Importance should also be attached to the controls carried out on private hospitals processing sensitive data, as for the adoption of minimum security measures.