Address by the President of the Italian DPA, Mr. Antonello Soro On the occasion of presenting the Report to the Italian Parliament
Italian Data Protection Authority
ANNUAL REPORT 2012
Mrs. President of the Chamber of Deputies,
Ladies and Gentlemen,
This is the first Report submitted by the new collegiate panel of the Authority – which I am honoured to chair – to this Parliament and Government.
On this occasion, I wish in the first place to reiterate our commitment towards carrying on our loyal and constructive cooperation with the institutions that have elected us.
1. Data Protection as a Foundation of Citizenship
This commitment is all the more necessary at a time when disenchantment and disillusionment are rife not only vis-à-vis institutions, but also in respect of the value of rights as such – since rights are often considered to give way to the many pressing needs arising out of the social and economic crisis.
To prevent this drift from continuing, I believe it is appropriate to reiterate the primacy of rights in line with the focus on the individual that is a key feature of our Constitutional Charter. Only in this manner may one nourish the ambition to bridge the growing social divide via a new concept of citizenship.
Given this context, data protection has taken up a growingly pivotal role in the digital society age, and it could not be otherwise – partly because of its having been "constitutionalized" via the Charter of Nice and because it is closely related to human dignity. Thus, data protection encompasses the individual as a whole and includes both the personal and the relational dimensions.
Looking at the experience gathered by the Authority over the past years – thanks, above all, to the commitment shown by our predecessors, whom I wish to thank most sincerely – the right to personal data protection has proven a mighty tool to foster freedom and equality in the face of old and new forms of social stigma or authoritarian surveillance. Indeed, it has proven to be a precondition to freely express oneself by respecting one's own identity.
This is why we wish to reiterate the need for a constructive exchange of views with Parliament and Government so as to prevent the scope of the entities protected by the provisions of the Code from being limited by way of legislation such as that adopted or tabled in the past Parliamentary Session.
I am thinking in particular of the proposals put forward to deprive individuals who act in a professional capacity of the safeguards laid down in the Code – so that the scope of the protection afforded to natural persons would be limited to consumers only.
Another equally questionable amendment was the one whereby legal persons, organizations and associations were placed outside the scope of the safeguards provided for in the Code, so that we had to issue a specific decision to sort out implementing issues and, more importantly, prevent inconsistencies with EU law.
Paradoxically, now that the new communication tools expose legal persons to growing risks that their image and reputation are bruised or misused, legal persons are deprived of a fundamental tool to protect themselves – in fact, this type of protection is still being requested from us.
However, we are aware that the approach to these issues is to be "updated" continuously so that regulations can be adjusted to the fast-paced evolution of our reality and can accommodate developments with the required degree of flexibility.
The legal armamentarium handed down by our tradition can barely keep up with these changes; thus, the institutional actors at both domestic and international level must keep up the dialogue with the various stakeholders in order to prevent the rise of a lawless society.
This is where independent supervisory authorities could leverage the "participation-based democracy" components that underlie the sector-specific EU legislation.
Indeed, independent supervisory authorities are marked – much more than other institutions – by their being firmly grounded in the EU law, so that they are parts of the European constitutional framework as well as the hubs of a supra-national system for the protection of rights that goes well beyond the conventional pattern of administrative decision-making powers. In fact, these authorities are growingly called upon not only to bridge the gap between citizens and institutions, but also to be places where citizens can become such institutions.
An example is provided by the advisory tasks committed to these authorities under the EU law, which is aimed ultimately at fostering a decision-making process that can reconcile different interests whilst making sure that such interests are voiced appropriately through procedural safeguards.
Consider, for instance, the provisions contained in EU data protection laws whereby codes of conduct may be adopted to regulate highly sensitive sectors on the basis of the exchange of views between representatives of industry and trade associations and independent data protection authorities so as to strike the best possible balance among the interests at stake.
2. Transparency and Informational Powers of Public Administrative Bodies
From this standpoint, we consider it indispensable to strike a balance between public sector transparency and citizens' privacy. Both are highly valuable to ensure the sound development of democracy and must be reconciled factually – which is what the Italian DPA called for in its opinion on the legislative decree concerning public sector transparency (no. 33/2013).
Strict compliance with privacy principles should prevent transparency from being inappropriately and instrumentally relied upon to legitimize discrimination caused by the disclosure of information on a person's health or life-style - as is necessary, for instance, when applying for exemptions to the payment of school canteen charges or other fees.
Preventing this "function creep" is what led the Garante recently to step in with regard to several municipalities that had posted the full text of decrees ordering coercive medical treatment in respect of various individuals.
Data protection and transparency are not and should not be seen as mutually conflicting; in fact, they complement one another: accuracy and quality of the information that is made public guarantee the "administrative truth" public bodies are required to uphold with a view to enabling democratic controls.
The regulatory instruments adopted by the Italian Revenue Service on which our DPA gave several opinions are proof, once again, that cooperation with our DPA is indispensable in the public sector and can factually reconcile privacy and effectiveness of administrative measures - which were aimed in this case at countering tax evasion.
The measures relating to the Taxation Register have raised several concerns in the public opinion.
The Garante sought the best possible reconciliation of two rights – namely, the right to privacy and the right to fair taxation – on the assumption that privacy is part of our freedom: just like an individual's freedom is bounded by societal freedoms, an individual's privacy can never be kept totally separate from the societal dimension of freedom.
We required the Revenue Agency to implement stringent security measures on account of the huge amount of data they handle; although the pooling of such data may be justified on compelling social grounds, these data may only be accessed selectively as no blanket controls are admissible.
We will not cease our supervision over the implementation of those measures.
The synergies between administrative measures and data protection are all the more necessary in light of the growing computerization of administrative activities and the proliferation of databases. These developments have occurred mostly in the absence of a national policy or strategy as they have followed a piecemeal pattern – which has resulted in setting up self-referential systems containing duplicate, at times inconsistent data in incompatible formats.
The implementation of a synergic approach is key also with regard to the "Digital Agenda" challenge, as this is the only way to make sure that it can turn into a fundamental driver of innovation and growth for the country as a whole and also lead to the recognition of new citizenship rights.
3. Exercising Power and Freedom
The informational power exercised by public administrative bodies is even broader in scope as regards the processing operations performed for purposes of ordre public and/or justice. This is exactly why it is fundamental to ensure that the provisions in the Code affording specific safeguards to citizens also in this area are implemented in full.
In particular, it is indispensable to implement Section 53 of the Code – which has been repeatedly called for by the Garante – whereby the databases set up for ordre public purposes should be "listed".
Nowhere else is the tension between power and freedom as perceivable as in processing operations for purposes of justice or ordre public.
Data protection is the precondition for exercising power fairly, especially when dealing with individuals that have been entrusted to the State's authority – such as prison inmates, convicts, or aliens detained in identification and deportation centres.
These individuals are veritably "naked" vis-à-vis public authorities on account of their being fragile – either by nature or because of the given circumstances.
It can be easily grasped that their difficult situation along with the disproportion between their weakness and the power vested in public authorities can endanger those fundamental rights individuals are entitled to even when serving sentences.
On the other hand, such rights are key features of citizenship as well as safeguards for human dignity that may not be derogated from – not even in a prison, and the less so in a juvenile prison, or during pre-trial detention, in a psychiatric ward or in an identification and deportation centre: this is why the Garante will focus all the more on these processing operations and on the need to foster full awareness of the relevant rights – above all – in these areas.
4. Data Protection, Individuals and Marketplace
If data protection is a prerequisite for a truly free and democratic society to exist, it can also represent – today more than in the past – an extraordinary safeguard against the unauthorized reconstruction of one's identity or the commercial exploitation of personal information.
Whilst biometrics are increasingly relied upon and bodies are thus turned into mere data, it is only the in-depth awareness of data subjects and the thorough assessment of compliance with principles such as relevance and non-excessiveness that can protect individuals against the risk that key information on them is surrendered to others – at times irrevocably.
This is all the more so with regard to the processing of personal data in the employment sector.
This is an area where we are striving to devise balanced solutions – partly in light of the debate at EU level and the opportunities made available by technological innovations – so as to reconcile the inescapable need to safeguard workers and their dignity with the requirements of businesses; this is ultimately aimed to ensure that all the appropriate measures are in place to prevent misuse of data and prejudicial effects for data subjects.
We will keep our focus on this area whilst we are well aware that additional cooperation with lawmakers will be necessary to devise solutions as issues continue to arise.
There is increasing need for our Authority to step in and protect citizens-consumers against marketplace forces and the attempt to gather information for profiling individuals and their habits and influence their decisions.
The regulatory framework has been modified repeatedly over the past few years so as to limit the safeguards afforded to citizens and expand what is "lawful business practice".
This applies to telemarketing, where the new rules have been shown to be unquestionably fraught with criticalities; as a result, consumers' exposure to intrusive marketing campaigns has undermined, first and foremost, their trust in market forces.
Recently we introduced simplified arrangements for this sector, whilst preserving citizens' mastery over their private sphere.
Conversely, the measures set forth by our Authority with regard to the so-called "black boxes" on motor vehicles consisted in clear-cut safeguards to prevent unjustified monitoring of drivers' whereabouts; this goes to show that the legitimate need to downsize corporate risks and counter fraud can be appropriately reconciled with the protection of citizens.
The creation of sector-specific databases for public utilities such as, in particular, telephony, power and gas utilities or the opportunity to easily access credit bureaux also require stringent safeguards for data subjects.
Such safeguards are aimed not only to prevent discrimination due to the imperfect assessment of the reasons underlying cases of non-performance or defaults, but also to ensure that the databases remain fully reliable.
The difficult task to strike a balance is made even more daunting by the crisis and economic difficulties; this is why our Authority is working to achieve viable solutions jointly with the various stakeholders.
There is need for a culture of security to become widespread among businesses as this is a fundamental corporate asset as well as a key to achieve consumers' trust – especially at a time when data have become valuable assets.
In order to meet corporate requirements whilst never losing sight of consumers' needs, we adopted recent guidelines to simplify the applicable arrangements.
Furthermore, we consider it helpful to start a dialogue with Parliament and Governmental bodies in order to revise the sanctioning system and security measures – which focus mostly on conventional processing systems.
Indeed, it is appropriate to bridge the existing gaps and do away with criticalities by taking account of the experience we have gathered so far; to that end, the necessary updates will have to be made so as to face the new challenges of data sharing and data breaches that are surfacing especially because of web-related developments. I am thinking, in particular, of digital identity theft and the risks brought about by cloud computing.
Our Authority has gained considerable insights in the security sector and can play a key role in this area. Let me refer to the new obligations for telephone and Internet services providers to notify – in some cases to users – any breaches that result in data loss and/or destruction.
After launching a public consultation, we issued guidelines in this respect to lay down data breach notification procedures and mechanisms.
These measures should be welcomed by businesses partly in view of additional, more stringent requirements that are expected to be set forth by the new European data protection regulation; entry into force of such Regulation will entail supplementary efforts by our Authority.
Still, we can count on our Office, which – though small-sized – includes young, highly qualified staff. Thanks to them, we managed to handle over 35,000 questions last year, handle about 4,500 complaints and reports, adopt over 460 collegiate decisions including opinions on draft regulatory instruments. We imposed 578 sanctions and carried out 395 inspections and inquiries – the latter were performed in part with the help of the special Privacy Unit at Italy's Financial Police, and I wish to thank them warmly for this along with their Commanding Officer.
5. Algorithms Are Not Neutral
New technologies have freed us in part from the fetters of time and space, but they have also enslaved us in novel ways. This is why regarding them as natural propagators of democracy may be narrow-minded, misleading, and downright dangerous in some cases.
In the "always on" age, the total transparency fetish is surfacing as the antidote to obscurity in all its forms. The Internet is pushing up the demand and request for being informed in the name of the principle whereby nothing should escape communal attention.
Still, total transparency is not always the same as truth nor is privacy always invoked to keep unsavoury secrets in the dark. In fact, privacy is a fundamental requirement in political life as well as in private citizens' lives.
This does not mean that holders of public offices – especially if elected – may demand the same safeguards as private citizens, at least they may not do so with regard to the information that is functional to the public review of their work.
The Internet does provide an unprecedented opportunity for developing knowledge, exercising political rights and fundamental freedoms. However, Internet users may be driven unknowingly towards certain decisions if one considers that using or accessing the Web is possible within the boundaries set by leading Internet providers – who are free to decide how to rank information and whether a given informational item is worthy of mention.
Algorithms are not neutral.
This is why one can hardly refer to the freedom of the Net as long as contents indexing criteria and search result parameters are not known and shared in full.
In short, we all risk finding only what others have decided we can find online – knowing only part of the picture, glimpsing at reality.
By the same token, the delusively easy socialization of the digital world may translate into new forms of loneliness and turn our gaze increasingly inwards.
6. The Commercial Exploitation of Identity
We all feed our data every day into the Web, not always knowingly. What is more, cloud computing entails that our data is transferred to systems located just about anywhere.
It is unquestionably helpful to have information always at one's fingertips and accessible by way of multiple devices such as smartphones and tablets; however, keeping control over one's own data may prove impossible.
This is all the more so if our location is traced not only online, but in our real life, which is thus bound to turn into a digitalized life where our whereabouts and habits are carefully logged.
Internet has become a staple commodity, indeed it has turned into our environment.
The integration of communication channels, the exposure of our biographies in a spaceless as well as timeless container impact on individuals and society in the sense that they modify the respective features, forms, and practices; they reduce and ultimately do away with the gap between real and digital identities.
Only think of the "Internet of Things", geolocation, pervasive video surveillance, or smart cities.
New visibility windows open up and whole chunks of our lives are in danger of being projected into a world where everyone has turned into a little "big brother" – let me only refer to Google Glass and facial recognition applications.
The increasingly close relationship between man and machines and widespread surveillance practices that are not always grounded in security requirements impact on our freedom and challenge time-honoured legal categories.
Against this backdrop, data protection can avert the danger that new technologies turn into evil-doing tools even though they can simplify our lives – because personal data are used recklessly to fuel a veritable "business" based on the commercial exploitation of personal information.
This type of exploitation is leading to the creation of mainstream identity models that jeopardise self-determination opportunities; on the other hand, the data collected in this manner fall easily outside individuals' control and are fed into the "databases" of entities that are basically profit-seekers.
In today's globalized world there is a huge number of individuals inputting their data on a daily basis as opposed to a handful of large-sized operators that work practically as monopolists; these are the so-called over-the-top operators that are leaders in their respective fields, such as Google among search engines, Facebook among social networking systems, or Amazon among online retailers. This is where the wealth of information circulating on the Web is channeled without any constraints whatsoever.
Increasingly refined profiling techniques along with the stepwise matching of stored data already allow orienting production in accordance with consumers' expectations – and this will be even more the case in the coming years.
Internet giants are turning into exclusive brokers between consumers and producers.
The power vested in these entities may not be overlooked, given that they deal with States and supranational bodies on an equal footing, nor may one accept any longer the regulatory gap vis-à-vis the European contents and services industry.
This is why one should not allow personal data to be appropriated by data collectors, given that such data have become hugely valuable in both predictive and strategic terms; this is moreover the reason why one should demand transparency in processing operations again and again.
Affording protection is both difficult and complex whenever the reconciliation between the constitutional import of a right and the commodification of that right is left directly to users – who often can benefit from free-of-charge services.
Data subjects should become increasingly aware of this and play an active role in demanding and obtaining protection for their data and transparency in the processing of such data.
7. Neither Censorship Nor Lawlessness: The Net As A Democracy Factor
Posting comments compulsively on virtual bulletin boards as a result of an irrepressible need to share and exchange information is apparently lowering the threshold of privacy as to what may be disclosed or said about oneself or others. Indeed, the very boundaries of what is lawful and acceptable are becoming blurred; as a result, it is (too) often the case that a dissenting opinion turns into words of abuse and criticisms into offending language.
The online world loosens ethical constraints and enhances the impact produced by phenomena such as multimedia bullying, as shown unfortunately by recent news reports.
We regard this issue as a new, difficult frontier that is challenging, first and foremost, the consciences and skills of those in charge of public offices.
The Net can be used as a tool to disseminate abuse, threats, minor or major forms of violence – at times gender-oriented or targeted at women as such, or even at ethnic or religious minorities. The consequences are sometimes tragic.
These are offences that are far from reflecting freedom of expression and may turn the Net from a powerful democratization tool into a lawless space where rights can be breached at will.
Courts are trying to devise a framework of rules by affirming the jurisdiction of national courts over offences against the fundamental rights of nationals as well as by making providers – even if established outside the EU – liable for illicit contents if they fail to take down such contents once they have received notice of their presence. This happened, for instance, in the Google-Vivi Down case that was handled by a court in Milan.
One should consider how to make the main stakeholders accountable in order to reconcile the right to anonymity – which is a fundamental safeguard for freedoms, especially in non-democratic contexts – with criminal investigative requirements; we believe that not everything should be left to private initiatives as grounded exclusively in a market-driven logic.
We believe so because it has been too often the case that web monopolists have complied with the requests – including those involving censorship measures – coming from non-democratic governments.
At all events, we may no longer show leniency towards the verbal violence that can be found on the Web; this is first and foremost a cultural challenge all true Internet friends should take up.
We decided to devote the European Privacy Day to these issues and promoted a campaign jointly with the Ministry of Education, and also created a video tutorial to provide guidance to youths in a straightforward, non-bureaucratic format.
Still, we all are called upon to do more.
8. Right to Be Forgotten and Evolving Identities
The growing obscurity on the use of the data concerning us, which may remain on the Net for much longer than one intended, along with the fear that such data may be captured by search engines and used out of their context are fuelling the demand for recognizing and protecting the right to be forgotten.
This right should in no way hamper freedom of expression, transparency and the search for truth; accordingly, this right is not unlimited and has to be balanced against the right to impart and receive information and preserve societal and collective records.
From this standpoint, our Authority has long been requesting that daily newspapers should prevent indexation by generalist search engines of obsolete pieces of information a data subject considers to be prejudicial to him or her; alternatively, they should take measures to highlight any updates of such information.
These arrangements can ensure that one's identity is presented thoroughly without affecting the news item as such – since information is neither taken down nor erased.
In this perspective, the right to be forgotten translates into the right to obtain a fair, updated representation of one's own identity and can enhance, in turn, quality and accuracy of information. This is the balance struck quite clearly in the draft EU Regulation on data protection, where this "new" right is set forth as one of the key regulatory measures.
9. Dignity of Individuals and Freedom of the Press
Reconciling freedom of the press and dignity of individuals is a fundamental prerequisite for a society to be free, democratic and pluralist; on the other hand, such reconciliation is markedly impacted by technological evolution, which brings about unrelenting changes both in journalists' work and in the perception of privacy.
In particular, the multiplication of information sources makes professional ethics even more important in order to ensure that information is imparted responsibly and by respecting individuals' rights and freedoms.
Regarding investigative journalism and reporting, the growing trend towards celebrating trials in the media makes it all the more necessary to appropriately select what is publicly relevant information; moreover, such information should be imparted by respecting both privacy and the presumption of innocence principle.
Additional safeguards – on top of those set forth in the "Charter of Treviso" – should be in place vis-à-vis the weaker parties that are often mentioned in news reports such as children and victims, who should never be handled instrumentally.
The publication of investigational records should satisfy the public interest standard rather than voyeuristic prurience: one should be aware that not everything that is of interest to the public is automatically in the public interest.
This applies especially to wiretapping records; these are of the utmost importance in investigational terms, indeed they are indispensable in some cases, so that they should be handled with the utmost care. Leaked information may undermine investigations and violate the data subjects' dignity; moreover, one should refrain from practicing "transcription journalism", which translates ultimately into poor informational quality.
To foster accountability and awareness in journalistic activities whilst taking full account of the key role self-regulation can play in breathing life into ethical rules, we plan to start an exercise aimed possibly at updating the Journalists' Code of Practice; this exercise would seek ultimately to achieve the best possible reconciliation between freedom of the press and dignity of individuals.
On the other hand, we started a fact-finding survey of the procedures followed by prosecuting offices and the telecom operators involved as regards interceptions of communications in order to afford all possible safeguards to the parties in judicial proceedings - including third parties – whilst protecting the confidentiality of investigations. We expect to issue a decision in the coming weeks to outline solutions that can enhance the protection of the data processed in this context and prevent their unjustified disclosure.
10. Truly Strong Privacy: The European Challenge
The regulatory framework of data protection has been strengthened by the Treaty of Lisbon; however, data protection is weakened in practice by the criticalities due to overpowering international entities, unrelenting innovations, and new models of data sharing and handling.
Each national law is fraught with the limitation of failing to regulate phenomena like the Internet or cloud computing that are global in nature; thus, no shared solution can be found for issues that are at the crossroads between individuals' rights, lobbying interests vested in companies, and States' willingness to follow the strong drive towards security and the fight against crime.
Increasingly strong pressure is exerted by law enforcement authorities to access data that has been collected for utterly different purposes. The news from the USA cannot but increase our concerns.
The blanket, indiscriminate surveillance of citizens in the absence of any circumstantial evidence of crime – which reasonably involves European citizens as well – by way of telephone and Internet traffic data is truly a serious matter. This is so even if the underlying objective is countering terrorism.
The privacy-security tension is inherent in our times; however, the assumption that democracy can be protected by trampling on citizens' freedoms can undermine the very assets one is striving to protect.
Conversely, we continue stubbornly to believe that respect for fundamental rights is one of the key differences between democratic and authoritarian regimes. This is why we have immediately contacted the other EU authorities in order to wage a joint action.
Europe is no prey to a delusion if it tries to face these changes; in fact, the overhaul of data protection legislation – which is expected to be completed by the first months of 2014 – is meant to reaffirm the pivotal role played by European rules and overcome the considerable resistance coming from other countries and major corporations.
We should prevent these strong, influential lobbying actions from turning the review of privacy rules into a race to the bottom.
The EU is grounded in rights, not in market rules; rights are the only real check on the dangerous assumption that business is the measure of all things in life. Against this backdrop, data protection is indispensable as a value and is expressly and indissolubly related to the existence of a supervisory authority.
Before concluding, let me give my warmest thanks to the colleagues that make up the collegiate panel of our Authority along with me; we have struck on a note of mutual trust and collaboration from the start, and this has enabled us to achieve unfailingly shared solutions also thanks to the different accents we have emphasized.
I wish to also thank the Secretary General and all those who work in our Office, day by day, generously and skillfully, to meet the growing demand for protection coming from our citizens.
My colleagues and I have relied on our passion and commitment to be equal to this experience, which conjures up fundamental values of individuals along with preconditions for democracy and the new frontiers of technological evolution.
We have been keenly aware that our day-by-day activities can also contribute to facing this challenge – in fact, we are confident that the protection of personal data is not only a tool to promote individuals' development, but a basic constituent of citizenship amidst today's whirling changes.