ANNUAL REPORT 2014 – ITALIAN DATA PROTECTION AUTHORITY - PRESS MEMO
ANNUAL REPORT 2014 – ITALIAN DATA PROTECTION AUTHORITY
The Italian DPA's report on its 18th year of activity was submitted to Parliament on the 23rd June, 2015 by the President, Mr. Antonello Soro, the Vice-President, Ms. Augusta Iannini, and the members Ms. Giovanna Bianchi Clerici and Prof. Licia Califano.
The 2014 annual report takes stock of the work done by the DPA and outlines future areas of activity with a view to enabling actual, effective protection of personal data especially in the face of increasingly intrusive technologies to collect and use personal data.
KEY AREAS OF ACTIVITY
A list of the main areas of activity for the Italian DPA in 2014 cannot but include mass surveillance and terrorism-related issues including cyber-security; Internet and social media; the role played by major providers and online profiling; transparency in online activities of public bodies and the relevant safeguards for citizens; taxation and protection of citizens' privacy; use of new technologies in the workplace; protection of data used in a judicial context; unbridled telemarketing; consumer rights; public and private databases; schools and educational bodies; e-health; political parties and movements; retention of telephone and Internet traffic data.
The right to have online news archives updated was enhanced further whilst the principles were set forth to grant ‘right to be forgotten' requests following the EU Court of Justice judgment on Google.
The DPA stepped in to provide guidance on the use of smartphones and tablets supplied to employees as well as to enhance safeguards in online occupational recruitment.
Guidelines on the use of biometrics for access controls, user authentication (including PCs and tablets) and undersigning IT documents were issued.
Guidelines were also adopted on the online publication of public records and documents so as to achieve a balanced relationship between public transparency and citizens' privacy; violations of individuals' dignity were punished in this connection.
Specific measures were taken to enhance digital security in the public administration.
Mention should also be made of the commitment shown by the DPA in clamping down on so-called ‘silent calls' and protecting telephone subscribers against aggressive telemarketing practices – via requirements and sanctions imposed on this industry sector.
The relationship between privacy and freedom of the press was yet another focus of the DPA's activity with particular regard to judicial case reports and the disclosure of investigative materials – which may prove highly detrimental to the dignity of individuals, including children.
FACTS AND FIGURES
628 decisions were adopted by the Commissioners' panel.
The Garante replied to 4,894 questions, claims and reports, which concerned the following main areas: telemarketing (considerably on the rise), consumer credit, video surveillance, debt collection, insurance, employment, journalism, condominiums.
Decisions were issued on 306 formal complaints, which mainly concerned banking and financial companies, public and private employers, marketing issues, the publishing sector (including TVs), insurance companies, telephone and Internet operators, credit reference agencies, and managers of condominiums.
22 opinions were rendered by the Commissioners' panel to Government and the Parliament; they addressed, in particular, the computerization of judicial proceedings, IT initiatives for public administrative databases, and police and national security activities.
385 on-the-spot inspections were carried out, partly thanks to the support provided by the Privacy Squad of the Financial Police (Guardia di finanza); they concerned highly sensitive areas such as medical analysis labs, pharmaceutical companies, medical apps, the revenue service's IT system, Internet Exchange Points (IXPs), fake SIM card contracts, banks, major hotel chains, mobile payment systems, leading real estate brokers, telephone operators and call centres.
577 orders notifying administrative violations were issued, of which a considerable portion concerned unlawful data processing in the telemarketing sector without the data subjects' consent as well as the failure to notify data subjects and the Garante of data breaches suffered by telephone and Internet operators, the provision of no or inadequate information to users on the processing of their personal data, the unjustified retention of telephone and Internet traffic data, the failure to take security measures or provide documents requested by the Garante, and the failure to comply with orders issued by the Garante.
The administrative fines levied by the DPA totaled about Euro 5 million.
Criminal information was preferred to judicial authorities in 39 cases, in particular due to the failure to adopt minimal security measures to protect data.
As for our front-desk activities, over 33,200 queries were handled concerning, in particular, unsolicited promotional calls, Internet, the publication of documents and records by public bodies, video surveillance, and employer-employee relationships.
THE INTERNATIONAL PERSPECTIVE
No less substantial and focused was the work done by the Garante at international level. Reference can be made in the first place to the cooperation as a member of the ‘Article 29 Working Party', of which Antonello Soro is currently vice-president. Several opinions and documents were adopted by the Working Party in 2014 – on the Internet of Things, new profiling systems such as fingerprinting, Big Data, anonymization techniques for personal data, data breaches, the use of drones, the surveillance of communications for intelligence purposes, Passenger Name Records (PNR), specific rules for cross-border data transfers, and guidance on application of the EU Court of Justice's judgment in the Google-Costeja case concerning the right to be forgotten.
The EU DPAs also dealt with the reform of the EU data protection legal framework, which envisages a new General Data Protection Regulation (replacing Directive 95/46/EU) and a Directive to regulate data processing in the law enforcement sector.
The Garante followed the debate on this new legal framework unrelentingly, in particular by taking part as a technical expert in the meetings of the competent EU Council working group (DAPIX).
Reference should also be made to the work done by the Garante in the Council of Europe, which is revising its 1981 Convention for the protection of personal data and also published new Recommendations on the processing of personal data in the employment sector; additionally, the Garante contributed to other working groups, including OECD ones.
Finally, a substantial amount of work was carried out by the DPA as a member of the Schengen, Europol and Eurodac Joint Supervisory Authorities.
Rome, 23 June 2015