[doc. web n. 1636001]
Profiling and Electronic Communications
Decision by the Italian DP Authority dated 25 June 2009 as published in Italy's Official Journal dated 11 July 2009
The Italian data protection authority,
Having convened today, in the presence of Prof. Francesco Pizzetti, President, Mr. Giuseppe Chiaravalloti, Vice-President, Mr. Mauro Paissan and Mr. Giuseppe Fortunato, Members, and Mr. Filippo Patroni Griffi, Secretary General;
Having regard to the Data Protection Code (legislative decree no. 196/2003, hereinafter "the Code") as published in Italy's Official Journal no. 174 dated 29 July 2003;
Having regard to the records on file;
Having regard to the considerations submitted by the Secretary General pursuant to Article 15 of the Garante's Rules of Procedure no. 1/2000;
Acting on the report submitted by Prof. Francesco Pizzetti;
1. Preliminary Considerations and Inquiries
This Authority carried out inquiries – including inspections – to monitor the activities performed by providers of publicly available electronic communications services (hereinafter, "providers") with a view to gathering information on the arrangements that are being implemented by the individual providers to "profile" their customers (so-called "customer base") – partly in connection with the categorization of data subjects by homogeneous groups (so-called "clusters").
The providers in question are those that make electronic communications services publicly available on public communications networks, whereby "electronic communications services" means such services as consist wholly or mainly in the "conveyance of signals on electronic communications networks" (see section 4(2)d. and e. of the Code).
The findings of the said inquiries show that the providers carry out profiling activities using personal data that are at times aggregated in accordance with pre-set criteria, which are established from time to time by the individual data controllers in the light of corporate requirements.
The data in question may include multifarious personal information such as contractual information and consumption data, which allows inferring additional information with regard to each data subject – e.g. consumption bracket, expenses by period, activated services per line, etc.
The fact that a provider can rely on and process the said categories of data, albeit as aggregate data, means that a provider can rely on an information base that goes well beyond the individual items of information related to each individual data subject. Indeed, by matching and using customer data a provider can gather information related to an individual user and/or resulting from data aggregation and clustering in order to monitor business trends as well as possibly to plan and implement marketing campaigns on the basis of the said analysis.
Profiling is one of the main activities performed by providers; accordingly, it is part and parcel of the activities that are structurally performed by them. Indeed, providers can implement the planning of corporate structures and services by relying on the findings of the business intelligence analysis that is directly related to such profiling activities.
Any data that is "anonymous" as per section 4(1)n. of the Code does not fall within the scope of application of this decision.
Profiling may concern either "identifiable" personal data or "aggregate" personal data that are derived from specific identifiable personal data – e.g. census or traffic data.
Accordingly, this decision applies to profiling performed on identifiable personal data and/or on aggregate personal data as resulting from specific identifiable personal data.
As clarified below, profiling performed on identifiable personal data is only allowed if – under section 23 of the Code – the data controller can provide written proof that the data subject had given his/her informed, free, and specific consent thereto. The consent in question obviously also applies to the processing of aggregate personal data.
Where the provider plans to rely on aggregate personal data for profiling purposes, and the data subjects' consent has not been obtained in respect of such data, the provider will have to lodge a prior checking application with the Italian DPA since the processing carries specific risks for data subjects on account of the data at issue, the processing mechanisms, and/or the effects that may be produced by the processing.
Only in this manner will it be possible to establish, inter alia, whether processing of the said data may be authorised in the absence of the data subjects' consent as per section 24(1)g. of the Code.
This decision leaves unprejudiced the provisions set forth in section 123 of the Code concerning data retention for billing purposes as well as those on retention and security of telephone and Internet traffic data with a view to the detection and suppression of criminal offences as laid down in section 132 of the Code, legislative decree no. 109/2008, and the general provision issued by this Authority on 17 January 2008 and published in Italy's Official Journal no. 30 dated 5 February 2008 – as subsequently amended by the decision dated 24 July 2008, which was published in Italy's Official Journal no. 189 dated 13 August 2008 (see www.garanteprivacy.it under web docs. 1482111 and 1538224, respectively).
3. Profiling Based on "Identifiable" Personal Data: Consent
Pursuant to the principles of data minimization (section 3 of the Code) and proportionality of processing (section 11 of the Code), profiling should be carried out by only using such data as is absolutely necessary to achieve the specific purpose, and anyhow by only processing data that is the subject of an appropriate information notice provided by the data controller, who must also be in a position to provide proof of the data subject's free, specific consent thereto – as per sections 13 and 23 of the Code.
The above principles apply not only if the data are specifically collected by a provider for the purpose in question, but also if profiling is performed by means of data that had been collected initially for a different purpose – including provision of the given services.
4. Profiling Based on "Aggregate" Personal Data: Prior Checking
As for profiling that is performed by means of aggregate personal data, it should be considered first and foremost that the aggregation level varies with the level of detail of the individual parameters as determined by each data controller.
The risk this processing may entail to data subjects is related to the setting of the aggregation level as well as to the technical arrangements underlying the processing.
The aggregate personal data used for profiling purposes are derived from specific identifiable personal data, which are contained in several databases and systems and continue to be available to the data controller – who is required to retain them on account of various management and/or operational requirements as well as for different periods, including those set forth by the law (e.g. for billing purposes as per section 123 of the Code, or else for detecting and suppressing criminal offences as per section 132 of the Code and decree no. 109/2008).
Despite the aggregation performed on the data, the latter may not be considered to be anonymous; in fact, they fall under the scope of the definition of "personal data" as per section 4(1)b. of the Code – whereby "personal data" means any information related to an entity that is or can be identified, also indirectly, by reference to any other information including a personal identification number.
Therefore, if a provider plans to use aggregate personal data for profiling purposes and there is no proof that the data subjects consented thereto, the said provider will have to lodge a prior checking application with the Italian DPA.
The application will have to be lodged pursuant to section 17 of the Code by detailing the processing operations to be performed, the respective purposes and the categories of data to be used.
Having received the said application, the Italian DPA will issue a decision upon completing the prior checking procedure in order to
a. check that the minimum standards and conditions set forth herein are met;
b. lay down such additional specific measures as may prove necessary in order to bring the processing into line with the Code;
c. establish whether the provider(s) should be authorised to carry out profiling activities in the absence of the data subjects' consent as per section 24(1)g. of the Code.
It should be pointed out that the assessment performed by the Italian DPA in respect of the prior checking application will rely on, without being limited to, the following minimum standards and conditions:
1. the personal data that are used for profiling activities, although deriving from detailed data that the data controller may hold further for management purposes and/or to meet operational requirements, perhaps arising out of the law, should only consist in aggregate personal data that do not allow immediately tracing back detailed information on the individual data subjects within the framework of profiling-focused systems;
2. the aggregate personal data that are used for profiling activities should be contained in one or more ad-hoc dedicated systems, which should be kept functionally separate from the systems that are the sources of the aggregate data as well as from such additional systems as may be used by the data controller for other purposes (e.g. marketing);
3. the aggregate personal data that are used for profiling activities should undergo processing aimed at preventing the individual data subjects from being immediately identifiable, irrespective of whether the data relate to a specific data subject or else to several data subjects;
4. the persons in charge of the processing operations for profiling purposes should be provided with authentication credentials with a limited scope, other than that applying to the persons performing further operations including those downstream of the profiling as such;
5. the personal data that are used for profiling activities should be kept for a limited period and erased thereafter.
5. Additional Obligations
Subject to the requirements set forth herein, there are obligations vested in providers that are left unprejudiced.
In particular, a provider planning to process personal data (whether "identifiable" or "aggregate") for profiling purposes must notify the processing to the Italian DPA under section 37(1)d. of the Code by complying with the arrangements set forth in section 38 thereof.
Additionally, section 13 of the Code requires the data controller to inform data subjects on the purposes of the processing and the rights vested in them under section 7 of the Code.
It should be recalled here that failure to comply with legal requirements and/or the measures set forth herein may carry the punishments laid down in sections 161, 162(2bis) and (2-ter), 163, and 164-bis(2-4) of the Code – as introduced or amended by Act no. 14 dated 27 February 2009, which converted and partly amended the ordinance no. 207 dated 30 December 2008.
Section 161 deals with missing and/or inappropriate information notices, whereby breach of the provisions laid down in section 13 of the Code – requiring that the information to be provided to data subjects should also mention the purposes of the processing, including profiling – is punished by an administrative fine ranging from six thousand to thirty-six thousand Euro.
Failure to notify the processing or submitting an incomplete notification to the DPA are punished under the terms of section 163; in particular, whoever fails to timely notify the processing under sections 37 and 38, being required to do so, or else submits an incomplete notification is punished by an administrative fine ranging from twenty thousand to one hundred and twenty thousand Euro.
Section 162(2-bis) applies to the cases where personal data are processed in breach of the provisions mentioned in section 167 – which also refers to section 17 of the DP Code concerning prior checking requirements; a fine ranging from twenty thousand to one hundred and twenty thousand Euro is imposed in all such cases. Additionally, under Section 162(2-ter) an administrative fine ranging from thirty thousand to one hundred and eighty thousand Euro is applied in case of non-compliance with decisions/orders issued by the DPA to set forth necessary measures under section 154(1)c. of the Code.
Finally, where one or more provisions concerning administrative breaches are violated repeatedly, also on different occasions, in connection with especially important and/or large databases, an administrative sanction is applied under section 164-bis(2) consisting in payment of a fine ranging from fifty thousand to three hundred thousand Euro. In especially serious cases and/or in the light of the offender's economic status, the said fine may be increased as per paragraphs 3 and 4 of section 164-bis.
NOW, THEREFORE, BASED ON THE ABOVE PREMISES
THE ITALIAN DATA PROTECTION AUTHORITY,
Subject to the obligation vested in any provider that plans to process personal data, including "aggregate" personal data, with a view to profiling purposes to inform data subjects as per section 13 of the Code on the purposes at issue and the rights vested in data subjects under section 7 of the Code as well as to notify the processing in question to the Italian DPA under section 37(1)d. of the Code in accordance with the arrangements set forth in section 38 thereof,
Under section 143(1)b. and section 154(1)c. of the Code
A. providers of publicly available electronic communications services that plan to perform profiling activities by relying on "aggregate" personal data (also in the absence of specific consent thereto) to lodge a prior checking application with the Italian DPA pursuant to the procedure laid down in section 17 of the Code; the application should detail the processing operations to be performed along with the respective purposes and the categories of data to be used;
B. providers of publicly available electronic communications services that currently perform profiling activities by relying on "aggregate" personal data in the absence of specific consent thereto to lodge the prior checking application mentioned under A. above by the 30th of September, 2009.
It is ordered hereby that a copy of this decision be sent to the Ministry of Justice – Ufficio pubblicazione leggi e decreti in order for it to be published in the Official Journal of the Italian Republic.
Done in Rome, this 25th day of the month of June 2009
THE SECRETARY GENERAL