"Data Privacy". Intervista ad Antonello Soro
Intervista ad Antonello Soro, Presidente del Garante per la protezione dei dati personali
(di Vincent Manancourt, Politico.eu, 19 febbraio 2020)

CIAO CIAO, PRESIDENTE: Antonello Soro is due to be replaced as the head of Italy's privacy regulator - known as the Garante - on Tuesday. Well, that's the plan at least. Shifting arithmetic in Italy's parliament over the past year has already pushed the planned handover date back several times. Soro was due to be replaced in June, and then in December? and now there are doubts the new February 18 deadline will be kept.

How it works: Italy's legislature nominates four candidates -  two from each chamber - to the Garante?s board, after which the candidates decide among themselves who will take the top job. If there's a tie, the post goes to the oldest candidate (this feels very Italian).

Frontrunners: So far, the names on everyone's lips are right-wing firebrand Ignazio La Russa and Pasquale Stanzione, a former law professor. Both septuagenarians, Stanzione just about sees La Russa off in the age category. Did someone mention cordon sanitaire?

Whether or not Soro is finally replaced next week, he has overseen a period of huge change at the Garante - not least the introduction of the EU's flagship privacy regime, the General Data Protection Regulation (GDPR).

He is one of only a handful of regulators to have imposed multimillion euro fines under the regime, recently slapping two homegrown darlings - telecoms company TIM and the energy company - with large penalties. He has also set the agenda on TikTok, a Chinese-owned app targeted at kids, calling for a European data protection task force to look into the app.

Cyber Insights interviewed the former dermatologist. Here's what he said. (disclaimer: interview by email)

On those large fines for TIM and ENI: "Fines are never desirable... however there is often no alternative. It is the law that sets out when less punitive measures may be relied upon. A great philosopher used to say that the state should work to make itself useless. The same applies to the Garante."

On TikTok: "I believe it is necessary to shed full light on the features of the processing in question, which can impact national security and, on the other hand, children's privacy given that children would appear to be the target users for this social network. This is all the more necessary if one considers the jurisdiction where TikTok was created - and is mainly operating - that is, China."

On the one-stop-shop mechanism (cooperation tool under the GDPR whereby regulators in the country where a company is based take the lead on investigations): "There is little doubt that the procedures envisaged in the GDPR are complex and often not timely enough compared to the accelerated pace of our [life online]. In particular, the one-stop-shop mechanism is highly controversial and difficult to implement on account of the procedural challenges it entails."

In defense of the one-stop-shop: "One must acknowledge that the GDPR has attempted to reconcile proximity to individuals - who are enabled to approach the authority closest to them - with the need for coordinated enforcement by supervisory authorities. This is far from negligible."

On a European data protection regulator (an idea backed by several German regulators): "One could argue that the closer cooperation achieved among supervisory authorities will result in a more centralised approach to the protection of a right that is increasingly pivotal in Europe. However, one must certainly never endanger the independence [of] the EDPB." That would seem to rule out a model à la competition law, where enforcement of big cross-border cases is handled by the EU's executive arm, the European Commission.