On June 10, 2014, the Italian Data Protection Authority (Garante per la protezione dei dati personali – “DPA”) presented its Annual Report for 2013. In this 17th edition of the Report, the Italian watchdog sets out the status of the implementation of privacy laws and indicates the steps required to move towards genuine and effective personal data protection.
1. Highlights of the Annual Report 2013
The DPA’s main activities in 2013 concerned the following topics.
Global surveillance in connection with the Datagate affair. “Datagate” refers to the disclosed collection of citizens’ personal data by the United States National Security Agency (NSA). The DPA raised concerns about the surveillance carried out by the NSA and sent a letter to the Italian Prime Minister, requesting him to support the adoption of the draft reform of the EU legal framework for data protection.
Transparency of the online public administration and safeguards for citizens. The DPA issued guidelines to make sure that transparency obligations would not conflict with the right to privacy and data protection. For example, the online publication of health-related information, and of information identifying economically or socially disadvantaged beneficiaries of public allowances, was prevented.
Problems caused by cyber bullying on social networks. On the occasion of the 2013 European Privacy Day, the DPA published a video on its website containing tips on the informed use of social networks. A letter was also sent to the Italian Ministry of Education to bring the growing problem of cyber bullying to its attention.
Taxpayer confidentiality. In-depth prior checks were performed on the data processing carried out by the Italian Revenue Agency for the purposes of the so-called “Redditometro” (an income meter tool). The DPA set forth various measures to be implemented in order to address the many critical issues found. These concerned, among other things, the quality and accuracy of the data used by the Italian Revenue Agency, the expenses estimated for each taxpayer on the basis of a wide range of lifestyle components, and the information to be provided to taxpayers.
Mobile payments. The DPA launched a public consultation on the processing of personal data performed in connection with payments made with smartphones and tablets and, more broadly, through remote mobile payment services (the DPA has recently adopted a resolution on this matter which takes into account the outcome of the public consultation).
Use of biometric data. Significant actions were taken to regulate the use of biometric signatures in banks and the use of fingerprints in the workplace. The DPA found that the use of biometrics to check the attendance of teachers and administrative staff in several schools was disproportionate, in line with the principles set out in the Article 29 Data Protection Working Party’s Opinion 3/2012 on developments in biometric technologies.
Protection of minors in the media and on the internet. The use of webcams in a nursery school was banned in order to protect the children’s privacy, the unfettered development of their personality, unconstrained relationships with their teachers and freedom of teaching.
Protection of data used for justice purposes. Measures and arrangements were adopted to strengthen the security of personal data collected and used in interception activities carried out by the Telecommunications Interception Centres (“Centri Intercettazioni Telecomunicazioni”), which are attached to every prosecuting office in Italy, as well as by police offices tasked with performing interceptions for judicial authorities.
Video surveillance. Based on spot-checks, the DPA discovered several instances of unlawful processing of employees’ and customers’ data by department stores using video surveillance. On the other hand, a longer retention period for video surveillance images collected at some construction sites and storage areas set up in Pompeii was approved with the objective of preventing mafia-related activities. Furthermore, the DPA required health care districts that had installed video surveillance equipment in the restrooms of their facilities, for the purpose of drug testing, to adopt measures and precautions protecting the privacy of any individual whose urine sample was being taken.
Unsolicited promotional calls. Inspections and injunctions against IT companies specialized in database services were carried out to counteract unregulated telemarketing and unsolicited marketing. Hefty fines were imposed because these companies had failed to comply with previous orders. Moreover, automated pre-recorded calls to customers for debt collection purposes were banned. Other developments related to telemarketing (or customer care) activities concerned call centers located in third countries without data protection levels adequate by EU standards. Measures such as the obligation to inform data subjects and to notify the DPA in advance of the call centers relied upon enable the DPA to assess transfers of personal data outside the EU.
Marketing and spam. Guidelines were adopted on marketing and on countering spam, with special emphasis on the new frontiers of spamming such as social spam (via social network sites) and spam based on viral or targeted marketing. A video tutorial and an information page (named “Spam: how you can defend yourself”) were made available on the DPA’s website.
Consent for direct marketing. The DPA adopted a general resolution clarifying the consent requirement for the processing of personal data for direct marketing purposes. In particular, the DPA made clear that a data controller that has obtained a data subject’s consent to direct marketing through automated mechanisms may also process the same data through traditional, non-automated mechanisms (e.g., by post or operator-assisted calls), unless the data subject objects, in whole or in part, to this processing, and provided that the other requirements set forth in the resolution are met.
Consumer rights. Two banks were allowed to equip their financial promoters with tablets capable of analysing the signature of customers entering into financial agreements in electronic format. However, the companies involved in enabling and managing both systems were required to take special measures to protect the data they collected. In addition, bank customers must also be offered the option of signing such agreements by conventional means.
Retention of telephone and internet traffic data. With the help of the tax police, the DPA inspected telephone companies and internet service providers to verify compliance with the legal provisions on the retention of internet and telephone traffic data. Sanctions were imposed for non-compliance with previous orders of the DPA.
Data breach notification. The DPA adopted a resolution on the notification of personal data breaches, providing guidance on who is required to fulfill the relevant obligations, on the measures that can ensure minimum common security standards, and on the timing and content of the notification.
2. A few Figures
The DPA adopted 606 decisions in 2013 (almost 38% more than in 2012).
The number of on-the-spot inspections increased by 4% compared to 2012, to a total of 411. The inspections concerned, in particular, call centers and unsolicited telemarketing; mobile payment services; profiling; data breaches; the tax revenue database; consumer credit; credit bureaus; and the information system of Italy’s social security agency (INPS).
The number of breaches of Italian data protection law found by the DPA also increased, to 850 compared to 580 in 2012 (47% more). 56% of the breaches concerned the failure to provide adequate information to data subjects. Other breaches involved processing without the data subjects’ consent (179 cases); failure to adopt security measures (24 cases); breach of telemarketing rules (19 cases); and failure to notify processing operations to the DPA (12 cases).
The administrative fines levied amounted to over 4 million euros.
In 71 cases the DPA reported matters to the criminal authorities, mainly concerning the failure to adopt the security measures required to protect personal data.