Annual Report for 2006 - Summary
Annual Report for 2006 - Summary
Main Legislative and Regulatory Developments
- Act no. 38/2006 set up the National Centre for the Fight against Child Pornography on the Internet. Its tasks consist in collecting, from police forces, reports on sites disseminating materials that are related to the sexual exploitation of children; the Centre is also entrusted with keeping a register of such sites, their managers and the respective payees. The Centre collects the reports lodged by electronic communications providers with regard to contracts with companies and/or entities that disseminate or deal in the said materials. A Decree implementing this Act was recently issued by the Minister of Communications in agreement with the Minister for Reformation and Innovations, after consulting with the Garante, to set out the technical measures connectivity providers are required to take in order to prevent access to child pornography web sites.
- Act no. 281/2006 laid down measures concerning destruction of materials related to unlawful interception and “profiling” activities; such materials may not be used in a judicial proceeding and must be kept in a secure place as confidential information under the responsibility of the relevant public prosecutor – pending the decision to be handed down by the judge for pre-trial investigations concerning their destruction. This is aimed at preventing acquisition of the materials in question by unauthorised individuals. The Act leaves unprejudiced the Garante's power to establish and prevent the unlawful dissemination of data and/or documents and impose the applicable sanctions, also following exercise of access/rectification rights by data subjects.
- The 2007 Budget Act (Act no. 296/2006, paragraph 542) authorised an increase in the permanent staff in order to allow the DPA to better discharge its institutional tasks with particular regard to supervisory and control functions. The Garante was empowered to increase its staff by no more than 25% of the total number of staff referred to in the Data Protection Code, in compliance with the apportionments made for the next three years (amounting to 21.846 million Euro in 2007, 21.591 in 2008, and 21.986 in 2009).
Parliamentary Hearings: The Garante was heard several times by Parliament during 2006 with regard to major issues being debated by the competent Parliamentary Committees – in particular, technological innovations in the public administration and the impact of those innovations on the protection of privacy, with a view to ensuring citizens' trust in their relationships with institutions. Additionally, the Garante contributed to the Parliamentary inquiry into telephone wire tapping as for the issues related to compliance with security measures by judicial authorities and telecom operators as well as with regard to publication of the contents of lawful (i.e. authorised) interceptions. Reference can also be made to the hearing concerning the data protection safeguards the Garante had called for in respect of the new pieces of legislation aimed at countering tax evasion – in particular concerning the interlinking of different databases.
Opinions: Under section 154(4) of the DP Code, the Prime Minister and each Minister are required to consult with the Garante when drafting regulations and administrative instruments that are liable to impact on personal data protection. Within this framework, several opinions were rendered by the Garante in 2006 on major issues such as, in particular, coercive medical examinations in the absence of drug addiction; the electronic interlinking of information systems and automated archives managed by the agencies competent for migration matters; access to administrative documents; collection and retention of the data included in the national register of the entities authorised to apply medically assisted reproduction techniques; management of telephone subscribers' data in connection with the activities falling within the scope of competence of the Ministry for Home Affairs; and card fraud prevention.
Main Decisions by the DPA
Law Enforcement Databases
Databases set up for prevention and security purposes by police bodies were among the most significant areas of activity for the Italian Garante. In particular, the Garante focused on the so-called “joint police intelligence system” set up at the Public Security Department of the Ministry for Home Affairs. This database was set up pursuant to a statute and is managed jointly by the Italian police bodies.
The size of the database, the nature of the data it contains, and the high number of staff that are lawfully entitled to access it for prevention and/or investigation purposes make it a database of major national interest.
The Garante's action consisted in ordering the Public Security Department to take organisational and technical measures and precautions in order to enhance security levels, also with regard to the interlinking with databases held by public and private entities. The most significant measures in question are summarised below:
• Encryption for certain categories of filing system;
• Authentication and authorisation procedures, requiring strong authentication tools to be implemented - including the possible use of biometrics;
• Security auditing;
• High-integrity, high-reliability access and operational logs (certified logging systems);
• Digital workstations certification with a view to asset management and security;
• Appointing an in-house privacy officer in charge of managing both the IT security features of the database and the relationships with the Italian DPA.
This is the first stage of an investigation started by the Italian Authority in view of more in-depth analyses concerning the substance of the measures to be adopted, by having regard also to proportionality, purpose limitation etc. .
Additionally, the Garante requested the processing operations performed by law enforcement authorities to be listed in full in accordance with the requirements set out in the DP Code, so as to actually enable oversight and control over their operation – which is currently the case only with regard to the “joint police intelligence system”.
Reference should also be made to the inquiries carried out by the Garante in 2006 – which are partly still in progress – with regard to the discreet surveillance alerts entered in the national section of the Schengen Information System (SIS). These inquiries were aimed at verifying, in particular, compliance with the data protection requirements set out in the Schengen Convention as for data quality and accuracy of the information. The Garante also started investigating the mechanisms deployed for the EURODAC database by taking account both of the lawfulness of the processing and of the adequacy of the security measures to be implemented.
Following a report lodged with the authority, the Garante decided to collect preliminary information in order to assess, also via on-the-spot inspections, the data processing operations carried out by a special investigation squad of the Carabinieri, which allegedly had set up a database containing genetic information taken from crime scenes – to be used for judicial investigations.
The security measures applying to the processing of personal data by judicial authorities and offices were also addressed by the Garante in 2006, on the basis of a co-operative approach involving the relevant judicial authorities. In order to verify compliance with the applicable security requirements, the Garante decided to carry out on-the-spot investigations in some judicial offices.
Security in Telephone and Electronic Communications
In the past year, the Italian Garante carried out in-depth controls on both the processing of traffic data and some security features related to telephone and electronic communications.
The processing of traffic data has been the subject of ever-increasing interest partly because of the concerns raised in Italy by media reports on several judicial investigations into the unlawful processing of call data records.
Following a complaint lodged by an Italian citizen on account of the allegedly unlawful disclosure of his call data records, the Garante ordered the main Italian telephone operator to take specific measures and precautions in order to enhance security levels. Such measures were focused in particular on the authorisation systems and auditing capabilities of IT systems, which were partly ineffective in respect of technical staff with privileged access features – such as system administrators and database administrators.
The Garante also started an in-depth investigation into the systems deployed by the main telephone operators so as to get the full picture and set out effective measures – in pursuance of Section 132 of the DP Code – to be complied with in retaining such telephone and electronic traffic data as may only be used for judicial purposes.
Furthermore, the Garante took steps to enforce security measures in telephone systems in order to protect the information acquired by telephone operators in performing lawful interception activities and, more generally, in co-operating with law enforcement authorities. In particular, the Garante aimed at ensuring that information could be exchanged between telecom operators and judicial authorities via secure communication channels, or else via channels made secure by the adoption of IT technologies; banned any plaintext transmission via non-secure channels; and required the operators to only use e-mail with qualified digital signature and/or secure web-based services with SSL encryption protocols and strong authentication procedures.
As for the broader issue of security in electronic communications, the Garante initiated exchanges of views and co-operation actions with the other public authorities and institutions in charge of specific tasks in this area.
Data Protection and Internet Search Engines
The Garante took steps to enable data subjects to exercise their right to rectify the data contained on web pages by updating the information retrieved via Internet search engines – in accordance with the principle whereby everyone has the right to accurate self-representation on the Net, regardless of where the relevant information is posted. To that end, the Garante wrote to Google at the company's headquarters in California, USA - where the search engine servers are based – and called upon the company to devise solutions that could do away with persistence on the Net of obsolete and/or inaccurate personal information even after such information had been amended at the “source websites” from which the relevant pages were extracted. This initiative was based on the claim lodged by an Italian citizen, who had found that information on a criminal proceeding instituted against her continued to be available via Google's search engine even though she had been acquitted of all the charges; this was due to the many cache copies and the various abstracts produced by the search engine, which provided a distorted image of her situation compared with the correct one shown on the source websites. Although Google already has a mechanism in place that allows a website to delete obsolete links and/or non-existing URLs, this is not sufficient to adequately ensure the so-called “right to oblivion”. Google Inc. was also invited to post a clearer information notice on www.google.it, spelling out that the controller of the processing carried out by the search engine is the US-based company, and detailing how users can quickly have web pages erased or updated whenever such web pages have been modified at the source websites. A meeting was subsequently held with representatives from Google Inc. at the DPA's premises, and a fruitful dialogue was started.
In 2006, the public administration was required to take steps in order to adequately take into account and publicize the safeguards provided for in respect of the processing of sensitive and judicial data. The personal data protection Code requires public bodies to issue ad-hoc regulations in order to collect, use, and retain such sensitive and judicial data as are indispensable for their institutional activities. The regulations in question must specify and provide the public with information on what data is processed and for what purposes. This requirement applies, in particular, whenever specific guidance is not provided to that effect in the laws that, from time to time, authorise public bodies to discharge certain tasks which entail the processing of sensitive personal data. The obligation in question arises out of article 8(4) of directive 95/46/EC, which – as is well known – only allows processing the data at issue on specific grounds in the substantial public interest and by affording suitable safeguards. The draft regulations submitted by public bodies must be approved by the Garante.
As well as being necessary under the DP Code, drafting the said regulations provided the whole public administrative sector in Italy with a significant opportunity to further modernise its structures also in terms of the available safeguards and operational transparency. In this manner, the public administration could adjust its organisational and functional framework by having also regard to the respect for fundamental human rights and freedoms – which must be mirrored in all the activities carried out by public administrative bodies.
In assessing compliance with personal data protection legislation in different public sectors, the Garante could appreciate the growing social awareness of the need for protecting the fundamental right to personal data protection better and more specifically – also with regard to areas that had not been expressly taken into account yet.
In order to ensure the appropriate application of the DP Code, and in the light of the forthcoming deadline set in the law (i.e. 28 February 2007), the Garante enhanced its co-operation with Regions, local municipalities and universities in order to lay down the relevant draft regulations by also making available model drafts; this co-operation was also afforded to the Prime Minister's office and other public bodies by having regard to the respective institutional functions. In this manner, it was possible to ensure that the drafts submitted for the DPA's approval could be streamlined with the regulatory framework ever since their initial development; this resulted, in turn, into an increase in the number of favourable opinions, which could establish that the guidance provided in the course of the correspondence between the individual administrative offices and the Office of the Garante had already been taken into due consideration.
The comparative evaluation of 92 draft regulations afforded the Garante a wider gamut of inputs to systematically assess the mechanisms deployed by the public administration in processing sensitive personal data.
In particular, a few criticalities were found to be quite common, and in some cases this prevented a favourable opinion from being rendered in respect of the draft regulation submitted; more frequently, a favourable opinion was issued, however several “conditions” were laid down and this considerably increased the casework for the Authority. For instance, there was a tendency by some public administrative authorities to pursue the “legalization” either of a set of processing operations that did fall outside the scope of the relevant institutional competences or of processing mechanisms that were unquestionably disproportionate compared to the purposes to be achieved.
An especially demanding task consisted in assessing whether processing of the categories of sensitive and judicial data specified in the model drafts was actually indispensable. In many cases it proved necessary accordingly to eliminate certain categories of sensitive and/or judicial data, or else certain processing operations as set out in those drafts.
Opinions were rendered by the Garante, inter alia, on the draft regulations submitted by the Ministry for Home Affairs, the Ministry of Defence, the Ministry of Education, the National Research Council, the Court of Auditors, the Council of State, Regional Administrative Courts, as well as several local authorities and research bodies.
The Garante took steps with regard to a hospital in order to terminate the processing of data carried out by the hospital's Internet website, on which pictures of children affected by common child diseases had been posted. This case was found to entail the processing of sensitive data related to children, which may not be disseminated and are afforded enhanced safeguards in order not to jeopardise the harmonious development of their personalities. As also set out in the physicians' code of practice, it is prohibited for a health care practitioner to disseminate, via the press or other media, information that may allow identifying the data subjects; additionally, health care practitioners must ensure that patients may not be recognised whenever clinical and/or observation data concerning individual persons are published in scientific papers.
The Garante addressed the issues related to access to the so-called Holocaust Archives that are kept in Bad Arolsen (Germany). A draft regulation on access was developed during 2006 by representatives from the Governments of signatory countries to the 1955 Bonn Agreement (which regulated the establishment and operation of the archive) – including Italy. The Garante had no objections against access to the records on the spot for historical research purposes, subject to the safeguards detailed below. Conversely, duplication of the archives, as requested by some countries, would raise far more complex problems; in the our view, it would require an undertaking by all States (including non-EU countries such as USA and Israel) to afford at least equivalent safeguards – in particular by having regard to the rules applying in the EU to data transfers to third countries. At all events, the safeguards to be envisaged in connection with the archives are those set out in the European data protection directive as well as in the Code of practice developed in Italy with regard to the processing of personal data for historical research purposes.
Profiling: Hotels and Loyalty Cards
The Garante banned the processing carried out by a major hotel chain, which collected data related to customers' tastes, habits, length of stay, and other items of information in order to better know their customers and anticipate their requests – without providing adequate information notices to them and without the customers' consent to further processing operations (for marketing purposes and/or communications to other companies). The Garante prohibited any use of the data collected in the above manner, and required the hotel chain to reword the information notices, request consent for processing the data with a view to profiling and marketing activities, and lay down specific retention periods. Additionally, administrative sanctions were imposed on account of the inappropriateness of the information notices and the failure to notify the processing to the Garante as required by the law.
In another case concerning a major retailer, the Garante prohibited the processing of personal data that were collected with a view to issuing “loyalty cards” to customers and were unlawfully used also for marketing purposes. The Garante ordered that the information notices should be reworded to specify that the purposes sought included profiling and communication of customers' data to a bank. In particular, the Garante prohibited the company from making the issuance of loyalty cards conditional upon the customers' consenting to the processing of their data for marketing and profiling purposes.
The Garante has been receiving complaints and requests for clarification with regard to the processing of data in connection with condominiums ever since it was set up. After issuing specific decisions in the past years, all the different items were consolidated in a general decision that was drafted in 2006 partly following a public consultation – so as to give rise to a veritable “Vademecum” for condominiums. This Decalogue provides guidance on how to comply with data protection rules in the different situations related to life in a condominium (such as, for instance, the prohibition against publicly posting a list of defaulting tenants, or the precautions to be taken in processing sensitive data).
Guidelines Applying to the Collection and Use of Personal Data by Private Sector Employers
A unified framework of guidelines applying to the processing of employees' personal data was laid down by the Garante in December 2006, also following several requests for information and complaints lodged by employees, trade unions, and trade associations.
The main points made in the guidelines concern: a) the need to only process indispensable personal data (data minimization principle), which also applies to the arrangements concerning visible badges and similar contrivances; b) the need to adequately inform employees on the use of their data, their data protection rights, and how to exercise them; c) the need for the employees' consent prior to disclosing their personal data to third parties (also when posting their personal information on billboards and similar devices); d) the need to refrain from the blanket use of biometrics, which must be reserved for specific, adequately documented cases (e.g. access by certain employees to high-security or dangerous areas) and requires the Garante's prior checking; e) the need for taking special precautions in handling employees' sensitive data, which must be kept separate from other non-sensitive information
These general guidelines apply to the private sector and will be followed by additional, more specific instruments addressing, for instance, the use of e-mail services and Internet at the workplace.
Credit Reference Agencies
Following inspections carried out in respect of credit reference agencies (CRAs, or credit information systems, as they are called in Italy), the Garante issued six provisions in which the processing carried out by such CRAs was found to be unlawful. This was related, in particular, to the circumstance that several telephone operators used to carry out checks on customers' creditworthiness and reliability by means of the information derived from CRAs – at the time of stipulating the relevant contracts. In this manner, the data collected by the CRAs for the purposes of protecting credit and reducing the attending risks were disclosed to entities that were not authorised to access such data. Additionally, the information notices provided to data subjects were found to be incomplete and the security measures were inadequate. In some cases excessive data were processed compared to those required in order to verify timeliness of payments.
In another decision, the Garante addressed the retention period of the so-called “positive” information, i.e. the data concerning regular payments of instalments and/or the extinguishment of debt. The Garante specified that the maximum retention period may not be in excess of thirty-six months in these cases.
A decision adopted by the Garante in October 2006 provided an opportunity for setting forth some general principles in respect of e-ticketing. The decision specifically concerned e-ticketing in Rome and Milan, where integrated transportation systems have been in place for some years. Such systems share several features (e.g. smart cards are used in both cases by subscribers; a centralised data base has been set up for management purposes and for the analysis of aggregate data), including the possibility to collect additional data (other than those provided by the subscribers in signing up for the service) via the smart cards. Such additional data are stored on the smart card chip (validation data and a given number of validations), on the validation machines at the entrance stations (chip identification data such as serial number, subscription number, and validation data) and in the central database (subscribers' ID data, card chip serial number, validation data from machines). The main guidelines provided, to be possibly adjusted in future also in the light of technological developments, are the following:
• Validation data (time/place) may be stored on the e-ticket (smart card), but only if not excessive (4-5 validations are enough for the relevant purposes);
• Other data (such as the e-ticket serial number) may be stored on validation machines, but only temporarily - e.g. for 24 h to match those data with black lists (stolen cards, expired subscriptions, etc.);
• There should not be any centralised storage of an user's ID data associated with the respective e-ticket data: statistical analysis and service improvement do not require personal information. A limited retention period (72 h) is acceptable in order to manage malfunctioning / problems; thereafter, the data must be anonymised to ensure data protection and freedom of movement. This leaves unprejudiced the possibility to store the data centrally for longer periods in identifiable format if this is required on specific grounds (e.g. need for in-depth investigations in a concrete case).
Unsolicited Telephone Services
Following a considerable number of claims, reports and enquiries pointing to the occurrence of repeated violations related to the activation of unsolicited telephone contracts, cards and/or services, the Garante considered it necessary to lay down framework safeguards that could ensure respect for citizens' fundamental rights and freedoms. Different cases were at stake: mobile phone cards activated on behalf of unwitting data subjects; activation of unsolicited carrier pre-selection; or additional telephone services activated either by one's provider or by another provider. The Garante stressed that all the entities involved in processing such data are required to ensure that the data are collected and stored for specific, explicit and legitimate purposes and processed, also thereafter, fairly and lawfully by complying with the provisions contained in the DP Code as well as with any other relevant piece of legislation as related to data processing – including the requirement to identify subscribers to and purchasers of pre-paid mobile phone cards before activating the respective services, i.e. at the time the electronic cards are delivered and/or made available. To that end, suitable procedural mechanisms were recommended.
Codes of Practice
Work continued throughout 2006 on the draft code of practice applying to the Internet, with the participation of a large number of representatives from trade associations and the relevant industry sector. The codes of practice applying to other sectors (private detectives, investigations carried out by defence counsel in connection with criminal proceedings) are also under way.
In the light of the importance of this tool, an ad-hoc regulation was published in the Official Journal to clarify the mechanisms whereby the Garante can foster the adoption of codes of practice in sectors of substantial public interest that require specific regulations (e.g. employer-employee relationships and marketing). The regulation also sets out the criteria to be fulfilled in order for a given trade/industry association to be regarded as actually representative of the respective sector.
The Garante issued an interim order to block use of the personal data that served as the basis for a TV programme concerning a drug test performed on 50 MPs without their being aware thereof. The Garante found that medical data had been processed unlawfully in this case, especially by having regard to their collection – irrespective of the dissemination of such data via the TV programme. The persons concerned had not been informed about the explicit purposes of the processing, and their biological samples had been collected in a misleading, unfair manner. Based on these grounds, the Garante prohibited the collection, storage and use of the data in question.
In connection with a prior checking application, the Garante took the opportunity to clarify the data collection safeguards to be implemented by the companies offering interactive advertising services on digital terrestrial TV. The Garante ruled that collecting and using the data for such purposes was lawful on condition specific arrangements and measures were taken prior to offering the services in question. Reference was made, in particular, to the need for providing a detailed information notice via an ad-hoc screenshot prior to collecting the data, as for both use of the data and the rights afforded to data subjects under the law. Where required, the consent must be free and specific – e.g. an ad-hoc key will have to be pressed. In no case may a company set up a centralised database; the data may be kept for a limited period (6 months) and stringent security measures must be in place.
Media and Respect for Human Dignity. In June 2006, the Garante took steps ex officio and issued a general decision setting forth the requirements to be complied with following several instances in which newspapers had published transcripts of judicially authorised interceptions. The Garante stressed the need for reconciling citizens' right to be informed and freedom of the press, on the one hand, with respect for fundamental rights and freedoms of the individuals concerned – in particular, their right to privacy. The wiretap records published in full actually contained passages concerning personal and/or family relationships, or victims of the relevant offences; third parties that were not the subject of the specific criminal investigations were involved in some cases. The Garante recalled the provisions in force and referred to the need for complying with the principle whereby only information that is material to the case must be published and no reference should be made to relatives or other individuals having no connection with the specific case; respect for human dignity should be paramount, and special safeguards are required in respect of the information concerning a person's sex life. The decision was addressed to all data controllers in the journalistic sector and published in the Official Journal. All media were called upon to perform a more careful, in-depth, autonomous, responsible analysis as to whether any details that are disclosed are actually material. In the Garante's view, the reduced privacy expectation of public figures and/or holders of public offices must be reconciled with the journalist's inescapable duty to protect human dignity and third parties' rights.
435 formal complaints (regulated by sections 145-151 in the DP Code and related to failure to exercise access / rectification / erasure rights) were decided upon in 2006. Most complaints concerned processing operations by banks, financial companies and private credit reference agencies. However, some of the cases addressed in the past year allowed tackling new issues attracting special interest, in particular as regards the following:
- Two cases concerned the monitoring of employees in the private sector, in particular as for the storage of personal files in a company's computer and the monitoring of Internet navigation. In both cases, the Garante ruled that the processing carried out by the employers was unlawful because the employees had not been informed in advance about the possibility that this type of monitoring would be carried out as well as because the processing in question was excessive by having regard to the purposes to be achieved (i.e. ensuring the appropriate performance of job assignments). The Garante emphasized, in particular, that the monitoring could be limited to establishing the existence of “personal files” in the company's computer, without accessing the relevant contents, and to only verifying the duration of browsing, respectively.
Another interesting complaint was lodged by a lady alleging the unlawful use of her image made by a political party, which had posted bills containing her image on the occasion of an enrolment campaign. The lady had recognised herself in the image in question and applied to the Garante, which granted her complaint because the processing was found to be in breach of her personal identity. The relevant picture had been taken about twenty years before on the occasion of a public demonstration and its use was liable to represent the lady's personality in a different light from what corresponded to its current status. The Garante ordered the political party to immediately remove the bills and prohibited any future use of the image on websites, printed materials and/or propaganda materials.
A complaint concerning the sending of advertising e-mails allowed the Garante to reiterate the prohibition against sending such emails without the recipients' prior consent – also with regard to the initial contact emails. The Garante ordered the company in question to erase the complainant's personal data from its database and stressed that an email address may not be used unrestrictedly merely because it can be found on the Net.
The inspection activities by the Garante were enhanced in 2006, partly on the basis of the six-month inspection plans developed by the DPA. Overall, 350 inspections were carried out. They mostly concerned private entities and were aimed at checking compliance with the main requirements laid down in the data protection legislation. In particular, the Inspection Department focused on the processing of personal data by credit reference agencies; the processing of medical data by pharmaceutical companies and health care bodies; the online processing of personal data; and the processing aimed at the provision of goods and services via distance selling mechanisms. In performing such inspections, the Garante can also avail itself of a specialised squad within the Financial Police (Guardia di Finanza), which was entrusted with checking compliance with the requirements concerning notification, information notices, security measures, and enforcement of the resolutions adopted by the Garante.
Following the inspections, 159 proceedings were instituted with a view to the imposition of administrative sanctions; in 11 cases criminal information was preferred to judicial authorities. Criminal infringements concerned non-compliance with resolutions adopted by the Garante; failure to take minimum security measures; and the violation of the prohibition against the remote monitoring of employees. The administrative sanctions imposed are expected to yield minimum revenues amounting in 2006 to about Euro 600,000.