Address By Antonello Soro, President Of The Italian Data Protection Authority, On Submitting The 2013 Annual Report To The Italian Parliament
Rome, 10 June 2014
"BIG DATA AND GLOBAL SURVEILLANCE"
Mr. President of the Senate,
Ladies and Gentlemen,
The past year was especially important for our Authority. The right to the protection of personal data was the focus of considerable attention by institutions and, above all, the public opinion.
The international uproar and indignation caused by the news on IT espionage provided an opportunity for increased, renewed awareness of the rights at stake but were also a turning point as they gave rise to many disputes in a legal and political perspective as well as in inter-State relations, whilst they seriously undermined citizens' trust in the innovations brought about by the digital revolution.
Edward Snowden's revelations gave new momentum to the need for making data protection the foundation of citizenship: in a world where essential features of our lives are committed to technology without any constraints, protecting our data means protecting our lives and freedom.
The notion of privacy in its full-fledged dimension provides an extraordinary probe for today's social, legal and value framework as it allows grasping trends and conflicts, potentialities and risks, descrying new horizons and making decisions more knowledgeably.
The right to privacy as commonly known, that is the right to protect one's intimate sphere against the most diverse interferences, has taken on features that brought it increasingly closer to human dignity in the new world of all-pervasive, all-powerful technologies. It sums up all freedoms that pertain to individuals: the freedom to choose, to be different, the freedom not to be controlled, the freedom to unreservedly express one's creativity.
The changes brought about by the unrelenting evolution of technologies feature in all aspects of our daily lives and raise substantial challenges for our Authority.
It is exactly because we are tasked with safeguarding a right that is recognized as fundamental in the EU's legal order that our role of guarantor is a key one in today's society. We strive to strike the necessary balance between authoritative power and freedom, private life and information, privacy and security, individual and marketplace, privacy and transparency.
Against the backdrop of in-depth changes and taking account of the global effects produced by many events as well as of the geographical boundaries we are to respect, we appreciate how difficult it is to strengthen safeguards for citizens, make protection more effective, and impose rules on world-level business players.
It is unquestionable that the reconciliation of technology and protection of fundamental rights in the digital arena must be found at a supranational level – and the Resolution adopted by the UN General Assembly in November 2013 is especially important in this regard; however, there is little doubt that those vested with responsibilities and power are under the obligation to committedly and determinedly counter the distortions of this system.
This is why one cannot but be disappointed by the far from resolute approach shown by Governments in adopting the new European data protection regulation – it was a missed opportunity for achieving a sound legislative framework that might serve as a fundamental benchmark worldwide.
We urge the incoming Italian Presidency of the EU to give new momentum to this project.
Because of its playing a pivotal role in any democracy that aims at being truly liberal and putting the individual at the core of its framework, the right to the protection of personal data must be the beacon of all lawmaking activities.
Privacy and Security
The Datagate was the point of no return in the privacy-to-security relationship.
It is in a way the reverse of 9/11, which impacted so deeply on the perception of new threats and produced tolerance vis-à-vis growing restrictions on freedom for the sake of a reassuring concept of security that proved ultimately delusive.
The disclosure of the Prism case does show how risky it can be for democracy that major ISPs and anti-terrorism emergency legislation exist side by side in the same country – democratic as it may be.
Those risks are compounded by the vulnerability of the IT systems where whole chunks of our lives as well as our communications are stored, which are then made available to intelligence agencies pursuant to legislation grounded in "glass man"-style authoritarian principles, whereby if you have nothing to conceal you have nothing to worry about.
Indeed, authoritarian regimes – of which there are as yet many in the world – have ever relied on interference with "the lives of others" as the main tool for their power: this is why defending privacy means, first and foremost, defending freedom.
This was highlighted most clearly by the EU Court of Justice, which invalidated the data retention directive by its judgment of 8 April because it found that it had breached the proportionality principle in balancing privacy against security. This balancing ought to consider the type of offence and the specific investigational requirements, and be subject to the review made by an independent third-party authority – whether a judicial or an administrative one.
It should be noted that this typically European approach is being endorsed increasingly also by the US Congress.
Protecting the systems where data is stored is a precondition for data protection.
This is all the more true if one considers databases that play a strategic role in terms of the quantity and quality of the information they contain – such as those run by the Ministry of the Interior for security purposes (from the anti-mafia database to the police data processing centre). Here our Authority worked to implement more stringent safeguards in the interests of both the citizens whose data are processed and of the investigations that rely on such data. Those safeguards are expected to also apply to the new DNA database.
Privacy and public security are mutually complementary not only because privacy reduces the vulnerability of systems and facilities that are instrumental to security, but also because massive data collections do not translate automatically into more effective and balanced investigations – given the difficulties encountered in handling a wealth of information that is far from selective in nature.
Cyber-threats raise the most daunting challenge to States currently.
Truly effective countermeasures cannot but be grounded in the appropriate selection of the targets to be monitored and the data to be gathered as well as in the taking of arrangements to ensure systems security.
We took steps to fulfil our mission – in line with the DP Code – also in connection with intelligence services. This is an area where individuals' rights are traditionally overridden by national security requirements – as shown, in particular, by the fact that intelligence agencies were given specific competences in this area and were accordingly empowered to systematically access all public and private databases under a decree by the Prime Minister's Office of 24 January 2013.
A Memorandum of Understanding was entered into with the DIS [Intelligence and Security Department] to gather information regarding the said processing operations, which must be accompanied by adequate safeguards exactly because of their invasive potential. Those safeguards must be set forth by the DPA as well – which was reiterated by the German Constitutional Court in its judgment No. 31/2013.
The MoU, which is unprecedented in Europe, is considerably important per se.
We hope it will be a "model" for the security policies implemented by the Government from now on.
Similar requirements in terms of data protection underlie the decision issued with regard to interception activities by public prosecutor's offices; without in any way impacting the exercise of judicial powers, the DPA laid down fundamental measures to protect the privacy of citizens whenever they are intercepted on whatever grounds. We encountered some resistance in this regard; still, we believe it is high time all the institutions involved committed themselves to a greater extent.
The Digital Society: From Individual to Data
The mission we are called upon to discharge and the ambitious challenges ahead of us cannot but take account of the in-depth structural changes that have affected life-styles, labour and business processes, and the modernization of public administrative bodies. Information is collected continuously and unrelentingly whenever we strike any type of relationship.
From browsing behavior (visited pages, reading time, shared information) to the data collected by apps (quickest route, bodily functions, geo-location) or contained in email accounts, up to smart sensors capturing our mood, everything converges into increasingly customized and pervasive profiling that allows building up sophisticated digital identities via unprecedented mechanisms at an unbelievably fast pace.
Technological integration and permanent connectivity make it hugely simpler to collect, store and process information, so that a huge amount of data can be aggregated at a low cost without time or space constraints – only consider the potential of cloud computing.
We are always "on", and we are ready – often unwittingly – to surrender information in exchange for benefits or convenience. It is almost as if we were staring speechless at the "Wonderland" of digital products.
But one is not surrendering just one's name; in fact, one is giving away the full picture of one's interests, opinions, movements – in short, one's life, which is then pieced together like a jigsaw puzzle to yield different identity profiles.
The digital space is no parallel reality, it is actually the dimension where an increasingly larger portion of one's real life is located. Every single move one makes day by day leaves a digital trace, which nobody can wipe out.
The representation of one's self is increasingly committed to fragmented information that is distributed over several databases, whose whereabouts are often unknown.
The very relationship between public authorities and individual is grounded to an increasing extent in the unrelenting collection of data and information regarding that individual and his or her network of relations – indeed, in the demiurgic function of algorithms.
Algorithms are used to categorize, match, process and build profiles; to file and index individuals as if they were obtuse abstractions suspended in an intangible limbo – unable to be free.
The digital individual – being de-materialized, disembodied – is meant to only correspond to the information relating to him or her, which information is selected, processed and disclosed (via search engines) by yet other entities.
Thus, that information becomes the only projection of one's self into reality – rather than being a virtual double that exists side by side with the real individual, it is the abridged representation of one's whole life as well as the sole social memory of that life. As such, it can influence individual memories and steer one's relations and destiny in a given direction – both during one's life and afterwards.
Surveillance in the Age of Big Data
How frail the data collected and stored in jumbo servers can be whilst individual and societal behavior can be scrutinized by working out billions of informational items is all the more evident if one considers the dangerous interplay between digital companies and espionage – which is one of the facts of life and was simply spotlighted by the Datagate. The data collected for commercial purposes become increasingly appealing for security purposes and this is leading to an inextricable tangle.
It is even more difficult to conceive of the power accruing to major companies that can count on huge information repositories and do business almost exclusively thanks to the value of data.
The fact that free-of-charge services are offered in exchange for the massive collection of information means that an ever smaller group of Internet providers are enabled to predict and direct individual decisions. This is the rationale underlying the sophisticated advertising that is targeted to users' browsing habits – so that users are presented exactly with what had raised their curiosity or interest.
In this manner, Internet giants are filling up all the room for brokering between producers and consumers and are acquiring a power that is bound to translate into a hugely influential political power. And this power is outside all rules of democracy.
The future is a further cause for concern, as new projects and applications are expected to impact our daily lives substantially – like wearable sensors or domotics smart agents that can keep track of our activities even at home. Each move we make might ultimately be stored in some database.
Surveillance is, by now, part of our life in all its aspects. Unfortunately, we have got used to it.
Think of the increasingly topical risks posed by drones for civil applications – devices mounting micro-cameras that can send, in real time, zoomed-in images also to smartphones. Or think of the thousands of video cameras that can rely on facial recognition or signal deviant/unusual behavior.
On all these fronts the Italian DPA has been working for some time both via the adoption of specific measures and by contributing to sector-specific rules.
Modern surveillance is more invasive exactly because it is subtler and more difficult to dodge – also in the workplace. One should be aware that the new technologies are impacting substantially also on the occupational environment, and that they are potentially more harmful than conventional remote surveillance techniques. Accordingly, it is necessary to strike a new balance, also by way of legislation, to reconcile freedom of enterprise and the right to privacy vested in all workers.
Legal as well as technological solutions are in demand – no question about that. Still, one should regard data protection as the ethical benchmark of technology and manage to handle change by respecting the individual.
The Dangers of the Net: From Hate Speech to Cyberbullying
New types of crime have developed from the Net – ranging from identity theft to highly organized cyber-crime. It is estimated that 500 billion dollars' worth of information is leaked yearly, including stolen IDs, pirated corporate secrets, breached portals and stolen virtual money.
It is too often the case that data breaches affect systems that are vulnerable because obsolete, or websites that have been created without implementing top-level security standards.
Think of the recently reported Heartbleed case, which endangered personal information for millions of surfers including password and credit card data plus bank account information, whilst standard Internet services were also jeopardized such as email or social networks.
In yet other cases the Net is exploited as a channel for harassment and violence that is often targeted at the weaker parties. This type of conduct may give rise to specific criminal offences – in which case there should be no safe haven merely because such offences were committed online, and specific obligations should be imposed on any provider that is notified of the presence of unlawful or illicit contents. This is actually the stance taken both by the European Court of Human Rights and – one month ago – by the Court of Justice of the EU.
Hate speech cases are on the rise, and this also applies to cyberbullying and grooming. The perpetrators often rely on the idea that there is safety in numbers or believe – unfoundedly – that they can remain anonymous. The victims' vulnerability is two-fold – they are poorly aware of the dangers posed by the Net, and are more exposed to the traumatic effects produced by violence on budding personalities.
Being a complex phenomenon that can hardly boil down to a criminal law policy issue, cyberbullying should be tackled by going beyond merely enforcement-focused approaches.
Priority should be given to the concept of a "gentle" or "mild" law, whereby the Net should be kept free from whatever censorship without turning from a space promoting freedom into a space where no law is observed and dignity and rights can be breached recklessly.
The Garante has long been working in this direction, especially in order to foster a "digital citizenship" culture that could make all Net surfers, in particular youths and children, better aware.
This is the reason behind our decision to devote the 2014 Data Protection Day exactly to digital education.
We need a change of tune: youths should no longer be exploited and seen exclusively as passive consumers of technology; in fact, they should be urged to understand what effects may be produced by a cavalier attitude towards the use (or misuse) of the Net and – above all – what risks lurk beneath the surface.
Schools can and must be at the forefront: ad-hoc educational projects are needed to teach youths to come to terms constructively with the new channels for expression made available by the Web.
For their part, teachers, trainers, parents and families must be helped in bridging the knowledge divide regarding the new tools and trends in communications.
On the other hand, one should foster the implementation of devices and systems that are privacy-compliant by design and can protect children – that is, it is necessary for technology to be placed at the disposal of the law.
An exchange of views has started, in particular with Parliament and other institutional stakeholders, and we expect that this will result in important guidance to counter phenomena that require everybody to act committedly and responsibly.
Our DPA: Between Tradition and Innovation Governance
In spite of the difficulties encountered, the principle that no safe haven exists, not even on the Web, is slowly making its way, so that nobody can get away with breaking the law.
Having established that Google had breached the Italian law, we imposed a 1-million Euro fine on Google, which promptly complied with the measures we had set forth.
A new proceeding was initiated against Google jointly with other EU DPAs to address the profiling activities performed by Google via user-related information.
Against this background, the recent judgment of the EU Court of Justice in the Google Spain case shifted the scales in favour of law over technology, but it also recognized – for the first time – that jurisdiction lies with a European country and that it is accordingly necessary for the company to comply with the European data protection directive.
It should be recalled in this connection that both Google and Facebook recently signaled their willingness to carry out an in-depth overhaul of their privacy rules.
Google's decision on the right to be forgotten is to be welcomed, however it remains to be seen how individuals' rights will be reconciled in practice with societal and collective memories.
At all events, the DPA's role will remain a key one.
We have just entered a new, fascinating age where all the stakeholders are called upon to tackle the conflicts inherent in the Net with increased responsibility and strike a new balance between technical feasibility, legal acceptability, and ethical foundations of the digital society.
Additional risks to users arise from the proliferation of the apps that are downloaded daily; indeed, there is a high degree of fragmentation as regards app developers and marketers, whilst huge amounts of data are being collected with poor transparency and security standards.
This is why the DPA started a survey on the medical apps available as of now (totaling about 17,000 so far), as they offer customized treatments, monitor one's health, provide diagnosis and treatment services by processing sensitive data – one of the most intimate components of one's personal sphere.
On a different count, we took steps to enhance compliance by businesses via simplification measures that were aimed consistently to reconcile – in the best possible manner – citizens' rights with companies' requirements.
It is in this perspective that the DPA sought the involvement of all the relevant stakeholders to an ever-increasing extent by way of public consultations and working groups. This was aimed ultimately to foster a wide-ranging exchange of views on the solutions to be devised so as to mitigate, where necessary, disproportionate or poorly effective obligations.
An important decision was adopted concerning cookies in cooperation with telecom operators, setting out a new mechanism for users to give their consent to the use of their browsing data.
Comprehensive as well as innovative measures were introduced in respect of biometrics-based systems entailing major simplifications of the applicable requirements; a decision was adopted recently on mobile payment systems, which are unquestionably convenient but entail the pooling of a wealth of information in the hands of telecom operators, banks and other entities.
We took steps, once again, to ensure that market logic would not encroach unacceptably upon individuals' privacy and households on account of telemarketing activities; inspections were carried out and hefty fines were imposed on individual companies. Additionally, we tackled "silent calls" by way of an ad-hoc decision which did away with some unsavoury practices in this business sector without affecting companies' efficiency.
We adopted Guidelines on spam to address its subtler dangers – such as those arising from social networks; the Guidelines provide a unified set of measures not only to fend off intrusions by spammers, but also to help companies devise advertising campaigns in compliance with the applicable legislation.
In order to raise stakeholders' awareness, we stepped up communication and outreach activities; ad-hoc leaflets were published concerning privacy in social networks, at schools, in joint-tenancy buildings, cloud computing, and corporations.
The right to privacy comes into play not only with communications technologies, but also with bio-technologies. These technologies are hugely valuable, but they are sorely in need of a comprehensive legal framework.
From this standpoint, data protection does play a pivotal role in shaping the relationships between technology and nature, the body and its limitations. Only think of such hot topics as medically assisted reproduction – the recent tube swapping case at Pertini Hospital in Rome testifies to the sensitiveness of the issue – or the child-bearing mother's right to anonymity, or – generally speaking – the tension between adoptive and biological parenting.
As soon as Parliament is ready to enact legislation on these issues further to recent guidance coming from judgments by the Constitutional Court, the Garante will be ready to provide its contribution so as to reconcile the newborn's right to know his or her biological parent(s) with the biological parent(s)' right to remain anonymous.
Data Protection as a Driver of Development
Our DPA is especially keen to make sure that any improvements made to the public machinery do not impinge on safeguards for citizens.
Efficiency, transparency, productivity: these are the objectives legitimating and justifying the emphasis placed on the increased openness of public administration.
The more data is collected to curb public expenditure or enforce the law, the more citizens are entitled to demand that such data is used lawfully and with respect for the other rights enshrined in our Constitutional Charter.
Our DPA worked hard to ensure that data would be exchanged and made accessible in compliance with the applicable rules, this being a fundamental precondition for the data to be only used for legitimate purposes and – above all – protected against unlawful access.
We collaborated fruitfully to regulate strategic databases such as the one aimed at preventing fraud and identity theft; this also applies to the work done on the regulations implementing the national Register of the resident population, which is expected to contain all census data relating to all citizens and to be made accessible to all public administrative bodies – thus becoming the key founding stone of a digitalized public administration.
We attach priority importance to ensuring the security and integrity of databases; indeed, the specific purposes underlying those databases, the type of information they hold and the sheer numbers of the records make them increasingly liable to misuse.
A daunting task we had to tackle was that of setting forth rules and measures, both technical and organizational, to protect the information stored and archived in databases – for instance, we issued those measures in respect of SOGEI [the State-owned IT services company serving the Ministry of Economy and Finance and other public bodies] and issued an opinion enabling public administrative bodies to directly access the databases held by INPS [National Social Security Agency] for institutional purposes.
Especially important was the prior checking activity carried out on the so-called "Income-Meter".
Working with the Revenue Agency, we could strike the right balance between the legitimate requirement of countering tax evasion and citizens' right to have only information processed about them that is relevant to such requirement. This prevented taxpayers from being illegitimately profiled on the basis of their estimated expenses.
There are no conflicting interests as regards the managers or controllers of a database and the rights vested in the citizens whose data are stored in such a database.
Any infrastructure that is vulnerable to IT attacks is inefficient and poses a risk to its own operation and the activity of administrative bodies as well as to the quality of the services being offered and - under certain circumstances – even to the security of the State and citizens at large.
Thus, it is up to institutions to show, first and foremost, that a balance can be struck between efficiency, innovation and respect for rights.
This is all the more necessary if one considers the in-depth overhaul our country is about to undergo in order to fully implement the Digital Agenda.
Privacy and Transparency
The demand for transparency is on the rise because transparency is instrumental to the democratic oversight on the exercise of public authority and administrative activities. In this regard, the online publication of administrative records is indispensable to gauge how public authority is exercised, how institutions discharge their tasks, how competitive examinations and calls for tenders are handled, how and for what purposes public money is spent.
However, some fundamental safeguards must be in place to protect the dignity of individuals – without in any way leaving room for shady decision-making processes or partiality.
This is the rationale underlying the interpretation given by the Garante of the new rules on transparency; ad-hoc Guidelines were produced with advice on how best to implement the rules that require information on natural persons to be disclosed.
In particular, the Guidelines mention specific arrangements to ensure both transparency and the protection of personal data. Ultimately, this is aimed to prevent information from being tampered with or placed out of its context, as this may undermine not only individuals' rights but also the quality of that information.
The Guidelines also refer to specific safeguards applying to sensitive data, whose inappropriate disclosure on the Net might give rise to serious discrimination.
Privacy does not hamper, in fact it can enhance the transparency of public administrative action because it makes it necessary to appropriately select the information that is really instrumental to public oversight.
We do need transparency, but we can do without slapdash transparency: there should be no undermining of fundamental rights for the sake of demagogy.
Against this background, the Garante set forth comprehensive rules to ensure transparency in the way political parties handle citizens' data; additionally, we provided guidance to Parliament regarding disclosure of the donations made to political parties by individual citizens.
Privacy at the Crossroads between Democracy of Information and Media Exposure of Private Life
The pivotal role attained by the Net in the media system and the widespread dissemination of news via blogs and social media have brought about in-depth changes in the world of journalism. The mere fact that a piece of information is posted on the Net impacts considerably on that information and the effects produced on individuals, as it allows retrieving it even after many years – so that a certain event is conjured up and displayed in a partial perspective, because the information is no longer updated, and the multifarious complexity of one's life is downsized to that one moment or situation which may be misleading or anyhow poorly topical.
These issues were spotlighted during the preparatory work for the adoption of an updated code of practice for journalists, whose current text dates back to 15 years ago; views and opinions were exchanged thoroughly over a long time span with the office of the Chair of the board of journalists.
A draft was developed setting forth, in particular, measures aimed at reconciling right to be forgotten and freedom of the press; the attempt was made to apply fairness of processing principles to the gathering of information via hidden devices or misleading practices, and specific safeguards were devised for minorities and weaker parties such as children, sick people, individuals held in custody or refugees.
Further to the principles set forth by the Council of Europe, the draft introduced specific as well as comprehensive rules for forensic journalism with particular regard to any third parties involved, on whatever grounds, in a criminal proceeding on account of circumstances falling below the public interest threshold and relating to the individuals' most intimate sphere.
This applies, in particular, to the proposed rules on disclosure of information on an individual's private life – especially if that individual is not the subject of criminal investigations – whenever such information is obtained via highly valuable as well as invasive tools such as wiretapping or interception of communications.
As for the latter issue, the draft proposed that all items relevant to the public interest would be published, although by respecting the dignity of all the individuals involved and eliminating any details on those individuals' private lives, which are often of an intimate nature and irrelevant with a view to informing citizens appropriately. Rather than publishing the full transcript of tapped communications, priority should be given to the contents of such communications.
In spite of the substantial convergence of views during the drafting exercise, the National Council of the Board of Journalists decided not to approve the proposed draft.
We think an opportunity was missed to tackle many outstanding issues via self-regulatory instruments rather than by top-down legislation enacted by Parliament.
Also in 2013, the Panel of the Garante's Commissioners worked hard and unrelentingly.
606 collegiate decisions were adopted, including 222 decisions on right of access complaints and 22 opinions rendered to Government and Parliament. Almost 32,000 requests for information were handled; 850 violations were notified; over 411 inspections and surveys were carried out, partly thanks to the help provided by the Financial Police (Guardia di Finanza) – and I wish to thank them along with their Commander.
Much work was done, and more is coming, also at international level, where we collaborate fruitfully with the other DPAs.
We can rely on the valuable contribution of our Office, including young as well as highly specialized staff, who work with passion and dedication in spite of their small numbers.
But, faced with the complex issues we have to tackle daily and with the challenges arising anew in the many sectors committed to our oversight, we need urgently to strengthen the structure of our DPA so as to rise up to its new tasks.
We trust Government and Parliament to share and support our commitment in this direction.
In the digital society age, a great democracy must invest bravely in the protection of personal data to uphold citizens' rights along with the State's security.
In conclusion, let me thank my colleagues in the panel of the Garante's Commissioners. We consolidated our mutual trust and collaboration over the past year and this allowed us to achieve the results I have described so far.
I also wish to thank the Secretary General and all those in the Office who put their skills daily and unreservedly to the task so as to ensure that our DPA can operate effectively.
We strive to be increasingly equal to the challenges of our age in the interest of citizens and of our country as a whole.