Speech by the President of the Italian Data Protection Authority 2010...
Speech by the President of the Italian Data Protection Authority 2010 
Italian Data Protection Authority
Speech by the President of the Italian Data Protection Authority
On the occasion of submitting the DPA´s Annual report For the Year 2010
Rome, 23 June 2011
Mr. President of the Chamber of Deputies,
Ladies and Gentlemen,
This is the sixth Annual Report we are submitting to Parliament.
Many things have changed over the past few years in the protection of personal data – for two main reasons.
On the one hand, there has been a change in the relationship between the right to privacy and the protection of other rights – first and foremost the right to security and the right to knowledge, which are both key features of today´s world and are supported by the increasingly advanced developments of surveillance and communications technologies.
On the other hand, the development of telecommunications systems is affording new opportunities for acquiring, storing, and using data and information at increasingly lower costs.
The interaction of these two phenomena is raising ever new challenges to the protection of personal data.
This is why we are keen to play our role in a different manner by looking beyond the mere protection of individuals´ rights. We are striving to protect rather than to order; to warn and inform rather than to ban; to draw everyone´s attention – from citizens and institutions to businesses and social/cultural organisations – to the ongoing changes by helping them understand what is happening and be increasingly aware of the risks related to new technologies.
We intend to help everybody understand a world where citizens´ rights and duties along with business, social, and behavioural relations are taking on new dimensions, since no physical barriers are hampering communications and one can draw on world´s knowledge without time or space constraints.
Today´s reality is shaped by man´s creativity and inventiveness, but it requires understanding and governance to prevent man from becoming its captive.
This is why we placed our report under the heading "Of Men and Data".
Man and his data should not be kept separate: data is not merely the by-product of man´s capability to communicate and organize things; in fact, it is an essential component of man´s being.
1. Between Past, Present, and Future: How Our DPA Is Changing
The vision underlying our DPA´s activities has been changing over the past few years.
During the term of office of the preceding panel of commissioners, attention had already been paid to the leading features of technological innovations in those days; major decisions were issued concerning spam, video surveillance, and RFID technologies.
We enhanced our activities in this area by taking also account of electronic communications network and major public and private databases.
Time and resources were devoted to analyzing interception of telecommunications and access mechanisms to the highly valuable telephone traffic databases; our ultimate objective was to ensure that suitable security standards should be in place whilst leaving unprejudiced the limitations on the use of those tools, which may only be set forth by law.
We gave our contribution to regulating access to major databases that play a key role in our country – starting from the taxpayers´ register and police databases. We worked to secure – as much as possible – the huge amount of data and information held by judicial offices. Time and dedication were not spared to lay down rules applying to the electronic transmission of medical data. A daunting task was the one of supporting public bodies in adopting internal regulations to appropriately ensure that the sensitive and judicial data they held for institutional purposes would be processed on the basis of suitable precautions and security measures. Guidance and regulations were also necessary as well as quite helpful in respect of the use of electronic tools in the workplace to reconcile employees´ and employers´ rights.
We stepped in with regard to services that are no longer that new, like YouTube, as well as in respect of the newer, though already quite widespread, social networking services like those by Facebook; we addressed issues related to search engines, such as Google, along with highly sophisticated technology such as location and mapping services offered, for instance, by Google StreetView.
We have been endeavouring to strike the right balance between protecting rights and innovation so as not to hamper either the use of technology in order to curb tax evasion and reduce public expenditure or the deployment of more effective approaches in the public administrative sector - such as those related to the Digital Agenda and the dissemination of access points for citizens.
We had to address, once again, the use of CCTV cameras and remote monitoring tools, partly in connection with the deployment of integrated public-private surveillance systems including data transmission to the police; we had to lay down regulations and supervisory safeguards in respect of the relevant criticalities.
Mindful of consumer requirements as well as of business demands and the need for Italy to be competitive, we introduced several simplifications regarding both business information and security measures as well as in connection with employer-employee relationships.
We fostered and promoted dialogue with all stakeholders – citizens, institutional decision-makers, public administrative bodies, companies, consumer associations. We firmly believe that we are called upon to protect citizens and society rather than to punish.
Considerable attention was paid to codes of professional practice, in particular to address the processing of business information.
We worked out new soft law mechanisms – first and foremost our "Guidelines", which are aimed at recommending the appropriate conduct in especially complex areas. The number of these new instruments has been increasing to such an extent that we decided to collect them into a booklet; they were received favourably by citizens, business, and public and private organisations.
We have ever been ready to contribute our suggestions also in the drafting phase of regulations and general measures that impact on data protection, and this has been welcomed by the public bodies concerned.
2. The Importance of Prevention, Communication, and Outreach Activities for our DPA
We consider our prevention and communication activities to play a key role.
Ours is an independent supervisory authority whose existence is enshrined in European constitutional instruments; our task consists in ensuring that European directives and rules as applying to data protection are complied with also in Italy.
We know that a dynamic vision of personal data protection should focus nowadays on protecting individuals, groups, social systems, the very fabric of our communities. We are not the sole custodians of privacy legislation, nor are we the only ones in charge of ensuring compliance. Still, our institution is called upon to lead the way in developing both general and specialized know-how with regard to any activities and sectors where personal data is used - including the respective criticalities.
We have been paying unrelenting attention to all issues related to the processing of personal data and taken care to provide information and communication resources.
This is why we enhanced institutional communications, which have increasingly addressed specific areas.
Special attention was paid to youths – partly by means of ad-hoc publications concerning social networks, schools, and health care supported by suitable graphical formats – in the attempt to help them understand what is coming up and avert the dangers resulting from poor awareness of the available tools and the applicable rules.
This is why we also organized a public competition for schools called "Privacy 2.0 : Youths and New Technologies"; the winners will be awarded prizes on the occasion of the next European Data Protection Day.
3. Last Year´s Work: Consolidation
A substantial part of our work last year was focused yet again on "consolidating" data protection.
In many sectors, organisations can be said to be fairly familiar with the applicable rules and the decisions issued by our DPA over the years.
However, technological innovations and the expanding gamut of available services conjure up new issues continuously.
Special importance should be attached to some opinions our DPA rendered last year in respect of Ministerial regulations that applied to the most diverse activities – including the rules for air companies to provide passenger information to the police, for banks to access creditworthiness data relating to their customers, for the national register of students to operate, for the setting up of registers of the homeless, for the exchange of information between public bodies to issue driving licenses, or for pharmacies to book specialist visits and collect patients´ examination findings.
In all the above cases, regulating key features of the processing along with data retention periods translated into affording tangible protection to the rights and freedoms vested in air passengers, loan applicants, homeless people – who are entitled to respect for their decisions not to be domiciled permanently anywhere – or any patient relying on pharmacies to book medical or other services that are at times highly sensitive in nature.
We took steps in order to regulate major data flows between public and private bodies.
Indeed, the opportunities made available by IT services enhance the flow of data between public bodies and service providers and/or suppliers.
This was the case, for instance, of the granting of allowances to purchase Digital TV decoders, which made it necessary to rely on the registers of subscribers to the public TV broadcasting service in order to identify who was entitled to such allowances. The same applied to the data exchanges on medical certifications between INPS and INPDAP [two leading national social security agencies], which enabled both agencies to improve their services without placing burdensome obligations on citizens or breaching citizens´ privacy. Reference can also be made to the use of the information contained in the public register of motor vehicles (PRA) to remind car owners of their vehicle check-up obligations, or to grant tax reductions to certain categories of car buyers without any need for them to disclose details on the respective diseases.
All the above cases go to show that protecting privacy is far from being a hindrance to innovation and cost containment; in fact, it can improve quality of service substantially.
We also dealt with activities that play a key role for our country or are at all events especially important to foster scientific research.
We rendered opinions to ISTAT [National Statistics Institute] on the National Statistics Programme and granted authorisations to process medical data for purposes of pharmaceutical research and clinical / epidemiological trials, which prevented processing operations in these highly sensitive sectors from undermining data subjects´ dignity on account of the information at issue – which can disclose health conditions or a person´s conduct including their sex life. To that end, we suggested suitable data anonymisation and segregation mechanisms.
Last, but not least, one cannot but recall the new Guidelines on the reproduction of judicial decisions for legal information purposes along with our decisions on the submission of documentary evidence at trial.
The former are intended to meet the demand for clarification coming from publishers of law literature as for the obligation laid down in our DP Code to only publish certain judicial decisions upon anonymisation of the relevant personal data; the latter decisions explain that admissibility in trial of documents containing personal data that otherwise could not be produced is to be determined by courts rather than by the Italian DPA.
We addressed the implementation of major legislative innovations regarding the computerization of judicial proceedings and civil mediation activities.
In both cases, our co-operation went as far as to partly fill up the legal gaps in connection with the processing of data that by nature requires specific arrangements and safeguards to be in place. The Guidelines applying to the processing of personal data with a view to the web-based publishing of public administrative documents and records laid down general rules to reconcile transparency with protection of privacy.
We consider these Guidelines to be a significant step forward in an area that is evolving continuously.
Still, let us reiterate that the duty of transparency applying to public administrative bodies is not the same as the right to know any and all types of information held by those bodies.
This is why we recalled the difference between freedom of information rules applying to municipal councillors and the dissemination of such information on the media when we were recently called upon to decide whether it was lawful to disseminate data relating to buildings owned by public bodies.
Several decisions were issued in respect of the services sector; two among them deserve special mention – namely, the general decision on data processing in banks and the Guidelines on customer satisfaction in health care.
The former lays down – for the first time – rules applying to a sector where the increasingly widespread mergers and the multiplication of available services give rise to increasingly complex data flows and make it more difficult to keep track of transactions inside organisations that are often multinationals. Its main objective consists in protecting financial data flows by preventing loss and/or intrusions that may harm not only banks and their customers, but also the economic system as a whole.
The Guidelines on customer satisfaction in health care are a sort of new frontier for our DPA, which addressed this issue for the first time in its history.
The measures contained in the Guidelines are based on the assumption that participation in such surveys is always voluntary in nature; the scope of the inquiries must be limited to activities that are not directly related to the provision of health care services. The Guidelines are aimed at protecting patients without preventing the deployment of innovative approaches to assess quality of services and customer satisfaction.
4. Outstanding Issues
Last year we had to tackle, once again, issues that have long been a source of concern to our citizens as they entail unacceptable breaches of one´s private and household sphere.
I am referring to telephone services, in particular telemarketing activities.
An amendment made by Parliament to our DP Code – which we did not receive favourably, but had to comply with – resulted into changing the requirements applying to phone calls made for commercial/marketing purposes, which shifted from an opt-in to an opt-out approach. This means that, as of now, anyone may receive marketing calls unless they have registered with an ad-hoc "Opt-out Register" that is to be supervised by our DPA.
On our part, we clarified that – to better prevent misuse and protect citizens – marketing calls may only be made upon matching one´s list with the data contained in the Register except where the caller has obtained the called party´s explicit consent; additionally, we specified that this new system did not apply to phone calls made for political propaganda purposes.
The experience gathered over the past few months is pointing to flaws and shortcomings that are worse than we expected.
We received hundreds of complaints since last February, over twice as many as in 2010; more than 90% of those complaints concern breaches of the rules applying to the "Opt-out Register".
Not only are we appreciating the shortcomings that affect this system and its operation; in fact, it is proving increasingly difficult to determine the chain of responsibilities when one is faced with processing operations that involve several entities – from the companies concerned to the contractors´ call centres.
Users´ justifiable irritation grows by the day and climaxes for those users that keep on receiving unsolicited calls in spite of their having opted out via the Register.
Similar reactions could be observed with regard to the sending of unsolicited promotional faxes – another of the "seven plagues of Egypt" in this area, which actually is causing major problems to professionals and businesses in their daily activities.
We are not going to give up fighting against these types of misuse, which we consider to be insufferable forms of violence.
Several penalties were imposed by our DPA both in the past year and in the first months of 2011 regarding unsolicited faxes; heavy punishments are about to be also imposed to curb telemarketing in breach of the new regulations.
Still in the light of the experience gathered during the past few months, let us voice our concern for the proposed extension of the opt-out register requirement to postal marketing.
A reasonably balanced approach had been achieved in this area partly thanks to the simplifying measures our DPA had adopted. It would be preferable to leave the matter as it is in order to enable all – citizens and businesses – to reap the relevant benefits.
5. Simplifications and New Regulations
The same considerations apply with regard to the simplification measures that were introduced recently.
We are by no means against simplification; in fact, we support such measures.
We are not keen on a vision of data protection seen by business and society as red tape.
We fully support effective legislation that can tangibly protect citizens and keep pace with technological developments; we know that there are innovations to be brought about and constraints to be amended also in order to cope with implementing difficulties.
However, any initiatives that are taken in this area should be forward-looking and distinguish between what is necessary and what is – conversely – inappropriate because it may lower the level of safeguards and translate into new, cumbersome requirements and implementing difficulties.
In this perspective, we would like to make some points.
Firstly, it is necessary to update the minimum security measures that are laid down in a ministerial regulation dating back to some years ago.
It would be appropriate for this task to be committed to our DPA via a decision that could be adopted after consulting with the competent Ministries, to be published finally in the Official Journal of Italy´s legislation.
This approach would allow adjusting the security measures to technological evolution in a fast, flexible manner as they could be tailored to standards related to corporate size, data categories, purposes and risks of the individual processing operations.
As for the measures laid down in the decree that was recently enacted to foster "development", let us be quite frank: they entail amendments to our DP Code that are mostly inacceptable.
We have already voiced our concerns and criticisms on the occasion of a hearing before the Chamber of Deputies as well as via the media.
As well as being technically questionable, the provisions at issue limit the scope of application of the DP Code substantially in some areas whilst they reduce the safeguards afforded to citizens in other areas.
Many of the provisions in question produce effects that are actually the reverse of what was aimed at – far from simplifying things for business, they may enhance the opportunities for litigation, increase legal costs, and, above all, lead to potentially harmful processing operations.
We know that our considerations were taken into account – also by governmental bodies. We hope the final enactment will be mindful of our requests.
Let me now make an additional point.
EU Member States will be called upon to revise domestic laws in depth over the next few years in order to bring them into line with the new rules that are being developed at EU level; these rules are likely to be set forth in a Regulation as for corporate and business activities, i.e. they will be immediately binding on all Member States.
This is yet another reason why it would be best to only bring about such simplification measures and/or amendments as are absolutely necessary, and thus refrain from short-cuts or hasty innovations.
Our DPA is ready to co-operate with Parliament as required.
6. Freedom of the Press, Freedom of Expression, and Right to Privacy.
Regarding freedom of expression, one should acknowledge that respect is slowly growing for the basic rules that seek to protect individuals´ dignity – at least in the case of the Press. Still, this is not enough.
Indeed, we had to cope with some bad cases of news obsession – which were merely the tips of icebergs rooted in some TV programmes as well as in the web-based dissemination of news and images.
It sometimes happens that news reports of the most diverse kinds attain such levels of bad taste and are so much in breach of human dignity that they are miles away from whatever ethical or legal rules. It is no chance that media and communication experts have coined the wording "pornography of pain" to describe episodes such as those that took place in Italy with regard to the Avetrana or Potenza stories, the recent case in Ascoli Piceno, or even in cases of missing persons and children.
This veritable obsession does not care about age, gender, victims´ status, or even the materiality of the events reported; teasing and appeasing a prurient curiosity is the only objective, especially if gossip or similar news are the focus.
In yet other cases the attention is focused conversely on episodes that affect a large number of individuals, maybe because of fraud or misappropriation or in connection with events that have to do with the mismanagement of public property – see the case of council houses rented to private bodies; however, the point is that these cases are only covered to the extent they also involve a small number of V.I.Ps.
We stepped in several times both via our press releases and via our inquiries and specific measures.
The past year featured, once again, various judicial cases involving public figures – often fraught with major political responsibilities; this led to tense, at times conflicting relationships with media.
We were involved in some of these cases – in particular whenever excessive or unnecessary information had been disseminated.
Let me recall what our position has been consistently in this connection.
It is not up to the Italian DPA to question the use made by judicial authorities of items of evidence that are envisaged by the law, nor are we expected to step in if the information taken from judicial proceedings is clearly of public interest – especially if it has to do with public figures or else with individuals holding public offices, who are accordingly entitled to reduced privacy safeguards subject to the principle whereby personal data must be relevant and not excessive.
As for the rules to be relied upon in order to reconcile privacy and freedom of the press, we cannot but reiterate the need for media to fully comply with the principles contained in the relevant code of practice – whilst it is up to judicial authorities to lead the way in ensuring confidentiality of judicial proceedings and prosecuting those who breach such confidentiality.
Let me also remark – still on this issue of the relationships between freedom of the press, political journalism, and protection of public figures´ privacy – that recent episodes in the US, France, Germany, and the UK show that there is a widespread state of tension around this hotly debatable issue; indeed, the discussion has brought about (or widened) gaps between individual countries as well as between the public opinions in different countries.
Nor has it escaped anyone´s attention that some principles generally acknowledged by Italian media – such as the ban on displaying handcuffed individuals – are not respected to the same extent in other countries that are nevertheless regarded universally as the cradle of democracy and freedoms.
Considering our mission and the civic spirit we draw upon, let me also say that many more and better things can be done in Italy to make the press, justice, and politics more authoritative.
Still, there are a few preconditions to be met.
Firstly, judges should pass their judgments only and exclusively in court.
Secondly, public figures should be tried within a reasonable time limit as well as consistently with judicial requirements; at the same time, they should accept to make themselves accountable to citizens and electors in the public arena.
Thirdly, press and media practitioners should undertake full responsibility for the principles and guidelines applying to their profession.
This is yet another reason why it is so important for media and – even more so – talk shows to learn how to respect rules, starting from the Code of practice agreed upon by journalists themselves.
7. The Right to Privacy in the Age of Global Knowledge and Exposure
We are concerned by the increasingly widespread concept whereby no boundaries should apply to the wish or expectations to know, or to the right to disseminate data and information. A concept of transparency is taking shape that goes well beyond the relationships between citizens and government, or the need to monitor public officials´ conduct. The claim, indeed the belief that everyone has the right to know everything is bordering on a situation in which basically everyone will be monitoring everyone else.
The growing mistrust of institutions and private or public power structures along with the use of new communication channels (smartphones, social networks) are leading (especially) youths to claim their right to know all and post all.
Up to a couple decades ago, one was afraid that one´s life might be tampered with unlawfully and one´s conduct monitored along with that of relatives and friends; it was no chance that the protection of privacy was the focus of the so-called fourth-generation rights. Nowadays the reverse is true: self-exposure is the rule in blogs, on social networks, in TV shows, in any interviews given by individuals that have been involved in whatever news report on whatever grounds – including horrifying cases.
Ours is the world of self-exposure and total transparency, and we are getting ourselves unawares into the world of total control.
Mentioning the right to privacy and – even more so – the right to be forgotten is liable to be regarded increasingly as an unacceptable constraint placed on the right to know and be informed.
It is getting increasingly difficult to draw the line between freedom of the press and freedom of expression, on the one hand, and the right to know and impart knowledge on the other hand. We should absolutely clarify whether and to what extent one has the right to disseminate on the Net not only one´s own views and rants, but also other people´s.
The underlying concept is that accountability on the Net is overridden at all times by the freedom to know and impart knowledge. However, such a radical view cannot be accepted.
The difficulties we experience in defining what a blog is point to an issue that applies to any type of communication involving a basically unlimited amount of users in increasingly global virtual communities.
It is high time we should clarify this issue in depth.
We are in danger of becoming at the same time the controllers and the controlled – of being both victims and offenders.
Children are especially at risk of becoming victims, as they often use these technologies to a greater extent than the adults but are seldom fully aware of the possible consequences.
In a virtual reality that does not often allow telling users´ age, children are in danger of becoming unknowingly victims of their own accord because they may become accountable for actions they fail to fully grasp the import of – for instance, because they accept to purchase something, or become a prey to grooming activities, or share data, pictures and videos without considering current and future risks.
8. Technological Explosion and Data Protection Issues
It has often been said that one should manage to govern the Internet, whilst this can only be feasible at international level.
This is becoming necessary even apart from and beyond the Internet.
The explosion of web 2.0 technologies and communication systems that allow unprecedented, massive data transfers along with the remote use of potentially numberless applications are bringing about a change in paradigm.
One should only consider the systems that rely on cloud computing or else the so-called smartphones. Both entail a quality leap whose dimensions are yet to be grasped in full by most users.
9. Cloud Computing and Bulk Data Processing: Getting Lost in the Cloud
Cloud technology allows processing and storing data in server systems that may be located anywhere in the world, which is why they are exposed to several risks – from seismic events to computer piracy and other types of piracy up to terrorist attacks or unforeseeable social upheavals. Recent episodes like the failure affecting the servers of a major service provider in Italy (Aruba) – on account of a physical accident that was fortunately limited in scope – leave no doubts as to the topicality of such risks.
The risks due to the loss and/or theft of huge amounts of information are on the rise, and there have already been significant cases related to the widespread availability of electronic games (Sony). There is a growing number of entities that take part in these highly complex, pervasive processing operations.
Net neutrality; data breach notification; re-allocation of liability in complex data processing systems: these are but a few facets of an issue that plays an increasingly pivotal role in our society with a view to business development as well as for the sake of our freedoms and democratic coexistence.
Businesses and practitioners that are faced with the new wealth of services on offer are mindful first and foremost of the opportunity for reducing costs and/or keeping pace with technological developments – whilst they are poorly aware that cloud technologies entail the loss of physical control over data and application software.
This is why it is both urgent and fundamental to step up the general awareness of these scenarios.
10. Smartphones and Risks Related to Smartphone Apps: A New "Electronic Little Thumbling"
The risks related to smartphones and their applications result basically from the fact that smartphones are geo-located continuously and the data and information they contain – from phone books to agendas, pictures and notes – can be accessed, processed, stored and used by entities that are totally unknown to and unmanageable by us.
Believing that the risk of being monitored still consists in wiretapping, or that the only dangers we may be exposed to in our communications and movements consist in someone´s intercepting our phone calls or texting patterns, or else in locating our whereabouts via telephone traffic records, is tantamount to believing that the latest invention by man is the steam engine.
Things are quite different in reality.
A smartphone turns us – mostly without our being aware – into as many Little Thumblings who carry their white pebbles in their pockets and let them fall one by one to allow tracing their movements.
In fact, geo-location is but one of the effects produced by an inter-linked system that may be used in many different ways and for the most diverse purposes – via a veritable turmoil of applications that increase in number by the day and entail as yet unclear implications.
11. Informing on Risks
The advance of new technologies cannot and should not be stopped or hindered; however, it should be governed in order to protect all of us.
This is why we have long called upon institutions, companies, and users to raise their awareness in using technology.
This why we are publishing two booklets along with our Annual Report in order to describe the key features of the most advanced innovations available on the market.
This is also the reason why we are working on an information campaign to make these developments easier to understand by users; additionally, we are about to issue recommendations tailored to business requirements alongside specific guidance for the public administration and regulators – starting, of course, from Parliament and the Government.
Still, it is increasingly necessary for users to be informed directly by providers about the risks related to the available services. Rather than the current "static" information notice describing processing arrangements, one should quickly work out a "dynamic" notice on the risks arising from the specific processing operations.
We need to shift to a "risk notice" in the privacy arena as well – like the one that is issued in respect of drugs or to highlight the dangers of speed driving.
12. The Data Protection Frontier in A Changing World: What Role for the International Community?
The need for new rules to be introduced is by now undisputed in the European Union; however, the international community at large is also becoming increasingly aware of this requirement.
Against this backdrop one should place the new challenges arising from the demand for security that is as yet a feature of our world, where domestic and external tensions grow and get amplified continuously partly because of the major migration flows that result from the emerging demand for freedom and new opportunities.
There exist manifold connections between technological innovations and security.
Firstly – which is perhaps trivial – the entities in charge of security rely on technology to monitor citizens and regard the unavoidable reduction of personal freedom as the price to be paid for the sake of personal safety.
This is where one encounters data flows related to passengers and financial transactions, which are often a source of disagreement between States – especially in the presence of widely diverging legal systems.
Secondly, there is a link between security and telecommunications that has to do directly with safeguarding the Net and its use against attacks from the outer world – which may impact both on its physical structure and on communication flows.
Finally, security may be also invoked to demand and obtain monitoring of both the Net and the contents of communications.
This is where the danger arises of oppressive as well as repressive controls that may impinge on citizens´ freedoms and nullify the benefits brought about by the Net as a global communication tool.
Experience has shown in various recent cases that both the Net and its technologies play a key role in fostering freedom as they afford new, unprecedented channels for protesting and upholding peoples´ liberation.
Today´s Net is also a political arena for the fight between democracy and repression.
Only the international community can prevent boycotts and censorship from enhancing the authoritarianism of power via new repressive mechanisms; to do so, reliance on shared rules and rights is necessary.
At the same time, users should be protected against a Net where no rules exist and increasingly invasive technologies pile up by the day with potentially devastating consequences.
It is fundamental for shared, mutually supported principles to be relied upon in addressing the tension between security and control, protection and prohibition, freedom and oppression.
Given this complex as well as fascinating scenario, data protection is called upon to play a key role.
It is not simply that one should determine the fundamental rights related to using the Net – what is often referred to as the "Internet Bill of Rights".
Much more than this is needed.
One should determine – in a pragmatic fashion – both rights and the applicable duties and constraints and also clarify how, why, by what means and by whom such rights and duties should be laid down and enforced.
Only within a sound framework of principles and rules can one find one´s way to protect and foster both personal freedoms and societal rights in this new world "Of Data and Men".
13. The EU´s Role
The EU has a key role to play, indeed it has long been endeavouring to regulate the telecoms sector also with regard to security issues.
These endeavours include the review of the current EU data protection legislation in order to reconcile it with the new Treaties and the decisions (whether adopted or to be finalized shortly) concerning the digital agenda and the processing of personal data in connection with judicial and police co-operation.
Two main areas of concern can be pinpointed.
One has to do with the security concept and safeguards applying to data exchanges within the framework of European and international co-operation – in particular to counter terrorism and major forms of crime; in the EU´s case, this includes regulating migration flows and the intra-EU movement of individuals.
The latter issues are especially important as shown recently by events that took place in Italy and France.
The mutual recognition of personal identification data along with the exchange of information between Member States make up a key component of a European security system that should be based on shared rules and respect for the rights and safeguards cherished by the EU as a whole.
This is closely related in turn to the ongoing debate on the Schengen Agreement and other law enforcement agreements as well as on the rules for entry into the EU.
Frictions, misunderstandings and shortcomings should be prevented because affording full-fledged freedom of movement, respect for fundamental rights, mutual recognition of stay permits and the joint control of arrivals can be regarded nowadays as the very foundations of the area of freedom, security and justice.
A second area of concern has to do with the regulatory framework applying to telecommunications.
14. Italy´s Commitment
Italy should be especially mindful of these issues both in the preparatory phase of decision-making – by timely seeking Parliament´s involvement as per the mechanisms laid down in the Lisbon Treaty – and in the implementing phase – by quickly transposing and implementing European directives and decisions.
On both counts our country still leaves something to desire.
Let me only recall that Italy has yet to transpose the directives making up the so-called "telecom package", which lay down important requirements to ensure data protection in telephone and Internet communications; this is an area touching upon such major issues as behavioural advertising and the rules applying to marketing.
The same can be said in respect of the framework decision on data protection in the law enforcement sector as well as of the provisions contained in the Prüm Treaty on DNA-information processing.
Generally speaking, all the issues related to the use of the Net and new technologies should be considered more carefully by Italy – starting from the strategic issue of making available an adequately large bandwidth to cope with global communications requirements up to contributing meaningfully to the international forums where such issues are being debated.
Our DPA is ready to do its part in line with its traditional collaboration with Parliament, Government and regional and local authorities, which we actually intend to enhance.
15. Data Protection Authorities´ Current and Future Role: The European and International Dimension
All the European DPAs have long been involved in the current transition phase.
Our DPA has ever been on the forefront of this European and international activity. The fact that chairmanship of the European working group on police and justice was conferred on our DPA for the third time in a row testifies to our credibility and reliability within the EU.
The yearly workload is impressive: there are monthly meetings of the Article 29 Working Party (including representatives from all EU DPAs) and the European Working Group on police and justice; there are meetings of OECD and Council of Europe´s working groups; there are the annual International DP Conference and the European Spring Conference; meetings and workshops are held with DP authorities from other continents as well. The supranational dimension of data protection is increasingly daunting.
DPAs have been collaborating with the European Commission as well, in particular with Vice-Presidents Reding and Kroes, in outlining a new legal framework for data protection as well as specific regulations for the telecoms sector.
To do so, skills and specialized know-how are increasingly necessary that go well beyond what is required for enforcing legislation.
This is exactly why it is necessary for DPAs to be equipped with adequate resources and knowledge, and this requires stabilizing the current funding mechanisms for our DPA – which are based to date almost exclusively on yearly apportionments made by the State and other Authorities. Furthermore, it is necessary to carefully assess the professional, technical and human background of DPAs´ leaders.
As far as we are concerned, we have been preparing ourselves and our DPA for some time to cope with this scenario.
Indeed, operational mechanisms and structure of our DPA have evolved considerably on account of the unrelenting expansion of our scope of activity.
Three Secretaries General have been in office over the past years and we wish to express our deepest thanks to them for their valuable professional as well as passionate commitment.
Young, capable, highly motivated staff could be recruited via public competitions including technically knowledgeable colleagues, whose contribution is indispensable in the current situation. Our DPA can thus rely on highly qualified resources that make up its human capital along with the highly professional, specialized staff that have been working for the DPA since the early years.
A working method based on circulation and sharing of information allows junior and senior members of the staff to continuously enhance their knowledge and understanding of emerging phenomena.
The valuable contribution provided by the "Special Privacy Squad" of the Financial Police – for which we are especially thankful – allows us to carry out adequate enforcement initiatives to check compliance with the applicable rules on the spot. This is an asset all European DPAs would be keen to count on.
Finally, special attention was devoted to the European and international dimension also in terms of our internal organizational arrangements.
Ladies and Gentlemen,
This Year´s Annual Report is partly different from the previous ones.
We did not fail to report on the work done, but we tried to also outline the main features of the complex reality we have to work in along with the fundamental criticalities data protection is about to face in the coming years.
Furthermore, we decided to highlight the commitment shown in the past few years in order to strengthen our DPA so as to make available a top-quality resource in a key sector for our country.
This is, in our view, the best way to participate in the celebrations for the 150th anniversary of Italy´s unification – with our passionate as well as thoughtful commitment to work in a forward-looking perspective, which is what the President of the Republic has been unrelentingly urging us all to do.