Speech by the President of the italian data protection authority presenting the 2005 annual report to Parliament - July 7, 2006
[doc. web n. 1332401]
Speech by the President of the italian data protection authority presenting the 2005 annual report to Parliament - July 7, 2006
Mr. President of the Republic,
Messrs. Chairmen of the Houses of Parliament,
Ladies and Gentlemen,
In presenting, for the first time, the Authority's Annual Report, my colleagues and I are fully aware of the importance of this event as well as of the legacy received from the past members of the Authority's collegiate panels – chaired by such a major personality as Professor Stefano Rodotà. Those panels did build up and disseminate the culture of privacy throughout our country, and in referring to privacy I mean an advanced fundamental right safeguarding the freedom and dignity of individuals in an increasingly computerised society that features the increasingly widespread processing of personal data.
Over the past few years, the Garante has brought about a significant human and professional experience. Valuable women and men co-operated jointly with the Secretary General in developing skills and professional know-how, and I wish to thank them for their unrelenting commitment.
At European level, our Authority has taken on a leading role and – partly thanks to Stefano Rodotà's personal contribution – data protection has become by now a fundamental right of European citizens, first enshrined in the EU Charter of Fundamental Rights and subsequently incorporated in the Constitutional Treaty, which expressly provides for the activity of data protection supervisory authorities as the only "necessary" independent authorities.
The heritage we received is quite valuable, and we intend to fully uphold it because we believe that data protection is at the crossroads of interests, values, and rights in a mature democracy that is capable to respect the dignity of individuals.
The Protection of Personal Data in "Very Fast-Changing" Societies
Technologies are developing with unprecedented speed. The relationships between individuals and peoples take on a global dimension and are becoming so broad in scope that man's gaze is no longer capable to behold the horizon without the help of technology. The need to communicate with and reach out to all and everybody goes hand in hand with the aspiration towards a secure life that can be shielded against both old and new dangers.
The technology society, which had become a "fast-changing" society already during the past century, is turning by now into a "very fast-changing" society.
The gamut of our knowledge is increasingly insufficient to provide meaningful as well as convincing replies to the many questions faced by our conscience in the wake of technological development.
Looking at this unbelievable metamorphosis, one is bound to wonder whether man can lead and direct technological progress, steering the use of technology – which is a means – towards ends and results that can be at man's service and respect his dignity.
Technology can be both a wonderful tool to ensure freedom and the cause of unprecedented social differences.
This is where the fundamental values enshrined in the rules and behaviours focused on the right to privacy come into play.
The protection of personal data plays a fundamental role in the search for a harmonised, balanced relationship between man and technology – between the unrelentingly changing society and the individual's adaptation skills.
It is indispensable that there exist institutions capable to ensure that the data hoarded thanks to technology are not used against us, but rather only for us.
In a free, democratic society, the protection of the values and principles that are inherent in citizenship is the most effective means to counter a pessimistic view of progress.
Democratic compatibility and social acceptance of technologies require a framework of safeguards to be in place, which unquestionably must include data protection.
As mobility is becoming an increasingly prominent feature of social and personal life, so that one leaves bits and pieces of his own personality and existence, knowingly or not, in numberless places, there is an increasing need for an Authority that, protecting everyone's data against undue processing, allows keeping everyone's identity sheltered against artificial fragmentation and recomposition – which would ultimately turn each individual into a "thing".
Opportunities and Concerns
Thus, the protection of personal data lies on the thin line between trust and fear, between oppression and democracy.
Only if one is certain that truly necessary information is being requested, and that such information is protected and made unattainable to any entity that has no right to know it, may one exploit all the opportunities made available by technology without being afraid of them.
Why should one be afraid that one's credit card, used on the Internet, may be cloned, or that the recording of one's car plate may be used to track his movements and locate him anywhere?
Why should one be afraid of being eavesdropped, read, spied upon in making a phone call, sending an SMS or an email, or maybe visiting a website?
Why should one be afraid that when they buy a product, someone might analyse their choices to know and profile their taste, preferences, even purchasing attitudes?
Why must one be afraid of being requested biometric data and/or DNA data, even though this might be done to cure or protect them?
Why should we accept that the global village should be a lawless jungle in which information – whether correct or wrong, whether old or new – can be captured and disseminated without any possibility to check who does what for what purposes, or to request that this information be erased or rectified?
Why should we accept to lose our souls in order to salvage our body, and the other way round – why should we risk losing our bodies to save our souls?
These are dilemmas our societies should never – let me say it again, never! – be obliged to face.
Our Authority has been addressing all these issues also during the past year. We have been working in order to regulate, insofar as this is possible, the changes under way.
In especially sensitive areas, we strengthened regulatory, supervisory and inspection activities.
Out of the most innovative provisions we adopted, reference can be made here to those setting out the limitations and arrangements applying to the use of biometric data in the employment context; a general provision issued at the beginning of the past year on smart tags (RFID tags) and the subsequent decisions setting out restrictions on their use in banks and working places; the – unprecedented – initiative undertaken with regard to Google in order to ensure that Internet search engines comply with privacy principles, from data rectification to oblivion rights, irrespective of whether their controllers are established outside of the Italian territory.
The activities concerning Google America, which are actually in progress, are significant from another viewpoint as well. They are the first concrete steps to bring about safeguards for users that are adequate in the light of the current use of the Internet. In taking these steps, we are supported by the other European data protection authorities.
We are aware that the lack of supranational regulatory powers and the continued absence of the much-desired "Internet Constitutional Charter", albeit representing the expression of network freedom, are actually a major hindrance in view of ensuring effective protection in the IT world.
Exactly because of this awareness on our part, we decided to promote, at national level, the drawing up of a Code of Practice for Internet stakeholders, which hopefully will be finalised by the end of this year.
Enterprises and Employment in the Data Mesh
The economic system is also involved in this innovation process that is multiplying data processing operations.
In spite of this, the protection of personal data is often regarded by businesses as a constraint or even a hindrance.
This is likely accounted for by the legal instrumentarium, which in some cases is unspecific and uniform and therefore fails to fully perceive the differences between business activities and differently sized companies. Therefore, suitable simplification initiatives may be appropriate in this sector.
But there is one point to make quite clearly.
The protection of personal data is no "luxury" or "decorative" item one can do without. It is actually indispensable in a world where using data is a vital precondition for economic growth, indeed for the very survival of businesses.
If the order portfolio, provisioning systems, or the information on staff/consultants/customers are not protected, a key component of corporate assets, goodwill or the very value of a trademark may be endangered.
Data protection can and must be an "added value".
One often sees newspaper ads offering "secure" devices. As the awareness of the dangers and values at stake increases, businesses will increasingly offer products that promise total data security.
"Privacy compatibility" will be increasingly a key value also in terms of product quality.
Therefore, privacy is not merely a liability. It is actually an important resource.
This is why we especially welcomed the past Government's decision not to postpone the deadline for data controllers to adopt the so-called security policies. This indispensable instrument was regarded by some as "costly" and "bureaucratic".
But this is not the case.
In fact, it is aimed at a fundamental objective: to afford workers, citizens, users, and consumers the protection of fundamental individual rights. Let us only think of the risks workers are exposed to because of the use of unregulated production technologies, or else of the harm that may be caused to users or consumers on account of the unsecured use of their data.
But there is more to that: adoption of the security policy can be a driver for all stakeholders to absorb the culture of privacy.
There is room for simplification also in this sector. We are ready to discuss this possibility, which is why we met trade associations and started a public consultation among all relevant stakeholders.
Let us reiterate today that we wish to enhance dialogue with businesses, trade associations, trade unions, industry, users and consumers.
We wish to also support professional practitioners, by co-operating with the relevant councils and associations. To that end, we started consultations in view of drawing up a code of practice on the use of personal data in forensic activities, and we also liased with family doctors and managers of condos in view of adopting provisions that concern a huge number of citizens.
This is the spirit in which we have been monitoring implementation of the code of practice in the consumer credit sector – which totalled a turnover of over 76 billion Euro in 2005. We regulated marketing and profiling by major distribution chains as well as in the offer of different types of service, and prohibited any activities carried out without consumers' consent.
In this context one should put the general provision on the so-called "loyalty cards", which number over 30 million, and a provision by which we recently prohibited unlawful processing operations in the hotelling sector.
We followed, with the usual care, the issues related to protecting employees' personal data, which take on continuously new dimensions and significance; let me recall, in particular, the use of RFID devices, which may bring about a highly pervasive control on employees' lives.
Regarding the relationships between citizens and the economic world, reference can be made to the provisions adopted in respect of credit factoring companies, insurance companies, the appropriate use of electronic toll systems, and radio-cab services. Special care was taken in facilitating upgrade of anti-money laundering legislation.
Keeping in mind the need for safeguarding freedom of trade and movement, we issued new general authorisations and enforced the European Commission's decisions on data transfers towards third countries via the application of standard contractual clauses.
We will continue in our efforts, jointly with the other European authorities, to regulate transborder data flows. We believe that data protection should never turn into a barrier dividing Europe from the rest of the world.
This is why we have not refrained from meeting the main privacy officers from major multinational companies, in the search for solutions that could facilitate trade between EU and third countries without jeopardising the right to personal data protection.
Let me call upon large- and medium-sized companies in Italy to avail themselves of privacy officers, who are rather uncommon in Italy compared with other countries. This might mirror a certain difficulty in adjusting to an active, dynamic approach to data protection, which is nevertheless fundamental to ensure development of Italy as a whole.
Room for Privacy in the Public Administration
2005 was especially important a year as regards data protection in the Public Administration.
The transformation undergone by the Public Administration in the wake of technological innovation is multiplying computer networks and databases. Interlinking of such databases and networks for the sake of efficiency is quite tempting and might result into unrestrained data movement and unlimited access by operators.
The Garante tackled these issues in connection with the complex "Laziomatica" case. The provisions adopted and the sanctions imposed can be a reference point not only to Municipalities, but also to the public administration as a whole. We have shown that it is possible to let data move on networks without duplicating databases and/or directly, unreservedly accessing such databases.
Another highly difficult issue consists in the protection of sensitive data to be afforded by the public administration, which is institutionally required to process a huge amount of data related to citizens' health, ethnic origin, political opinions and/or trade union membership.
One of the greatest success stories of 2005, indeed of 2006 as well, was that we fostered and achieved compliance by the public administration with the obligation to issue regulations on the processing of sensitive data.
We are grateful to both the previous and the current Government for their commitment in meeting our requests; we regard the recently enacted postponement of the relevant deadline as based exclusively on objective grounds due to the amendments made by the new Government to the organisational arrangements applying to some Ministries and Departments.
Municipalities, Provinces, Regions, Universities, and Chambers of Commerce reacted favourably, as did many bodies in charge of functions provided for in our Constitutional Charter, all independent authorities, major nationwide agencies, and almost all Ministries.
On the whole, over fifty draft standard regulations applying to as many categories of public body were submitted, in addition to hundreds of regulations adopted by individual public entities along the lines of those standard regulations.
We may well argue that privacy in the public administration took a bold step forward in 2005.
This was and will be a valuable opportunity for public administrative bodies to reconsider their ways and means, analyse internal procedures, the operationality of organisational arrangements, and the actual need for them to obtain the data requested from time to time.
A new age has begun in the relationship between citizens and public administration – an age of enhanced transparency.
We will continue to work with the utmost care and in a cooperative spirit to check how the administration will manage to turn these rules into virtuous management practices.
Indeed, the collaboration between the Garante and the public administration led to developing effective solutions in key areas also in the past year – for instance, with regard to monitoring of public expenditure by the Ministry for Economy and Finance, or to the processing of sensitive data by Regions in the health care sector.
The health care sector was actually a field we devoted, and will continue to devote in future, a considerable portion of our work. Let me quote our provisions concerning the organisational arrangements to be made by health care bodies in order to safeguard patients' privacy, or those related to implementing the recently enacted legislation on assisted reproduction and the simplified information notices to be given by family doctors and paediatricians.
A general authorisation instrument applying to the processing of genetic data is about to be released. The issues related to the so-called "electronic health care" are looming on the horizon, and have yet to be tackled in full.
A daunting task was dealing with digitalised administrative practices. We issued an opinion on the new Code of Digital Administration, the re-use of public instruments for private purposes, and the electronic passport. We started a co-operation initiative with CNIPA [National Centre for the Computerisation of Public Administration], which was also the subject of a memorandum of understanding. This allowed us, for instance, to provide an important advance opinion on the call for tenders drawn up by the Ministry of Justice in view of ensuring security of key databases in the fight against organised crime.
Technological innovation in the public administration is a priority to Italy. We are ready and keen to do our part.
Security in a Technological Society
Specific consideration is due to the entities and organisations in charge of security and prevention activities.
Our societies are in need of security.
Europe is in need of security.
The European Union, after being set up to foster free trade and develop as an area of democracy and freedom, is now paying special attention to protecting citizens' security.
There is a growing trend towards making use of all the information resources made available by technology to achieve an all-round, preventive, often pervasive control for security purposes.
The decisions taken after the events in Madrid and London resulted into increasing amount and quality of the data retained for security reasons – both in Italy and in the EU.
At the end of 2005, the European Union adopted a directive on data retention, which will entail the retention of billions of data concerning fundamental features of European citizens' lives. It has been estimated that 200 million conversations and 300 million mobile telephony "events" will have to be retained on a daily basis, whilst 2.4 million Gbytes will have to be stored annually by having regard to e-mails only.
In our country, very long retention periods were already provided for in respect of telephone traffic data; last year, following enactment of the so-called Pisanu decree, the obligation to retain data was actually extended to include electronic networks as well – albeit by providing for a shorter retention period.
More data does not necessarily translate into more security.
This is why Government and Parliament are required to verify whether these measures are actually effective – especially if, as is the case in Italy, the retention period is longer than that set out at EU level.
At all events, this wealth of information must be safeguarded adequately to ensure that it is only used by the entities authorised to do so, and for the purposes specifically set out.
Let me also add that the "fortress Europe " is enhancing the interconnection of the databases used to monitor movement of individuals, in order to counter illegal migrants and crime. The new SIS II and VIS systems envisage a major co-ordination role to be played by the Commission in view of the interoperability of national databases.
Some European countries – France, Germany, Spain, Belgium, Austria, Netherlands and Luxembourg – recently undersigned a Treaty in Prüm, which envisages the possibility to also exchange genetic data information within the framework of enhanced co-operation initiatives. This issue will have to be tackled also in our country by taking account of all relevant contributions and views.
Our approach to the issues I mentioned has always been highly responsible and mindful of the overall context as well as of the general interest.
Privacy should not be a hindrance to security. Security and privacy are equally fundamental components of a democratic system.
This is why we believe that – as proposed by the Commission – the adoption of regulatory instruments aimed at enhancing judicial and investigational co-operation should go hand in hand with the adoption of robust data protection rules also in the security and justice sectors.
We call upon the Government, in particular the Minister of Justice and the Minister of Home Affairs, to support the Commission's position, which is shared unanimously by the European Article 29 Working Party.
To continue this overview of the European context, let me recall that following the recent decision by the Court of Justice, which granted a complaint lodged by the European Parliament and voided the EU-US agreement concerning the "Passenger Name Records" (PNR), it is now necessary to negotiate a new, more satisfactory agreement on the transfer of data related to European citizens flying to or through the United States.
These issues have always been followed attentively both within the European Article 29 Working Party and on the occasion of the international conferences of data protection authorities held in Montreux, Madrid, Budapest, and Warsaw.
Regarding the entities in charge of investigations and controls, we have been and will be taking steps based both on the issuance of mandatory rules and on the adequate supervision over implementation of such rules.
Our activities, without impinging on anyone's competences, can actually help security and law enforcement bodies to retain data more effectively. On the other hand, this can help increase citizens' trust in security and law enforcement bodies.
Ours is an important task, since it has to do with a very delicate sector in which citizens' rights to access the data concerning them are partly limited.
Bearing this in mind, we started an inspection campaign in 2005 concerning the Data Processing Centre at the Public Security Department of the Ministry for Home Affairs. Initially, the aim was to check on the measures taken to protect the information on file, and a provision setting out measures to strengthen security systems has been already issued in this regard. Our inspection activities continued thereafter, and another – more detailed – provision addressing all the activities carried out by the said Data Processing Centre is about to be issued upon conclusion of those activities.
Privacy and Publishing of Tapping Transcripts: Between News Media and Judicial Authorities
The Garante dealt with the issues related to freedom of speech and the publication of tapping transcripts in the course of the past year. Indeed, this issue has become of ever increasing importance over the past few weeks.
The decisions taken by the Garante in this sector have always been the outcome of a careful, painstaking analysis because of the values at issue – freedom of speech, enshrined in Article 21 of our Constitution, and the right to privacy and dignity, resting on the foundations of Article 2 of our Constitution.
These constitutional values must be reconciled and applied in concrete to the individual cases, by taking account of multifarious variables.
Consideration should be given to the nature of the information, its scope and the entities involved, the context in which the news are broadcast, and citizens' right to know all they must know in order to exercise the sound scrutiny that is typical of democracies.
This is one of the loftiest components of the journalistic profession – to gauge whether an item of information is essential in order to allow the public opinion to get an unbiased view of the events, or whether it is not only irrelevant, but downright in breach of personal dignity.
No good journalist would – indeed, should – ever violate a person's dignity merely for the sake of gossiping about, of pushing up sales or catering to voyeuristic appetites.
In the many decisions adopted so far, we have always tried to ensure that those working in this difficult professional sector ask themselves some questions, act discerningly, strive to painstakingly evaluate the impact caused by an item of information or the reference to a certain individual – in short, that they be aware of the fundamental role played by free press in a democratic society.
We did not refrain from prohibiting or blocking the publication of news, at times with regard to public figures or VIPs. Still, we have always reaffirmed that the appropriate exercise of freedom of the press postulates respect for the principles of materiality of the information and protection of privacy – which mark the impassable boundaries in this area.
There have been several provisions adopted to safeguard individual citizens that had lodged complaints; the most interesting among them have allowed us to spell out both the principles concerning the right to oblivion and those related to the protection of children.
Finally, let me add some considerations in respect of the publication of tapping transcripts.
There was recently an outcry caused by the – unprecedented – mechanisms and manner whereby the full contents of wiretapping transcripts were published, at times actually posted on the Internet or offered for sale after being collected in booklets.
This is to be taken seriously into account.
The texts of the transcripts are included in a draft that contains a summary of the tapped conversations; this summary is drawn up by a legal practitioner and is meant to be kept, evaluated and used by other legal practitioners both in the judicature and from the Bar.
Publishing these transcripts basically in full and in a raw format, with no intermediation or comments, can hardly be considered to help readers in shaping their own opinions freely and appropriately.
One is treading on mined ground when providing the public opinion – without any mediation – with the contents of texts that are meant to be used by a public prosecutor and/or a judge, jointly with other items of evidence, to build up their views of the case.
The general provision we adopted a few days ago was meant to strongly reaffirm the importance of the rules applying to exercise of freedom of the press with all the attending obligations, in view of respecting dignity and confidentiality of individuals in line with widely received views and approaches.
This is no attempt to introduce censorship requirements or muzzle the press – certainly this is not meant to be so by the Garante.
In fact, we expect journalists to do their job in full by carefully assessing news also in respect of public figures, drawing a distinction between information that is necessary to appraise an event and information that is mainly related to an individual's private sphere.
"Innocent bystanders", family members, and children must always be safeguarded, and special care must be taken with sensitive data.
We are aware that the use of wiretapping transcripts also depends on the conduct of other entities – first and foremost, legal practitioners.
This is why we have called upon the Higher Council of the Judicature to take steps in accordance with the respective competences in order to enhance safeguards and security measures protecting the confidentiality of trial-related information.
Additionally, we have undertaken to collaborate with Parliament and Government on these topics also by availing ourselves of the power/duty to draw attention to specific issues as set out in the law.
As for the Garante's supervisory powers, which are applied retrospectively because of their very nature, we believe it is appropriate to request Parliament to consider a legislative amendment so as to allow the Garante to impose pecuniary administrative sanctions whenever it is ascertained that the rules set out in the Journalists' Code of Practice have been infringed.
Electronic Communications Services
In 2005, the issue of telephone wire-tapping was tackled by the Garante also in a different perspective that is equally important.
In Italy, judicial authorities avail themselves plentifully of this investigational mechanism, so that the number of interceptions and the attending costs are especially high in comparison with other European countries – as recently pointed out by the Italian Minister of Justice.
It should be recalled that as well as telephone wire tappings, judicial authorities may request service providers to carry out many other activities such as call localisation and interception of communications. There are also preventive interceptions that may be carried out by the police based on a magistrate's authorisation.
In this area, all decisions are taken, first and foremost, by lawmakers, and secondly by investigating judges and prosecutors. It is not up to the Garante to pass a judgment on such decisions.
Still, it is well known that the more personal data you collect, the higher the risk is that security measures are not enough to ensure confidentiality of those data.
It is fundamental for telephone operators to take stringent security measures and for judicial authorities to protect the information and data they have obtained.
The Garante has carefully investigated the mechanisms by which the different operators comply with the requests made by judicial authorities in providing the services required to carry out tappings and/or interceptions. It has been found that there is the urgent need to significantly step up system security; in December of the past year, the Garante set out several security measures to be adopted by the operators within 180 days. This deadline has expired, and we are about to check whether our guidance was followed or not.
At the same time, we stressed the need for judicial offices to adopt similar measures, and we decided since March of this year to foster collaborative initiatives for this purpose by requesting the support of both the Higher Council of the Judiciary and the Ministry of Justice.
Recent events led us to voice our concerns anew a few days ago.
The attention paid to our request by the Minister of Justice as well as by authoritative members of the judicature is a source of comfort to the Garante.
Therefore, we regard the inquiry initiated in this connection by the Justice Committee of the Senate as a valuable opportunity, and we are ready to contribute to it in any manner considered fit. Nor will we fail to contribute to any other initiatives undertaken by Parliament and/or the Government.
Another highly sensitive issue has to do with the protection of telephone traffic data, which operators are obliged to retain for 5 years.
We recently found that no sufficiently adequate measures to protect these data and the relevant reports had been taken by the main Italian operator. In particular, the inadequacies affected the database access logging system, whilst tracking and identification of the entities authorised to access the data were found to be incomplete. We immediately issued a detailed provision setting out the necessary measures and a 120-day implementing deadline.
At the same time, we started gathering information and developed a highly demanding inspection plan in order to ultimately draw up a general provision on traffic data retention as per Section 132 of our data protection Code. This provision is expected to systematically lay down the measures and arrangements to be taken by each operator in order to fully ensure security of the respective databases.
Let me also refer to two other initiatives that are under way with regard to telephone operators.
We issued a provision a few months ago addressed to all telephone operators with regard to the disquieting practice of activating unsolicited services, such as unsolicited ADSL services. This provision also concerns the so-called call centres, and we expect shortly to check whether our instructions were complied with.
A few weeks ago, we started inquiries to establish whether a telephone operator had unlawfully profiled former subscribers that had switched to another operator, based on the findings contained in a precautionary injunction issued by the Milan Appellate Court.
Thus, we were very busy in the electronic communications sector throughout 2005, and actually stepped up our activities over the past few months – and expect to increase them further in the coming months.
The protection and retention of communications data must become the subject of a careful analysis also in view of devising innovative solutions that can afford enhanced safeguards.
We consider that this is one of our duties.
A proposal has been put forward to set up a public body to which the operators should transfer all the data they respectively hold after expiry of the billing-related retention period. This proposal has already been put forward at European level and found to be somewhat questionable, however it might serve as a starting point for discussion. Anyway, such a body should be subject to the Garante's supervision and ensure the strictest compliance with the relevant security measures.
Safeguards for Databases: The Garante's Role
In a broader perspective, consideration should be given to the safeguards required in order to ensure security and integrity of the large databases that are – and will be increasingly – a significant component of our social framework.
So far, data protection authorities have mainly carried out some fundamental tasks – ensuring citizens' right to access their personal data; ensuring implementation of the remedies available in case individual rights are violated by unlawful processing operations; fostering the application of European directives in as "harmonised" a manner as possible, and implementing domestic laws.
To the above tasks, there should be added – especially with regard to the Italian Garante – the power set out (partly) in the law to issue general prescriptions on the application of European and domestic legislation to the different sectors. The activities related to fostering the adoption of industry codes of conduct and professional practice fall under this chapter.
It is high time we drew attention to the need for ensuring the security of the information contained in large databases.
There is the need for a fresh start.
All European authorities share this concern.
The Italian Garante is ready to be at the forefront in breaking this partly new ground.
If there is agreement on this point, it is necessary to identify the databases requiring more careful supervision by having regard, in particular, to those serving national/State interests in especially important sectors.
Telecommunications traffic databases as well as those related to security services or containing biometric and/or DNA samples should unquestionably be included in the picture.
In this regard, let me recall that the provisions set out in the data protection Code, whereby the Minister of Justice and the Minister for Home Affairs are required to specify the centralised databases used by the respective administrations and list them in an Annex to the Code, have not yet been implemented.
Indeed, this list should be the first step in view of creating an ad-hoc "Registry of High-Risk Databases" which would also ensure increased transparency towards citizens.
We hope Parliament will clearly set out what role the Garante will have to play in future in this difficult area.
From a more general standpoint, we believe it is appropriate to call upon Parliament to consider the desirability of making available suitable fora and mechanisms to ensure the continued dialogue with our Authority, which is and acts as an independent Authority both because of its nature and in pursuance of Community obligations, but regards Parliament as its reference counterpart.
This is why we believe it is appropriate to point out here that, in the light of the complex, wide-ranging objectives we have set ourselves, our powers are not enough.
Regulatory amendments are necessary with regard to inspection and sanctioning/injunction powers; in particular, the Garante should be empowered to impose administrative pecuniary sanctions to a greater extent and in a larger number of cases compared with those currently set out in the data protection Code. Furthermore, it is necessary to re-consider organisational framework and staffing of the Garante, which currently avails itself of an Office including about one hundred people. This is really a small figure if the Garante is expected to be fully capable to ensure the lawful operation of major databases as well.
Other Activities Performed by the Garante in 2005
Let us move on to the conclusions.
Like in the past, the Garante has taken steps in many different sectors both following claims or complaints lodged by citizens, associations, trade associations and professional rolls, and on its own motion.
The available data show that the Garante is a peculiar Authority among the so-called independent authorities.
The most striking peculiarity has to do with the "symbiotic" relationship between the Garante and "privacy" issues, which are focussed on citizens' fundamental right to the protection of their personal data.
The Garante's tasks do not consist in regulating a specific sector.
In fact, our tasks consist in fostering and facilitating the absorption and incorporation of a new approach to the handling of personal information by a wide-ranging gamut of entities. Ultimately, we are required to contribute not only to ensuring respect for dignity and freedoms of individuals, but also to strengthening the democratic texture of our country.
The complexity and multifariousness of our activities result from the cross-sectoral, wide-ranging issues we are required to address.
This can account for the large amount of decisions, opinions, and provisions issued in the past year as well as for the many decisions related to our supervisory, regulatory, and proactive functions in respect of public and private decision-makers.
Here are some figures: in 2005, the Garante's collegiate panel adopted 724 provisions, which also included the handling of 634 complaints. Taking account of some cases that were dealt with in the past year and finalised recently, we replied to 1,633 claims and reports and to 364 requests for information or clarification. 31 opinions were rendered on regulatory measures drafted by Government; 61 draft regulations were adopted on the processing of sensitive data by public administrative agencies. Over one hundred general provisions were issued, including the renewal of seven general authorisations for the processing of sensitive data.
Time and energy were devoted to listening to what industry, professionals, and consumers had to communicate.
We hope that privacy will be perceived as a plus in life, and this is why we started an analysis on the relationship between privacy and happiness.
We worked hard to equip the Garante with regulatory instruments that were indispensable in view of its operation, so as to strengthen its structure and organisation and afford enhanced safeguards to the citizens that turn to us.
We introduced innovative working methods on the basis of six-month plans as for both activities and inspections.
Two hundred inspections were carried out in 2005 and one hundred and forty-five in the first six months of this year. These figures testify to the importance the Garante attaches to such activities. We plan to continue working in this direction by further strengthening our co-operation with the Finance Police – an effective, valuable co-operation for which I wish to thank the Commander-in-Chief, all officers and those working with us.
Ladies and Gentlemen,
Together with my colleagues, Giuseppe Chiaravalloti, Mauro Paissan, and Giuseppe Fortunato, I hope I managed to present a summary, though exhaustive, picture of our activities, considerations, and objectives.
We wish to provide assurances to you, Mr. President, to Parliament and Government that we will never fail to discharge the tasks and duties entrusted to us.
The Garante is treading on the most sensitive ground in "very fast-changing societies" – the thin line separating democracy and freedom, on the one hand, from control and fear on the other hand.
The Garante is working to ensure that we all can continue to live in a community of free, responsible women and men, who are capable to use technology without becoming slaves to it and keen to shape up their security without giving up their human dignity.
We expect Parliament and Italy to trust us, and we are working to make trust possible.