Speech by Francesco Pizzetti, President of the Italian Data Protection Authority - Introducing the Annual Report for 2008-2009 - Rome, 2 July 2009
[doc. web n. 1630962]
Your Excellency, Mr. Chairman of the Senate
Your Excellencies, Ladies and Gentlemen,
The collegiate panel of the Italian data protection authority has been in office for four years. We have travelled a long stretch of the road, but we still have three years' hard work ahead. Which is not a short time.
Thus, this is a time for taking stock, but also for looking forward.
Strengthening of the Office of the Italian DPA and the New Powers Conferred on the DPA
Our Office is comprised of highly skilled people whom I wish to thank and acknowledge publicly; it is now undergoing major changes.
Early this year, Mr. Buttarelli, who has long and outstandingly served as the Secretary General to the DPA, was appointed Deputy European Data Protection Supervisor. This was a veritable badge of honour both for himself and for the Authority. His office was taken up by Mr. Patroni Griffi, a highly authoritative, experienced officer who quickly managed to prove equal to his renown as well as to his difficult legacy.
Over the past year, we had public competitive examinations to recruit 25 more staff members. This means that our staff increased significantly – from 100 to 125 permanent members. Still, this is not enough to tackle the wide-ranging gamut of our competences.
Our DPA was recently empowered to impose new sanctions, which allows us to take steps more effectively. The scope of the violations carrying punishments was enlarged and the applicable sanctions – which ranged in the past from 500 to 60,000 Euro, the latter only in especially serious cases – now start from 1,000 Euro and may add up to 300,000 Euro for major breaches or even reach 1.2 million Euro in a worst-case scenario.
This mirrors the attention paid by Italian institutions over the past few years to the work done by the DPA – for which we express our sincerest thanks.
We are also grateful to the political world, which has consistently acknowledged and supported our activities regardless of party allegiances.
Still, we could witness some ill-advised legislative measures in the course of the past year that amended individual provisions of the data protection Code – at times on a transitional basis – and brought about innovations that failed to always produce favourable effects.
I am referring, in particular, to the prolonged retention periods of telephone traffic data and the provisional amendments to the regulations on the use of telephone directories for marketing purposes. Recently, section 1 of the DP Code was also amended to derogate from personal data protection principles in respect of the personal information related to public officials; although we appreciate the underlying rationale, we cannot but highlight how dangerously wide-ranging and unspecific such measures may turn out to be.
Sector-specific initiatives like those described so far are best avoided.
We gave ample proof through our work that we do not shirk from requesting regulatory amendments whenever they are necessary.
There have been significant instances in which we proved capable of striking a balance between public interests, business needs and personal data protection – for instance, when we provided guidance to the Minister for Public Administration on how to publish the salaries of public employees online by reconciling transparency requirements with the protection of data subjects' privacy.
There have also been many cases in which we introduced major innovations in implementing rules by means of the dialogue set up with economic and social stakeholders – without any law-making being necessary; let me only quote the simplification measures applying to SMEs.
Whilst jealously guarding our independence and role, we have never failed to collaborate with all institutions; we have never shied away from seeking dialogue; we have never turned a cold shoulder to the reasons of business.
We call upon Parliament and the Government to always look to the Garante in any undertakings related to the protection of personal data.
What Role for the Italian DPA in a Changing Country
This is the spirit in which we wish to fulfil our tasks in the coming years.
Our DPA is part of a system that is in need of urgent reformation to successfully cope with future challenges.
We believe that it is also up to us to ensure that the progress made towards innovation, enhanced competitiveness, better services, new administrative and governance models does not leave citizens' rights behind – including the right to the protection of personal data.
This is already the case in some areas.
We are ready to follow these processes with due attention and institutional care in the citizens' best interest.
The Italian DPA and Tax Federalism
Implementation of the tax federalism scheme entails huge information exchanges between administrative bodies along with the establishment of new databases and the introduction of standardised collection and processing mechanisms.
Thanks to the activities carried out over the past few years in respect of the Taxation Register, which will also concern other Agencies in the coming months, we believe we can provide a major contribution to the security of data flows.
If we are requested to do so, we will provide guidance to the many technical and supervision Committees envisaged in connection with the scheme as well as to Regions and local administrative bodies.
The Italian DPA and the New Welfare System
The experience gathered with regard to health care and assistance will help us tackle the reformation of the welfare system, especially if the approach described in the "White Paper on the Future of the Social Model" is followed – whereby matching of the data is expected to play a key role with a view to piecing together the different needs and expectations harboured by citizens.
In the coming months, part of our work will focus on the databases in the health care sector and, more generally, in the welfare sector. A range of in-depth inspections and collaboration initiatives are scheduled regarding INPS [National Social Security Agency], in agreement with its President.
The Italian DPA and "Integrated Security"
Special importance should be attached to implementation of the new integrated security system, which entrusts mayors with discharging tasks that were reserved for the State so far and also enhances the co-operation between local police and national institutions – including wider access to the national police databases, with all the attending problems related to entering and disclosing the information contained in the latter system.
Access to security databases is bound to be regulated more pervasively. Our DPA has gathered considerable experience in this area and our role can be expected to gain momentum after the decree by the Minister for Home Affairs is finally issued to specify how many databases have been set up in our country for ordre public purposes and what features they have.
Another issue has to do with the use by security bodies of information collected by private entities.
Reference can be made here to video surveillance and, generally speaking, the possibility for associations of citizens to carry out activities falling within the scope of the institutional tasks conferred on the police.
We feel we have the duty to keep these developments under control.
We have long started a dialogue with the Ministry for Home Affairs in order to lay down new rules on the appropriate use of video cameras and other remote monitoring systems. We expect to issue a decision on these topics shortly, to better specify retention periods, security measures, and access control mechanisms.
We are also following up the developments related to the ordinances issued by mayors and the law-making activities of Regions, which in some cases supplement the legislation enacted by the State.
The Italian DPA and the Reformation of Public Administration
We welcome all the initiatives that are aimed at making the public administration work more effectively and enhancing the use of technologies to expedite and facilitate the relationships with citizens. We support the plans to increase transparency of the public administration as also related to the discharge of official duties.
However, we cannot help emphasizing how dangerous it can be to post on the net millions of personal data that are processed daily by the public administration, without any appropriate safeguards and controls. By the same token, we must urge that the rights vested in public officials be assessed carefully.
The new legislation in this area should not be construed in an excessively unbalanced way such as to violate the fundamental rights vested in all workers – to the detriment of all public employees.
To improve performance and assiduity, it might be enough to publish aggregate data and step in promptly to punish the individual shortcomings.
Additionally, we would recommend that care should be taken in making excessive use of citizens' sensitive information, which is often likely to be unjustly prejudicial to the given data subjects.
The key point to be made has to do with the inescapable tension between right to know and protection of privacy.
It is no mere chance that in the UK the data protection authority was entrusted with the dual task of ensuring access to information and protecting the personal data processed by public bodies.
We urge never to regard data protection as an obstacle to be overcome and removed.
Our co-operation with the Minister for Public Administration and the attention paid to our decisions – which we appreciated considerably and was recently confirmed by the work done on the Instructions concerning use of the email and Internet by civil servants – let us be confident that this will not be the case.
The Work Done
Submitting the Annual Report is also an opportunity for taking stock of what has been done.
A Few Figures
Comparing the figures for 2008 with those of 2007, one can easily see that we have worked even harder.
The number of collegiate decisions has increased up to 524; the replies to reports, claims and questions have also gone up considerably. There were almost 40,000 contacts with the Front Desk and about 20,000 emails were handled.
Investigations and controls rose by over 10%.
The number of inspections also increased thanks to the exceptional support provided by the Privacy Squad of the Special Units from the Financial Police, under the masterful as well as unquestionably professional leadership of their commanders. We wish to thank them for this and do hope that this co-operation will develop further.
The increase in the number of administrative breaches fined by our DPA amounted to 30%; the proceeds levied in this manner rose from eight hundred thousand to over 1 million Euro. Twice as many opinions as in the past year were rendered to the Government. As for the hearings of our DPA before Parliament, let me refer here to those concerning insurance issues, the Taxation Register, frauds and identity thefts.
Many presentations and reports were submitted by our DPA on the occasion of international conferences. Close relationships are cultivated with the other DPAs and we provided our contribution consistently to the work of the Article 29 Working Party.
The quality of our work was recognised significantly when the Chairmanship of the European Working Party on Police and Justice (WPPJ) was unanimously conferred for the second term on the Italian DPA. The WPPJ is a working party set up by the DPAs that have competences in this area to enhance the impact of their actions and initiatives.
Training and Information
We put additional emphasis on training and information activities, which were focused especially on youths although they were aimed ultimately at raising general awareness of the potential and risks inherent in technology – so as to use it better as well as more responsibly.
Let me quote two leading examples of those activities – the European Data Protection Day, which was dedicated to social networks, and the development of a quick, effective information tool consisting in a short "handbook" intended specifically to enable parents and children to get a closer look at this phenomenon. Our Vademecum was also received favourably by the Minister for Youth, who will present it on the occasion of the forthcoming G8-Youth summit. It will be also circulated throughout our country thanks to the co-operation with Poste Italiane.
The care we take in fostering an open-minded, friendly, affirmative view of data protection and privacy is also shown by the activities carried out by two members of our collegiate panel, who produced major contributions within the framework of their personal studies and research – namely, one of them published an essay significantly titled "Privacy Is Dead, Long Live Privacy", whilst the other one continued his leading-edge studies via the "Privacy Lab" he had set up and is currently managing.
The Main Areas of Activity in 2008
The Italian DPA focused also in the past year on the most at-risk areas for citizens – on improving the efficiency of public administrative agencies and services; enhancing the security of major public and private databases; supervising the processing of data in the telecom, judicial and security sectors.
We monitored the activities of media carefully and also tackled issues arising from the use of modern technologies. Finally, we started up a wide-ranging exercise of simplification for the benefit of businesses and public administrative agencies.
The simplification initiatives were aimed, in particular, at sparing companies and the business sector cumbersome red-tape requirements and costs – without lowering the protection level for citizens and consumers alike.
We worked out a three-fold strategy.
Notification requirements and security measures were simplified to make them less cumbersome and more effective without exposing customers and suppliers to any risks.
To facilitate cross-border data flows to third countries, we started authorising the adoption of binding corporate rules. The latter are a tool to make data protection both more effective and accountable at international level, whilst bringing Italy into line with other major European countries.
Corporate mergers and split-ups were facilitated to expedite the restructuring of Italy's production system.
Protecting Citizens as Consumers
Unrelenting attention was paid to striking the right balance between business needs and protection of users and customers.
It is often far from easy to reconcile those interests.
Let me only refer to the use of telephone directories for telephone marketing purposes, which was repeatedly banned by our DPA because it entails continuous rule-breaking as well as giving rise to insufferable interference with the private lives of users and their families. In fact, the use of telephone directories for those purposes was subsequently allowed until December 2009 via the enactment of ad-hoc legislation, which took us by surprise. This piece of legislation made it necessary for us to step in once again in order to clarify under what conditions and to what extent the new rule was applicable.
We all know that the solution found is far from acceptable. The right thing to do is to start a fair, open-minded dialogue between our DPA and this industry sector, and then ask Parliament to take action if appropriate.
A decision was issued a few days ago to set forth clear-cut, binding rules that apply to profiling activities performed by telephone operators with a view to monitoring customers' consumptions, habits, and even wage brackets – whilst consumers are often unaware of such activities.
As for our decisions that attempted the reconciliation between safeguards for citizens and business requirements, reference can be made in particular to the following: the collaboration with ISVAP [an independent supervisory body dealing with insurance companies] aimed at reconciling the sensible protection of insurance risks with the fair use of information on the insured; the instructions applying to the processing of business information; the guidance provided to facilitate the transition from Alitalia to CAI without jeopardising customers' rights and/or slowing down the whole process excessively.
Further to the balancing of interests principle, we allowed a company running public transportation services to geo-locate their fleet continuously, in compliance with employees' rights and with their consent, as well as to monitor the drivers' driving pattern to better safeguard users. This was the first case in which we addressed the use of new traffic monitoring technologies – an area that is currently the focus of specific initiatives by the European Commission and calls increasingly for the attention of all DPAs.
Protecting Citizens: Decisions by the DPA Concerning Health Care and Pharmaceutical Research
By definition, health care entails the processing of sensitive data, which have to do with the most fragile components of our life.
This is an area we have customarily tackled in an innovative perspective – sometimes ahead of the underlying changes. This was the case, for instance, with the electronic health record and the recent decision on the processing of medical findings online. We consider them to be important contributions in order to ensure streamlined treatment and harmonised standards in the various Regions, based on the dialogue with both Regions and the National Health System.
Ever mindful of personal rights as well as of the need for making health care more effective, we collaborated with the Ministry of Health in regulating the collection of data for assisted reproduction purposes; we rendered opinions on the decrees setting up the Mental Health Information System (SISM) and the National Information System on Addictions (SIND), respectively; we issued ad-hoc decisions to regulate the online publication of the lists of recipients of health care and/or welfare benefits.
Special importance should also be attached to the Guidelines on Clinical Drug Trials, which have major business implications and set forth stringent security measures by reducing the retention periods of biological data and samples – indeed, they might be regarded as a reference standard throughout Europe.
Let me also mention our decision on the so-called "tell-tale ticket", which replaced the specification of the purchased drug (included in the ticket) by a numerical code and thereby allowed reconciling tax-related requirements with respect for patients' privacy.
The Public Sector
The public sector along with security is where our work aimed at modernizing and securing the Italian system stands out most clearly.
A daunting as well as fatiguing task consisted in checking the security measures implemented by major public databases as well as in respect of the data storage and processing systems used by the Revenue Office. After several-day inspections and many controls, we issued several decisions with instructions aimed at protecting taxpayers' data, which had been jeopardized recently because of both the lack of appropriate security measures and the uncontrolled access mechanisms; this was done by seeking a constructive dialogue with the Revenue Office as well as with SOGEI, i.e. the operating branch of the Revenue Office.
Our work in this area will continue and extend to other key sectors.
Institutional co-operation with the central Administration, Regions and the associations of peripheral bodies allows us to step in at the time administrative procedures are planned without having to issue instructions and/or prohibitions thereafter.
Also following the recent earthquake in L'Aquila, our co-operation with the Civil Protection Department enabled us to tackle data protection issues in emergencies from an innovative, co-ordinated standpoint.
Indeed, the latter experience resulted in the Civil Protection Department's issuing an important Ordinance to lay down the rules that should apply in case of natural disasters, based on our guidance.
Let me finally recall a decision whose significance is mainly symbolic – namely, the one clarifying that privacy is no obstacle to publication of students' exam records or to the public acknowledgment of individual performance.
Unsolicited Calls, Unsolicited Services, and Anti-Spam Measures
We continued our efforts to protect citizens against unsolicited calls and services also in the past year.
Spam is an ever-growing scourge.
Unsolicited emails are not just another hassle for users. Emails may also pass on spyware and "malicious" software that can lead to information theft and manipulation – often causing irreparable damage to the software installed on one's PC.
This is why we re-affirmed that email addresses may not be used without any limitations merely because they can be found on the Net; indeed, the user's consent is always necessary.
Securing Data in IT Systems
As for the security measures applying to the IT sector, let me recall here our decision on system administrators – which I believe ranks among the most important ones in the past few years.
System administrators have been basically overlooked so far, whilst they are actually indispensable to ensure the operation of networked systems – indeed, they can access any data in the system at any time and can potentially change, delete or add any data.
Our decision sets forth rules to assess their technical skills, ensure that their accesses are logged, and enable users (in particular, employees) to be appropriately informed on their doings.
Another decision to be mentioned here is more limited in scope, though not less innovative in nature – I am referring to a decision laying down the rules that should apply to the so-called "recycling" of e-waste, i.e. the re-use of computers and other electronic or electrical equipment to be disposed of, which often contains a considerable amount of personal data. Our decision is addressed to users and consumers as well as – more importantly – to major entities that decide to re-use old/obsolete equipment for different purposes and/or in other locations when revamping their technological outfits.
Data Protection in the Judicial Sector
The world of justice was the focus of considerable attention by our DPA.
We believe it is unacceptable that those in charge of enforcing laws and rights may fail to take the precautions required to protect the data and information they get to know in connection with their official duties.
Special importance should be attached to a decision concerning the role, powers and duties of court-appointed experts as for the data they process. Our decision clarified that such data – where processed in pursuance of specific assignments – must be delivered in full to the competent judicial authority, whilst it is prohibited to use the data collected for a different judicial authority and in connection with a different investigation for the purposes of the current investigation – unless the former judicial authority grants an authorisation to do so.
We issued a pilot decision with regard to the Court of Rome in order to secure their archives and data processing operations so as to ensure that the minimum conditions would be fulfilled to respect citizens' rights in administering justice. Implementing this decision will require resources and investments – which the Ministry of Justice has the duty to make available.
The initial implementation of computerised procedures for civil proceedings and the computerisation of the records held by court clerks' offices and other judicial offices allowed us to prove our capability to successfully get along with innovations in these areas.
Another important achievement was the adoption of the new Code of Practice for lawyers and private detectives, which also applies to investigational and party-driven activities that had not been regulated specifically yet.
Let me also recall the many cases in which we stepped in to secure the telephone traffic data held and used for judicial purposes.
The experience we gathered in this area – although it was not exploited in full – was helpful in drafting a few sections of the bill on interception of communications.
The latter bill has raised much debate and privacy has often been the buzzword in Parliamentary discussions.
We have consistently pointed out that it is up to Parliament, rather than to our DPA, to determine how, when and for what purposes a judge may resort to the interception of communications and acquire traffic data. Nor may we as a DPA question the amount of data that are acquired and processed in the individual cases.
Conversely, we do have the duty to request that any data and activities be adequately protected both by the judges and by any other operator/practitioner collaborating with judges.
The innovations envisaged in the bill to protect the data collected for judicial purposes are unquestionably appropriate; however, much will depend on the specific implementing regulations. We do hope our DPA will be consulted in the implementing phase.
As for the new rules on the limitations applying to disclosure of the information that is acquired and processed by judicial authorities, we can only reiterate that new regulations are appropriate but the imposition of criminal punishments on media practitioners would appear to be questionable.
On the other hand, it is not our DPA's responsibility to lay down the rules underpinning the respect for freedom of the press that is enshrined in our Constitution – unless specific violations of citizens' privacy are at issue.
There are no grounds to believe that the general regulation of freedom of the press is directly, immediately related to the protection of privacy – which should actually be assessed on a case by case basis.
In respect of ordre public issues, let me refer, first and foremost, to the role we played in connection with the census and survey of Roma/nomadic settlements. We did not just contribute to the drafting of "Guidelines" by the Ministry, as we also supervised their implementation.
This enabled us to provide suitable assurances and clarification to the European Parliament as well.
We continued monitoring the processing of DNA data for judicial and ordre public purposes.
The work done vis-à-vis the Parma RIS [special investigating division of the Carabinieri] led to full implementation of our guidelines both by the latter entity and by all the RIS units in Italy.
Building on the experience gathered in 2007, we submitted a Report to Parliament in which we pointed out the requirements to be met in order to transpose the Prüm Treaty by respecting human dignity and proportionality of processing operations.
Many of our recommendations were taken on board. Other recommendations – in particular those concerning the wide scope of the citizens subjected to the coercive taking of samples and the excessive retention periods – have not been taken consistently into account.
Finally, we do not fail to discharge our supervisory tasks also in respect of non-EU countries, in particular whenever the processing of genetic data is at issue.
Recently, we took steps at the request of the Government and the competent Ministers to ensure that a bilateral Italy-US agreement also concerning the exchange of DNA information would comply in full with the rules falling within the scope of our competence.
Our DPA and Intelligence Services. Co-operation with COPASIR [Parliamentary Committee for the Security of the Republic]
We have repeatedly collaborated with COPASIR, which allowed us to prove tangibly how useful our farsightedness had been in addressing the issues related to telephone traffic data, processing of personal data by court-appointed experts and consultants, and knowledge of leading-edge systems for interception and monitoring of communications.
Whilst these activities enabled us to dispel groundless fears – in particular related to telephone wiretapping – they showed that the alarm we raised a couple of years ago was substantiated, i.e. that spyware is available and can be installed on mobile phones to intercept and spy on communications and traffic data.
Journalism and Information
We often had to strike the right balance between two fundamental rights of any democratic society – the right to inform and be informed, and the right to have one's privacy and the most intimate sphere of one's private life protected.
There were more than a few cases in which the dignity of individuals was at stake – especially young people, or victims of crime – when faced with a ruthless, at times unfair use of freedom of the press.
We stepped in to prohibit the publication of data and information that allowed identifying young people and/or victims of crimes, especially sex crimes, which meant adding violence on top of violence.
We urge media, once again, to stick to the Journalists' Code of Practice, the Charter of Treviso [on media and children], and, above all, good journalism rules.
To protect the dignity of individuals, we recommended a measured approach in filming social degradation situations such as those encountered in Roma settlements, or in filming social maladjustment cases. This is in no way prejudicial to the value of investigative journalism whenever a balanced approach is followed and the ultimate objective is informing the public.
By the same token, we prohibited the continued dissemination of images of the victim in a murder case that took place in Perugia, after those images had been broadcast by local TVs in utter contempt for human dignity.
In the past year there was no dearth of cases in which tapping transcripts were published and disclosed whilst the respective judicial investigations were still in progress.
We recommended repeatedly – in particular whenever publication was said to be forthcoming but had not yet taken place – that it was necessary to carefully assess whether disclosure of the information at issue was actually in the public interest, and that both laws and the journalists' Code of Practice were to be respected by also protecting any third parties involved.
Ban on Publishing Pictures Taken Inside a Person's Home
On two occasions we addressed the publication of pictures taken inside Villa Certosa [the Villa owned by Mr. Berlusconi in Sardinia], where various persons could be seen.
We banned publication of those pictures as zoom lenses and intrusive, highly sophisticated systems had been used to capture and process the images.
Pursuant to the stance taken not only by Italy's Court of Cassation, but also by European Courts and – more recently – the UK House of Lords, we reiterated that it was unlawful to film or photograph individuals inside a person's home – including the relevant premises – without those individuals' consent, especially if the individuals in question were cultivating their own social relations.
This principle is applicable in general, irrespective of whether the person is a public figure or not; accordingly, any picture taken in breach of this principle is unlawful and may not be published/disseminated. Furthermore, this principle applies even if the individuals living in and/or visiting a person's home are public figures.
At the same time, we confirmed that it was permitted to publish pictures showing public figures and/or de facto public figures if the pictures were taken in public and/or publicly accessible places.
Media and New Technologies
Our DPA had to tackle issues related to media and the use of new technologies on several occasions.
We repeatedly witnessed the publication of pictures showing victims of accidents and/or violent crimes that had been taken from Facebook without any controls whatsoever and without the persons' consent – indeed, those pictures showed other individuals that had nothing to do with the events. This raises the issue of how dangerous it can be to exploit the new opportunities provided by the Internet naively and/or inattentively – which is all the more serious given that media people are involved.
We banned publication of the pictures and reported the cases to the National Board of Journalists and the National Publishers' Federation, requesting that our recommendations be adequately circulated.
A novel, significant issue has to do with the online publication of the archives of newspapers and TV channels.
Any past event that is stored in those archives can be dished up today – add the use of search engines and the contextless information retrievable via them, and you are in for unprecedented problems that can potentially cause havoc to persons' lives.
Our past becomes a sort of endless present – it is no longer possible to expect that painful stories perhaps belonging to a person's past life will be forgotten and remain confined within conventional archives.
We stepped in several times, either following complaints or based on reports submitted by data subjects. Whenever we held that there was no current interest in becoming acquainted with the given information, we recommended that the data be at least anonymized without being retrievable any longer via general-purpose search engines – i.e. they should only be accessible via internal search engines.
However, we are not fully satisfied with our decisions, because we believe they are not enough to tackle a phenomenon whose implications are difficult to fathom. This is why we will continue our analysis by also involving media practitioners.
A similar case had been highlighted by our DPA last year in respect of the online publication of parliamentary questions dating back to several years before, where detailed information was to be found on events that had been subsequently disproved.
We think that the best solution might consist in preventing general-purpose search engines from accessing at least the texts of parliamentary motions, questions, etc., as this would not affect public availability of the information at issue.
Finally, we are witnessing the multiplication of technologies that enable as good as peer-to-peer information exchanges by enhancing the relationships between information providers and information recipients – which is one of the most fascinating features of today's world. From blogs to social networks up to the recent (though no longer leading-edge) Twitter, information is nowadays increasingly produced by world-wide continuous, collective communications.
The current events in Iran show that these tools, in particular the most innovative ones, are the foundations of an unprecedented type of democratic resistance. At the same time, such in-depth transformations require us to reconsider the meaning and import of "information" nowadays. This is actually the focus of attention firstly by media practitioners, and secondly by representatives from cultural and law circles as well as by all the Authorities like ours.
Looking at the Future
Beyond the Pillars of Hercules: Data Protection and New Technologies
We are committed, first and foremost, to the staunchest defence of citizens' right to be masters of their own data and protect their privacy.
Still, it is increasingly difficult and complex to cope with current reality by using the traditional tools at our disposal.
We live in a world where surveillance is growing more pervasive by the day – where practically everything about us becomes data that can be stored, kept, matched and used for the most diverse purposes by the widest possible gamut of entities, thanks to modern technology.
Affording everyone full control over their life and – accordingly – their personal data would seem increasingly to be the last dream of contemporary mankind.
Today, the right to data protection is set forth in Charters of Rights and recognised by the European laws and case law as well as by national case law. Still, never was it more difficult than it is today to effectively and efficiently uphold this right.
Each of us may build up a thousand different identities, at times temporary in nature, or else be identified and portrayed in many different ways.
The traditional dimension of space is changing because the network allows us to exist in any area of the world. The time dimension is also changing because information and data can live on the Net irrespective of any time constraints.
With every passing day we lose our hold of a valuable good: namely, the possibility to decide what should be disclosed or concealed about ourselves, how we wish to appear or be – in short, the possibility to shape our image vis-à-vis the world and in the world.
This is placing a burden on all of us that risks becoming insufferable.
Mankind is exposed to a stark-naked experience that only Adam and Eve were capable of living with in the Garden of Eden.
Today's big revolution is taking mankind beyond the Pillars of Hercules, travelling towards an unknown future – an undertaking mankind will never shy from.
It is everybody's responsibility, and in particular it is the responsibility vested in our Authority, to raise public awareness and help people be reasonably free to master technology without becoming slaves to it.
The Need for New Rules and the Drive Towards Global Regulation
Re-Defining Fundamental Rights, Their Limitations and Implementing Mechanisms
It is necessary to undertake an in-depth overhaul of the contents, scope and implementing mechanisms of fundamental rights, which are the most valuable legacy of century-old battles and which we are expected to get across to the new world.
In the society where we grew up, reconciling the different interests and rights was left to the individual local communities via the respective law-makers, judges and administrative bodies.
But how should we apply those principles without changing the rules in today's society?
How should we gauge the right to be informed and inform in a context where the boundary between public and private communications is becoming so blurred as to be almost imperceptible? How should we apply the principles of purpose limitation, data minimization, proportionality when faced with a reality that is increasingly free from any geographical constraints and is taking on a global dimension?
The very circumstance that blocking the Internet, shutting down social networking sites, and hampering the use of mobile phones are the prime retaliation tools used by totalitarian regimes shows that the frontier of democracy is closely related to the freedom to access the new communication systems.
Democracy and the rights rooted in democracy can only exist if they turn global.
Nor is it less difficult to descry how the right to know should be construed in the new world. We all are deluged with information, and it is often impossible to establish sources or reliability of that information – with the attending risks of manipulation, forgery, and undue rectification.
New balancing approaches are also necessary with regard to the relationship between security and freedom.
The need for security is giving rise to an all-pervasive surveillance society, where data and information are hoarded indiscriminately across national borders.
This is a new kind of reality that is bound to undermine the very foundations of our freedoms in the absence of regulation and governance.
The same applies to the world of business and societal relations, which is increasingly dependent on data exchanges, the exploitation of information, and network-based relationships.
From this standpoint, the world of the Net is the mirror image of the world of global finance that has produced the current crisis because of the lack of any rules and regulators.
Past rules and institutions, indeed our long-cherished democratic structures grounded on the link between community, sovereignty, and territory, are increasingly unequal to the task of coping with this new world.
In this context, the resurgence of State-centred approaches adds to our concerns. One can increasingly see attempts by States to do things their own way, prohibiting what is permitted in the rest of the world. In the long run, this might take the clashes and tensions existing worldwide directly to the heart of the Web.
At a time when the shortcomings of unbridled globalisation push countries increasingly on towards power politics approaches, the only way to prevent huge worldwide conflicts from breaking out – assuming this can still be possible – consists in managing to devise world-wide shared rules.
This holds true – which is far from negligible – for data exchanges and telecommunication systems as well.
Towards Global Regulation
We urgently need new, shared rules.
We must protect Net freedom against those attempting to muzzle it, and we must protect Net users against latter-day bandits in the new digital Far West.
We need Authorities that can reconcile the domestic dimension as related to national culture, traditions, and interests with a global vision. This is by now indispensable, because this is where the going really gets tough. And this also applies to data protection.
The age of national and European guarantors is coming to an end. We increasingly need new regulatory and supervisory authorities that can work jointly.
An international agreement is necessary along with the setting up of a supranational organization affording a co-operation umbrella to all data protection authorities – based on shared principles that are mutually enforceable. We need a new, larger WTO – not so much to regulate international trade, as to bring about sound, clear-cut rules for the huge system of communications networks that is the throbbing heart of today's world.
This is the frontier where the DP Authorities from Europe and the most advanced countries are already at work to pave the way.
The next International Conference in Madrid will be tackling this issue, following up on the one in Strasbourg of the past year in order to work out shared international standards for data protection. This objective was recently re-affirmed as also related to the law enforcement sector. We will have to work long and hard and put much time and effort into this undertaking aimed at setting forth rules that can only be made binding by way of an international Treaty.
Our Authority is ready to be at the forefront of this joint initiative. We trust that we can count on our country.