Speech by The President of the Italian Data Protection Authority 2010
Speech by The President of the Italian Data Protection Authority
On the occasion of submitting the 2009 Annual Report to Parliament
Rome, 30 June 2010
Mr. President of the Chamber of Deputies,
Your Excellencies, Ladies and Gentlemen,
This year's annual report does not only take stock of our activity, as it also contains an analysis of the role, functions, and tasks applying to our Authority. This is made necessary by the difficult times our country is going through as well as by the issues currently debated in Parliament, which relentlessly conjure up the privacy argument – although the point is missed in some cases.
1. The Treaty of Lisbon and the Protection of Personal Data
Data protection as a fundamental right has been finally enshrined in the Lisbon Treaty and is applicable to all the areas falling under the EU's scope of competence including the common foreign and security policy.
The Treaty also provides that data protection should be ensured by independent supervisory authorities, which raises major issues in terms of homogeneous powers, tasks and independence vested in national supervisory authorities as ever-increasing convergence is necessary in this area.
Thus, we can expect significant legislative innovations to be also brought about at domestic level.
This is why we would like to draw attention to the peculiarities applying to our Authority in the debate concerning re-organization of independent authorities, since our supervisory authority is the only one that is mentioned explicitly in the Lisbon Treaty and is called upon to protect a fundamental right.
All EU Member States are to abide by this requirement in accordance with the principles of consistency with and adaptation to the new European legal framework.
Accordingly, a major challenge to be taken up has to do with the operation of independent authorities grounded in European law.
2. Our DPA and the Data Protection Crossroads Today
Our mission is protecting citizens' data against unlawful processing and ensuring that whoever is in charge of protecting such data does so appropriately; this is why our DPA is at a crossroads where all human relationships intersect that rely on the exchange of information.
Ours is a crossroads that has become key at a time when communication technologies are developing fast and networks are being globalized – giving rise to previously unconceivable mechanisms to stay and get in touch such as social networks as well as to new location and mapping mechanisms and the increasingly pervasive networking of all aspects of our life.
This is a multifarious reality where past, present and future are becoming blurred and everything is in danger of turning into everlasting present.
The world is increasingly a mesh of digital routes that are mutually interconnected; they cross, intersect, diverge, go in different directions.
Faced with all of this, both an innocent bystander and the lawmaker may feel dismayed and downright powerless.
It is no chance that some have argued that today's world will not afford any measure of privacy any longer, and this will be all the more so in future – giving rise to a society where everyone will be able to access every piece of information, where it will no longer be possible to keep anything confidential.
It is the picture of a world featuring all-pervasive knowledge – almost omniscience, which might soon turn into a nightmare in which everyone will be controlling everyone else and no room will be left – small as it might be – to individuality.
The changes we are experiencing are challenging values, principles, and rights and call upon us to re-consider the legal categories on which our legal systems have been founded.
This is all the more so for our DPA, whose scope of competence is more substantial than is the case in other countries because this is what our Parliament decided.
In Italy, it is not only natural persons, but also legal persons that are entitled to the protection of their data; our DPA is the only one in Europe that is also specifically competent for the use of personal data by media, which often requires us to act as arbitrators in handling the ever-unstable relationship between freedom of the press and protection of privacy.
Finally, we have more extensive powers than other DPAs as also related to enforcement and – generally speaking – public administrative agencies, security, and judicial organisation.
This is why our DPA can work as a watch-tower from its vantage point – observing the present and, above all, the future.
3. Our Work: Some Figures
Our workload was quite demanding also in the past year.
The decisions and measures issued by the collegiate panel of our DPA totalled almost six hundred in 2009. Almost 4,000 requests for information, reports and claims were handled by our Office. In forty-three cases, information was preferred to judicial authorities concerning breaches of the law.
Over 400 inspections and inquiries were carried out, mostly with the help of the Financial Police – and we wish to express our warmest thanks to the privacy squad of the Financial Police and its commanding officer.
If one also takes account of the first six months of 2010, over three million Euros of fines were levied – including a fine for over 1 million Euro imposed on a major telephone operator in connection with trafficking in pre-paid phone cards.
In over six hundred cases the administrative procedure related to imposition of a sanction has yet to be finalised.
At European and international level, our activities continued at a very fast pace.
Outreach and communication initiatives implemented by the competent Service were also quite demanding.
On a separate count, our activities also profited from the contribution coming from the "Privacy Lab", which is being managed by my colleague Mr. Fortunato at his own initiative and outside the scope of our institutional activities. Mauro Paissan focused in particular on the dissemination of our decisions concerning press and media, whilst the Vice-President, Giuseppe Chiaravalloti, took care of pharmaceutical and medical research issues.
In short, it can be argued that last year's work proved unquestionably equal to the traditional commitment shown by the Italian DPA in discharging its tasks.
We wish to thank the Office as a whole for the work done along with the two Secretary Generals, President Patroni Griffi and Mr. De Paoli who took over from the latter in the course of this year.
Still, we know we must do more – although the budgetary cuts due to the problems affecting Italy's financial accounts have downsized our funding and placed additional constraints on our work.
We did accept responsibly to keep our expenses under control, and we are actually re-considering some operational mechanisms in order to further reduce costs.
Our DPA is a slim-bodied organization including a small number of highly-skilled staff, and we think it is giving Italy more than what it is taking from it.
Next year will mark the fifteenth anniversary of the passing of the Italian data protection Act. These fifteen years featured our continued development, and we think this should be so also in future.
This is partly why we are requesting that we will not be deprived of the resources we need to carry out our activities.
4. The Hard Core of Privacy
In many important areas there is widespread awareness of the need for protecting personal data. This is what we might term the "hard core" of privacy.
I am referring, first and foremost, to the veritable heart of our law – setting forth and protecting the need for consent and, even more so, appropriate information as preconditions for personal data to be used lawfully; this also applies to citizens' right to know whether their data are kept and used by other entities, how the latter entities obtained those data, why such data are to be processed – including the right to have incorrect data rectified and unlawfully kept data deleted.
As for these principles, the battle waged to disseminate the right to data protection in our country did make major steps forward.
This does not mean that there are no breaches of the law, indeed there are cases where the law is shamelessly and repeatedly violated – still, both the offenders and the victims know that they are faced with a breach of the law as well as of civility.
Thanks to the decisions and guidelines approved by our DPA over the past few years, the protection of personal data in the employment sector would appear to be sound.
I am not referring simply to the rules that ban the use of workers' data via remote surveillance mechanisms – which are set forth first and foremost in the so-called "Workers' Statute"; I am also thinking of the rules whereby collecting and keeping these data must be in compliance with the principles of relevance and data minimization.
This applies, for instance, to the use of biometric and sensitive data in the employment sector and the relevant rules.
Importance should be also attached to the guidelines and decisions on the use of emailing and Internet services at the workplace. This issue along with the protection of customers' and vendors' data has often been the subject of confrontation between our DPA and the business world, in particular small-sized businesses.
On the other hand, the simplification measures we introduced allowed striking a reasonable balance between the different requirements at issue.
We believe the ultimate outcome to be fully acceptable and hope that the new impulse given to cutting red tape for enterprises will not jeopardise the current balance.
The crisis situation we are experiencing is bringing up well-known problems as for the relationships between businesses, users, and consumers.
There are two sectors where significant tensions are still rife.
One has to do with credit reference agencies, which collect and store data on consumer credit and accordingly allow reducing risks and losses.
Whilst this activity can impact directly on citizens, who may fail to be granted a loan because of a transiently difficult financial situation, it is also a tool that can reduce corporate risk especially at a time of crisis. These problems are compounded by the crisis and difficulties that are currently experienced by individuals and companies alike.
The balance struck by the Code of Conduct for consumer credit has been upheld so far, and the requests by the corporate world to set up credit reference agencies in other business sectors have not been granted.
There is a permanent undercurrent of tension in this area that requires special care and a responsible approach.
Monitoring debtors' conduct to identify especially needful situations and afford appropriate support, at least in terms of basic services, is an altogether different kettle of fish.
No response can be given to this issue by relying on current legislation.
We hope that, with the lawmaker's help, a balanced solution can be found that is consistent with the overall system.
A sound balance has been long achieved in respect of consumer profiling for commercial purposes; however, this balance is continuously in danger of being undermined.
Increasingly sophisticated systems to monitor behaviour are being developed by using different technologies, which is producing new profiling mechanisms especially in connection with web-based services.
The use of modern technologies along with the globalised dimension of the Net make it increasingly daunting to ensure respect for our rules by operators that are established in other countries where more lenient laws are in force, which affords them an unfair competitive edge also in our country.
We are trying to counter this development by all possible means. We cannot and should not accept that citizens are deprived of all appropriate safeguards.
Finally, another important area where a satisfactorily sound stance could be achieved over the past few years has to do with sensitive data, even though there are unfortunately severe breaches of the law that still require our DPA to step in.
We recently ordered health care practitioners not to collect information suitable for disclosing HIV-related diseases at the time a patient is hospitalised and goes through the administrative routine, since only the treating physicians are lawfully entitled to process this information.
Initially this approach was regarded as excessively dangerous by some medical associations, which believed it might expose physicians to health risks.
Thereafter the rationale and grounds underlying our decision were understood.
Another important initiative by our DPA concerned the guidance issued on electronic health records and online medical examination records.
We collaborated with Regions and the Ministry of Health and launched a wide-ranging public consultation on the drafts, which for the first time in Europe have set forth guidelines to appropriately process personal data along with the necessary security measures.
In this manner, we averted the risk that different organisational and technical mechanisms might be implemented by the individual Regions in the absence of unified standards – which would have prevented setting up a nationwide interconnected system.
We followed the same approach in laying down the arrangements applying to the processing of online medical examination records.
Important opinions were also rendered by our DPA concerning health care – such as the one on the registers of mammal prostheses, which prevented the census data of the women concerned from being uselessly disclosed.
5. The Hard Core of Privacy: Large-Sized Databases
Another area that is by now part of the hard core of privacy has to do with large-sized databases.
Our controls concerned initially the databases of major telephone operators and were subsequently extended to Italy's census register; this year we addressed the database of INPS (the national social security body).
We gathered considerable experience in analysing the various criticalities of databases, in particular those that can be accessed by a large number of entities.
We make this experience available to the fiscal federalism project, whereby new databases will have to be set up and a closely-knit network of relationships created between those databases and the different local governmental bodies.
Our work will also be useful to implement the budgetary measures currently tabled before Parliament, as those measures envisage the creation of new databases in especially sensitive areas.
Reference can be made in this regard to the Welfare Register, which should collect, keep and manage information, income data and other items of information concerning welfare beneficiaries; this is clearly a very sensitive database that will be accessible by the State, local authorities, non-profit organisations and statutory welfare agencies.
We welcome the fact that it is expressly provided that those measures will have to be implemented in compliance with data protection legislation.
Another daunting issue has to do with the establishment of the consolidated real estate registry, which will be managed by Agenzia del Territorio [a public body in charge of keeping and handling cadastral and real estate information] but will also be accessible by local municipalities. Again, our involvement will allow ensuring top protection of data and processing operations.
New, considerable data flows are also envisaged in connection with municipalities' role in checking tax and employment contributions as well as with a view to notifying INPS of the identification data concerning certain beneficiaries.
Several innovations are also expected to be implemented as for the census surveys carried out by ISTAT [Italian Public Statistics Institute].
6. Data Protection and Telecommunications
Over the past years, our DPA contributed to the strengthening of data protection as for telephone operators and traffic data repositories.
Recently we made a further step forward in regulating customer profiling and the sale of telephone data for marketing purposes by specialised companies.
This was a difficult task and was made possible by in-depth inspections.
And it goes to show that our DPA does not simply issue formal rules, as it actually takes the steps required to punish any violations of those rules.
Still, we take great care in striking the right balance between protecting citizens and the need not to hamper economic development.
Data protection is no enemy to defeat; in fact, it is an essential component of any well-regulated society.
Conversely, we did not achieve satisfactory results as for the fight against unsolicited promotional calls, unsolicited faxes, and any other type of communication used unlawfully for marketing purposes.
In spite of the increased imposition of sanctions, this is an industry sector that continues breaching the law.
Indeed, it is a sector that keeps pursuing shamelessly unbridled competition by relying to an ever-increasing extent on the differences in domestic laws and using the argument of the difficult employment conditions applying to the workers engaged in these services – most of whom are employed on a time-limited basis – as an excuse.
Parliament recently decided to shift from the opt-in system for telemarketing to a mechanism whereby telemarketing is permitted subject to the subscriber's objection.
We hope that the new mechanism – whose implementation is actually lagging – will be respected by this industry sector to a greater degree and will ensure more effective safeguards to citizens.
However, if it is violated to the same extent and as shamelessly as it has been the case with the current system so far, we will resort to all available tools – including a request for European institutions to step in, the Court of Justice of the EU not excepted.
7. Our DPA between Citizens and Businesses
Our DPA stepped in many times and in many different sectors during the past year in order to reconcile the protection of users' and consumers' rights with business requirements.
We made major efforts to keep the protection of citizens at its top whilst doing away with formal obstacles that hampered foreign investments.
This is why, in line with the other European DPAs, we allowed multinationals to adopt unified, binding corporate rules for data protection that are applicable in all countries where such rules have been found to be adequate and compliant with domestic laws.
An important issue concerned the so-called whistleblowing, i.e. the mechanisms for employees to anonymously report on alleged breaches of conduct within businesses. This reporting mechanism was devised in the American world following the major financial bribery cases of the past few years.
Its introduction into our country is fraught with difficulties related to both civil law and labour laws, which make it impossible to apply failing specific regulations.
We called Parliament's attention to this issue – without receiving any response so far – so that specific legislation could be enacted. This goes to show, once again, that our activity is mindful of the broader picture – we aim at protecting citizens' fundamental rights as well as fostering competitiveness of the business sector.
We started an in-depth investigation into the mechanisms deployed by banks and financial institutions to process, store and protect customer data, which highlighted both best practices and flaws, shortcomings and backwardness.
In close co-operation with the banking sector and the relevant trade associations, we are about to issue guidelines setting forth security measures and specific requirements that will go beyond the provision of – often foggy – information notices.
8. Where Privacy Got Stuck
The balance that can be drawn looking at the past year along with the growing pervasiveness of the privacy culture show that our DPA has become stronger – especially in key sectors and vis-à-vis the decision-makers grounded in our Constitution, such as government, Parliament, the public administration, and society as a whole.
Still, there are areas where we are faced with structural shortcomings of our country such as to factually make our efforts unsuccessful.
I am referring basically to the judicial sector, some national security bodies, and health care.
We devoted much time and attention to the processing of judicial data as well as – generally speaking – to processing operations by the judicial administration; we issued decisions, laid down guidelines, carried out inspections at both standard and administrative courts.
We repeatedly addressed letters to Italy's Judicial Council (Consiglio Superiore della Magistratura) and the Minister of Justice asking for adequate resources to be made available to judicial offices.
The results were ultimately unsatisfactory.
We are unfortunately faced with very serious shortcomings.
The breakdown experienced by the services of many judicial offices is not simply in breach of data protection rules; in fact, it is against the basic principles of any legally sound democratic society.
Yet, we will keep on asking the judicial administration to better respect our rules.
Indeed, we never failed to collaborate with the Ministry of Justice and the judicial administration whenever this proved necessary.
Proof is given by our opinion on civil proceedings held via electronic means, including the security measures we recommended to ensure that full-fledged protection of the judicial data to be processed could be ensured from the very beginning.
Another area where we did not spare our efforts but did not manage to achieve the results we expected has to do with data processing by the police, in particular where related to investigations by judicial authorities.
Like we did in the past for the Data Processing Centre of the police, this year we inspected the Italian facilities that are part of the Schengen Information System and ordered some measures to be taken – which has only been done in part so far.
We have been asking for years – to no avail – that the list of the police databases set up in Italy be made known; in spite of the promises and undertakings we received, no such list has been published yet.
A third major sector where we have been repeatedly unsuccessful, at least so far, has to do with public hospitals.
Due to the shortcomings affecting the organization, operation, at times the very buildings of public hospitals, our guidelines addressed to health care bodies to ensure that patients' dignity could be protected better have been applied in a very patchy way so far.
9. Privacy amidst Inconsistencies and Tensions: The Shifting Balance of Privacy vs. Transparency
Some ongoing developments entail our ever-increasing involvement.
This applies, first and foremost, to citizens' right to know all the operational mechanisms of the public administration, with particular regard to the use of public resources.
In our legal system, this strive towards getting information on all the activities involving the use of public resources has been termed transparency.
The transparency principle is intended to reverse the conventional relationship between administration and citizens, where exclusion and secrecy have typically featured and have been only partially counterbalanced by the right to access public records and participate in decision-making.
Indeed, this principle has already been implemented in several recent pieces of legislation that have provided for making an increasing number of instruments and decisions public and/or publicly available – with particular regard to the awarding of welfare benefits and eligibility for specific on-demand services.
Following the so-called Brunetta reformation, transparency became a pivotal principle of public administration – closely related to the use of the Net and the posting of online information.
The wide-ranging, pervasive scope of this principle is bound to give rise to some tensions with the privacy principle and also challenges some key data protection principles – such as the close link to the purpose sought by way of dissemination of the given piece of information, and the determination of who has the right to know such information; for how long such information may be disseminated; and when it is to be deleted.
All these issues lose much of their significance if transparency is regarded as a purpose per se. However, one may unquestionably challenge sweeping statements to the effect that public administrative agencies ought to make available online all the information they hold, or that the same rules ought to apply to whatever type of information – as this would entail the very tangible risk of enabling everyone to control everyone else's doings.
The ultimate result would be a society where no privacy would be available, so that the mere fact of having to do with the public administration would require everyone to accept that all the information concerning them may be disclosed.
There would be no longer any possibility to protect sensitive data nor could one safeguard the dignity of any person that has petitioned for and been granted an allowance, some disability benefit, some support in case of need, or the recognition of a privilege related to their economic, social and/or health status.
It would a horrible society – one which would bring about the glass house that has ever been dreamed of by dictators as well as by any ideology that prioritizes community/societal interests over the individual's freedom and autonomy.
It would be a nightmare, which might actually worsen if one placed no limitations on availability of the information that is disseminated on the Net by search engines. Indeed, search engines strip away all reference to the context of the public administrative websites that information is taken from and use it to create artificial, often fabricated biographies on the basis of criteria that are mostly unfathomable.
Our DPA has long been addressing requests for opinions concerning the online processing of individual data categories – in particular data on wages and other items of information relating to senior officers in the public administration. We have handled several of such requests and also started dealing with some of the most significant criticalities.
We now think it is urgent to draw up new guidelines that should allow fulfilling transparency obligations without violating privacy principles.
We plan to have such guidelines ready shortly after the summer break.
We will co-operate closely with the CIVIT, the new Committee in charge of laying down guidelines for enhancing transparency, and we will foster as wide-ranging consultations as possible.
We expect a knowledgeable public opinion to help our country as a whole to take a major leap forward in this sector.
In any case, we should prevent even the merest suspicion that privacy is used as an excuse to shield corruption, favouritism, or the misuse of public funds – in short, as a tool to prevent citizens from being democratically in control.
In fact, we have ever fostered public access to information on how public resources are used.
A significant example in this regard is provided by our decisions concerning RAI [Italian public TV broadcaster]; ever since 1997 we have repeatedly clarified that data protection is no obstacle to the disclosure of corporate data on the use of public funds – starting from the salaries paid to the employees.
Reasoning on how to disseminate this information is a different kettle of fish; we recently clarified that the information in question was only to be posted on the company's website under the law. This issue was recently brought to our attention once again by RAI's director general, who also applied to other independent authorities.
We will consider this issue carefully, although there does not appear to be any change to the applicable legislation such as to require a different approach.
10. Privacy amidst Inconsistencies and Tensions: The Shifting Balance of Privacy vs. Freedom of the Press
Another area where there is continued tension with data protection principles – especially in terms of a person's right to privacy – has to do with freedom of the press and, more generally, freedom of expression.
The large-scale availability of online media is raising unprecedented challenges.
One cannot help wondering whether the online reproduction of the archives of newspapers, including video archives, is to be regarded as the latter-day expression of the (by now) timeless freedom of the press, or rather equated to the dissemination of historical information – especially if the archives contain information on temporally removed events – in which case it should attract the data protection rules applying to this type of activity.
Regarding the Internet, a question that has to be addressed is, once again, whether, under what circumstances, and to what extent it can be helpful and appropriate for the online websites of newspapers and other media – or at least for the sections of those websites that contain archived information – to be accessible in all cases to search engines; search engines, as already pointed out, capture and de-contextualize the individual items of information, so that even temporally removed events become part of a timeless present and no check is performed on whether there is a reasonably substantial public interest in knowing such information.
These are highly important issues and keep coming up with ever-increasing frequency.
So far we have chosen a case-by-case approach. We have often requested the individual newspaper websites to prevent search engines from accessing certain items of past information we considered to be no longer of public interest.
In other cases we have rejected the complaint or the individual claim because we considered that there was as yet a public interest in knowing – given the importance of the event/news item and the short time span elapsed since the said event.
Still, it is unquestionable that a wide-ranging, in-depth public discussion is necessary and that such discussion should involve both practitioners and society as a whole.
On a more traditional note, the search for the right balance between freedom of the press, right to be informed and protection of the privacy of individuals focused on two especially significant areas in the past year.
One of them concerned mostly non-VIPs and provided an opportunity for reiterating the limitations to be complied with by the press whenever victims of violence – in particular rape – are involved.
We repeatedly recalled that enhanced safeguards are necessary in such cases, and that no details should be disclosed by the press such as to enable identification of the victims.
Another area of activity concerned, once again, VIPs and their children.
We granted the complaint lodged by a father against the publication of pictures showing his children in a swimming pool with him and his girlfriend, as it could be shown that – on account of the specific circumstances - this might be seriously prejudicial to the children's psychological profile. Conversely, we rejected the complaint lodged by another VIP parent concerning publication of a picture of his child on a weekly; in the latter case, the picture had been taken on a public occasion, the child's father was clearly aware of it, and the picture was unquestionably meant to be disseminated.
We have been following the discussion that is in progress, both inside and outside Parliament, on what is known by now as the "phone tapping" bill.
We have refrained absolutely from participating in the discussion so far, as we considered it inappropriate – especially since Parliament can at any time ask for our views by way of an ad-hoc hearing.
We will stick to this approach also in future.
However, this Report is addressed first and foremost to Parliament.
Accordingly, we find it necessary on this occasion to clarify some issues that have to do more closely with the relationship between judicial investigations, freedom of the press, and protection of privacy.
In principle, the relationship between freedom of the press and privacy should be assessed on a case by case basis. Freedom of the press and privacy are unavoidably at variance; depending on the specific circumstances as well as on whether there is a public interest to be informed, the cursor may shift towards freedom of the press or else towards privacy.
As for the relationship between judicial investigations and protection of privacy, the scales are always tilted in favour of justice because judges must be enabled to establish the facts at issue – subject to their being obliged, also by data protection legislation, to protect any information they may have acquired in connection with their tasks and to use that information in accordance with the applicable procedural rules.
In principle, the investigational tools judges are empowered to use by law should be assessed by having regard to the requirements of justice – which does not rule out Parliament's power to also assess, in a prudential perspective, their impact on citizens' fundamental rights.
On the other hand, it is unquestionable that not even fundamental rights per se are an impassable boundary for judicial activities and the investigational tools judges are empowered to use by law.
Nor is it per se in breach of freedom of the press that limitations are placed on the dissemination of judicial records – in particular those a judge has ordered to keep secret – to prevent information from leaking out and possibly jeopardizing judicial activities, especially in the pre-trial investigations phase.
However, laying down specific limitations on the dissemination of judicial information by relying on the nature of the investigational tools used to collect that information is an altogether different story. This is the objective of the bill currently under discussion, which provides for specific limitations on the publication of tapping records – not so much because they are contained in a judicial file, which may be published in a summary version, but because those records were collected by means of wiretapping.
In the latter case the need is felt for justifying these specific limitations as applying to this specific investigational tool – and this is why reference is made in particular to privacy.
However, reference is made not so much to factual instances where protection is required in connection with specific privacy constellations, as rather to a sort of a priori protection that is to be afforded from a general standpoint to any data that is collected – based on the assumption that the protection of the data in question overrides any other requirements because of the features of the investigational tool used, which allows tapping conversations between individuals.
By doing so, one shifts the balance between freedom of the press and protection of privacy totally in favour of privacy.
From this viewpoint, please allow me to say that this is a daunting challenge – one that relies on a general, theoretical position and takes no account of the specific contents of the information collected, so that the cursor I mentioned earlier is moved towards the no-disclosure extreme, i.e. towards privacy.
This is why it can be justifiably argued from many different quarters that freedom of the press is at risk.
On the other hand, it is unquestionable that the above concerns are somewhat exaggerated if one considers their sweeping nature – that is, the provisions at issue do not impact on all the other mechanisms for the exercise of freedom of the press, and even in respect of judicial activities they only apply to publication of wiretapping records, whilst any other items of information contained in other records or provisions on file may be disclosed in a summary version.
It is from a totally different standpoint that one should consider the concerns raised as for the sanctions threatening publishers, who are likely on this account to more frequently have their say prior to publishing certain news items.
In many countries with sound democratic traditions, freedom of the press is actually regarded as a right as well as a duty vested in publishers to no lesser extent than in editorial managers and journalists.
However, in the Italian case the approach followed in the bill does mark a significant departure from standard practice.
The Press Act that was adopted to fully implement the relevant Constitutional principles drew up a clear-cut distinction between the responsibilities and role vested in publishers as opposed to those applying to editorial managers and took care to ensure that editorial managers would be shielded against any direct interference by the respective publishers – partly because it is seldom the case in Italy that media publishers confine their interests to the media world.
But there is a further issue we attach special importance to.
The approach chosen in the bill now tabled before Parliament results ultimately into introducing a sort of dual-speed freedom of the press regime in our country – especially as regards respect for privacy.
Indeed, the bill provides that any violation by a journalist of the provisions on wiretapping carries criminal punishments and the relevant liability is shared between the journalist and his/her publisher.
Nothing changes, conversely, as for the remainder – i.e. as for all the issues related to freedom of the press and the need for reconciling the right to inform and be informed with the protection of privacy.
It will be up to our DPA – as well as to the courts seized under civil or criminal law – to strike this difficult balance also in future.
A case-by-case approach is required in this area, and in balancing the rights at issue one has to apply both the laws on privacy and the code of practice applying to journalists.
We wonder whether it would not have been preferable to refrain from introducing this sort of dual-speed regime and leave the whole matter to our DPA and the courts – possibly by providing that our DPA should hear journalists' and publishers' representatives prior to issuing a decision.
Still, we know that the strong criticisms levelled at times by journalists against our decisions along with the many cases in which freedom of the press was misused over the past few years – see the publication in full of wiretapping records that had to do most frequently with politics, sports, the show business and very rarely with organised crime or petty criminal offences, even though the latter had been a source of considerable social concern – might partly justify the suspicion that sales, market shares, and the fight with competitors are felt to be more important than the actual interests vested in the public opinion.
Hence the reaction staged by lawmakers, which has resulted into making decisions that are both highly demanding and definitely questionable.
One final remark.
Too often do we hear, also from highly authoritative quarters, that journalists have the duty to publish any items of information they come across.
This means forgetting, for instance, that although the name of a rape victim is news, nevertheless it is not publishable in all circumstances.
Additionally, this goes against the grain of a balanced relationship between freedom of the press and protection of personal data – at least to the same extent as the opposite view, whereby a lawmaker is allegedly empowered, in certain cases, to rule out that a given news item may ever be published in order to meet a sort of a priori privacy protection requirement.
Whilst taking the former stance means shifting the cursor by definition to the freedom of the press extreme, the latter means shifting it – again, in a priori perspective – to the privacy extreme.
Both approaches take a unilateral stance.
On our part, we will strive to always be reliable guarantors of the balanced relationship between freedom of the press and privacy to the extent this falls within our scope of competence.
11. Privacy amidst Inconsistencies and Tensions: Data Protection and Security
Yet another area where tensions are forever rife has to do with security – meaning the fight against old and new forms of crime by means of increasingly sophisticated technologies.
In a decision providing general guidance on video surveillance, we addressed security issues in depth and also initiated a consultation activity with both the Public Security Department at the Ministry for Home Affairs and ANCI [National Associations of Italian Municipalities].
Within this framework, we analysed the new powers entrusted to mayors as for urban security by drawing a distinction between powers related to security as such and powers that have to do more precisely with life standards in the urban environment.
We issued important recommendations for security bodies and organizations and called upon them to use information notices in order to signify the presence of cameras and other remote surveillance mechanisms. Informing citizens of the existence of these tools is an instance of civility and can also work as a deterrent.
We issued specific rules for those cases where video cameras installed by private entities are connected with a police office and/or various police bodies, including municipal ones.
By the same token, we required that our DPA's prior opinion should be sought if the so-called "smart cameras" were to be deployed – which allow specific types of surveillance; to that end, a prior checking procedure will have to be followed.
On a different note, we continued our collaboration with the Ministry for Home Affairs also in the past year; indeed, our contribution was sought increasingly also in drafting Ministerial orders and measures.
We have long been working on developing the rules that should apply to DNA databases and their operation. This is fundamental in order to fully implement the Prüm Treaty, which envisages the exchange of DNA information between law enforcement authorities of the signatory countries. It is a sensitive area that has also been addressed at European level by the WPPJ, which is chaired by our DPA.
Another area we focused on had to do with the use of body scanners.
In line with the stance taken by European DPAs, we highlighted the basic principles to be followed if this type of surveillance is to be resorted to.
We know that in-depth tests were carried out in Italy as for the different technologies that can be used.
We are ready and willing to carry out the appropriate prior checking, if we are requested to do so.
New security risks are brought about by IT networks.
Indeed, these networks are a "tool" that is used not only by businesses, but also by States' internal and external security bodies.
All communications and activities may be jeopardised by IT attacks.
It is necessary to fully implement the Cybercrime Convention – which entered into force on 1 July 2004 and was transposed in Italy by Act no. 48/2008 – as quickly as possible; we are following the relevant developments with the utmost attention.
Indeed, we chaired a working group that initiated various joint actions by the European DPAs and were the only DPA that participated in the Conference organised by the Council of Europe to discuss cybercrime-related issues.
Consideration should also be given to the risks arising out of the so-called "cloud computing" – a technology that will make control over data and information increasingly elusive, since data processing relies on servers that may be located anywhere in the world. This will make remote hard disk services increasingly widespread and foster the use of system hosting and outsourcing; third-party services will thereby become increasingly common and the de-location of stored data will be thriving.
It is a new frontier that is causing concern among both military and internal security bodies, as it entails hugely sensitive issues.
Our DPA has been working on these issues for some time. We adopted a decision on system administrators in this perspective, and carried out inspections at some nationwide databases to check that the required risk assessment had been performed, suitable network protection measures adopted, and the reliability of outsourcing services established.
Now we need a quality leap. It is necessary for our DPA to be provided as quickly as possible – perhaps by introducing the required amendments to the law – with an exhaustive list of the nationwide databases and their location including those managed by private bodies.
Enhanced international co-operation is necessary, as this has been missing so far.
12. The Future of Privacy: New Challenges
The Net and all the systems using it raise unrelentingly new issues. In virtual reality, conventional legal safeguards as well as data protection principles are sorely challenged.
Let us only consider the conflict – which has not been solved yet – between copyright protection and the need to prevent the unrestricted tracking of Internet navigation to prosecute possible violations.
This is a complex issue for which no shared solutions have been devised so far convincingly.
Only think of what has been inappropriately termed the "right to oblivion" – which is basically the right to prevent one's personal data from being retrievable if there is no current public interest in disclosing such data. This is a right that is quite difficult to enforce on the Net.
Consider the issues related to search engines, which by nature capture and use personal data unrestrictedly.
Or think of the risks posed by social networks, of which users are often unaware.
Think of the difficulties in verifying the age of Internet users and their legal capability, also in order to ensure their protection.
Think of the difficulties in reconciling the posting of public information that is to be publicized for a set period with the need to ensure that this information is erased unfailingly at the expiry of the said period – which is as good as impossible nowadays.
Think of the risks related to IT accidents, which the directives of the second "Telecom package" now require to be reported immediately to the competent authorities – in order to foster the ever-increasing integration of European telecommunications systems.
Special consideration should be given to the risks related to the new services made available by Google.
This applies to Google Latitude, which allows users to geographically locate other users by simply getting their consent via an SMS; it also applies to Google Maps, which in "my location" mode allows locating the individual user.
Currently, our DPA is focusing along with many other European DPAs on Google StreetView, which mapped our cities and also collected information on unprotected wireless networks in breach of the law.
The scenarios are increasingly complex as well as multifarious; careful analysis and balanced approaches are absolutely necessary.
Net freedom must be guaranteed, but rules and measures must also be imposed on practitioners so as to protect network security and the rights of all stakeholders.
It is on these issues and the solutions we will manage to devise, also internationally, that the future of privacy is dependent.
13. The Importance of Our DPA for Italy's Economic and Social System
Taking stock of the results we achieved allows highlighting what is the "place" of our Authority also with regard to the most pressing problems our country will have to tackle.
There are two main points to be made.
Firstly, data protection should no longer be limited to protecting the rights vested in individuals, since it is increasingly an essential component of Italy's economic and social system – in particular as for telecommunications and network-based services.
Secondly, it is increasingly urgent to lay down internationally recognised data protection rules. This is a precondition to tackle the new age of computerised globalisation by also ensuring adequate supervision and control.
If no shared, internationally recognised rules are available, the path towards effective data protection is bound to be blocked by impassable boundaries.
This is the scenario applying to the initiatives undertaken by the European Commission in order to outline the "future of privacy".
Our Authority is at the forefront in this area. We wish to be a valuable watchtower that keeps scanning the horizon to also anticipate any problems looming in the distance.
We are driven by a single objective in our daily work: being always equal to our country's expectations.
This is our Constitutional patriotism, because this is our mission.