The Italian Data Protection Authority presented its 2019 Activity Report: main findings
Topic: Legal Area
by Sergio Guida
The Report illustrates the various fronts on which the Authority was engaged during the extension year of its mandate.
The most relevant interventions
2019 saw a series of interventions centred primarily on the significant innovations introduced by the GDPR and on the major issues related to the protection of people's fundamental rights in the digital world: ethical implications of technology; the data-driven economy; large platforms; big data; artificial intelligence and the problems posed by algorithms; system security and cyberspace protection; the pervasiveness of the different forms of control and surveillance; the increasingly widespread use of biometric data; monetization of personal information; fake news; the Internet of things.
- Online data breaches and the risks of hidden profiling: the past year recorded the 1 million euro penalty imposed on Facebook for the violations that emerged as part of the investigation into the well-known “Cambridge Analytica” affair, which also affected Italian citizens.
- Dangers posed by ‘TikTok’, the Chinese social network that allows the creation and sharing of audio, video and images and is used by millions of users, most of them very young: the Authority obtained the establishment of a specific task force within the EDPB.
- Cybersecurity and the lack of attention to security measures by public administrations, businesses and online platforms: the Authority continued its surveillance and intervention activities, also following cases of particular gravity.
- Precise prescriptions have been given about the safety of a political participation platform.
- Data processing for national security purposes and guarantees to be assured to citizens: cooperation with intelligence has been strengthened with the new protocol of intent on cybersecurity signed with the Safety Information Department (Dis).
- Cyberbullying: a memorandum of understanding has been signed with some Regional Committees for Communications with the aim of strengthening the protection system and activating a timely and coordinated intervention network to protect young victims.
- Defence against harmful software, in particular ransomware. Indeed, this threat has been particularly dangerous in the era of Covid-19, which has led many more people to be connected online for much longer.
- Protection of ‘the right to be forgotten’ has been further strengthened, and the international debate on its defence beyond European borders has developed.
- Work: the Supervisor has defined the guarantees for the collection of fingerprints of public employees for the purpose of combating absenteeism and has set the rules for the use of new technologies, with particular regard to the control of workers and email management.
- Justice: the Authority has proposed measures to ensure greater guarantees in the use of so-called ‘trojans’ for investigative purposes and has signalled to the Justice Minister the need for an organic reform of these particularly invasive investigative tools, also to limit the serious risks of their distorted use, which emerged e.g. in the "Exodus" case.
- Health: clarifications were given to citizens, doctors, local health authorities and private subjects on the innovations introduced by the EU Regulation and national legislation.
- Public administration: the Authority called on the administrations to respect the canons of proportionality and to reconcile the obligations to publish documents with people’s dignity. It has set precise rules for exercising the right of civic access and has asked for more protection for whistleblowers. For the new permanent census, the Authority asked for guarantees to strengthen the protection of the huge amount of information collected, in particular by improving the techniques of data pseudonymisation.
- Tax system: the Supervisor asked for safeguards to avoid disproportionate treatment of taxpayers' personal data and security measures for access to the financial resources archive for the pre-filled “ISEE” (Equivalent Economic Situation Indicator). For the electronic invoicing system, the Authority reiterated the need to guarantee proportionality and selectivity in the storage of taxpayer data. Guarantees were also set for automated processes for the purpose of combating tax evasion and rules were established for the launch of the new "tax lottery".
- Welfare: the Authority asked to bring the mechanism of recognition, disbursement and management of citizen’s basic income in line with European legislation, avoiding overly invasive monitoring of individual consumption choices and ensuring the selectivity of access to information relating to weak sections of the population.
- Consumer protection: the Supervisor intervened against aggressive telemarketing with the application of heavy penalties (one of 27.8 million euros and another of 11.5 million euros) to operators who used the data of the subscribers without their consent. New rules have been launched to protect consumers registered in credit information systems, to respond to the challenges of the digital economy and to impose transparency on the functioning of algorithms.
- Relationship between privacy and the right to inform: the Authority intervened several times to censure the morbid excesses that characterize a certain way of providing information and to ensure the appropriate safeguards, first of all for the victims of sexual abuse, especially if they are minors.
- Supporting companies and public administrations with intense training, including through international cooperation projects (T4Data and Smedata), for the purpose of correct and effective application of the EU Regulation, also with regard to the new position of the ‘DPO’, Data Protection Officer.
With 137 meetings, it was characterized above all by the support action for the application of the Data Protection Regulation.
Within the European Data Protection Board (EDPB), our Authority has contributed to the adoption of numerous guidelines and opinions on complex issues: codes of conduct; privacy by design and by default; online contracts; video surveillance; data transfers to non-EU countries based on binding corporate rules (BCR).
The Authority also participated in the cooperation and coherence mechanisms ("one-stop-shop") provided for by the EU Regulation, through daily exchanges of information and documentation (in particular concerning decisions on cross-border complaints) on the IMI system used for this purpose.
Noteworthy was the work carried out on the interaction between the European Regulation and the e-Privacy Directive, as well as the activity for the Council of Europe, which, through the specific Committee in charge of following data protection issues, chaired by a representative of the Italian Authority, continued the follow-up work on the Protocol amending Convention 108, which gave birth to the so-called "108+ Convention". The Convention 108 Advisory Committee also adopted the Artificial Intelligence Guidelines and the Opinion on the draft Second Additional Protocol to the Budapest Convention on Cybercrime.
The contribution made within the OECD was also significant, in particular with regard to security and the protection of privacy in the digital economy for the online protection of minors. Collaboration has also intensified within international groups (such as the Global Privacy Enforcement Network, GPEN), which promote joint and targeted interventions to verify compliance with data protection legislation.
Last but not least came the work carried out in relation to the control activities on the national application of the EU regulations concerning the Schengen system, Europol (European Police Office) and VIS (Visa system).
Source: Autorità Garante per la protezione dei dati personali - Relazione sull'attività svolta nel 2019. Sintesi per la stampa.