1. Preliminary remarks – 2. The principal intervention of the DPA. Telemarketing. – 3. Electronic communications. – 4. Elections and propaganda activities. – 5. Cybersecurity and cyberbullying. – 6. Public administration and labor law.
1. On 14th July, the Italian Parliament appointed the new board of the Garante per la protezione dei dati personali, the Italian Data Protection Authority (DPA), by electing two law professors, one lawyer and a politician. From 29th July the new board will replace the previous one, and it is called upon to settle important issues, starting with the application of the Schrems II decision of the European Court of Justice.
The previous board had continued working for over a year beyond its natural expiry, owing to the difficulty of the political parties in agreeing on new members as well as to the pandemic lockdown.
However, before leaving its seat to the new members, and as it does every year, the Italian Data Protection Authority published its annual report, accurately examining all the activities carried out during the previous year and showing progress and results. The latest annual report was published on 23rd June 2020 and explains the different tasks accomplished by the Authority, with a particular focus on its many engagements and constant work during the health emergency caused by Covid-19.
In summary, the most relevant figures recorded concern collegial measures, complaints and reports, and questions. During 2019, the Authority adopted 232 collegial measures; provided feedback in response to 8,000 complaints and reports, especially about telephone marketing, health-care issues, consumer credit, IT security, the banking and financial sector, labor law and local public authorities; and considered more than 15,800 questions, which predominantly covered the obligations arising from the application of the EU General Data Protection Regulation, followed by those related to unsolicited telephone calls, mail, fax and promotional SMS, internet services, public and private employment relationships, video surveillance, private credit-risk centers and banking data. Besides, the Authority released 46 opinions on, among other topics, national security activities, the digitization of the Public Administration and the reform of the Public Register of Oppositions, and 33 opinions on transparency. The last figure concerns the 49 inspections registered during 2019, in the private and public sectors, regarding in particular marketing and financial intermediation.
The report covers all the interventions carried out in 2019, and primarily the major innovations introduced by the GDPR and the fundamental issues related to the protection of fundamental rights in the digital world. Indeed, the slogan adopted by the Data Protection Authority for the past year was “between continuity and innovation”: continuity is shown by the fact that the Authority's past decisions have been confirmed, since they remain current; innovation, instead, is represented by the adaptation to the newest demands, for instance to the Budget Law of 2020, which combats tax evasion by providing the Agenzia delle Entrate with more tools of verification and investigation.
2. Beyond its consulting activity, the Supervisory Authority carried out interventions in various fields concerning data protection: administration; health and scientific research; the judiciary; journalistic activity; cyberbullying; telemarketing; the private and public labor sector.
One of the most interesting sectors is telemarketing, which also constitutes the prevalent workload of the DPA. Indeed, the Authority usually receives a thousand reports denouncing illegal telemarketing, followed by the Authority's injunctions and convictions. Given the gravity of the phenomenon, the Authority decided to inform the Judicial Authority, specifically the Court of Rome, by sending a detailed and structured report about the aforementioned practice, called “wild telemarketing”, with particular reference to promotional phone calls; the report contained a timely historical reconstruction of the complex and varied activity carried out by the Authority, accompanied by an overview of the increased penalties imposed in the last period. The need to inform the Judicial Authority arose, on the one hand, from having reached the limits of the Authority's powers of “investigation”, especially with respect to companies created solely for a single promotional campaign, and on the other hand, from the need to represent the phenomenon with a view to possible criminal outcomes linked to ongoing or future investigations. For the same reason, the Authority also decided to publish some FAQs on its official website, to help users and data subjects manage such calls and to give them practical suggestions on the possibilities and methods of blocking unwanted communications.
After significant investigation and inspection activities, as well as the receipt of a large number of reports, a sanctioning measure was taken against a famous and major energy company, which also included the imposition of a penalty of 8.5 million euros. The violations included: advertising calls made without the consent of the person contacted, or despite an explicit refusal to receive promotional calls, or without activating the specific verification procedures of the Public Register of Oppositions; the absence of technical and organizational measures; a data-retention period longer than the one allowed; and the use of data on potential customers taken from list providers that had not acquired the data subject's prior consent for such communication. Similar investigations were carried out at the same time regarding other telephone companies.
3. Regarding the internet and electronic communication services, a wide-ranging measure was adopted against a primary telephone company, on which a sanction of approximately 28 million euros was imposed. It is the highest in the history of the DPA, considering the period of first application of the sanctions provided for by the GDPR.
Indeed, the DPA ascertained the following numerous serious infringements: promotional telephone calls made without the consent of the people contacted (sometimes up to 155 times in a month); lack of control by the company over the actions of some partners; incorrect management and failure to update the blacklists; promotional calls to numbers that were not present in the contact list; mandatory acquisition of consent for promotional purposes as a condition of joining the online loyalty program; incorrect or non-transparent information on the processing of data in the management of apps for customers; use of paper forms requesting a single consent for different purposes; and unsuitable management of data breaches.
It should be noted that the Authority, in the context of the same measure, intervened with an innovative approach on factual and legal issues much debated by operators in the sector, such as: legitimate interest as a basis for marketing, establishing that, in accordance with the GDPR, this legal basis can replace consent only under certain conditions and within certain limits; the possible joint controllership between the client of the promotional campaign and the call center in charge of its execution; the use of numbers “out of the list”, with particular reference to lead subjects (i.e. subjects who released their data in a specific online form or asked to be contacted by the operator) and to those “suggested” by subjects present in lists of contactable users; and the (non-)negotiability of consent to processing (in particular, for promotional purposes).
4. Another important intervention concerned internet activities involving the processing of personal data for electoral propaganda purposes. The Authority approved provision no. 96 of April 18, 2019, which established the rules for the correct use of voter data by parties, political movements, promoting committees, supporters and individual candidates, and also focused on political propaganda messages sent to users through social networks (such as Facebook and LinkedIn) or other messaging platforms (such as Skype, WhatsApp and Messenger).
The processing of data in connection with electoral competitions had also emerged in the wider investigation carried out against Facebook following the well-known Cambridge Analytica case: it initially concerned the processing of the personal data of Italian citizens who were users of Facebook services by the company Cambridge Analytica, and then extended to two additional Facebook services activated on the occasion of the general election held in Italy on March 4, 2018: the product “Candidates” and the memorandum on the elections of 4 March 2018. Regarding Cambridge Analytica, the problematic aspect that emerged concerned data protection and the use of the “Facebook Login” function, designed to give access to third-party apps through the Facebook platform. The communication of user data by Facebook to these apps was declared unlawful, in the absence of valid consent from the data subjects.
5. On the cybersecurity side, the Authority focused its attention on the lack of security measures at public administrations, companies and online platforms: for this reason, vigilance and intervention activities were continued and strengthened, especially after some serious incidents occurred. Indeed, the number of data breaches notified is significant: 1443, reported by public and private entities. Besides, the Authority required a company offering certified e-mail services to take strict measures for the security of its PEC service and to remedy the vulnerabilities identified during an inspection.
The activity of the DPA in the field of cyberbullying was characterized by the fast handling of alerts, which led to a rapid resolution of the parties' requests concerning, in particular, the removal of offensive content and/or images, or of false profiles created within social networks. During the last year there were useful opportunities for collaboration with other parties committed to the topic, for the adoption of measures and strategies to prevent the phenomenon.
The opportunity was also taken to implement cooperation tools with public bodies at the local level, such as the Co.re.com. (Regional Communications Committees, functional bodies of AGCom, the Italian Communications Authority): indeed, some special agreements were signed in order to facilitate the dissemination of information on the phenomenon according to a proximity criterion, without altering the powers conferred by law on the Authority, which cannot be delegated.
6. Concerning the labor law sector, the Authority issued an opinion on public administration interventions to prevent absenteeism, specifically concerning the introduction of biometric identification and of access to video surveillance systems in place of the various existing automatic detection systems.
The analysis aimed to remove all the critical issues and to obtain full compliance with the GDPR, starting from the correct use of the definitions, the principle of minimization of the tools used to monitor employees, the canon of proportionality and that of accountability.
The Authority also considered unlawful the control of an employee's email account after the termination of the employment contract: companies were therefore instructed to remove email accounts attributable to identified or identifiable persons after the end of the working relationship, and also to adopt appropriate measures to prevent the display of incoming messages during the period in which the automatic e-mail reply system is in operation.
Specifically, as far as public administration is concerned, the Authority called on administrations to respect the rules of proportionality and to balance the obligation to disclose acts against the dignity of individuals. Precise rules were established for the exercise of the right of civic access, and the Authority asked for more safeguards to be adopted for those who report illegal events through whistleblowing tools. For the new permanent census, the Authority also demanded that the security measures protecting the large amount of information collected be strengthened, by improving the techniques used to pseudonymize the data.