On 23 June 2020, the Italian Data Protection Authority (DPA) presented the report on its activities during the year 2019.
During that year, the DPA supervised the application of Regulation 679/2016 (GDPR) and intervened on issues relating to the protection of fundamental rights in the digital age, the ethical implications arising from the use of artificial intelligence, and the use of new surveillance systems such as IoT tools.
In light of the peculiar situation arising from the COVID-19 pandemic, the Authority's report also expresses its views on specific issues relating to the first half of 2020.
Figures
In 2019, the DPA adopted 232 collegial measures and responded to 8,000 complaints, including complaints relating to telephone marketing, consumer credit, employment law matters and IT security, and carried out 147 inspections in both the public and private sectors.
The DPA also responded to 15,800 questions from citizens who asked for clarifications regarding the requirements related to the entry into force of the GDPR and issues related to unwanted promotional activities such as telephone calls, text messages, video surveillance in the public and private sector and banking data.
Platforms
With regard to online data breaches, in 2019 the DPA sanctioned Facebook Ireland Ltd for €1 million, following the investigation on the "Cambridge Analytica" case, which also involved data of Italian citizens.
In the same year, the Authority strengthened its activities aimed at protecting the "Right to be Forgotten" and promoted an international debate to redefine the role played by Internet Service Providers in this specific context.
In 2020, the DPA also raised concerns about TikTok, a Chinese platform that has become extremely popular among millennials all over the world and which allows users to share videos and images. The Italian Authority requested and obtained the establishment of a “task force” at European level to investigate this platform.
Activities in the field of cybersecurity
In 2019, 1,443 data breaches were notified, and the DPA commented on the inadequacy of the cybersecurity measures adopted by public administrations and private companies that collect data online. The Authority has also provided guidelines against ransomware and other malicious software.
Ransomware
Ransomware is malicious software that encrypts data, making it inaccessible, and demands payment of a "ransom" to restore access to the contents stored on the device. In its recommendations, the DPA pointed out that such malware is often installed on users' devices through free games or other apps, which users download completely unaware of the threats hidden within them.
Digital Assistants
The DPA has also examined the risks associated with the use of digital assistants. These are programs that interpret human language through algorithms and artificial intelligence and are therefore able to interact like a "human user", responding to various types of requests (such as finding information on the web, searching for a route, making an online purchase, adjusting the temperature or home lighting, or locking and unlocking doors).
The DPA observed that these digital assistants collect and process a huge amount of data, while users are often unaware of how data are processed and of the identity of the data controller.
Privacy and Marketing
The DPA intervened against "aggressive" telemarketing activities by applying significant penalties (including fines of €27.8 million and €11.5 million) to companies that had used data without the data subject's prior consent.
Privacy and Right to Report
The Authority intervened on several occasions to condemn the publication by some newspapers and television stations of gruesome details of certain news stories, in order to ensure appropriate protection for the victims of crimes, and especially for minors.
Privacy and Work
The DPA defined the safeguards required for the collection of employees' fingerprints to combat absenteeism in public administrations. The Authority affirmed that the collection of biometric data is an extremely sensitive operation, given the nature of the data processed. Specifically, where the collection of fingerprints is coupled with the use of video-surveillance technologies, such a procedure appears to conflict with the principle of proportionality.
Similarly, the DPA considered that a broad and generalised introduction of biometric detection systems across all public administrations would not appear to be justified under the GDPR.
Privacy and Justice
In relation to the "Exodus case", in which the communications of hundreds of citizens not involved in police investigations were intercepted due to a malfunction of an electronic tapping device, the Italian Authority proposed measures to ensure increased safeguards in relation to the use of tools that can potentially threaten citizens' freedoms.
Privacy and Health
With regard to health data, the DPA intervened several times on the procedures for the collection and processing of health data in the context of the pandemic. The Authority stated that, even in an emergency context, the principles of the GDPR must nonetheless be complied with.
The DPA also provided its opinions and indications regarding the "Immuni" app (i.e., the app chosen by the Ministry of Economic Development to provide contact tracing technology to Italian health authorities). The DPA expressed its views on the methods for carrying out serological tests and for the collection of health data of employees and customers.
The many actions taken by the DPA show its continuing efforts to monitor the application of the new European regulation, and to prevent and sanction violations that may pose a threat to individual freedoms.