Privacy

Italian Privacy Authority considers "personalized" advertising based on legitimate interest unlawful and TikTok adapts

Last June, TikTok publicly announced that it would soon begin sending, to its users over 18 years of age, advertising based on behavioral profiling while browsing on the platform, without requesting consent from the data subjects, using the legal basis of the legitimate interest of the owner (i.e., Dublin-based TikTok Technology Limited itself).

In the measure adopted as a matter of urgency on July 7, the Privacy Guarantor (the Garante) had warned TikTok that such processing activity would be unlawful, not under the GDPR (European Privacy Regulation), but because it is contrary to Article 5(3) of the e-privacy Directive (Directive on privacy and electronic communications) and Article 122 of the (Italian) Privacy Code. In fact, according to the Garante, the storage of information, or access to information already stored, in the terminal equipment of a subscriber or user expressly requires the consent of that subscriber or user as its only legal basis.

In the notice, the Privacy Guarantor, in light of the inability of TikTok (and other social networks) to identify those of legal age, had highlighted the risk that advertising could also reach minors.

The violation of the ePrivacy Directive allowed the Garante to take direct and urgent action against TikTok, outside of the international cooperation procedure under the GDPR. At the same time, however, the Authority had informed the Data Protection Commission of Ireland (the Irish Privacy Authority), the country where TikTok has its main establishment, and the European Data Protection Board.

TikTok currently indicates in its privacy policy (viewed on September 13) that personalized advertisements based on user activity on and off the platform will be shown with user consent (https://bit.ly/3xkqC5e).

TikTok, responsibly, has therefore deferred personalized advertising based on legitimate interest.

Smart Contract and Blockchain: what they are, how they work and their compliance with GDPR.


According to the definition of art. 1321 of the Civil Code, a contract is "the agreement between two or more parties to establish, modify or terminate a legal asset relationship". A smart contract is instead a "piece of code" - a software - that executes an agreement between its parties if certain conditions are met.

On the basis of these simple definitions it is easy to note that while contracts in the legal sense of the term require the parties to play an active role - i.e. the performance of specific actions for the fulfilment of obligations - smart contracts are "self-executing" because, once the conditions are met, the outcome of the desired transaction is automatically obtained on the basis of the terms incorporated in the code. It is therefore possible to see that in a smart contract - unlike what might happen in a legal contract - a delay or failure to fulfil obligations is technically impossible.

On the basis of these considerations it can be argued that a smart contract requires neither prior trust between the parties nor a third party entrusted with the power to coercively impose performance in the event of a breach. All this is possible because the trust component - at the heart of the legal contract - is replaced by the implicit transparency of the Blockchain infrastructure on which the smart contracts are placed and operate.

Blockchain: transparency and lack of authority

The Blockchain can be defined as a set of blocks linked together in an immutable way and that record information using a cryptographic system. This infrastructure allows parties with no previous contractual (and therefore trusted) relationships to carry out transactions securely and without the supervision or control of a centralized authority.

The development of blockchain technology has contributed to the spread of smart contracts by enhancing some of their fundamental characteristics.

Because they are stored in a public, distributed system, transactions that take place on the Blockchain can be verified and validated by all participants in the network. It follows that the security of the system is greatly increased, since any change, alteration or deletion of a transaction would have to be replicated in each distributed registry. Therefore, the smart contracts implemented on Blockchain are virtually unchangeable and are not subject to any external interference.

These mechanisms also allow unknown parties to carry out transactions without the need for a trusted third party on which network participants should otherwise rely to perform and enforce mutual obligations. The lack of a centralized third party also leads to a reduction in transaction costs, as no fees are retained by any intermediary (e.g. financial institutions).

Using smart contracts implemented on blockchain is now a reality in many sectors, including financial and insurance markets, real estate, commercial agreements and copyright management.

Leases could also benefit from blockchain technology: the lessor could provide the lessee with a digital key to be delivered in exchange for an electronic payment. The operation would be considered extraordinarily secure because the transaction will be carried out only if both the electronic key and the payment are actually made available (as verified by hundreds of participants in the blockchain system).

Oracle: bridge between virtual and real

In most cases, the execution of smart contracts is activated through the reception of information collected from institutional sources located in the real world, which is entered into the Blockchain system through a "bridge" called an oracle.

An oracle is a structure that connects what is in the chain of blocks with what is outside it, acting as a bridge between off-chain and on-chain events. The external data used by an oracle can derive both from events in the "real" world (for example, tracking a shipment) and from the digital environment (stock market data and other public indexes).

To understand how an oracle works, it is interesting to analyze the use of smart contracts in the insurance market. A policy designed to ensure coverage of losses resulting from earthquakes could benefit from a smart contract component. In this situation, the oracle would have the function of retrieving relevant information in the real world - for example, the seismic magnitude value directly from official government sources - and feeding it into the Blockchain. In this way, the amount of compensation to be paid to the insured could be determined automatically without the need for any documentation to be produced by the insured. This mechanism is also suitable for reproduction in other contexts such as insurance for delayed or cancelled flights.

Blockchain, Smart Contract and GDPR

All data entered into Blockchain are pseudonymized (that is, still capable of revealing the identity of users through a re-identification process) and therefore fall within the scope of recital 26 of the GDPR, which requires the application of the European Regulation to all information relating to identifiable persons.

Despite the provisions of the regulation, it is easy to see that the effective application of the GDPR provisions to the Blockchain infrastructure raises a number of issues.

One of the main aspects of the Blockchain is the lack of a centralized authority: each participant has the ability to create, verify and have access to the public register of transactions and all relevant data. In a decentralised context such as that of the Blockchain, it is therefore impossible to define the roles of data controller and data processor (key figures in European legislation).

It should also be noted that the data entered in Blockchain are by nature immutable, while the GDPR assumes that any data can be modified or deleted at the request of the data subject, when he wants to exercise the right to rectification of information or the right to be forgotten, under Articles 16 and 17.
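The linking of blocks described earlier and the conflict with rectification and erasure described here can be seen in a small hash-chained ledger. This is an added example, not code from the original article; the block layout, the function names and the sample records are constructed assumptions and do not model any specific blockchain.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first block

def block_hash(index, prev_hash, data):
    """Hash a block's contents together with the hash of its predecessor."""
    payload = json.dumps({"i": index, "prev": prev_hash, "data": data}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def build_chain(records):
    chain, prev = [], GENESIS
    for i, data in enumerate(records):
        h = block_hash(i, prev, data)
        chain.append({"index": i, "prev": prev, "data": data, "hash": h})
        prev = h
    return chain

def first_invalid_block(chain):
    """Return the index of the first block that fails verification, else None."""
    prev = GENESIS
    for b in chain:
        if b["prev"] != prev or b["hash"] != block_hash(b["index"], b["prev"], b["data"]):
            return b["index"]
        prev = b["hash"]
    return None

def rectify(chain, index, new_data, rehash=False):
    """Copy the chain with one record changed (an Art. 16/17-style request).
    With rehash=True, recompute that block and every later one."""
    out = [dict(b) for b in chain]
    out[index]["data"] = new_data
    if rehash:
        prev = out[index]["prev"]
        for b in out[index:]:
            b["prev"] = prev
            b["hash"] = prev = block_hash(b["index"], prev, b["data"])
    return out

def replicas_agree(replicas):
    """Participants accept a ledger only if all copies verify and share one head."""
    heads = {r[-1]["hash"] for r in replicas}
    return len(heads) == 1 and all(first_invalid_block(r) is None for r in replicas)

# Constructed sample records: pseudonymous parties, no real data.
SAMPLE_RECORDS = [
    {"from": "pseudonym-A", "to": "pseudonym-B", "amount": 10},
    {"from": "pseudonym-B", "to": "pseudonym-C", "amount": 4},
    {"from": "pseudonym-C", "to": "pseudonym-A", "amount": 1},
    {"from": "pseudonym-A", "to": "pseudonym-D", "amount": 7},
]
```

Changing one record in place is detected at that block; rehashing makes the edited copy internally consistent, but every hash from that block onward changes, so it no longer matches the copies held by the other participants.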

Not even the principle of data minimization can be easily applied to the blockchain system: the records in fact include data from all previous transactions that are constantly expanding and are stored in the devices of all participants in the network. This is in open contrast to the provisions of the GDPR that provide that personal data are processed only when necessary for specific purposes previously identified.

SOS Italia App. Privacy and Big Data at the time of Covid 19.


The dramatic evolution of the health crisis linked to Covid-19 in Italy has required the Government to put in place exceptional measures to deal with this emergency, including the use of new technological tools never previously used by national institutions.

On March 20, 2020, the Ministry for Technological Innovation, together with the Ministry of Economic Development and the Ministry of University and Research, issued an invitation to all operators in the Italian digital ecosystem to help simplify the management of the pandemic through the development of digital platforms and other data processing systems.

Thus the mobile app "SOS Italia" was launched, a project developed by the Italian Digital Revolution Association, in collaboration with the software house Sielte, which is expected to be available soon on the digital stores of the iOS and Android operating systems.

"SOS Italia" aims to monitor and contain the spread of Covid-19 through a user-friendly interface (log in via Google, Facebook, SMS with OTP on phone number and native integration with SPID) that will allow citizens to easily find the official communications made by the Government, the rules of conduct to be adopted, the numbers to call in case of emergency and other useful information.

Citizens will be able to fill in a questionnaire for self-diagnosis purposes and communicate to the authorities their state of compulsory or preventive isolation, the presence of symptoms and positivity to the virus.

Each user will also be able to choose to digitize their self-diagnosis for permitted travel and receive notifications if there is a risk of infection. This will be possible because, once the subject has voluntarily downloaded the app, GPS functionality will remain active even if the user is not using the app. In this way it will be possible to create a mapping of all the places frequented by the individual and build a register of the people with whom the subject has come into contact.

As has already been tried in South Korea, Italy is therefore also attempting a technological response, based on the use of Big Data and algorithms, to put a brake on the contagion curve. But if, on the one hand, the technical functionalities of the application provide tools of undisputed importance for the monitoring and containment of the pandemic, on the other hand, the inevitable implications in matters of data protection are worrying.

During a national and global health crisis, the protection of the primary right to health is potentially at odds with a number of other values worthy of protection. The management of the current emergency inevitably entails the restriction by the authorities of fundamental rights, including personal freedom and the protection of personal data (privacy).

Let us look at the privacy aspects. GDPR provides for the lawfulness of data processing, even for special categories, even without the express consent of the data subject, when the processing is necessary to safeguard his/her vital interests (or those of another natural person), or when it is indispensable for the performance of a task in the public interest. On the basis of this provision, therefore, the processing of the natural person's data, including data relating to his/her health, may take place independently of the granting of consent when the purpose of such processing is to limit the dissemination of Covid-19.

With regard to the processing of telecommunications data, such as location data, national laws implementing the ePrivacy Directive must also be respected. The ePrivacy Directive allows Member States to introduce legislative measures to safeguard public security.

Legislative Decree 14/2020, which contains urgent provisions for the strengthening of the National Health Service in relation to the Covid-19 emergency, provides for the possibility that the subjects operating in the National Civil Protection Service, the offices of the Ministry of Health and the Istituto Superiore di Sanità and all other subjects in charge of monitoring and ensuring the implementation of the pandemic containment measures, may share and exchange among themselves personal data of citizens (including those relating to their state of health) that are necessary for the performance of their duties. They may also omit to provide the privacy policy (as well as instructions to data processors) or provide it only orally.

This decree also makes clear that personal data processing must in any case be carried out in accordance with the principles of lawfulness, transparency and correctness provided for in Article 5 of the GDPR, reducing their processing to a minimum (principle of minimisation).

To date, however, it is not clear how these principles will be precisely implemented and who, among the various authorities involved, will in fact be identified as the data controller and which entities, public and private, will be responsible for the aforementioned processing.

One of the issues of greatest concern is the processing of data relating to the location of citizens and how these data can be used by the authorities.

In various interviews, the Privacy Guarantor, in the person of its president, has reiterated that the right to privacy may be subject to certain limitations in the face of a collective interest, provided that the necessary balance is ensured between the protection of individual rights and the safeguarding of collective legal assets, including by providing that any law in derogation has a defined duration and coincides with the emergency period.

Moreover, an inevitably related issue concerns the data retention time, which will also have to be limited to the aforementioned emergency period. It will have to be clarified beforehand what processing operations will be allowed at the end of the emergency period and what will happen to the data collected.

The Privacy Guarantor has clarified that "data protection can even be a very useful tool in the fight against the epidemic, when this action is based on data and algorithms, of which accuracy, quality and "human" review must be guaranteed, where necessary, as in the case of wrong automated decisions based on bias". 

In this regard, continues the Privacy Guarantor, a decree-law could combine timeliness of the measure and parliamentary participation. It goes without saying that the duration must be closely linked to the continuation of the emergency.

In the joint statement of the President of Convention 108 and the Commissioner for Data Protection of the Council of Europe there is an interesting indication on the use of preliminary tests in "sandbox", namely the advice to test the app in a safe and private environment before releasing it to the public.

The Privacy Guarantor may, if necessary, be involved in prior consultation, but in any case, the logic of processing and security measures must be verified by expert consultants able to develop correct privacy architectures and set up processing operations - by design and by default - respecting our fundamental rights.

In conclusion, privacy is not an obstacle to the massive processing of data, even sensitive data, but such operations, which affect our fundamental rights, must be effective, gradual and adequate.