Privacy

Cookies: the French data protection authority (the "CNIL") fines GOOGLE a total of 150 million euros and FACEBOOK 60 million euros for failing to comply with French privacy legislation.

On January 6, 2022, following its investigations, the CNIL found that the sites facebook.com, google.fr and youtube.com do not allow users to refuse cookies as easily as they accept them. It therefore fined FACEBOOK 60 million euros and GOOGLE 150 million euros and ordered both companies to comply within three months.

The French authority noted, in particular, that the three sites offer a button that lets the user accept cookies immediately, while providing no equivalent option (a button or otherwise) that lets the user refuse the same cookies in an equally simple way. Refusing all cookies took several clicks; accepting them took only one. This asymmetry limits the freedom of consent, which is a fundamental requirement under Article 82 of the French Data Protection Act as well as under the GDPR.

In addition to paying the fines, Google and Facebook must comply with the CNIL's requirements within three months by giving users a way to reject cookies that is as simple as accepting them. Failing this, each company will incur a penalty of 100,000 euros per day of delay.

These two decisions are part of the broader compliance strategy the CNIL has pursued over the past two years against French and foreign operators of high-traffic websites whose practices breach the cookie rules. Since March 31, 2021, when the deadline for websites and mobile applications to comply with the new cookie rules expired, the CNIL has adopted nearly 100 corrective measures (orders and sanctions) for non-compliance with cookie legislation.

On the Italian side, we point out the Cookie Guidelines published by the Privacy Guarantor, which entered into force on January 10, 2022 and which are discussed in detail below on our Blog.

Clovers Alert! Is your website compliant with the new regulations that will enter into force on January 10, 2022?

Below we analyze the new cookie guidelines of the Privacy Guarantor.

  1. Guidelines on the use of Cookies and other tracking tools

With Measure no. 231 of June 10, 2021, published in the Official Gazette no. 163 of July 9, 2021, the Privacy Guarantor issued its guidelines in order to

a) indicate to website operators the rules to be applied to the use of cookies and other tracking tools, and

b) specify the correct procedures for providing information and acquiring the consent of the data subjects (the "Guidelines").

The Guidelines therefore supplement the Privacy Guarantor's previous indications (Measure no. 229 of 2014) by specifying that the data subject's expression of will must be "unequivocal", as well as free and informed, and by requiring that data protection be ensured by design and through default settings (privacy by design and by default).

  2. What needs to be done from 10 January?

The following is a summary of the obligations set out in the Guidelines, with particular reference to how consent is acquired and what the cookie notice must contain.

a) The acquisition of consent

First, the Guarantor reiterates that the following practices are not permitted as means of acquiring consent:

  • so-called "scrolling" (i.e., moving down the page), which cannot in itself be regarded as a positive action capable of unequivocally expressing the will to consent to the processing, save for exceptions to be assessed case by case;
  • the so-called "cookie wall", i.e. a binding mechanism (so-called take it or leave it) in which the user, in order to access the site, is obliged to consent to the placement of cookies or other tracking tools, again save for exceptions to be assessed case by case.

From an operational perspective, the Guarantor requires the following in order to validly acquire the user's consent:

  • on the user's first access to the website, no cookies or other tools other than technical ones may be placed on the device, and no active or passive tracking techniques may be used;
  • on first access to the web page, an area or banner of adequate size must appear, designed so as not to induce the user to make unwanted choices;
  • the banner must allow the user to express consent through a positive action;
  • the user must therefore be able to keep the default settings and continue browsing without giving any consent, by clicking the command that closes the banner, marked with an "X" positioned at the top right inside the banner;
  • the banner must contain (in addition to the link to the full notice) a minimum notice on the use of technical cookies and, subject to prior consent, of profiling cookies or other tracking tools used to send advertising messages or to provide the service in a personalized way;
  • there must also be a command through which the user can consent to the placement of all cookies or the use of any other tracking tool, and a link to a further dedicated area in which the user can select the functions, the so-called third parties and the cookies to whose use he or she chooses to consent.

The Guarantor also states that the banner must not be presented again on each new access: the user's choice must be duly recorded and not solicited again for at least 6 months, unless the processing conditions change significantly.
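As an added illustration, not code from the Privacy Guarantor, the CNIL or the original page, the following JavaScript models the rules above as consent-gating logic: only technical cookies before any choice, a positive action for everything else (scrolling counts for nothing, closing the banner with the "X" counts as refusal), the choice recorded and not solicited again for six months unless the policy changes, and a check that refusing costs no more clicks than accepting, which is the CNIL's point in the first article. The category names, the policy version string and the in-memory cookie jar standing in for document.cookie are assumptions.

```javascript
// Added example: consent gating modelled on the Guidelines and the CNIL
// decisions above. Not code from the Privacy Guarantor or the original page.
// Assumptions: the category names, the policy version string and the
// in-memory CookieJar standing in for document.cookie.

const DAY_MS = 24 * 60 * 60 * 1000;
const CONSENT_TTL_MS = 180 * DAY_MS;   // "at least 6 months" before re-prompting

const TECHNICAL = 'technical';         // exempt from consent
const NON_TECHNICAL = ['analytics', 'profiling', 'third_party']; // assumed categories

class ConsentRecord {
  constructor(choice, categories, recordedAt, policyVersion) {
    this.choice = choice;                  // 'accept_all' | 'reject_all' | 'custom'
    this.categories = new Set(categories); // non-technical categories the user allowed
    this.recordedAt = recordedAt;          // ms since epoch
    this.policyVersion = policyVersion;    // re-prompt if processing conditions change
  }
  allows(category) {
    return category === TECHNICAL || this.categories.has(category);
  }
  isCurrent(now, policyVersion) {
    return this.policyVersion === policyVersion &&
      now - this.recordedAt < CONSENT_TTL_MS;
  }
}

// Turn a banner interaction into a stored choice. Only positive actions count:
// scrolling yields no record, so the banner stays up and nothing is set.
function recordChoice(action, now, policyVersion, customCategories = []) {
  switch (action) {
    case 'accept_all':
      return new ConsentRecord('accept_all', NON_TECHNICAL, now, policyVersion);
    case 'reject_all':
    case 'close_banner':   // the "X": keep defaults and continue browsing, no consent
      return new ConsentRecord('reject_all', [], now, policyVersion);
    case 'custom':         // granular selection from the dedicated preferences area
      return new ConsentRecord('custom',
        customCategories.filter(c => NON_TECHNICAL.includes(c)), now, policyVersion);
    case 'scroll':
      return null;
    default:
      throw new Error('unknown banner action: ' + action);
  }
}

// Show the banner on first access, after the TTL, or when the policy changed.
function shouldShowBanner(record, now, policyVersion) {
  return record === null || !record.isCurrent(now, policyVersion);
}

// Stand-in for document.cookie that refuses to set a cookie without consent.
class CookieJar {
  constructor() { this.cookies = new Map(); }
  set(name, value, category, record) {
    const allowed = record === null ? category === TECHNICAL : record.allows(category);
    if (!allowed) return false;            // blocked until a positive choice covers it
    this.cookies.set(name, { value, category });
    return true;
  }
  has(name) { return this.cookies.has(name); }
}

// The CNIL finding as a check: refusing may not cost more clicks than accepting.
function bannerIsBalanced(banner) {
  return banner.clicksToRejectAll <= banner.clicksToAcceptAll;
}

// Walk-through of a constructed first visit; returns [label, result] pairs.
function demo() {
  const policy = 'cookie-policy-2022-01';
  const jar = new CookieJar();
  const t0 = Date.UTC(2022, 0, 10);
  let record = null;
  const steps = [];
  steps.push(['banner shown on first access', shouldShowBanner(record, t0, policy)]);
  steps.push(['session cookie before any choice', jar.set('sid', 'abc', TECHNICAL, record)]);
  steps.push(['analytics cookie before any choice', jar.set('_ga', 'x', 'analytics', record)]);
  record = recordChoice('close_banner', t0, policy);
  steps.push(['analytics cookie after closing with X', jar.set('_ga', 'x', 'analytics', record)]);
  steps.push(['banner shown again after 100 days', shouldShowBanner(record, t0 + 100 * DAY_MS, policy)]);
  steps.push(['banner shown again after 181 days', shouldShowBanner(record, t0 + 181 * DAY_MS, policy)]);
  return steps;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, result] of demo()) console.log(label.padEnd(40), result);
}
```

Running the file with node prints the walk-through: the banner is shown, a technical session cookie is set, the analytics cookie is refused both before any choice and after the user closes the banner with the "X", and the banner only reappears once the 180-day window has elapsed. The TTL is a conservative reading of "at least 6 months"; a real site would also bump the policy version whenever the processing conditions change, which forces a fresh choice.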

b) The cookie notice

The cookie notice must indicate the recipients of the personal data collected and the retention period of the data acquired, and it may be provided through more than one channel and in different ways (for example, pop-ups, videos, voice interactions). If only technical cookies are used, the cookie notice may be included in the general privacy notice. The Guarantor also recommends that analytics cookies, used to assess the effectiveness of a service, be used only for statistical purposes.

The above is the general framework of the Privacy Guarantor's Guidelines, which, with proper legal support, should be implemented on each website.

Privacy Shield for EU - US data transfer has been ruled invalid by the European Court of Justice


The "Privacy Shield" is an agreement between the European Commission and the U.S. Department of Commerce that allowed the transfer of personal data from the EU to the U.S. It followed the invalidation of the "Safe Harbour" framework, the previous EU-US arrangement for data transfers, which the Court of Justice struck down in 2015.

The decision issued by the European Court of Justice on July 16, 2020 (case C-311/18, known as "Schrems II") will have serious political consequences for EU-US relations and practical consequences for US providers and European companies.

The decision

In accordance with the General Data Protection Regulation (hereinafter the "GDPR"), a transfer of personal data outside the EU may take place only if the third country ensures an adequate level of protection.

The European Commission may find that a third country ensures an adequate level of protection on the basis of its national legislation or of its international commitments. The Privacy Shield was such an adequacy decision (Decision 2016/1250) for transfers from the EU to the USA, adopted after the earlier Safe Harbour decision had been declared invalid.

In the absence of an adequacy decision, a transfer may take place only if the data controller established in the EU provides appropriate safeguards, which may result from the standard contractual clauses adopted by the Commission (Decision 2010/87), and only if the data subjects have enforceable rights and effective remedies.

In the absence of an adequacy decision or of appropriate safeguards, a transfer may take place only under the specific derogations provided for by the GDPR.

The level of protection required for a transfer outside the EU must be essentially equivalent to that guaranteed within the EU Member States.

The assessment of that level of protection covers both what is contractually agreed between the parties (the data exporter established in the Union and the recipient established in a non-EU country) and the access of non-EU public authorities to the data, as well as other elements of the legal system of the country to which the data are transferred.

Specifically, the legislation governing the US surveillance programmes does not limit the processing of EU data subjects' data to what is strictly necessary, does not confine the powers of the US authorities with adequate safeguards for European citizens who may be subject to US mass surveillance, and does not give those citizens actionable rights before the courts.

For all these reasons, the Court declared Decision 2016/1250, and with it the Privacy Shield, invalid.

The Court also held that, in the absence of a valid adequacy decision adopted by the Commission, the competent supervisory authority must suspend or prohibit a transfer of personal data to a third country when it considers that the required conditions are not met.

The Court upheld the validity of Decision 2010/87 on standard contractual clauses for transfers to entities established in third countries. However, the reasoning that led to the invalidation of the Privacy Shield also affects the use of those clauses: the exporter must verify, case by case, whether the law of the destination country allows the importer to actually honour them, and must adopt supplementary measures or refrain from the transfer where it does not.

Therefore, US providers that relied on the Privacy Shield as the legal basis for transfers from the EU to the US will have to adopt a different solution, such as standard contractual clauses.

The Italian company, as data exporter, and the Data Protection Authority will have to carry out a complex assessment of the adequacy of the safeguards offered by the data importer and of the rules in force in the destination country, with significant liability implications.

Practical implications

Impact on business activities

  • The judgment does not prevent transfers to the USA that are necessary for the data subject (e.g. sending an e-mail to a person in the USA, booking travel in the USA), which can rely on the derogations provided for by the GDPR.

  • Can European companies continue to use US providers? At the moment the answer appears to be no, since all major providers are subject to potential US government access to data.

  • Can companies continue to use US providers established in the EU? In such cases, European companies remain responsible for ensuring that "intra-group" personal data flows to the US are GDPR compliant. Companies will now need to review such data flows carefully and decide whether to keep the data in Europe, or in another country that provides adequate protection, instead of transferring them to the US.

Impact on consumer rights

Users are free to send their own personal data directly to a third country, for example when using a Chinese or US website. However, consumers may not share other people's data (e.g. of friends or colleagues) with a US provider unless they have obtained their free, specific, informed and unequivocal consent.

The Data Protection Authority’s Report: activities overview and prominent issues in 2019 and 2020


On 23 June 2020, the Italian Data Protection Authority (DPA) presented the report on its activities during the year 2019.

During that year, the DPA supervised the application of Regulation (EU) 2016/679 (GDPR) and intervened on issues relating to the protection of fundamental rights in the digital age, the ethical implications of the use of artificial intelligence, and the use of new surveillance systems such as IoT devices.

In light of the peculiar situation arising from the Covid-19 pandemic, in its report the Authority has also expressed its views on specific issues relating to the first half of 2020.

Figures

In 2019, the DPA adopted 232 collegial measures, responded to 8,000 complaints (including in relation to telephone marketing, consumer credit, employment matters and IT security), and carried out 147 inspections in both the public and private sectors.

The DPA also responded to 15,800 questions from citizens seeking clarification on the requirements introduced by the GDPR and on issues such as unwanted promotional calls and text messages, video surveillance in the public and private sectors, and banking data.

Platforms

With regard to online platforms, in 2019 the DPA fined Facebook Ireland Ltd €1 million following the investigation into the "Cambridge Analytica" case, which also involved data of Italian citizens.

In the same year, the Authority strengthened its activities aimed at protecting the "Right to be Forgotten" and promoted an international debate to redefine the role of Internet Service Providers in this context.

In 2020, the DPA also raised concerns about TikTok, a Chinese platform that has become extremely popular among young users all over the world and which allows users to share videos and images. The Italian Authority requested and obtained the creation of a "task force" at European level to investigate the platform.

Activities in the field of cybersecurity

In 2019, 1,443 data breaches were notified, and the DPA commented on the inadequacy of the cybersecurity measures adopted by public administrations and private companies that collect data online. The Authority also provided guidance against ransomware and other malicious software.

Ransomware

Ransomware is malicious software that encrypts data, making it inaccessible, and demands payment of a "ransom" to regain access to the contents stored on the device. In its recommendations, the DPA pointed out that this malware is often installed on users' devices through free games or other apps, which users download without any awareness of the threats hidden within.

Digital Assistants

The DPA has also examined the risks associated with the use of digital assistants. These are programs that interpret human language through algorithms and artificial intelligence and are thus able to interact like a "human user", responding to various kinds of requests (such as finding information on the web, searching for a route, making an online purchase, adjusting the temperature or home lighting, locking or unlocking doors).

The DPA observed that digital assistants collect and process huge amounts of data, while users are often unaware of how the data are processed and of who the data controller is.

Privacy and Marketing

The DPA acted against "aggressive" telemarketing by imposing significant fines (including fines of 27.8 million euros and 11.5 million euros respectively) on companies that had used data without the data subjects' prior consent.

Privacy and Right to Report

The Authority intervened on several occasions to censure the gruesome details published by some newspapers and television stations in relation to certain news stories, in order to ensure appropriate protection for the victims of crimes, especially minors.

Privacy and Work

The DPA defined the safeguards required for the collection of employees' fingerprints in order to counter absenteeism in public administrations. The Authority affirmed that the collection of biometric data is an extremely sensitive operation, given the nature of the data processed. In particular, where the collection of fingerprints is combined with video-surveillance, the procedure appears to conflict with the principle of proportionality.

Similarly, the DPA considered that a broad and generalized introduction of biometric attendance systems across all public administrations would not appear to be justified under the GDPR.

Privacy and Justice

In relation to the "Exodus case", in which the communications of hundreds of citizens not involved in any police investigation were intercepted due to a malfunction of an electronic interception tool, the Italian Authority proposed measures to ensure greater safeguards in the use of tools that may threaten citizens' freedoms.

Privacy and Health

With regard to health data, the DPA intervened several times on the procedures for collecting and processing health data in the context of the pandemic. The Authority stated that, even in an emergency, the principles of the GDPR must nonetheless be complied with.

The DPA also gave its opinions and indications regarding the "Immuni" app (the app chosen by the Ministry of Economic Development to provide contact tracing technology to the Italian health authorities), and expressed its views on how serological tests are carried out and on the collection of health data of employees and customers.

The many actions taken by the DPA show its continuing efforts to monitor the application of the new European regulation and to prevent and sanction violations that may threaten individual freedoms.

SOS Italia App. Privacy and Big Data at the time of Covid 19.


The dramatic evolution of the health crisis linked to Covid-19 in Italy has required the Government to put in place exceptional measures to deal with this emergency, including the use of new technological tools never previously used by national institutions.

On March 20, 2020, the Ministry for Technological Innovation, together with the Ministry of Economic Development and the Ministry of University and Research, issued an invitation to all operators in the Italian digital ecosystem to help simplify the management of the pandemic through the development of digital platforms and other data processing systems.

Thus the mobile app "SOS Italia" was launched, a project developed by the Italian Digital Revolution Association in collaboration with the software house Sielte, which is expected to be available soon on the iOS and Android app stores.

"SOS Italia" aims to monitor and contain the spread of Covid-19 through a user-friendly interface (log in via Google, Facebook, SMS with a one-time password sent to the phone number, and native integration with SPID, the Italian public digital identity system) that will allow citizens to easily find the official communications issued by the Government, the rules of conduct to be followed, the numbers to call in case of emergency and other useful information.

Citizens will be able to fill in a questionnaire for self-diagnosis purposes and communicate to the authorities their state of compulsory or preventive isolation, the presence of symptoms and positivity to the virus.

Each user will also be able to choose to digitize their self-certification for permitted travel and to receive notifications if there is a risk of infection. This is possible because, once the user has voluntarily downloaded the app, GPS tracking remains active even when the app is not in use. In this way it will be possible to map all the places visited by the individual and to build a register of the people with whom he or she has come into contact.

Similarly to what has already been tried in South Korea, Italy is therefore also attempting a technological response, based on Big Data and algorithms, to slow the contagion curve. But, if on the one hand the technical functionalities of the application provide tools of undisputed importance for monitoring and containing the pandemic, on the other hand the inevitable data protection implications are worrying.

During a national and global health crisis, the protection of the primary right to health is potentially at odds with a number of other values worthy of protection. The management of the current emergency inevitably entails the restriction by the authorities of fundamental rights, including personal freedom and the protection of personal data (privacy).

Let us look at the privacy aspects. The GDPR allows the processing of personal data, including special categories, without the express consent of the data subject when the processing is necessary to protect his or her vital interests (or those of another natural person), or when it is necessary for the performance of a task carried out in the public interest. On this basis, therefore, the processing of a natural person's data, including health data, may take place regardless of consent when its purpose is to limit the spread of Covid-19.

With regard to the processing of telecommunications data, such as location data, national laws implementing the ePrivacy Directive must also be respected. The ePrivacy Directive allows Member States to introduce legislative measures to safeguard public security.

Decree-Law no. 14/2020, which contains urgent provisions for strengthening the National Health Service in relation to the Covid-19 emergency, allows the entities operating in the National Civil Protection Service, the offices of the Ministry of Health and the Istituto Superiore di Sanità, and all other entities responsible for monitoring and ensuring the implementation of the containment measures, to share and exchange among themselves the personal data of citizens (including health data) necessary for the performance of their duties. They may also omit the privacy notice (as well as the instructions to data processors), or provide it only orally.

The decree also makes clear that personal data must in any case be processed in accordance with the principles of lawfulness, fairness and transparency set out in Article 5 of the GDPR, keeping processing to a minimum (principle of data minimisation).

To date, however, it is not clear how these principles will be implemented in practice, which of the various authorities involved will actually be identified as data controller, and which public and private entities will be responsible for the processing.

One of the issues of greatest concern is the processing of data relating to the location of citizens and how these data may be used by the authorities.

In various interviews, the President of the Privacy Guarantor has reiterated that the right to privacy may be subject to limitations in the face of a collective interest, provided that the necessary balance is struck between the protection of individual rights and the safeguarding of collective interests, including by ensuring that any derogating law has a defined duration coinciding with the emergency period.

A related issue concerns the data retention period, which will also have to be limited to the emergency period; it must be clarified beforehand which processing operations will be allowed once the emergency is over and what will happen to the data collected.

The Privacy Guarantor has clarified that "data protection can even be a very useful tool in the fight against the epidemic, when this action is based on data and algorithms, whose accuracy, quality and 'human' review must be guaranteed where necessary, as in the case of wrong automated decisions based on bias".

In this regard, the Privacy Guarantor continues, a decree-law could combine the timeliness of the measure with parliamentary involvement. It goes without saying that its duration must be closely tied to the continuation of the emergency.

The joint statement of the Chair of the Committee of Convention 108 and the Data Protection Commissioner of the Council of Europe contains an interesting indication on preliminary "sandbox" testing, namely the advice to test the app in a safe and private environment before releasing it to the public.

The Privacy Guarantor may, where necessary, be involved through prior consultation, but in any case the logic of the processing and the security measures must be verified by expert consultants able to design correct privacy architectures and set up processing operations, by design and by default, that respect our fundamental rights.

In conclusion, privacy is not an obstacle to the large-scale processing of data, even sensitive data, but such operations, which affect our fundamental rights, must be effective, gradual and proportionate.

A FEW FACTS YOU NEED TO KNOW ABOUT THE GDPR


As many may know, starting from 25 May 2018, Regulation (EU) 2016/679, known as the GDPR (General Data Protection Regulation) and relating to the protection of personal data, will be directly applicable in all Member States.

In a nutshell, the GDPR:

  • introduces clearer rules on information and consent;
  • defines the limits of automated processing of personal data;
  • lays the foundation for the exercise of new rights;
  • establishes strict criteria for the transfer of personal data outside the EU;
  • sets strict rules for data breach cases.

These rules also apply to companies located outside the European Union that offer services or products within the EU market. All companies, wherever established, will therefore have to respect the new rules. Companies and institutions will bear greater responsibility and, in case of non-compliance, risk heavy penalties.

The "One Stop Shop"

To resolve such difficulties, the "one stop shop" mechanism has been introduced, which will simplify the management of processing operations and guarantee a uniform approach. Companies operating in several EU countries may deal with the supervisory authority of the country where they have their main establishment.

Data portability

The regulation introduces the right to "portability" of personal data, i.e. the right to have them transferred from one data controller to another. This new right will ease the transition from one service provider to another and facilitate the creation of new services, in line with the Digital Single Market strategy. The right does not apply where the data are held in archives of public interest, such as civil registries. The regulation also restricts transfers of personal data to non-EU countries or international organizations that do not meet adequate standards of protection.

The principle of "accountability"

There are other important novelties. The regulation introduces the accountability of data controllers and an approach that gives greater weight to the risks that a given processing of personal data may entail for the rights and freedoms of the data subjects.

Data breach

The data controller must notify any personal data breach to the Guarantor without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Responding effectively to a data breach requires a multidisciplinary, integrated approach and greater cooperation at EU level. The current approach has numerous flaws that need to be corrected; this is not simple, but it is necessary in order not to miss the opportunity offered by the GDPR. The first step for Italian companies is certainly the adoption of the register of processing activities, but even before the bureaucratic formalities the company must understand the importance and value of its data, as well as the huge economic damage that a loss of information can cause.

If the data breach is likely to result in a high risk to the rights and freedoms of natural persons:

  • the data controller must inform all data subjects concerned in a clear, simple and timely manner and indicate how it intends to limit the damage;

  • the controller may decide not to inform the data subjects if the breach is unlikely to result in a high risk to their rights, if it had already applied measures (such as encryption) that render the data unintelligible to unauthorised persons, or if informing them would involve a disproportionate effort; in the last case it must make a public communication instead;

  • the Guarantor may in any case require the data controller to inform the data subjects, on the basis of its own assessment of the risks arising from the breach.

The figure of the DPO (Data Protection Officer)

It is no coincidence that the figure of the "Data Protection Officer" (DPO) was created: a person responsible for ensuring the correct management of personal data in companies and institutions, selected on the basis of professional qualities and expert knowledge of data protection law and practice.

The Data Protection Officer reports directly to the organisation's top management and is independent, in that he or she receives no instructions regarding the performance of the tasks.

In reality there are still too many doubts about what the DPO is. It is a relevant figure, but certainly not the "centre" of the system established by the GDPR, which remains the Data Controller. The DPO must have specific expertise "in data protection law and practice, as well as in the administrative rules and procedures that characterise the sector". No less important, the DPO must also have "professional qualities appropriate to the complexity of the task", and, especially in sensitive sectors such as health, must be able to demonstrate specific competence with respect to the types of processing carried out by the controller. The DPO's decision-making autonomy and non-involvement in determining the purposes and means of the processing are equally important if data subjects are to regain control over the circulation of their data.

Elena Ferrante. Between the "Right to be Forgotten" and Privacy.


“I don’t hate lies, I find them healthy and I use them to hide my person”. 
So writes, in the autobiographical La Frantumaglia, the famous and mysterious Elena Ferrante, whose identity now seems to have been revealed.
The author of a series of bestselling books is, according to a recent report in Il Sole 24 Ore, Anita Raja, a translator born in Naples and living in Rome, whose mother was a Polish Jew who escaped the Holocaust. The mystery of Elena Ferrante therefore seems to be solved, and the (legitimate?) wish of millions of readers to know the name and person behind the famous pseudonym finally comes true.
The first question is whether the report violated the right to a pseudonym. A pseudonym can indeed be used to conceal one's true identity, and is thus an expression of the right to privacy.
According to the Civil Code, a pseudonym is a name different from the one attributed by law. It is nonetheless protected in the same way as the right to a name, provided that the pseudonym has acquired the same importance as the name, i.e. performs the same function of social identification. Where this requirement is met (e.g. writers and actors whose pseudonyms are better known than their names), the person using the pseudonym can apply for an injunction and demand the cessation of its unlawful use, without prejudice to compensation for damages.
However, this does not seem to be the case here. The Il Sole 24 Ore report does not infringe the famous writer's pseudonym; rather, it appears to violate her right to anonymity. The problem is that, under the Italian legal system, no general right to anonymity exists.
Could Elena Ferrante, who has always said that she does not want to reveal her real identity, invoke the protection of the right to privacy (a protection that is increasingly being denied to public figures)?
Before the Privacy Law entered into force, the source of the right to be left alone was a 1975 judgment of the Italian Supreme Court, which describes this right as the protection of personal and family situations and events which, although they occur outside the domestic context, have no socially valuable public interest. A violation of the right to privacy is therefore any interference which, even if carried out by lawful means and for non-offensive purposes, is not justified by a reasonable public interest.
Later case law specified that famous people are presumed to have waived the part of the right to privacy connected with their public role.
The line between the right to privacy and the right to information therefore seemed to be drawn by the subject's fame. However, even very popular people retain the right to privacy with respect to facts that have nothing to do with the reasons for their popularity.
The relationship between the right to report and the right to privacy is very complex and is governed by a set of rules, stratified over time, that have tried to strike a proper balance between the different interests.
There are several privacy rules that journalists must respect.
Law no. 675/1996 on the Protection of Personal Data, later replaced by the Italian Personal Data Protection Code (Legislative Decree no. 196 of 30 June 2003), created an extensive system for balancing conflicting rights through several legal instruments: balancing criteria, procedures to apply them, and judicial remedies.
Italian law provides different guarantees depending on the nature of the data. Briefly, the use of personal data is allowed if three conditions are met:
  • the use of the personal data must relate to the exercise of freedom of expression;
  • the personal data must concern facts of public interest;
  • the dissemination must remain "within essential limits", i.e. no information that is not strictly necessary may be included.

The report on the true identity of Elena Ferrante has been neither clearly confirmed nor denied. Whether she really is Anita Raja therefore remains a mystery.