Tag Archives: Italian Data Protection Authority

2017 New Year’s Privacy Resolution: Road to Compliance with the New European Privacy Framework

The year 2017 has already brought us some exciting changes. The beginning of the year is also the perfect time for appraisals of the past and resolutions for the near future. Whether we see it as a welcome enhancement of personal data rights or simply as another burdensome European set of requirements, 2016 delivered the new European General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”). 233 days have already passed since the GDPR entered into force, and 498 days are left until the new Regulation starts to apply on May 25, 2018. Roughly one third of the time given to comply with the new regulatory framework has already gone by. The beginning of 2017 is therefore a good moment to ask ourselves what has been done in the first 233 days and what still needs to be done in the remaining 498 days in order not to miss the May 2018 deadline.

The GDPR imposes a much more burdensome level of compliance requirements on companies acting as data controllers and data processors.

Some of them require the assessment and preparation of organizational and implementing measures that need to be put in place well in advance of May 2018.

  • Data controllers and data processors must appoint a data protection officer (“DPO”) in the cases set out in Article 37 (public authorities and bodies, and controllers or processors whose core activities consist of large-scale regular and systematic monitoring of data subjects or of large-scale processing of special categories of data or of data relating to criminal convictions). The controller and the processor shall ensure that the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data. The controller and processor shall support the DPO in performing his/her tasks by providing the resources necessary to carry out those tasks, access to personal data and processing operations, and the means to maintain his/her expert knowledge. The controller and processor shall also ensure that the DPO does not receive any instructions regarding the exercise of those tasks. Furthermore, the DPO shall not be dismissed or penalized by the controller or the processor for performing his/her tasks and shall report directly to the highest management level of the controller or the processor.
  • Data protection by design and by default will have to be implemented. The data controller: (i) both at the time of the determination of the means for processing and at the time of the processing itself, must “implement appropriate technical and organizational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of [the GDPR] and protect the rights of data subjects” and (ii) “to implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed”.
  • A data protection impact assessment must be carried out where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons (Article 35). Such impact assessment must contain: a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller; an assessment of the necessity and proportionality of the processing operations in relation to the purposes; an assessment of the risks to the rights and freedoms of data subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR.
  • Data controllers must guarantee the effectiveness of the data subject’s right to be forgotten and right to portability. This requires an assessment of the adequacy of the technical and organizational instruments currently available and, possibly, their improvement. More specifically, data controllers must be able to fulfill: (i) in relation to the right to be forgotten, their obligation, where they have made the personal data public, to “take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data”; (ii) as regards the right to portability, their obligation to allow data subjects to effectively exercise their right to “receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller”.
  • Data controllers shall notify personal data breaches to the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons; data processors, for their part, shall notify the controller without undue delay after becoming aware of a breach. This requires controllers to prepare appropriate notification forms, as well as organizational measures (detection, escalation and decision-making procedures) guaranteeing adequate resources to complete the notification within the deadline.
  • The mandatory content of the written contract between the data controller and the data processor requires a revision of all such contracts. They shall include, inter alia, the obligations of the processor to: process the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organization; ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; delete or return all the personal data to the controller after the end of the provision of services relating to processing, including copies; make available to the controller all information necessary to demonstrate compliance with the obligations under GDPR; allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
  • Information notice forms currently in use will need to be revised. In fact, information to be provided to data subjects must include, inter alia: the contact details of the DPO; the legal basis for the processing; the fact that the controller intends to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision by the Commission; the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; the existence of the right to data portability; the existence of the right to withdraw consent at any time for processing based on consent; the existence of the right to lodge a complaint with a supervisory authority; the existence of automated decision-making, including profiling.
  • Data controllers and data processors must keep records of the processing activities under their responsibility (Article 30; organizations with fewer than 250 employees are exempt unless the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data or data relating to criminal convictions). Records to be kept by data controllers shall contain all of the following information: the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the DPO; the purposes of the processing; a description of the categories of data subjects and of the categories of personal data; the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations; where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and the documentation of suitable safeguards; where possible, the envisaged time limits for erasure of the different categories of data; where possible, a general description of the technical and organizational security measures. Records to be kept by data processors shall include: the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the DPO; the categories of processing carried out on behalf of each controller; where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and the documentation of suitable safeguards; where possible, a general description of the technical and organizational security measures. Data controllers and data processors shall therefore dedicate and organize resources to be able to start keeping such records.

All this may appear daunting. Nevertheless, 498 days are more than enough to take all the necessary steps, if we let one of our New Year’s resolutions be to walk the road to compliance with the GDPR in good time.


Is Privacy Really a Fundamental Right?

The privacy of individuals is framed as a fundamental right in the European Union. In fact, the new Regulation (EU) 2016/679 reiterates this in the very first of its recitals.

Yet it is clear to everyone that this “fundamental” nature is regularly called into question by various factors, and particularly:

  • Technological progress, coupled with people’s growing addiction to smartphones, which allows the collection of an enormous amount of personally identifiable information and leads to large stores of intrusive data; and
  • Security threats that prompt governments to closely monitor citizens’ behavior.

Once upon a time, courts were called on to decide how to balance conflicting rights. These days, the act of balancing privacy against other interests has become much more common and lies in the hands of a variety of subjects, such as data controllers, who must carry out a data protection impact assessment according to Article 35 of Regulation (EU) 2016/679 (with the assistance of their processors), and data protection authorities, who provide both general guidelines and specific advice.

A couple of recent decisions by the Italian Data Protection Authority have led me to believe that the Authority is readier than before to accept that there are justified limits to the right to privacy:

  • On July 14, 2016, the Italian Data Protection Authority decided that a bank is allowed to analyze behavioral/biometric information regarding its customers (such as mouse movements or pressure on the touch screen) as a measure to fight identity theft and internet banking fraud. Of course, the Authority set a number of limitations, in addition to the consent of the customer/data subject, such as specific security measures, purpose and time limitations, and the segregation of customer names from the data handled by the bank’s IT provider.
  • On July 28, 2016, the same Authority gave a favorable opinion on the use of face recognition software at the Olimpico stadium during soccer games, in order to check that the data on the ticket and the face of the person actually attending the event correspond. The processing was deemed necessary, provided that strong security measures are used and that it is carried out by police forces.

A tougher stance, instead, is adopted by the Italian Data Protection Authority in cases of processing for marketing purposes, as in a recent decision, for example. (I note, however, that the code of conduct applying to data processing for the purposes of commercial information, which will enter into force on October 1, 2016 with the blessing of the Italian Data Protection Authority, continues to allow the sending of commercial communications to individuals whose personal data is included in public listings, even without the data subject’s express consent.)

Balancing rights and interests is inherent to law and justice. It remains to be seen, considering the obvious (and absolutely reasonable) limitations to which the right to privacy is subject, whether it will continue to make sense to frame it as a “fundamental” right.

Medical Apps and the Law, Part II – Medical Apps: Helpful or Harmful?

A BOOMING MARKET. The idea of running software with healthcare uses on a mobile device was being discussed as early as 1996[1]. However, the issue has assumed explosive proportions in recent years, thanks to the spread of an “app mentality” among health care professionals and consumers, and its potential, given cloud computing, social networks and big data analytics, may yet be unrealized. According to a March 2014 BCC report, this growing trend will continue in the coming years[2]. App stores offering thousands of medical apps also confirm the trend: according to a Research2Guidance market report of last year, about 97,000 mobile health apps were available across 62 app stores. Hardware manufacturers are certainly not immune to the medical app fervor: for example, the new Gear 2 Neo smartwatch, launched by Samsung on April 11, 2014 in 125 countries, incorporates a heart rate sensor.


ACCORDING TO THE EU COMMISSION, MEDICAL APPS AND E-HEALTH HAVE GREAT POTENTIAL. What is the view of the authorities on this phenomenon? The potential of apps makes them app enthusiasts; the reality of apps worries them. The European Commission believes in medical apps, which can be leveraged in order to eliminate barriers to smarter, safer, patient-centred health services. Further, digital health could also be a promising factor in cutting Member States’ budgets[3] while, in the words of the Commission, “putting patients in the driving seat”[4]. The reality of the app market, however, does not necessarily boost patient empowerment. In fact, the Commission noted that there are substantial risks connected with the way apps are currently marketed: information to consumers is not clear, the trader’s contact details are not easy to find, and the use of the term “free” is often misleading[5].


ENFORCEMENT ACTION BY THE ITALIAN DATA PROTECTION AUTHORITY. On September 10, 2014 the Italian Data Protection Authority issued a warning regarding the data protection risks inherent in medical apps (“Medical Apps: More Transparency Is Needed On Data Use”), promising future sanctions. The Authority found that users were given insufficient information prior to installation, and that excessive data was being processed. The survey conducted by the Italian Data Protection Authority involved a total of 1,200 apps, and the findings were striking: (i) barely 15% of them provided meaningful privacy notices; and (ii) in 59% of the apps reviewed, the Authority found it hard to locate pre-installation privacy notices. The stance taken by the Italian Data Protection Authority echoes Opinion 02/2013 of the “Article 29 Data Protection Working Party”, which had identified as the main risks of mobile apps: lack of transparency; lack of free and informed consent; poor security measures; and disregard for the principle of purpose limitation, which requires that personal data be processed only for specific and legitimate purposes.


CONSENT IN WRITTEN FORM: A REQUIREMENT PECULIAR TO ITALIAN LAW. Italian legislation includes a couple of additional requirements which could kill the medical app market. We note, however, that they were not mentioned by the Italian Data Protection Authority in its September 10, 2014 warning, so it is unclear whether there is any appetite for enforcing them. In addition to a specific authorization by the Data Protection Authority, typically substituted by one of the Authority’s general authorizations, Section 23 of the Data Protection Code requires that consent to process sensitive data, such as health data, be given in written form, a requirement which is not satisfied by a mere “click” on the smartphone, but only by a digital or qualified electronic signature in accordance with Italian legislation. This obstacle could be removed only when (and if) the proposed EU Data Protection Regulation enters into force and supersedes the existing Italian Data Protection Code: consent to process sensitive data would then have to be “freely given, specific, informed and explicit”, and the controller would bear the burden of proving such consent, but consent in written form would no longer be required.

[1] “Regulation of health apps: a practical guide”, d4Research, January 2012, citing material from the Conference of the American Medical Informatics Association Fall Symposium of 1996.

[2] “This market is expected to grow to $2.4 billion in 2013 and $21.5 billion in 2018 with a compound annual growth rate (CAGR) of 54.9% over the five-year period from 2013 to 2018”.

[3] “In Italy, overall savings from the introduction of ICTs in the Health Sector are estimated to be around 11.7% of National health expenditure (i.e., €12.4 billion). Savings from digital prescriptions alone are estimated to be around €2 billion”. European Commission Memo of December 7, 2012, “eHealth Action Plan 2012-2020: Frequently Asked Questions”.

[4] It should be noted that, while the Commission is a fervent proponent of eHealth (see also the recent Green Paper on mHealth), there are strong limitations on its actions given its lack of competence in healthcare delivery and financing, which are entirely up to Member States. The effectiveness of eHealth solutions in Europe requires the commitment of Member States to implement organizational changes which make patient-centric eHealth solutions an integral part of their healthcare systems, a task that each Member State is pursuing with varying degrees of commitment. A March 24, 2014 press release by the European Commission commenting on two European surveys on the use of eHealth (including Electronic Health Records, Health Information Exchange, Tele-health and Personal Health Records) showed that many critical issues still exist: lack of penetration, lack of interoperability, and lack of regulatory certainty, to name a few.

[5] The focus of the Italian Antitrust Authority has so far been on game apps, rather than medical apps: it, too, found that apps were misleadingly presented to users as free when they were not.