Tag Archives: Italian Data Protection Authority

Is Privacy Really a Fundamental Right?

Legal news, Uncategorized, , , , , , , ,

Privacy of individuals is framed as a fundamental right in the European Union. In fact, the new European Union Regulation no. 2016/679 reiterates this in the very first of its “whereas”.

Yet, it is clear to everyone that such “fundamental” nature is regularly questioned by various factors, and particularly:

  • Technological progress, coupled with people’s growing addiction to smartphones, allowing the collection of an amazing number of personally identifiable information and leading to big banks of intrusive data; and
  • Security threats that prompt governments to closely monitor citizens’ behavior.

Once upon a time courts were called to decide on how to balance conflicting rights. These days, the act of balancing privacy and other issues has become much more common and it is in the hands of a variety of subjects, such as data processors, who must carry out a data protection impact assessment according to Section 35 of the EU Regulation no. 2016/679, and data protection authorities, who provide both general guidelines and specific advice.

A couple of recent decisions by the Italian Data Protection Authority have led me to believe that the Authority is readier than before to accept that there are justified limits to the right to privacy:

  • On July 14, 2016, the Italian Data Protection Authority has decided that a bank is allowed to analyze behavioral/biometric information regarding its customers (such as mouse movements or pressure on the touch screen) as a measure to fight identity theft and internet banking fraud. Of course, a number of limitations have been set by the Authority, in addition to consent of the customer/data subject, such as specific safety measures, purpose and time limitations, and the segregation of the customer names from the bank’s IT provider.
  • On July 28, 2016, the same Authority has granted its favorable opinion to the use of a face recognition software at the Olimpico stadium during soccer games in order to check that the data on the ticket and the face of the person actually attending the event correspond. Provided that strong security measures are used and that the processing is carried out by police forces, the processing was deemed to be necessary.

A tougher stance, instead, is adopted by the Italian Data Protection Authority in cases of processing aimed at marketing purposes, as in this decision, for example. (I note, however, that the code of conduct applying to data processing for the purposes of commercial information that will enter into force on October 1, 2016, blessed by the Italian Data Protection Authority, continues to allow the dispatching of commercial communications to individuals whose personal data is included in public listings, even without the data subject’s express consent).

Balancing rights and interests is inherent to law and justice. It remains to be seen, considering the obvious (and absolutely reasonable) limitations to which the right to privacy is subject, if it will continue to make sense to frame it as “fundamental” right.

Medical Apps and the Law, Part II – Medical Apps: Helpful or Harmful?

Legal news, , , , , , ,

A BOOMING MARKET. The idea of running software on a mobile device with healthcare uses has been discussed as early as 1996[1]. However, the issue has assumed explosive proportions in recent years, thanks to the spreading of an “app mentality” among health care professionals and consumers, and its potential, given cloud computing, social networks and big data analytics, could be yet to be realized. According to a March 2014 BCC report, this growing trend will be continuing in the next years[2]. App stores offering thousands of medical app also confirm the trend, as about 97,000 mobile health apps in 62 app stores according to a Research2Guidance market report of last year. Hardware manufacturers are certainly not immune to the medical app fervor, and – for example – the new smartphone Gear 2 Neo by Samsung, launched on April 11, 2014 by Samsung in 125 countries, incorporates a heart rate sensor.

 

ACCORDING TO THE EU COMMISSION, MEDICAL APPS AND E-HEALTH HAVE GREAT POTENTIAL.  What is the view of the authorities on this phenomenon? The potential of apps makes them app enthusiasts, the reality of apps worries them. The European Commission believes in medical apps, which can be leveraged in order to eliminate barriers to smarter, safer, patient-centred health services. Further, digital health could also be a promising factor to cut Member States’ budget[3] while – in the words of the Commission – “putting patients in the driving seat[4]. The reality of the app market, however, does not necessarily boost patient empowerment. In fact, the Commission noted that there are substantial risks connected with the way apps are currently marketed: information to consumers is not clear, the trader’s contact details are not easy to find, the use of the term “free” is often misleading[5].

 

ENFORCEMENT ACTION BY THE ITALIAN DATA PROTECTION AUTHORITY. On September 10, 2014 the Italian Data Protection Authority has issued a warning regarding data protection risks inherent to medical apps (“Medical Apps: More Transparency Is Needed On Data Use”) promising future sanctions. The Authority found that insufficient information to users prior to installation, as well as the processing of excessive data. The survey conducted by the Italian Data Protection Authority involved a total of 1,200 apps and the findings thus obtained were striking: (i) barely 15% of them provided meaningful privacy notices; and (ii) in 59% of the apps reviewed the Authority found it hard to locate pre-installation privacy notices. The stance taken by the Italian Data Protection Authority echoes the Opinion 02/2013 by The “Article 29 Data Protection Working Party”, which had identified lack of transparency, lack of free informed consent; poor security measures; disregard for the principle of purpose limitation requiring processing of personal data only for specific and legitimate purposes.

 

CONSENT IN WRITTEN FORM: A REQUIREMENT PECULIAR TO ITALIAN LAW.  Italian legislation includes a couple of additional requirements, which could kill the medical app market. We note, however, that they have not been mentioned by the Italian Data Protection Authority in their September 10, 2014 warning so it is unclear whether there is any appetite for enforcing them. In addition to a specific authorization by the Data Protection Authority, typically substituted by a general authorization such as this, Section 23 of the Data Protection Code requires that consent to process sensitive data, such as health data, must be given in written form, a requirement which is not satisfied by a mere “click” on the smartphone, but would only be satisfied by the digital or qualified electronic signature in accordance with Italian legislation. This obstacle could be solved only when (and if) the proposed EU Data Protection Regulation enters into force and repeals the existing Italian Data Protection Code, as consent to process sensitive data shall have to be “freely given, specific, informed and explicit” and the controller shall bear the burden of proof of such consent, but consent in written form would no longer be required.

[1] Regulation of health apps: a practical guide”, d4Research, January 2012, citing material from the Conference of the American Medical Informatics Association Fall Symposium of 1996.

[2]This market is expected to grow to $2.4 billion in 2013 and $21.5 billion in 2018 with a compound annual growth rate (CAGR) of 54.9% over the five-year period from 2013 to 2018”.

[3]In Italy, overall savings from the introduction of ICTs in the Health Sector are estimated to be around 11.7% of National health expenditure (i.e., €12.4 billion). Savings from digital prescriptions alone are estimated to be around €2 billion”. European Commission Memo of December 7, 2012 “eHealth Action Plan 2012-2020: Frequently Asked Questions”.

[4] It should be noted that, while the Commission is a fervent proponent of eHealth (see also the recent Green Paper on mHealth), there are strong limitations to its actions given its lack of competence in healthcare delivery and financing, which is entirely up to Member States. The effectiveness of eHealth solutions in Europe require the commitment of Member States to implement organizational changes which make patient-centric eHealth solutions an integral part of their healthcare systems, a task that each Member State is pursuing with various degrees. A March 24, 2014 press release by the European Commission commenting on two European surveys on the use of eHealth (including Electronic Health Records, Health Information Exchange, Tele-health and Personal Health Records) showed that many critical issues still exist: lack of penetration, lack of interoperability, and lack of regulatory certainty, to name a few.

[5] Focus of the Italian Antitrust Authority has so far been on game apps, rather than medical apps: it, too, found that apps were misleadingly presented to users as free, while they were not.