The Italian Data Protection Authority (IDPA) has submitted its annual report on its 2017 activities.
2017 is an important year for the Authority: it marks the 20th anniversary of its activity, which began with the introduction of the data protection law into the Italian legal system. Since 25th May 2018, that area has been regulated by the new General Data Protection Regulation (GDPR).
During its presentation, the Authority disclosed that cyber-attacks on personal data have reached 140 per day and that since 25th May data breach notifications to the Authority have increased by more than 500%.
The presentation reaffirmed that serious attention has been given to issues such as cyber-bullying, social networks and web platforms, fake news and the state of security levels of public databases.
In addition, the presentation reported the on-going activities aimed at ensuring data protection on the Internet, starting from the important search engines and social networks. In 2017 the criteria for the exercise of the right to be forgotten were strengthened and the right would now also be protected outside the EU.
The Authority answered 6,000 complaints and reports specifically regarding ever-increasing telemarketing, consumer credit, video-surveillance, public service concessionaires, debt collection, the banking and finance sector, insurance, labour, journalism, local bodies and agencies, healthcare and social assistance services.
With regard to aggressive telemarketing, the Authority took action against so-called “web scraping” (also known as “web harvesting”), namely the automatic and indiscriminate collection of personal data gathered online by means of specific software that extracts names, surnames, addresses, telephone numbers and mail addresses in order to contact users without their consent.
In the healthcare sector, the Authority simplified the procedures relating to the new obligations regarding vaccines and promoted the sharing of information between schools and local health authorities. The Authority also gave the go-ahead to the transplant information system, issued a reminder of the safeguards concerning personal HIV data and expressed a favourable opinion on the Lazio Region’s cancer registry.
In relation to employment, the Authority defined rules for the use of new technologies following the introduction of the “Jobs Act”, with particular regard to worker geolocation. The Authority also banned indiscriminate controls of e-mails and smartphones.
With regard to the Public Administration’s online transparency, the Authority called the government’s attention to the need to strike a balance between the obligation of transparency and people’s dignity, and defined rules for the exercise of the citizen’s freedom to access public information. In this respect, the Authority stopped the circulation of sensitive personal data on Public Administration websites and expressed its concerns about the new system of permanent census, which provides for the integration of databases and the massive use of personal data from the whole population.
Specific action was also taken to increase the security levels of Digital Public Administrations and to strengthen safeguards for citizens when using SPID (the Italian public system for digital identity). With regard to the new Digital Administration Code, the Authority raised the question of general and indiscriminate access to data relating to citizens’ “digital domicile” and demanded more specific rules for access to Public Administration digital services and for the use of personal data.
The complete text of the annual report is available on the website of the Italian Data Protection Authority.