With sentence n. 5715/2018, last April (therefore, before the personal data protection legislation reform which came into force on 25th May) the Court of Rome revoked the Italian Data Protection Authority measure which had prohibited a company from all processing of personal data connected to the online service of reputation rating, which they were offering.
The service consisted of quantifying the reputation of natural persons, corporations and public and private bodies, based on an algorithm specifically created with the aim of assigning a score in terms of professional reliability to the subjects signed up on this platform, and who for this purpose could upload data and documents in order to increase their rating (for example: certificates, legal documents, and so on). This service was intended to increase the level of trust among counterparts and encourage virtuous behaviours and therefore to create safer conditions for negotiation to guarantee greater transparency and certainty in interpersonal and business relationships.
However, having been called on to examine the case following a petition by the company itself, the Data Protection Authority declared this system unlawful. In fact, the DPA believed that, if an individual’s rating was negative, their economic and social representation would be adversely affected, with consequent detrimental repercussions for the individual’s dignity. Therefore, in balancing the right to private economic initiative and the right to personal dignity, the DPA pronounced itself in favour of the latter, in consideration of the possible negative effects that the rating would also be able to cause on the private life of the rated subjects, by “influencing their choices and perspectives and influencing their own admission to (or exclusion from) specific performances, services or benefits”. In support of its decision, the Authority focused on the lack of prerequisites for processing (according to the Authority, consent was not freely demonstrated in certain circumstances). It also focused on the unlawful processing of data belonging to third parties not signed up the service, on the violation of the principles of necessity and proportionality in relation to the massive collection of data and the inadequacy of the security measures adopted by the company.
On the basis of these findings, the Authority prohibited all processing of personal data connected to the reputation rating service offered by the company, which thus contested the measure by the Court of Rome.
Partially disregarding the observations of the DPA, the Roman Court revoked the relative measure and in this way certified the conformity of the reputation rating system with the principles regarding the protection of personal data.
Firstly, according to the Court, private enterprise had the full right to offer “systems of accreditation of subjects, which in broad terms provide ‘evaluation’ services, in preparation for these subjects to enter the market, for the conclusion of contracts and the management of economic relationships”, even in the absence of a regulatory framework governing this area.
Secondly, the Court identified the prerequisite for the legitimacy of the consequent processing of data as being the consent of the individuals who subscribed to the service and in the voluntary nature of their action.
According to the Rome judge, this consent would not have been jeopardized even with regard to a contractual clause which meant that the permanence and/or conclusion of a contractual relationship was conditional on being signed up on the platform. In reality, this clause did not constitute an integral part of the contract, but was only a secondary condition of the contractual relationship between two or more associates and the validity of which, therefore, would be conditional on the nature of the contractual relationship itself.
On the other hand, the Court agreed with the objections raised by the DAP in relation to the processing of data of third parties who were not registered on the service.
Through data and documents produced by individuals subscribed, it was possible to obtain personal data of third parties which would then be processed without their express consent. This processing was also considered critical by the Court of Rome which consequently decided to revoke the DPA’s measure except for banning every operation and activity connected to the processing of data belonging to subjects/not subscribed to the platform.
The judgment commented on above certainly has innovative content and opens the way to an extensive review of the legislation on the protection of personal data, which up to now has only been applied in a narrow sense in order to protect the fundamental right to have control of one’s own personal information. The Rome judges have shown significant openness towards the free circulation of information, which is very much supported by the Regulation (EU) 2016/679 itself, and has up to now been hindered by an excessively rigorous interpretation of the legislation.