Scientific Director: Prof. Avv. Giusella Finocchiaro
Editor: Dott. Giulia Giapponesi

We present here Giusella Finocchiaro's article on the draft legislative decree that brings Italian law into line with the European Union's data protection Regulation, published in the privacy supplement of Il Sole 24 Ore on 24 May 2018.

More than twenty years after the first European legislation on the subject, the parent Directive 95/46 of 1995, the time has come to turn the page, taking account of the technological changes (in 1995 there were no smartphones) that have driven major sociological changes (think of the life now lived on social networks). The economic context has also changed: today data is the new oil, as The Economist writes. So has the political one: Europe has committed itself to the digital single market.

Regulation (EU) 2016/679, which becomes applicable tomorrow, reflects all these changes and turns the page. First of all, it lays down a single set of rules for all Member States, apart from certain areas left to national legislators, thereby defining a single space in legal terms as well, both internally and towards the outside world.

It strongly affirms the principle of the free movement of data, which "shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data", as Article 1(3) of the Regulation states.

The right to the protection of personal data, enshrined in the Charter of Fundamental Rights of the European Union, is subject to a necessary balancing. Personal data can be, at one and the same time, the elements on which an individual's image and identity are defined and economic goods that are traded.

The Italian body of legislation, case law and legal scholarship is now part of the European legal heritage, and it is in this perspective that the new phase of personal data protection should properly be framed. The fundamental principles already established are confirmed by the European Regulation: the information notice, consent and the other conditions for the lawfulness of processing.

What changes, however, is the underlying philosophy: the shift is from an authorisation-based approach to one founded on accountability. This entails a change in governance: the management of personal data becomes risk management, no longer the province of the legal department or IT alone.

In Italy, very belatedly, a legislative committee was appointed to draft a legislative decree adapting Italian law to the European rules; it completed its work in two months, on 19 March.

This was not strictly necessary, since the Regulation is directly applicable, but it is useful for the purposes of coordination. The committee checked the compatibility of the rules in the Italian legal system with those of the European Regulation, which directly replace them.

It then carried out an uncommon operation: the express repeal of the Italian rules that have been replaced. This is a cultural operation of great significance, intended to make the applicable legal framework clear to practitioners and interpreters.

[...]

Continued in the privacy supplement of Il Sole 24 Ore of 23 May 2018.

There is ever more talk of the so-called GDPR (General Data Protection Regulation), that is, the new European Regulation on the protection of personal data, No. 2016/679, applicable from 25 May 2018.

Little is said, however, about the new approach to security, which is essentially turned on its head. The new Regulation does not prescribe the measures to be adopted by listing them. On the contrary, it leaves it to the controller to assess the risks, the value of the data and its criticality, and to choose the security measures to adopt (Article 32 requires measures "appropriate to the risk", not a fixed checklist).

A choice that must then be kept under continuous monitoring.

It is therefore necessary to analyse the information flows and assess the risks to which they are exposed, and only then decide which measures to adopt.

Hence: analysis, choice, proceduralisation, implementation, monitoring and oversight.

Not instructions dictated by the rule, but self-assessment and management. And, of course, precise documentation of the choices, with the reasons for them, and of the process.

A new approach based on accountability, which necessarily requires integrated skills: technological, organisational and legal.

posted by admin on February 19, 2013

Events

A new working session for the international experts on accountability; this time the spotlight is on data flows in particular computing contexts such as cloud computing and mobile.

On 21 February 2012 the meeting of the experts of Accountability Project Phase V, the fifth phase of the Accountability-Based Privacy Governance project developed by The Centre for Information Policy Leadership, will be held in Warsaw.

The project, launched in 2009, involves a working group of 60 international experts, including Giusella Finocchiaro, who collaborate to identify and establish the essential elements that companies should be required to show in order to demonstrate the reliability of their information processing.

The idea of accountability at the heart of the project could be translated as responsibility and, at the same time, proof of responsibility. The concept was originally devised to facilitate the international flow of personal data, but it may have a broader application and may represent a more general paradigm for the processing of personal data.

In 2012, accountability established itself as a recognised element of privacy and data protection, to the point of becoming a significant aspect of the European Commission's new proposal for a data protection regulation.

Accountability is today regarded as a practical approach to privacy and the processing of personal data. With this in mind, the Accountability Project aims to develop tools that organisations can use to assess the state of their own accountability and to demonstrate it to the data protection authorities.

The fifth phase of the project, taking place in Poland these days, will focus on the risk elements represented by particular computing environments such as tablets, smartphones and cloud computing.

On 8 March, at the Federal Trade Commission in Washington, the second meeting of the experts of Accountability III – The Madrid Project, the third phase of the Accountability-Based Privacy Governance project developed by The Centre for Information Policy Leadership, will be held.

The project involves 60 international participants, including Prof. Avv. Giusella Finocchiaro, who collaborate to identify and establish the essential elements that companies should be required to show in order to demonstrate the reliability of their information processing.

The Washington session will explore, in particular, the validation of the process, a fundamental step in demonstrating to regulators and to the public the reliability of a system designed to protect personal data.

Social networks, privacy by design, the right to oblivion and accountability were the main topics debated in the course of "Privacy Generations", the 32nd International Conference of Data Protection and Privacy Commissioners.

The newest of these topics is the concept of accountability, whose introduction is the result of more than two years of work by a group of experts of which I am part, documented and published by The Centre for Information Policy Leadership.

Accountability will play an important role in the modifications (currently in progress) of the European Directive on e-privacy.

What is accountability? It could be defined as responsibility and at the same time proof of responsibility.

The concept was originally devised in order to facilitate the international flow of personal data, but it may have a broader application and may be a more general reference model in personal data processing.

Sources of accountability may be legislative, administrative or contractual. The data controller must be able to demonstrate that it has adopted a comprehensive process of legal, organisational and technical measures for the protection of personal data, including through the development of specific organisational models, similar to those used in applying Legislative Decree 231/2001.

We present here an exclusive interview with Mr Giovanni Buttarelli, Assistant European Data Protection Supervisor.

- "Saving jobseekers from themselves" is the purpose of the German draft law which will regulate the use of information concerning job applicants collected on the internet by employers. What is your opinion on restricting by law the use of personal data that can be collected online?

This is an item on the agenda of the Data Protection Supervisors and lawmakers. In Germany, for example, particular attention is devoted to this issue, because German legislation is particularly detailed and advanced regarding the data protection of workers, but the problem is also increasing in other countries. As an expert appointed by the Council of Europe, I wrote the new draft of recommendations that should replace Recommendation (89) 2 about data processing in job relationships. A Recommendation of the Council of Europe is not a simple invitation; it is an act addressed to the fifty or so states of the Council, who, by voting for it, commit themselves to putting it into effect. In Italy the Council of Europe recommendations have been mentioned in the delegated law about the adoption of the D.Lgs. consequent to law n. 675 and even in the 2003 Code itself as directive criteria for the production of ethical behaviour codes. This document of mine, accompanied by research, refers to the necessity for specific new rules regarding this point. Up to now we have worked with very general criteria of transparency and accuracy, with the obligation to inform and with the evaluation of the principle of incompatibility and purpose, but these criteria are no longer sufficient because practices may be widely varied today.

Actually, it is already illegal to access social network pages under false pretences such as, for example, delegating someone to use an account or requesting a job-seeker's friendship on Facebook through deceit. However, even if the employer were openly present on the social network in a transparent way, the problem would occur in any case. Social networks are used in order to socialise with a limited number of people and usually for personal reasons. Therefore, we should make this kind of evaluation, perhaps drawing a distinction between social networks used for entertainment and those used for professional relationships, such as LinkedIn.

- Facebook's CEO said that privacy is no longer a social norm for new generations. Yet, in Germany the proposal of teaching how to defend personal data in schools is under consideration. Is the European Supervisor considering the opportunity of teaching privacy?

The 32nd Annual International Conference of Data Protection and Privacy Commissioners, recently held in Jerusalem, started off with this Facebook statement in order to overturn it and to maintain that it is totally inappropriate. Even Facebook's attitude demonstrated the opposite of what its CEO had asserted. It was not by chance that they have recently solved several serious privacy issues and in all probability they will solve others in the coming weeks. The fact that people are enthusiastic about new communication systems does not mean that it is correct to consider privacy outdated. For the younger generations this may well be true now, but not necessarily in the future, when they will have to face the consequences of those problems related to a lack of information regarding privacy on social networks.

First of all, we should find an easy way to communicate privacy to the younger generations. Pedagogical approaches must be avoided. We should not speak over their heads, trying to teach young people how to use new technologies. Paternalism will not work at all. Thus we will have to develop a better understanding of the new languages and adapt the information on privacy to the communication devices which people ordinarily use to exercise their rights. Bureaucratic forms will never be used; a user-friendly pop-up window probably will, also on smartphones. For this reason the new European Commission's Communication on the future of European law regarding this issue draws great attention to educating the younger generations about warnings and risks, but also about the opportunities of having new devices which are more dynamic, functional, immediate and easier to use when exercising individual rights and deleting information, for example in the event of migration from one social network to another.

- Privacy by design is considered one of the most effective systems to avoid privacy violations due to the launch of new software online. Will the new European regulation order companies to add privacy consultancy to designers' work?

Definitely yes. The European Commission's Communication, which was published in all EU languages on the 4th of November, announces the commitment of the Commission to insert privacy by design among the principles of the new discipline.

It is currently under discussion whether to consider it an independent principle or a notion that can be translated later into different practices.

What is certain is that this principle should help us to face problems from the beginning of every project in order to avoid the difficulty of developing data protection systems subsequently, when all the choices have already been made. It is therefore necessary to have technological support to solve problems of privacy, not only through privacy-oriented software but also through the creation of devices which will automatically fulfil privacy requirements, such as the erasure of data by overwriting, or the setting of alerts which would allow people to know when further data use is incompatible with the original purposes, or, in addition, something that would prevent search engines from making a personal profile based on a data collection concealed from the user.

- Geolocalisation through GPS devices is the cause of a recent alert about privacy online. However, IP addresses have always contained localisation information. Will the next European regulation specifically consider this point?

There is already an advanced regulation regarding this issue. Directive 2002/58, recently reviewed by the e-privacy Directive, which must be transposed by Member States before May 2011, touches on these points and in all probability it will not be modified by the new European regulation. So, it will be a pillar for several years to come.

Today, the regulation already requires the approval of the data subject, who should be adequately informed, and the possibility of terminating a value-added service involving geolocalisation. The issue is also being approached with an eye to the retention of this kind of data in the so-called data-retention Directive. Today, for police and justice purposes, recorded data is stored for one or two years (depending on whether the data source is telephone or telematic), which can lead to a possible excess of filing of personal communication activities.

It should also be considered that geolocalisation is today mainly controlled through telephone systems, but in the near future, thanks to intelligent transport, it will operate independently of mobile telecommunication systems and will be used in the field of vehicular traffic for services such as toll payments, city centre access and safety systems. For instance, we will be able to use these devices for sending alarm messages in case of an accident. Therefore, we will once again need to have a balance between the benefits of innovative systems and the guarantee that our data will only be used on a one-off basis and will not be stored. In any case, it should only be used for the specific purposes of the services and not for marketing or filing.

- The subject of company accountability was one of the most important topics discussed at the 32nd Annual International Conference of Data Protection and Privacy Commissioners in Israel. How will this issue be integrated into the new European regulation?

Not as a new principle, nor as an extra cost for public bodies or for the private sector. It will, however, help to give a sense of responsibility to data controllers and it will have an influence on the Data Protection Authorities themselves, who will have to be more selective and must not be entirely responsible for enforcement. Our approach is to maintain the principles we have followed since 1995, while making them more dynamic and suitable for new technologies. The main point is to do things in a more responsible way; data controllers should not consider these principles as something to comply with only when there is a problem, a complaint or an appeal. They should consider their duties as something to be put into practice on a day-to-day basis. They should take on the responsibility of transforming into internal procedure everything which is necessary to adhere to the principles of law, which would mean redistributing roles and tasks, creating an internal policy and, in case of appeal, complaint or inspection by the authorities, they should instantly be able to demonstrate that they have been adhering to these principles. So, we will no longer have a situation in which data controllers choose not to fulfil their privacy obligations and run the risk of incurring fines, thinking that an inspection may never arrive. Instead we will have a new scenario in which the data controller is conscious that the protection of privacy is a daily obligation. An obligation which, if not correctly carried out, may lead the data controller to face serious legal consequences. Therefore, this is something both new and not new at the same time.

[Please note that the acronyms of the Italian legislative documents have been left in their original form. D. Lgs. may be translated as Legislative Decree.]

The 32nd world privacy conference, which recently concluded in Jerusalem, brought to the fore the theme of corporate accountability in the management and protection of data.

The concept of accountability, which is not captured by the Italian translation "responsabilità" alone but also involves aspects such as reliability and corporate competence in managing personal data, was developed by The Centre for Information Policy Leadership in an international working project involving 60 participants, including Prof. Avv. Giusella Finocchiaro, representing business, civil society, governments, the data protection authorities and the European Data Protection Supervisor.

In Israel, during the International Conference of Data Protection and Privacy Commissioners, The Centre for Information Policy Leadership presented the document "Demonstrating and Measuring Accountability, Accountability Phase II – The Paris Project", the outcome of the deliberations of the international working group that met in Ireland in 2009 and in Paris in 2010.

The document is available HERE for download in PDF format.