Data Protection

Cookies: the French Privacy Guarantor (the "CNIL") sanctions GOOGLE for a total of 150 million euros and FACEBOOK for 60 million euros for failing to comply with French privacy legislation.

On January 6, following investigations, the CNIL found that the sites facebook.com, google.fr and youtube.com do not allow users to refuse cookies as easily as they accept them. The CNIL therefore fined FACEBOOK 60 million euros and GOOGLE 150 million euros and ordered them to comply within three months.

The French authority noted, in particular, that the sites facebook.com, google.fr and youtube.com offer a button that allows the user to accept cookies immediately, while they do not provide an equivalent solution (a button or otherwise) that allows the user to refuse the same cookies in an equally simple way. Indeed, the websites examined by the CNIL required several clicks to refuse all cookies and only one click to accept them, thus limiting the freedom of consent, which Art. 82 of the French Privacy Law, as well as the GDPR, treats as a fundamental element.

In addition to paying the aforementioned penalties, Google and Facebook will have to comply with the CNIL's requirements within 3 months, providing users with a way to reject cookies that is as simple as accepting them. Failing this, the companies will have to pay a penalty of 100,000 euros for each day of delay.

These two decisions are part of the comprehensive compliance strategy launched by the CNIL over the past two years against French and foreign operators who publish high-traffic websites and engage in practices contrary to the legislation on cookies. Since March 31, 2021, when the deadline for websites and mobile applications to comply with the new cookie rules expired, the CNIL has taken nearly 100 corrective measures (orders and sanctions) related to non-compliance with cookie legislation.

On the Italian side, we point out the Cookies Guidelines published by the Privacy Guarantor, which entered into force on January 10, 2022; the details are provided on our Blog.

The Data Protection Authority’s Report: activities overview and prominent issues in 2019 and 2020

On 23 June 2020, the Italian Data Protection Authority (DPA) presented the report on its activities during the year 2019.

During that year, the DPA supervised the application of Regulation 679/2016 (GDPR) and intervened on issues relating to the protection of fundamental rights in the digital age, the ethical implications arising from the use of artificial intelligence, and the use of new surveillance systems, such as IoT tools.

In light of the peculiar situation arising from the covid-19 pandemic, in its report the Authority has also expressed its views on specific issues relating to the first half of 2020.

Figures

In 2019, the DPA adopted 232 collegial measures and responded to 8,000 complaints, including in relation to telephone marketing, consumer credit, employment law matters and IT security, and carried out 147 inspections in both the public and private sectors.

The DPA also responded to 15,800 questions from citizens who asked for clarifications regarding the requirements related to the entry into force of the GDPR and issues related to unwanted promotional activities such as telephone calls, text messages, video surveillance in the public and private sector and banking data.

Platforms

With regard to online data breaches, in 2019 the DPA sanctioned Facebook Ireland Ltd for €1 million, following the investigation on the "Cambridge Analytica" case, which also involved data of Italian citizens.

In the same year, the authority strengthened its activities aimed at protecting the "Right to be Forgotten" and promoted an international debate to redefine the role played by Internet Service Providers in this specific context.

In 2020, the DPA also raised concerns about TikTok, a Chinese platform that has become extremely popular among millennials all over the world and which allows users to share videos and images. The Italian Authority requested and obtained the establishment of a “task force” at European level to investigate this platform.

Activities in the field of cybersecurity

In 2019, 1,443 data breaches were notified and the DPA commented on the inadequacy of the cybersecurity measures adopted by public administrations and private companies that collect data online. The Authority has also provided guidelines against ransomware and other malicious software.

Ransomware

Ransomware is malicious software that encrypts data, making it inaccessible, and demands the payment of a "ransom" in order to regain possession of the contents stored on the device. In its recommendations, the DPA pointed out that this malware is often installed on users' devices through free gaming or other apps, which users download completely unaware of the threats hidden in them.

Digital Assistants

The DPA has also examined the risks associated with the use of digital assistants. These are programs that interpret human language through algorithms and artificial intelligence and are therefore able to interact as a "human user", responding to various types of requests (such as finding information on the web, searching for a route, making an online purchase, adjusting the temperature or home lighting, or locking and unlocking doors).

The DPA observed that these digital assistants collect and process a huge amount of data, while users are often unaware of how the data are processed and of the identity of the data controller.

Privacy and Marketing

The DPA intervened against "aggressive" telemarketing activities by imposing significant penalties (including fines of €27.8 million and €11.5 million respectively) on companies that used data without the data subject's prior consent.

Privacy and Right to Report

The Authority intervened on several occasions to condemn the gruesome details published by some newspapers and television stations in relation to certain news stories, in order to ensure appropriate protection for the victims of crimes, and especially minors.

Privacy and Work

The DPA defined the safeguards required for the collection of employees' fingerprints in order to combat absenteeism in public administrations. The Authority affirmed that the collection of biometric data is an extremely sensitive operation, due to the nature of the data processed. Specifically, where the collection of fingerprints is coupled with the use of video-surveillance technologies, such a procedure appears to conflict with the principle of proportionality.

Similarly, the DPA considered that a broad and generalized introduction of biometric detection systems for all public administrations would not appear to be justified under the GDPR.

Privacy and Justice

In relation to the "Exodus case" - in which the communications of hundreds of citizens not involved in police investigations were intercepted due to a malfunction of an electronic interception tool - the Italian Authority proposed measures to ensure increased safeguards in the use of tools that potentially threaten citizens' freedoms.

Privacy and Health

With regard to health data, the DPA intervened several times on the procedures for the collection and processing of health data in the context of the pandemic. The authority stated that, even in an emergency context, the principles of the GDPR must nonetheless be complied with.

The DPA also provided its opinions and indications regarding the "Immuni" app (i.e., the app chosen by the Ministry of Economic Development to provide contact tracing technology to Italian health authorities). The DPA also expressed its views on the methods for carrying out serological tests and for collecting the health data of employees and customers.

The several actions put in place by the DPA show the continuing efforts to monitor the application of the new European regulation, and to prevent and sanction violations that may pose a threat to individual freedoms.

A FEW FACTS YOU NEED TO KNOW ABOUT THE GDPR

As many may know, starting from 25 May 2018, EU Regulation 2016/679, known as the GDPR (General Data Protection Regulation) and relating to the protection of personal data, will be directly applicable in all Member States.

In a nutshell, the GDPR:

  • introduces clearer rules on information and consent;
  • defines the limits to the automated processing of personal data;
  • lays the foundation for the exercise of new rights;
  • establishes strict criteria for the transfer of such data outside the EU;
  • sets strict rules for data breach cases.

These rules also apply to companies located outside the European Union that offer services or products within the EU market. All companies, wherever established, will therefore have to respect the new rules. Companies and institutions will have more responsibility and, in case of non-compliance with the rules, risk heavy penalties.

The "One Stop Shop"

To resolve any difficulties, the "one stop shop" rule has been introduced, which will simplify the management of processing operations and guarantee a uniform approach. Companies operating in several EU countries may deal with the Privacy Guarantor of the country where they have their headquarters.

Data portability

The Regulation introduces the right to "portability" of personal data, i.e. the right to transfer them from one data controller to another. An exception applies where the data are held in archives of public interest, such as registry offices; in that case the right cannot be exercised. Likewise, personal data cannot be transferred to non-EU countries or international organizations that do not meet the required standards of protection.

The principle of "accountability"

There are other important elements of novelty. In fact, the accountability of data controllers has been introduced, together with an approach that gives greater consideration to the risks that a particular processing of personal data may entail for the rights and freedoms of data subjects. The new right to portability will also facilitate the transition from one service provider to another, encouraging the creation of new services, in line with the Digital Single Market strategy.

Data breach

The data controller must report any personal data breach to the Guarantor. Responding effectively to a data breach requires a multidisciplinary and integrated approach and greater cooperation at EU level. The current approach has numerous flaws that need to be corrected; this is not simple, but it is necessary in order not to lose the opportunity provided by the GDPR. The first obligation Italian companies must fulfil is certainly the adoption of the register of processing activities, but even before the bureaucratic requirements, the company must understand the importance and value of its data, as well as the enormous economic damage caused by a loss of information.

If the data breach poses a threat to people's rights and freedoms:

  • the controller must inform all data subjects in a clear, simple and immediate manner and indicate how it intends to limit the damage;
  • the controller may decide not to inform data subjects if it considers that the breach does not pose a high risk to their rights, if it demonstrates that it has already taken security measures, or, finally, if informing them would involve an effort disproportionate to the risk; in this last case it must issue a public communication instead;
  • the Guarantor may in any case require the data controller to inform the data subjects, on the basis of an assessment of the risks arising from the breach.

The figure of the DPO (Data Protection Officer)

It is no coincidence that the figure of the "Data Protection Officer" (DPO) was created: a person responsible for ensuring the correct management of personal data in companies and institutions, appointed on the basis of professional qualities and specialized knowledge of data protection law and practice.

The Data Protection Officer reports directly to the organization's top management and is independent, since he or she receives no instructions regarding the performance of the tasks.

In reality, there are still too many doubts about what the DPO is. It is a relevant figure, but certainly not the "center" of the system established by the GDPR, which in the new system is always the Data Controller. The DPO must have specific expertise "in the rules and practices concerning personal data as well as the administrative rules and procedures that characterize the sector". It is no less important, however, that he or she also has "professional qualities appropriate to the complexity of the task to be performed" and, especially in sensitive sectors such as health, can also demonstrate specific competence with respect to the types of processing carried out by the controller. The decision-making autonomy of the DPO, and his or her independence from the determination of the purposes and means of data processing, is equally important if we want to give data subjects back sovereignty over the circulation of their data.

Are you Ready for the EU New Privacy and Data Protection Rules?

The Data Protection Authority has published new Guidelines on the implementation of the new European General Data Protection Regulation 2016/679, issued by the European Parliament in April 2016, to enable public entities, institutions, natural persons and private companies to know and correctly apply the new provisions on this matter. The Regulation, which will become fully effective from 18/05/25, will be operational in all EU countries without any further transposition procedure and will replace the current Privacy Code, which was adopted by Legislative Decree no. 196 of 2003 in implementation of a previous European Directive. Within a year, national data protection laws will be unified in a single set of rules.

The system set up by the European Union consists of two parts: a Regulation concerning people, companies and administrations, and a more specific Directive concerning the use of personal data in the field of security, police and justice activities. This second part will have to be transposed by national law.

The Data Protection Authority's Guidelines deal with the first part of the legislation, dividing it into six groups (lawfulness of processing, information notices, data subjects' rights, data processors, risk-based approach and accountability measures of controllers and processors, international data transfers) and addressing its innovations and possible issues.

In particular, some of the changes introduced by the Regulation are in the interest of the data subject. First of all, the information notice acknowledged by the data subject must be clear, brief, intelligible and easily accessible. In addition, the data subject may decide to transfer his or her data from one controller to another, with the possibility of changing provider without losing the information already provided. Transfers of personal data to non-EU countries or international organizations that do not offer adequate protection will require explicit consent. On the other hand, the Regulation promotes the accountability of data controllers and the adoption of approaches and policies that constantly take into account the risks that may arise in data processing. Finally, another important innovation is the introduction of the Data Protection Officer, a professional responsible for managing and overseeing the privacy policies of companies and public entities. Thus, in a year we will discover the effects of this reform and how the management of personal data will change across the European Union.