The Italian Supreme Court clarifies the requirements for privacy consent. The Italian Data Protection Authority annual report and some valuable legal indications on legitimate interest

1. The Italian Data Protection Authority has presented its report on the activities carried out in 2017 to Parliament

On 10th July, the Italian Data Protection Authority (“DPA” or the “Authority”) presented its annual report to Parliament, outlining the usual assessment of the activities carried out by the Authority during the previous year and indicating the prospects for future action, especially in light of the entry into force of EU Regulation 679/2016 (the “GDPR”).

The report deals with some of the most current topics in the field of personal data protection, including: the processing of personal data in the judicial field, DNA databases, aggressive telemarketing, the protection of confidentiality in the tax area, as well as some particularly current issues, such as the protection of personal data in the use of social networks, fake news and the relationship between privacy and news.

The volume of activities carried out in 2017 by the DPA is particularly significant: the Authority indicates that it adopted 573 collective measures, responded to 6000 complaints and reports and decided 276 appeals, and communicated 41 reports of offences to the Judicial Authority. 275 inspections were carried out, 589 administrative violations were detected and sanctions totalling 3,800,000 euros were issued (16% more than in 2016).

2. The Italian Supreme Court comments on consent requirements, taking into account the GDPR

The Italian Supreme Court (2nd July, 2018, N. 17278) ruled in favour of the Italian DPA against a company that offered a newsletter service through its website. In order to access the newsletter service, the user was required to enter his/her e-mail address and, at the bottom of the data collection form, there was a checkbox by which the user could express his/her consent. The registration process for the newsletter service could not be completed without ticking the consent box, since the message “box selection is required” appeared otherwise. The website’s page did not make clear, though, what the “processing of personal data” mentioned next to the checkbox referred to: to understand that in detail, the user had to click on a link and ‘land’ on a different web page, where it was specified that the collected personal data was used not only for the provision of the newsletter service but also “for sending promotional communications and commercial information from third parties”.

The Supreme Court has highlighted that consent cannot be specifically, and therefore freely, given in a scenario in which the effects of the consent are not clearly indicated next to the specific “check box” but are instead described in another web page linked to the first, such that it is not possible to know whether the data subject has actually consulted that other page and selected a different «check» there to express his/her specific consent.

By virtue of the notion of “informed consent”, which, according to the Supreme Court, does not “allow pressure of any kind” and “does not tolerate being disrupted”, and by virtue of the notion of “specific consent”, referring to “a clearly identified processing activity, which implies the need, at least, of the indication of the product sectors or services to which the advertising messages will be reported”, the user must always be “placed in a position to depict, unequivocally, the effects of consent given to the processing of his/her personal data”. If the processing of personal data, as in the above-mentioned case, “entails a number of effects”, the consent therefore “(…) must be individually given in reference to each of them”.

In another interesting passage of the judgment, the Supreme Court stressed the importance of assessing whether the offered service (in the case at hand, the supply of the newsletter) is essential or can be renounced by the data subject.

In that respect, the Supreme Court asserted that, where the website manager offers an information service (newsletter) disseminating information that is otherwise easily obtainable, the provision of the service can be made conditional upon the data subject giving his/her consent to the use of the personal data for further marketing. What is forbidden, instead, is that the effects of that consent are concealed or that the data subject is misled.

From a practical point of view, the following conclusions can be drawn from the ruling under consideration:

(i) when the data subject has requested newsletter services, it is not necessary to ask for consent, as such processing is carried out on the basis of a contract with the data subject or to execute his/her request (as already foreseen by article 24 1.b of the former Privacy Code and now by article 6.1.b of the GDPR);
(ii) when consent is required (for example to use the data subject’s data for different marketing purposes, including those of third parties), the consent must be specific and informed and, to this end, it is advisable to insert a “short” information notice next to the online checkboxes, whereby the controller can explain to users what they are agreeing to;
(iii) information mechanisms constructed by means of referrals and “Chinese boxes” are not allowed, as they are not transparent, when they are built only to make it more difficult for the data subjects to obtain the necessary information on the processing.

3. The processing of personal data originating from GPS devices and body cams is possible even without the consent of the employees – with appropriate guarantees

The Italian DPA has recently had the opportunity to deal with two topics of great interest and relevance, namely the processing, by the employer, of employees’ personal data originating from tracking devices (GPS) and from the use of body cams.

In particular, in the annual report presented to Parliament for the activities carried out during 2017, the DPA illustrated the cases in which the processing of employees’ geolocation data may take place without their explicit consent, but on the basis of a legitimate interest of the data controller, i.e. the employer.

It is important to note that the DPA has also indicated, in relation to the cases handled, the specific guarantees that the companies or entities involved have to adopt for such processing to be lawful, including:

– the configuration of the system in such a way as to detect the geographical position with a temporal frequency strictly proportionate to the objectives pursued;
– the access to the processed data only by the staff in charge and provided with specific authorization;
– the adoption of measures designed to automatically delete the collected data after the retention period;
– the identification of the data subjects only in case of need; etc.

The position taken by the Authority in relation to the processing of personal data of employees coming from wearable devices for image acquisition (so-called body cams) is very similar.

In particular, in the provision adopted on 22nd May 2018, after having described the peculiarities of such processing (which involves a real-time link whose start and end are decided by the operator who wears the device), the Authority assessed, following a request for preliminary verification and an in-depth analysis of the system used, that the company in question was carrying out the data processing in accordance with the applicable principles, including that of non-excess, and consequently identified a legitimate interest of the data controller in the processing itself.

However, even in this case, the Authority did not omit to prescribe certain measures to protect the rights of the data subjects, specifically the employees of the company itself. The latter was therefore called upon to adopt an internal set of rules in order to:

– identify the conditions and methods of use of body cams (with particular reference to the need to take special precautions in the event that video footage can record victims of crimes, witnesses, minors or may record places subject to particular confidentiality formalities);
– provide specific measures for intervention and use of the collected images;
– identify specific procedures, reserved for authorized parties equipped with appropriate credentials, to access and verify the collected images;
– set a time limit for retention of the images (in particular, the DPA has highlighted that holding such images for more than 7 days may only be arranged after verification of the relevance of the collected images with respect to the purposes pursued); etc.

The positions taken by the DPA on the issues mentioned above are a good starting point for those controllers who intend to base some data processing on legitimate interest; in fact, such positions contain indications on the elements to be taken into consideration by data controllers when carrying out the so-called balancing of interests, which the GDPR requires of data controllers before commencing such processing.
