Skip to content

The GDPR doesn’t work for Data Retention

A simple syllogism.


GDPR’s Whereas 19 says:

The protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and the free movement of such data, is the subject of a specific Union legal act. This Regulation should not, therefore, apply to processing activities for those purposes.


Voice and Internet Data Retention regulations serve to investigate crimes, prevent threats to public security and so on,


the GDPR’s reach doesn’t touch Data Retention


A29 and local Data Protection Authorities have no jurisdiction over this topics.

Question: where’s the fallacy of this syllogism?


The EU Court of Justice: privacy and data protection are different rights. Data Protection Authorities are on notice

The press release 84/2017 issued by the EU Court of Justice on the EU-Canada PNR transfer contains  an important (though unnoticed) statement:

… the transfer of PNR data from the EU to Canada, and the rules laid down in the envisaged agreement on the retention of data, its use and its possible subsequent transfer to Canadian, European or foreign public authorities entail an interference with the fundamental right to respect for private life (emphasis added). Similarly, the envisaged agreement entails an interference with the fundamental right to the protection of personal data (emphasis added).

This statement from the Court clarifies what the Data Protection Directive and the GDPR both say: privacy is a different right than protection of personal data.

That’s not just an issue of legal semantics: by re-asserting the difference between privacy and data protection, the Court issued a (possibly unintended) warning to all of  the parties (Data Protection Authorities and Article 29) involved into the enforcement of the DPD and the GDPR: interpreting the DPD and the GDPR as “privacy laws” leads to wrong interpretation of the letter of the law, thus involving the risk of unnecessary costs to comply with non-involved provisions and injust fines that will force companies to spend time and resources to stand for its right in Court.

A useful feature of the upcoming GDPR

The unified system of definitions set forth by the GDPR is its main strenght because it prevents – at national level – the unauthorized modification of the EU provisions.

The Italian Data Protection Directive enforcement (Legislative Decree 196/03)  is a clear example of what I mean.

The Data Protection Directive (DPD) clearly says, in its Whereas number 15, that the Directive is going to be enforced to data processing performed by way of a filing system.

The Italian Legislative Decree 196/03, oddly enough, defines “trattamento” (processing” as:

qualunque operazione o complesso di operazioni, effettuati anche senza l’ausilio di strumenti elettronici, concernenti la raccolta, la registrazione, l’organizzazione, la conservazione, la consultazione, l’elaborazione, la modificazione, la selezione, l’estrazione, il raffronto, l’utilizzo, l’interconnessione, il blocco, la comunicazione, la diffusione, la cancellazione e la distruzione di dati, anche se non registrati in una banca di dati; (emphasis added)

So, as the emphasis shows, the notion of “processing” the Italian Way  has been arbitrarily extended from one performed by filing system up to include those processing that are not recorded into a data-base.

Yes, just in case, you may challenge a fine from the Data Protection Authority issued by enforcing a wrong provision. But you have to do it through a Court, thus spending time and money.

Luckily, the GDPR contains a limitation similar to the one included into the DPD):

The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system.(emphasis added)

Since member-States have no power to change what a Regulation states (because there is no need to pass local bills to have it up and running), falling next May 25, 2018 this Italian oddity (and, hopefully, many more) will disappear.

Enforcing the GDPR: Authority vs Legal Interpretation

In the last couple of days, commenting a Linkedin post about Article 29’s (the future European Data Protection Supervisor) opinions, I’ve been involved in an interesting thread that can be summarized as “Authority vs. Legal Interpretation”.

To put it short, my position is that  “opinions”, “position papers” and ruling from administrative bodies run by a limited number of civil servants should be always taken with a grain of salt.

First,  court-issued decision are the result of a process involving thousand and thousand of magistrates that – on the long term – produces an average, steady body of legal opinion. On the contrary, the decisions coming from an agency or an independent body such as a Data Protection Authority are actually the outcome of a limited number of people that will be in charge for decades. So it is fair to say that such kind of decisions are more likely to be “Monarch’s Edicts” instead of  a “peer-reviewed” statements.

And, secondly, as I wrote in one of those comments:

whoever an interpretation of law comes from, it must be logical and technically sound. If A29 is more frequently right then wrong, that doesn’t make its next opinion to be automatically correct. I support David Hume’s approach : the fact that the sun rose yesterday doesn’t mean that it will tomorrow.

The core of the issue is was: what is the value of Article 29 opinions and should it be held as a binding (or preferred) interpretation of the GDPR?

Some of the commenters’ positions ranged from “A29 should be followed” to “It would be unwise to completely ignore A29” and are very interesting because are a chance to bridge the gap between theory and practice when enforcing a piece of legislation in the corporate world.

Of course, especially when advising companies, it would be irresponsible to simply disregard a legal interpretation coming from the entity that will investigate you. But it doesn’t neither implies that the public body’s legal findings are always correct nor that they must be taken at its face value.

Take, for instance, the Genetic Personal Data Processing Authorization issued by the Italian Data Protection Authority (IDPA) last November 2016.This authorization has no legal status as “source” of law 1 nevertheless the IDPA seized the moment to extend its reach from genetic personal data (well within its jurisdiction) up to biosamples that, per se, are not covered by the Data Protection Act.

By taking the IDPA authorization “as such”, a biotech company should “simply” extend its internal policy up to including Material Transfer Agreements, biobanks management and research protocols even though – as when using anonymous biosamples – non personal data are involved. All that comes with an increasing of costs (i.e. less money for the research) and bureaucratic burdens (i.e. less efficiency in the company’s management.)

Sure, by verbatim complying to what the IDPA stated reduces the risk of being fined, but where is the point in complying to a wrong (interpretation of a) law, it this leads you to paralysis, lack of funds or lesser efficiency? Answer: you should do it – as it has been advocated in thread about the A29 opinions’ legal value – because the DPAs statement are “authoritative.

But “authoritative” in the legal interpretation is a very vague word. Authority might comes from the blind exercise of power, so people comply with an “authoritative” suggestion just to avoid further troubles and not because of the intrinsic correctness of the suggestion. Or may comes from a rough consensus – that is not, per se, a guarantee of being right. Or, furthermore, can be the outcome of the personal beliefs of a single civil servant in the position of asserting his own personal views.

On the contrary, the enforcement of the legal logic and of the theory of legal interpretation is a scientific way to proceed. In a Continental Legal System such as the Italian one, the only authentic interpretation of Law comes from the Parliament. All other readings are done by applying the logic and the specific rules of legal interpretation set forth in the Civil Code.

This is to say that what matters is the strength of the logic holding an interpretation and not the “nobility” of the interpreter (that would turn out being an argumentum ad baculum that is incompatible with a modern legal system that aspires to be acknowledged as “scientific”.

  1. in Italy the source hierarchy goes from the Constitution to Parliament-passed laws, to Government-passed Decree-Law, down to Ministries’ Decrees and other minor acts.

The Italian Data Protection Authority to Challenge the European Court of Justice?

According the online newspaper, the Italian Data Protection Authority (DPA) stated verbatim that the 72  months retention periodo imposed by the upcoming legislation is much too long.
By doing this, the DPA implied that the only problem with data-retention is its duration, and didn’t mention the main issue raised by the EUCJ decision: carpet data-retention is not possible under the EU legislation.

What is worse, is that DPA did so without any hint of the “stress-test” required to ascertain whether the national legislation is still eurocompatible or not.

The lack of the stress test is going to be a relevant issue for a lot of subjects, including prosecutors, ISPs and the very DPA itself, because of a legal “short-circuit” that can be summarized as follows:

  1. A citizen starts a Schrems-like case, asking an ISP for his personal traffic data to be deleted.
  2. If the ISP complies affirming that the data-retention legislation is not valid, it will be probably be charged of obstruction of justice (at least, according the Legislative Decree 231/01 – criminal corporate liability).
  3. If the ISP refuses, upholding the data-retention legislation, the citizen will file a complaint with the DPA.
  4. Two possibilities now:
    1. the DPA acknowledge the citizen’s right and order the data to be deleted: goto Line 2.
    2. the DPA denies the citizen’s request and order the ISP to keep maintaining the traffic-data. Thus the DPA counterdicts the EU Court of Justice decision.

Things are getting worse in criminal court:

  1. The prosecutor offers data-retention obtained traffic-data.
  2. The defense challenges this evidence on the basis of the EUCJ decision.
  3. The court either:
    1. sustains the defense challenge, thus declaring null and void the acquisition of the traffic-data, and possibly ask the prosecutor to investigate the ISP that retained illegally the data,
    2. reject the defense request, opening the way to the involvement of the EUCJ on the matter, causing an unforeseeable duration of the process, likely to reach the Statute of Limitation term.


Vaccines do not cause autism, do they?

Vaccines do not cause autism: this is what, according an Italian online newspaper, the Supreme Court (is supposed to have) stated, thus putting a “The End” tag to story where the viruses of superstition and ignorance plagued the mind of millions people who refused to treat their children because of a blatantly false information.

Unfortunately, there is not so much to be happy of because first, the Supreme Court only told that it hasn’t been given enough “scientific” evidence to rule in favour of the existence of cause-effect relationship between vaccines and autism. Then, as soon as somebody comes back to the Court with more “scientific” evidence, the issue will be re-considerated.

Second, as the scientific journalist Piero Angela said talking about the speed of light,

you can’t determine it by a raise of hands.

And this is true even though the hands belong to somebody wearing a robe (and – in some country – a wig.)

Cyber-Wathever Expert in Ten Steps

No need to know what you’re talking about when writing about computers. Just follow these 10 steps and gain major media and companies attention!

  1. Expose an academic affiliation even if not related to the topic you’re talking about. Academic aura always looks good,
  2. Put words like “AI”, “cyber”, “virtual”, “future”, “kinetic” and “threats”  together with Vodka, Gin and Kina Lillet into a mixer and shake it (by no means stir it!). You’ll get a beautifully blended words’ cocktail that fits all tastes… and don’t forget the lemon peel, of course,
  3. Stay away from hard facts and base your musing on what (mainly) the ICT marketing-mongers throw on the market,
  4. Write in English, even if you barely speak your mother language. If you can’t afford a professional to put your ideas (?) in writing, go for Google Translate. Only the message counts, not its form. And, by the way, wouldn’t you like to look like those German or Russian scientists that, back in the days, were taken seriously by the West thank to their strong, native accent too?
  5. Start (and keep) talking about “strategic scenarios”, “intelligence” and “lesson learned” from your personal (and obviously authoritative) point of view,
  6. Try as hard as you can to appear in a picture (no matter in which position) with somebody wearing a uniform, possibly a brass. No need to know him,
  7. Use empty words that everyone can fill with his own meaning. After all, is this what they taught you at those NLP practitioner seminar, isn’it?
  8. Always talk either about the future or the past. Never, ever about the present,
  9. Abuse statistics. The lesser you know it, the better you succeed in having numbers lie on your behalf,
  10. Make the Post Hoc fallacy your standard analysis tool. Correlation is not Causation, but… who cares?

Data Retention Strikes Back in Italy

The Italian Parliament is going to pass a provision (“hidden” into an elevator’s safety decree) to re-introduces the extension of the original (and still possibly illegal) data-retention term up to 72 months. (Continued)

The Danger of Remotely Managed (i.e. cloud-based) Software

Today you can buy a lot of software on a subscription, cloud basis scheme.

Of course, from the software-house point of view there are no issues.  But from the users’ perspective the fact that cloud, subscription-based business models are widely enforced by the market, and that its supporters claim this to be an advantage for the users doesn’t turn a bad management choice into a good one. (Continued)

No More Mandatory Data Retention in Italy? – Update

As a consequence of the Parliament/Govern inactivity, the huge quantity of traffic data that survived the June, 30 midnight – and that some ISP might still have in its own hand, maybe hoping for a last-minute, never passed, prorogation – is currently being deleted.

Right now, traffic-Database deleting schedules should have been re-set to the old standard: one year retention period as set forth by sec. 132 of the Italian Data Protection Act.

And the Data Protection Authority still hasn’t hissed a word.