The Corte di cassazione (Italian Supreme Court) decision n. 20615/16 narrows the definition of “personal data” under the Italian data-protection act that enforces the data-protection directive.
The merit of the decision is a legal action against a municipality accused of having published on its website the name and surname of an individual who sued the municipality.
While, the Court said, when mandatory by law the releasing of personal data is always allowed (and this was the case, since there is a law the bind a municipality to disclose its decisions, including those related to legal actions), the simple publication of a name and surname is not enough to make and individual actually identifiable.
Verbatim, the Court says:
the identification of the individuals… would have been possible only by way of further investigations, including third-parties database, with a disproportionate effort in terms of energy and money that is not justified by the interest to identify people involved in a trivial car accident.
This decision set forth a very important point because points out the fact that the “identifiability” notion of the directive is a relative one.
In other words, and enforcing the legal principle to the telco world, an IP number in itself is not necessary a personal data, unless “the identification of the individuals… would have been possible only by way of further investigations, including third-parties database, with a disproportionate effort in terms of energy and money that is not justified by the interest to identify people”.
Needless to sat, the Italian Data Protection Authority has always challenged this interpretation, trying to affirm an “absolute” notion of personal data, thus creating bureaucratic burdens end financial costs for the compliance.