The Italian Parliament is going to pass a provision (“hidden” into an elevator’s safety decree) to re-introduces the extension of the original (and still possibly illegal) data-retention term up to 72 months. Continue reading “Data Retention Strikes Back in Italy”
As a consequence of the Parliament/Govern inactivity, the huge quantity of traffic data that survived the June, 30 midnight – and that some ISP might still have in its own hand, maybe hoping for a last-minute, never passed, prorogation – is currently being deleted.
Right now, traffic-Database deleting schedules should have been re-set to the old standard: one year retention period as set forth by sec. 132 of the Italian Data Protection Act.
And the Data Protection Authority still hasn’t hissed a word.
Yesterday the Internet Traffic Mandatory Data Retention regulation expired without being re-enacted by the Parliament. This means that at the midnight of June, 30, all the Italian Telcos and ISPs just (or should have) deleted last year Internet usage information from their databases.
Maybe the Parliament and the Data Protection Authority just had a strike of consciousness and decided so, after having “forgotten” for years to stress test the national data retention legislation to check if it could still stands against the EU Court of justice 2014 decision that bashed the data-retention directive.
Or, maybe, the powers-that-be just forgot about the data-retention.
We’ll never know for sure, but fact is that current high profile criminal investigations are now deprived of an important information gathering tool.
A friend of mine asked a quick commentary about a Telegraph news about the European Court of Justice decision that bashed the British Data Retention and Investigatory Powers Act, forcing the ISPs to abid to a one-year Internet traffic data retention period.
Here is my answer:
It is clear that the EUCJ is following its political agenda.
As I said countless times, law enforcement and national security aren’t subjected to the might of the data-protection directive so this legal instrument can’t be enforced to rule investigative powers.
It is false that users are note informed about the retention. There is a law that set forth the duty, so the citizen are supposed to know about it (ignorantia legis non excusat.)
Again, the article and – I suppose – the EUCJ confuses fairly different things: GCHQ is intelligence and – as such – is well out of reach from the DP directive. Other public bodies have the right to perform their investigation to guarantee the respect of the law.
So, the actual problem is quis custodies ipsos custodies. In other words: I have no problem with an agency that accesses my data. But I do have the right to know in real time when it happens and why (or, if there is a secrecy issue, as soon as it is reasonable.)
As expected, Privacy Shield has been challenged in front of the EUCJ.
Before wasting time and money trying to comply with this DOA thing, it would be safe to wait for the judgement.