Privacy and Data Protection – Page 31

July 1, 2014

Italian Data Protection Act As Censorship Tool

The news of the day is that the lawyers of an indicted Italian politician will ask the Italian Data Protection Authority to block the publication of a video ?covertly-made by a journalist portraying this indicted politician while serving his sentence in and elder-care facility (as a substitution for a 4 month jail term.)

While it is (still) not known whether the request will actually be filed, the news is a confirmation that the Data Protection Act is now seen as an effective tool to remove “unpleasant” information from the public sources in the name of “privacy protection”.

It will be interesting to see if, in this case, the Italian Data Protection Authority will follow the censor attitude showed back in the 2006 in the case of a TV show that exposed several Italian MPs to make use of drugs.

It really doesn’t matter whether, in this case, the Data Protection Authority shall block the video or not. The point is that by confusing “privacy” with “data protection” and giving room to a devious interpretation of the “right to be alone” – such in the Google Spain case – on the long term we are making impossible the work of the future historian and, on the short term, we are favouring the possibility for the powers-that-be to finally get back its dark, quiet obscurity where anything can happens, hidden from the public scrutiny.

In the name of “privacy”.

June 23, 2014June 23, 2014

A Homicide Investigation And The (Still Alive) Data Retention Regulation

The young girl homicide investigation I’ve talked about in a previous post reveals other interesting information, this time about the Telcos’s role in supporting the public prosecution service through the traffic data retention.

The media are reporting (italian only, sorry) that more than 120.000 single mobile calls are under scrutiny spanning from a few months before the kill. But since the fact is more than three years’old, these data aren’t even supposed to exist since the Data Retention Directive forbade its preservation once the (maximum) two-years term expired.

So, hopefully for the justice and the family of the poor girl, at the beginning of the investigation the public prosecutor, as required by law, did issue a traffic data “freezing” order or, better, seized it as dictated by the Italian Criminal Rule of Evidence.

As in the case of the DNA-based evidence, the collection of traffic data without complying the Rule of Evidence might allow the defense lawyers to challenge the reliability of these information especially because the original traffic data have (or should have been) destroyed once collected by the public prosecution service, thus preventing the possibility of double-checking during the trial their actual evidence “weight”.

June 19, 2014June 19, 2014

DNA Clandestine Collection, Data Protection and Rule of Evidence. Jeopardizing an Homicide Investigation?

After a three years investigation the public prosecutor of Bergamo (a city near Milan) arrested the alleged author of the homicide of a young girl. The suspect has been found thanks to a massive DNA analysis that involved about 18.000 residents of the area, that led, after the skimming of the majority of the genetic profiles, to only two “candidates” .

To obtain the genetic samples to be compared with those found on the crime scene, the investigators faked a routine traffic control check-point, asking the suspect to pass the alcool-test. Further more – as the media say – the investigators were able to collect “organic fluids” from the suspect’s mother unbeknownst to her.

In this way of investigating the homicide there are two issue that haven’t been taken into account so far: what do the investigators do with the 18.000 DNA samples that they’ve collected and, more important, if a “clandestine” DNA sample collection legal under the Italian Rule of Evidence and Data Protection Regulation.

About the first issue: hopefully the “de facto” biobank should be destroyed once no more useful for the investigation, but neither public information is available nor the Data Protection Authority told a word about it. If this is not the case, this 18.000 samples will be used as a comparison for all the future investigation, meaning that those resident who voluntary gave out their samples will be routinely “investigated” unbeknownst to them.

About the second issue: the suspect’s mother has not been charged since there is no evidence of her connection with the crime. So, as a citizen not charged of anything, should have been told by the investigators that they were collecting her genetic sample.

As per the suspect, the available information don’t reveal whether the clandestine genetic sample collection has been ordered BEFORE he was officially charged by the prosecutor or AFTER his official involvement in the case as the potential perpetrator. This might lead to the possibility for the defense lawyer to object the genetic evidence be part of the trial on the basis that both samples have been collected in a wrong way.

Frankly, as this homicide is a major case in Italy, I doubt that neither a judge nor the Data Protection Authority (very aggressive against SPAM and Social Networks misuse) ? will “buy” this objection, even if – as I think – has some merit.

So, provided that the defense lawyers follow this path, the trial will take years to end, because of the legal issues involved with the genetic evidence (think of the Kercher murder, that is still re-tried after having gone up to the Supreme Court and back to the Court of appeals) thus allowing a culprit to stay out of jail longer than he deserves, or an innocent to be acquitted much too late.

As somebody said, big cases make bad justice.

June 11, 2014

Google Spain’s ECJ Ruling Mistranslated in Italian

The Italian translation of the European Court of Justice’s Google Spain ruling is affected by serious translation errors that undermine its meaning.

The first recital of the conclusions read, in Italian

L’articolo 2, lettere b) e d), della direttiva 95/46/CE … deve essere interpretato nel senso che, da un lato, l’attività di un motore di ricerca … deve essere qualificata come ?trattamento di dati personali ?, … e che, dall’altro lato, il gestore di detto motore di ricerca deve essere considerato come il ?responsabile ? (enphasis added) del trattamento summenzionato, ai sensi dell’articolo 2, lettera d), di cui sopra.

The same word, “responsable” appears in the Spanish text, ? while the English text uses the words “data controller”, that Under Sect. 2 of the Dir 95/46/CE is a different legal position

Article 2(b) and (d) of Directive 95/46/EC … are to be interpreted as meaning that, first, the activity of a search engine … must be classified as ‘processing of personal data’, … second, the operator of the search engine must be regarded as the ‘controller’ in respect of that processing, within the meaning of Article 2(d).

The difference between Google being “data processor” or “data controller” is a serious one so it is of the utmost importance to find out which translation is the correct one, since the Italian courts and the Data Protection Authority are likely to refer to the Italian text.

The answer is the the English text is correct and both the Italian and Spanish are wrong. This conclusion comes from the fact that the recital points to sect. 2 lett. d) of the Directive that contains the definition of “data controller”.

But the mistakes of the Italian text don’t stop there. Talking about the role of the websites and blog owners, the translations uses the word “editori” as a false friend of the English word “publishers”. “Editore” in Italian means an entrepreneur whose business is selecting and publishing books and, broadly speaking, contents. While the Court is obviously referring to everybody handles a website, no matter if for business or what.

June 10, 2014

The Italian Data Protection Authority and Parkinson’s Law

Despite the ECJ ruling that bashed the Data Retention Directive (DRD), the Italian Data Protection Authority (IDPA) still continue to enforce the DRD local regulation as if nothing happened. And it does so without a prior “stress test” to see whether or not the Italian version of the DRD has the very same problems than the DRD itself.

The result is that these investigations might be proven useless, but only after having spent time and money in court, challenging the IDPA sanctions.

Such a waste of resources can only be justified by one word, bureaucracy and one goal, self-preservation.

It really seems that after so many decades, Parkinson’s Law still works…