Google and the Italian Data Protecion Authority fine

The news is making the round that Google has been indicted to pay a 1.000.000,00 Euros’ fine for the Street View’s “privacy infringement” under Italian Privacy Act. But (at least in this case) Google didn’t violate the Italian Laws and the Data Protection Authority did a blatant mistake: let’s see why.

1 – Google has not been investigated under “privacy” law, the relevant statute being the Data Protection Act (as I wrote, there is no superimposition between the two legal concepts);

2 – The Data Protection Act, being an enforcement of the EU Directive 95/46/CE only handles “personal data”, i.e. data that either identify a natural person or make a natural person identifiable;

3 – As the Italian Supreme Court said more than once – and so did the same Data Protection Authority ? – outdoor there is no reasonable privacy expectation,

Then, as soon as Street View shots pictures in open spaces and doesn’t identify people, there is no “privacy” infringement.

But this is just a conclusion drafted by interpreting the law. Real life is a horse of different colour.

EU “Privacy” Directives and the Haunted Companies

The right to privacy is a pre-requisite of the EU Directive 95/46/CE ? and not its object. Art. 1 states it loud and clear:

1. In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.

This means that that calling the data protection-related directive – as well as the upcoming new regulation – “privacy law” or whatever similar is not just a terminology’s mistake but an error with actual (and costly) consequences negatively affecting companies’ budget allocation, legal compliance and marketing capabilities.

Under the EU data protection legal framework, companies are not required to protect “privacy” as such, but only to handle personal data on a “need-to-know” basis provided that fundamental rights are not endangered. This has nothing to do with the “hush-hush” attitude commonly “sold” by “expert” consultants summoning the right to privacy as a threatening devil to haunt a company.

Stop using “privacy” as a substitute for “data protection” and your (corporate) life will keep smiling at you again.

 

Friday Night (Data Retention) Fever

Here is a real case that happened just a couple of days ago, while helping an ISP to find a way to handle the deletion of data after the mandatory term imposed by the Eu Data Retention Directive expires. Whatever the solution, thank to the rigidity of the provisions, a law will not be obeyed.

Background:

  •  ? The automatic processing of the data-deletion is usually made so that a script matches daily the data-creation date with the current date, and if the match says that the retention term is expired, then the script delete the data,
  • The only exception is a “freeze” order issued by a Court or a prosecutor. In this case it is possible to avoid the requested data to be destroyed,
  • The “freeze” order are notified either by fax, secure email or direct order to the “Protocol department” (that handles the incoming communications, and that “route” the messages to the concerned people),
  • While when the offices are closed there is always at least one resource belonging to the technical department to be alerted in case of urgency, the administrative offices just shut down the curtains of Friday at – say – 5P.M.,

Scenario:
– let’s say that a secure mail or a fax containing the “freezing” order arrives when the Protocol Department is closed. This means that the request will be processed the next day,

– let’s say that the “freezing” order concerns data that are going to be destroyed the very same Friday night when the order arrived,

What happens is that the “freezing” order arrived timely, before the data were destroyed, but since the internal route of the order is handled when the term is expired, the data have been deleted.

A possible solution could be to extend the deleting time frame of three days (thus accounting for the week-end gap) but it doesn’t work. Here is why.

If I have to destroy the data on Friday, and I kept it until Monday just to check if some Court order has been notified in the meantime, it might happens that on the very same Monday a Court order might be notified in relationship to the Friday-to-be-deleted data (when the data are supposed not to exist anymore).

So, if I follow the DRD I must refuse to comply with the Court order because though the data are there, they can be processed only if the Court order were notified within the original term. On the other hand, I can’t refuse to obey to a Court order, if I still have the concerned information.

A contemporary version of the Buridan’s Ass Paradox.

 

Iphone for Business? At Your Own Risk

Buying a Iphone as a business tool from a mobile operator is – at least in Italy – a problematic issue.

As I have personally experienced, if the devices breaks after the first, Apple granted, warranty period, you can’t do anything else but drop it in a local store, having shipped to a repair facility, and hope for the best, without being given a spare device.

The conclusion is: before subscribing a plan that includes an Iphone, do check if the mobile carrier is offering some insurance or other form of assistance (of course, at extra-cost) that doesn’t let you naked in the middle of Trafalgar Square on New Years Eve.

Here are the facts:
– On Nov. 2012 I purchased from Vodafone Italia an Iphone 5 with a 24month voice and data plan,
– The warranty is on behalf of Apple for the first 12 months, and on behalf of Vodafone for the next 12
– The battery of the phone died and I asked an official Apple centre if they could change (upon payment) the battery,
– The Apple Centre told me that since the phone is now under Vodafone warranty they can’t even touch it,
– I called Vodafone and they told me to give them the phone, with no actual idea of the time needed for the repair (to be on the safe side, it shouldn’t be less than a month) without giving me a back up phone.

That said, my option are:
– stay possibly one month waiting for the Iphone to come back. But this is impossible: it’s a work tool, so I should buy another Iphone in the meantime. Why should I care – then – to repair the first one?
– buy a new smartphone. Again, why should I repair the old one?
– change the battery on my own, losing what lasts of the warranty and risking to break it. Spend money, finally buy a new phone.

Thus, whatever the option, to solve my problem I’m supposed to buy a new Iphone just because there is no way to just change a died battery of an otherwise perfectly working device. Maybe this business strategy might work for a consumer that can just wait for the smartphone to come back from the repair garage, but it is non acceptable for a business user.

The Italian Approach on Cyberwarfare: paper-based security

From time to time, cyberwarfare surfaces on the ocean of the useless Italian political and sub-political talks.

Last week, waiting my turn to talk in a conference, I’ve heard a speaker claiming to “knows best” ? that said that in five year Italy will have its set of actual guidelines to enforce ENISA standards, advocating a stronger tie between industries and a government committee on critical infrastructure and all the usual vaporware that comes with the topic.

I stayed speechless while losing the count of the times that – in about 27 years on the field – I’ve heard such kind of nonsenses. These people care about the colour of the windows’ curtains while there a house still to be built. They think in term of “national committee”, “global report”, “breach notification” while they still have to succeed in convincing people in not leaving passwords on a monitor-stuck post-it. This reminds me a sketch from “I Maniaci“, an Italian movie from the Sixties, where His Excellence Micozzi, ministry of defense (actor Raimondo Vianello) alwyas followed the journalists questions’ by saying “we shall appoint a committee to look further into the matter”, even the day he was cautioned for alleged wrongdoing.

While the movie was supposed to by a comedy, seeing it today doesn’t elicit a laugh. The security issue ? is serious because, when the Echelon scandal exploded, we could claim that it was a relative threat to Italy since our communication infrastructure and our reliance upon were from stone-age. But now things have changed enough to allow an attack(er) to actually endanger Italy as a country. And I can’t stop thinking of ? the Italian approach being like a politburo of some (former) Eastern Block country, talking about Marxist orthodoxy while people in the squares was taking down Lenin’s statues.

We shall appoint a committee to look further into the matter.