The Italian Data Protection Authority to start a code reviewing investigation

Better late than never: a press release from the Italian Data Protection Authority advertises a data-protection oriented review of a certain number of apps.

This initiative should be a major concern for the (yet unaware) software industry, whose intellectual and industrial property might be endangered by a deep peep into its well-protected secrets. Neither the criteria that will drive the app selection nor whether the DPA will ask developers for source code access are clear.

Unless this IDPA investigation is just an empty PR stunt, it should be carried out by accessing the source code or reverse-engineering the executables; but doing so without signing NDAs and/or providing guarantees of non-exploitation is an approach that the industry will likely reject.

Furthermore, if the software check targets only a certain kind of company, leaving the other players in the same market safe from scrutiny, this might be held to be an unfair alteration of market dynamics. And things might be much worse if the targeted companies are the smallest ones, instead of the big fish in the pond.

Mind, the lack of data-protection compliant programming isn’t a new or unforeseen issue – as the history of software can witness – but the IDPA never actually cared that much. For instance, it didn’t lift a finger when, back in 2002, ALCEI (an Italian civil-rights NGO) asked the IDPA in vain to check the claims that a certain series of Telindus routers had hidden features that posed significant threats to users’ data protection.


Data Protection and Right of Defense. Stating the Obvious

Yet more evidence that Data Protection is not an absolute right. On the contrary, as the Italian Supreme Court decision no. 7783/14 stated a few days ago [1]:

the interest in the protection of personal data must step back when confronted with true defense needs and other legally relevant interests, such as the fair and coherent enforcement of the right of defense in court.

[1] Unofficial translation.

Statute of limitation and Data Retention Corporate Policies

There is a common opinion that personal data should be deleted almost immediately and, in any case, as soon as they become useless: a particularly sensitive problem under the (now defunct) Data Retention Directive, once the mandatory retention period had expired.

This position is not correct, since a company has a legitimate motive – and a legal obligation – to preserve whatever information, including personal data, is necessary to abide by the law and to protect both its right of defense and its right to due process. This means that, within the term set forth by the statute of limitations, a company might, at its own discretion, choose to continue retaining the personal data of its customer base.

In Italy, the ordinary statute of limitations is ten years, so companies can be sued by customers and tax authorities over alleged claims that go way back into the past. This is what happened in a court case tried before the Justice of the Peace of Grosseto (Tuscany), which in January 2014 ruled on a dispute started in 2011 between a telecom company and a client. The ruling said that, under the rules of evidence for civil trials, the telecom company has the duty to prove that it actually delivered its services, and that this duty is fulfilled by showing the traffic-data logs.

It is clear that if the Italian Data Protection Act is interpreted in a way that forces the deletion of traffic data after a few months, an ISP or telecom operator would not be able to defend itself in a trial that starts within the statute of limitations term but after the traffic data have been deleted.

A similar situation might arise in the antitrust field and in investigations run by the Italian Internal Revenue Service, so the conclusion is that the data protection legal framework cannot be interpreted so strictly as to endanger the legitimate rights of a company.

The Impact of the Data-Retention ECJ Ruling on the Law Enforcement Activities

From the law enforcement perspective, the ECJ ruling that on Apr. 8, 2014 declared the Data Retention Directive invalid didn’t harm investigations to the extent that some have claimed. There are, indeed, other legal tools that serve the purpose of obtaining traffic data of interest.

First, ISPs and telco operators might still retain traffic data for other legitimate purposes and for longer periods than the six months “sponsored” by the ECJ. This can happen either with the consent of the customer (for marketing and commercial purposes) or without it (when the traffic data have to be retained, for a statutory term (in Italy, ten years), to meet the legal obligation to provide evidence to the tax authorities that the billed services have actually been provided and that the ISP is not involved in money laundering). Thus, as long as some data – though not all the data retained under the now defunct DRD – are available, a prosecutor can always seize them.

Second, the Budapest Convention on Cybercrime allows public authorities to issue a “data-freeze” order to prevent deletion. Again, this might be a second-best solution, but it is currently working and viable.

Third, the national Data Protection Authorities have the power, under Directive 95/46, to issue orders that “customize” the implementation of this legal instrument so as to match the requirements of the ECJ, thus legally keeping alive, though perhaps only partially, the intrinsic admissibility of data retention as such under the current European data protection legal framework.

How to poison 700,000 people and live happily with it. A case study in crisis management

According to the Italian National Institute of Health, about 700,000 residents of an Italian region, Abruzzi, have been exposed to water polluted by an illegal chemical waste dump that the national newspaper Repubblica labeled the biggest in Europe. Although the existence of the waste had been widely known since 1972, the public prosecution service only started an investigation in 2007, and now the criminal trial is likely to end in nothing: the statutory term that sets the maximum duration of this trial is about to expire, after which the court will no longer be able to actually indict those responsible.

Apart from the legal issues, it is interesting to look at this incident from a crisis management perspective.

Though the big corporations involved in the scandal and now on trial have surely fired up their spin doctors to properly handle damage control, the same can’t be said of how the local politicians reacted.

Whatever book you pick up on the topic advises you to check the facts, be transparent with the media, don’t sweep things under the carpet, say what you know, what you don’t know and what you’re going to do to fix the problem, protect your credibility and so on. But in this case, none of these suggestions has been followed. Neither the longstanding politicians who occupied the key seats during the last forty years nor law enforcement accounted for their lack of control, and when the media started inquiring, the main reaction was to pass the buck to somebody else, releasing vague and contradictory statements and avoiding talking about the hot topic.

From a general crisis management theory point of view, the way the “stakeholders” handled this scandal can be described – to be gentle – as grossly amateurish, but a reality check shows that the lack of a crisis management plan didn’t affect the careers of most of the people involved, some of whom are now even running for a new term in the upcoming elections or still sitting in their (power) chairs.

A possible explanation of this status quo is the lack of pressure from information professionals. The local and national media failed to pitch the facts loudly enough to ignite a lasting public outcry and protest. Far from public scrutiny, the people involved fell into a convenient oblivion and didn’t feel compelled to devise a properly arranged defensive strategy.

Once again, this story shows that Information is Power.