The unified system of definitions set forth by the GDPR is its main strength because it prevents – at national level – the unauthorized modification of the EU provisions. Continue reading “A useful feature of the upcoming GDPR”
Enforcing the GDPR: Authority vs Legal Interpretation
In the last couple of days, commenting a Linkedin post about Article 29’s (the future European Data Protection Supervisor) opinions, I’ve been involved in an interesting thread that can be summarized as “Authority vs. Legal Interpretation”. Continue reading “Enforcing the GDPR: Authority vs Legal Interpretation”
No More Mandatory Data Retention in Italy? – Update
As a consequence of the Parliament/Govern inactivity, the huge quantity of traffic data that survived the June, 30 midnight – and that some ISP might still have in its own hand, maybe hoping for a last-minute, never passed, prorogation – is currently being deleted.
Right now, traffic-Database deleting schedules should have been re-set to the old standard: one year retention period as set forth by sec. 132 of the Italian Data Protection Act.
And the Data Protection Authority still hasn’t hissed a word.
NSA, Search Engines and Political Competitions the Frank Underwood’s Way
AntiPublic, British Airways and the Italian Data Protection Supervisor
Italy just discovered AntiPublic, the next data-leak with about half a million of personal accounts made publicly available by the lack of care of “trusted” websites in handling its “security measures”.
British Airways got a shut down of its IT infrastructure due, according to the Italian newspaper Repubblica.it, a lack of management of the business continuity plan.
This two cases, while unrelated, are both evidence of an infringement of the EU Data Protection Directive (95/46/CE).
In the AntiPublic data-leak the reason why is obvious, as it should be for the British Airways IT infrastructure “freeze”: business continuity, indeed, is one of the security measures that the Data Processor should enforce to avoid damages arising from the unavailability of personal data.
This is a challenge for the (Italian) Data Protection Supervisor. He can either look elsewhere, or open an investigation to ascertain what happened and who is the culprit of these personal data mismanagement.
The EU Directive 95/46 and his own case law? give the Italian Data Protection Supervisor the power to act even outside the national and European jurisdictions,? so there wouldn’t be a motive no to start an investigation.
So, if the Italian Data Protection Authority will actually starts poking around to find out the “truth”, then a message is sent to the business and civil servant community: we don’t need to wait for the General Data Protection Regulation (GDPR) to enter into force, to exercise our prerogatives against no matter who.
Should he, on the contrary, look elsewhere, the message would have a very different meaning. Citizen, companies and public services might be led to think that all the “early warnings” about the upcoming GDPR and the dire consequences of the non compliance are just a pre-emptive notice of some sort of “hidden tax payment through fines” approach, targeted against SME, some big Italian company and a couple of USA multinationals.)
In the meantime, AntiPublic & C shall continue to access unnoticed our personal data, while citizen will continue paying the consequences (in term of damages and lack of services) of the poor compliance to a set of provisions that, just yet, are felt as useless bureaucratic burden.