Category: Privacy and Data Protection

Posted on

DNA Clandestine Collection, Data Protection and Rule of Evidence. Jeopardizing an Homicide Investigation?

After a three years investigation the public prosecutor of Bergamo (a city near Milan) arrested the alleged author of the homicide of a young girl. The suspect has been found thanks to a massive DNA analysis that involved about 18.000 residents of the area, that led, after the skimming of the majority of the genetic profiles, to only two “candidates” .

To obtain the genetic samples to be compared with those found on the crime scene, the investigators faked a routine traffic control check-point, asking the suspect to pass the alcool-test. Further more – as the media say – the investigators were able to collect “organic fluids” from the suspect’s mother unbeknownst to her.

In this way of investigating the homicide there are two issue that haven’t been taken into account so far: what do the investigators do with the 18.000 DNA samples that they’ve collected and, more important, if a “clandestine” DNA sample collection legal under the Italian Rule of Evidence and Data Protection Regulation.

About the first issue: hopefully the “de facto” biobank should be destroyed once no more useful for the investigation, but neither public information is available nor the Data Protection Authority told a word about it. If this is not the case, this 18.000 samples will be used as a comparison for all the future investigation, meaning that those resident who voluntary gave out their samples will be routinely “investigated” unbeknownst to them.

About the second issue: the suspect’s mother has not been charged since there is no evidence of her connection with the crime. So, as a citizen not charged of anything, should have been told by the investigators that they were collecting her genetic sample.

As per the suspect, the available information don’t reveal whether the clandestine genetic sample collection has been ordered BEFORE he was officially charged by the prosecutor or AFTER his official involvement in the case as the potential perpetrator. This might lead to the possibility for the defense lawyer to object the genetic evidence be part of the trial on the basis that both samples have been collected in a wrong way.

Frankly, as this homicide is a major case in Italy, I doubt that neither a judge nor the Data Protection Authority (very aggressive against SPAM and Social Networks misuse) ? will “buy” this objection, even if – as I think – has some merit.

So, provided that the defense lawyers follow this path, the trial will take years to end, because of the legal issues involved with the genetic evidence (think of the Kercher murder, that is still re-tried after having gone up to the Supreme Court and back to the Court of appeals) thus allowing a culprit to stay out of jail longer than he deserves, or an innocent to be acquitted much too late.

As somebody said, big cases make bad justice.

Posted on

Google Spain’s ECJ Ruling Mistranslated in Italian

The Italian translation of the European Court of Justice’s Google Spain ruling is affected by serious translation errors that undermine its meaning.

The first recital of the conclusions read, in Italian

L’articolo 2, lettere b) e d), della direttiva 95/46/CE … deve essere interpretato nel senso che, da un lato, l’attività di un motore di ricerca … deve essere qualificata come  ?trattamento di dati personali ?, … e che, dall’altro lato, il gestore di detto motore di ricerca deve essere considerato come il  ?responsabile ? (enphasis added) del trattamento summenzionato, ai sensi dell’articolo 2, lettera d), di cui sopra.

The same word, “responsable” appears in the Spanish text, ? while the English text uses the words “data controller”, that Under Sect. 2 of the Dir 95/46/CE is a different legal position

Article 2(b) and (d) of Directive 95/46/EC … are to be interpreted as meaning that, first, the activity of a search engine … must be classified as ‘processing of personal data’, … second, the operator of the search engine must be regarded as the ‘controller’ in respect of that processing, within the meaning of Article 2(d).

The difference between Google being “data processor” or “data controller” is a serious one so it is of the utmost importance to find out which translation is the correct one, since the Italian courts and the Data Protection Authority are likely to refer to the Italian text.

The answer is the the English text is correct and both the Italian and Spanish are wrong. This conclusion comes from the fact that the recital points to sect. 2 lett. d) of the Directive that contains the definition of “data controller”.

But the mistakes of the Italian text don’t stop there. Talking about the role of the websites and blog owners, the translations uses the word “editori” as a false friend of the English word “publishers”. “Editore” in Italian means an entrepreneur whose business is selecting and publishing books and, broadly speaking, contents. While the Court is obviously referring to everybody handles a website, no matter if for business or what.

Posted on

The Italian Data Protection Authority and Parkinson’s Law

Despite the ECJ ruling that bashed the Data Retention Directive (DRD), the Italian Data Protection Authority (IDPA) still continue to enforce the DRD local regulation as if nothing happened. And it does so without a prior “stress test” to see whether or not the Italian version of the DRD has the very same problems than the DRD itself.

The result is that these investigations might be proven useless, but only after having spent time and money in court, challenging the IDPA sanctions.

Such a waste of resources can only be justified by one word, bureaucracy and one goal, self-preservation.

It really seems that after so many decades, Parkinson’s Law still works…

Posted on

The Fake Data Processor and The True Criminal Liability

Under Legislative Decree 196/03 (the Italian enforcement of the Data Protection Directive) one of the most common practice when developing the data-protection corporate policy of a company is to appoint the heads of the various departments as “Data Processor”.

Although easy on the short term, this solution might backfire the company itself. A recent Corte di cassazione (Italian Supreme Court) decision – ? III penal section – Dec. n.20682/14 – ruled that under the workplace safety regulation, the employer that appoints a safety manager who is not fit for the job because of his lack of competence, ? commits a criminal offense.

The very same principle can be applied by analogy to the Data Protection Directive. The DPD – and its Italian enforcement – make mandatory to appoint a data controller actually fit for the job.

By choosing people on different basis (not because they know the matters, but just because they’re company’s heads) means that in case of data-protection-related criminal offenses the data controller (and, most important, the prosecutor and the court) can’t blame (only) the data processor itself.

Then, in terms of management, the decision is between only formally comply with the legal requirements, and actually comply by appointing capable data processors.

In the first case the company is accepting the risk of a future (but uncertain both in “if” and “when”) accident but saves on the short term effort and time.

In the second case the company spends more, has to possibly change its internal processes in the anticipation of an event that might not happens at all.

Posted on

Google, the European Court of Justice and the End of History

The European Court of Justice ruling against Google Spain is another step toward the deletion of the History (capital “H”) and collective memory. In the name of “privacy” the Court allowed the possibility to completely remove a lawful information from public scrutiny, as is clearly stated at the end of the ruling:

Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, in order to comply with the rights laid down in those provisions and in so far as the conditions laid down by those provisions are in fact satisfied, the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful. (emphasis added)

Now, with the support of this decision, corrupts politicians, scammers, con artists, bad payers and similar breeds can easily re-gain their anonymity, and historians from the future will not be able to discover and understand how our society was working.

And, to some extent, this wouldn’t be a bad thing…