Category: Privacy and Data Protection

Posted on

Google Spain’s ECJ Ruling Mistranslated in Italian

The Italian translation of the European Court of Justice’s Google Spain ruling is affected by serious translation errors that undermine its meaning.

The first recital of the conclusions read, in Italian

L’articolo 2, lettere b) e d), della direttiva 95/46/CE … deve essere interpretato nel senso che, da un lato, l’attività di un motore di ricerca … deve essere qualificata come  ?trattamento di dati personali ?, … e che, dall’altro lato, il gestore di detto motore di ricerca deve essere considerato come il  ?responsabile ? (enphasis added) del trattamento summenzionato, ai sensi dell’articolo 2, lettera d), di cui sopra.

The same word, “responsable” appears in the Spanish text, ? while the English text uses the words “data controller”, that Under Sect. 2 of the Dir 95/46/CE is a different legal position

Article 2(b) and (d) of Directive 95/46/EC … are to be interpreted as meaning that, first, the activity of a search engine … must be classified as ‘processing of personal data’, … second, the operator of the search engine must be regarded as the ‘controller’ in respect of that processing, within the meaning of Article 2(d).

The difference between Google being “data processor” or “data controller” is a serious one so it is of the utmost importance to find out which translation is the correct one, since the Italian courts and the Data Protection Authority are likely to refer to the Italian text.

The answer is the the English text is correct and both the Italian and Spanish are wrong. This conclusion comes from the fact that the recital points to sect. 2 lett. d) of the Directive that contains the definition of “data controller”.

But the mistakes of the Italian text don’t stop there. Talking about the role of the websites and blog owners, the translations uses the word “editori” as a false friend of the English word “publishers”. “Editore” in Italian means an entrepreneur whose business is selecting and publishing books and, broadly speaking, contents. While the Court is obviously referring to everybody handles a website, no matter if for business or what.

Posted on

The Italian Data Protection Authority and Parkinson’s Law

Despite the ECJ ruling that bashed the Data Retention Directive (DRD), the Italian Data Protection Authority (IDPA) still continue to enforce the DRD local regulation as if nothing happened. And it does so without a prior “stress test” to see whether or not the Italian version of the DRD has the very same problems than the DRD itself.

The result is that these investigations might be proven useless, but only after having spent time and money in court, challenging the IDPA sanctions.

Such a waste of resources can only be justified by one word, bureaucracy and one goal, self-preservation.

It really seems that after so many decades, Parkinson’s Law still works…

Posted on

The Fake Data Processor and The True Criminal Liability

Under Legislative Decree 196/03 (the Italian enforcement of the Data Protection Directive) one of the most common practice when developing the data-protection corporate policy of a company is to appoint the heads of the various departments as “Data Processor”.

Although easy on the short term, this solution might backfire the company itself. A recent Corte di cassazione (Italian Supreme Court) decision – ? III penal section – Dec. n.20682/14 – ruled that under the workplace safety regulation, the employer that appoints a safety manager who is not fit for the job because of his lack of competence, ? commits a criminal offense.

The very same principle can be applied by analogy to the Data Protection Directive. The DPD – and its Italian enforcement – make mandatory to appoint a data controller actually fit for the job.

By choosing people on different basis (not because they know the matters, but just because they’re company’s heads) means that in case of data-protection-related criminal offenses the data controller (and, most important, the prosecutor and the court) can’t blame (only) the data processor itself.

Then, in terms of management, the decision is between only formally comply with the legal requirements, and actually comply by appointing capable data processors.

In the first case the company is accepting the risk of a future (but uncertain both in “if” and “when”) accident but saves on the short term effort and time.

In the second case the company spends more, has to possibly change its internal processes in the anticipation of an event that might not happens at all.

Posted on

Google, the European Court of Justice and the End of History

The European Court of Justice ruling against Google Spain is another step toward the deletion of the History (capital “H”) and collective memory. In the name of “privacy” the Court allowed the possibility to completely remove a lawful information from public scrutiny, as is clearly stated at the end of the ruling:

Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, in order to comply with the rights laid down in those provisions and in so far as the conditions laid down by those provisions are in fact satisfied, the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful. (emphasis added)

Now, with the support of this decision, corrupts politicians, scammers, con artists, bad payers and similar breeds can easily re-gain their anonymity, and historians from the future will not be able to discover and understand how our society was working.

And, to some extent, this wouldn’t be a bad thing…

Posted on

The Italian Data Protection Authority to start a code reviewing investigation

Better late then ever: a press release from the Italian Data Protection Authority ? advertises the data-protection oriented review of a certain number of apps.

This initiative should be a major concern for the (yet unaware) software industry, whose intellectual and industrial property might be endangered by a deep peep into its well protected secrets. Neither are clear the criteria that will lead to the app selection, nor whether or not the DPA will asks the developers for source code access.

Unless this IDPA investigation is just an empty PR stunt, it should be carried on by accessing the source code or reverse-engineering the executables: but doing so without signing NDAs and/or provide guarantees of non exploitation is an approach that the industry will likely reject.

Furthermore, if the software check will target only a certain kind of companies, leaving the other players of the same market safe from the scrutiny, this might be held as an unfair alteration of the market dynamics. And things might be much worse if the targeted companies are the smallest one, instead of the big fishes in the pond.

Mind, the lack of data-protection compliant programming isn’t a new or unforeseen issue – as the history of software can witness – but the IDPA never actually cared that much. For instance, it didn’t move a finger when back in 2002 ALCEI (a civil-rights Italian NGO) asked in vain the IDPA to check the claims of the existence of hidden features of a certain series of Telindus routers that posed significant threats to the users’ data protection.