Anonymization and Pseudonymization
Italian Data Protection Authority: blacking out data with a marker is not a suitable way to anonymize or pseudonymize personal data
The Italian Data Protection Authority sanctioned a local healthcare service for having “anonymized” the personal data of numerous data subjects by roughly crossing them out with a black marker. The Authority stressed that an imprecise and non-permanent cancellation cannot be accepted as a way of anonymizing or pseudonymizing personal data. It is merely a manual blacking-out of personal information that does not prevent the persons to whom the data belong from being identified.
The Data Protection Authority also clarified that privacy legislation restricts the dissemination of personal data concerning health, stating that such data may be communicated to another person only with the express consent of the data subject or on the basis of a legal requirement.
The EDPB creates a dedicated task force on ChatGPT
Following the Italian Data Protection Authority, many European and overseas authorities announced their intention to open a preliminary investigation into ChatGPT. In particular, the Italian authority raised concerns about the missing privacy notice and, above all, the absence of a legal basis justifying the large-scale collection of personal data.
For these reasons, the European Consumer Organisation (BEUC) – founded in 1962 and comprising 46 European consumer associations from 32 countries – wrote to all the national authorities asking them to evaluate carefully how ChatGPT manages personal data. On April 13th, the European Data Protection Board discussed the enforcement action taken by the Italian Data Protection Authority against OpenAI, the American company that developed and operates the ChatGPT platform, and launched a task force to foster cooperation and the exchange of information among all the European data protection authorities.
Italian Data Protection Authority sheds light on dark patterns
The Italian Data Protection Authority has published an informative webpage that analyzes and describes the phenomenon of dark patterns. These are a range of behavioural and design techniques used in the configuration of some websites in order to collect personal data on a massive scale and without the users’ free and express prior consent. The Privacy Authority recently dealt with the phenomenon, fining a company 300,000 euros for using such patterns to induce customers to give consent for marketing purposes, thus carrying out unlawful processing of personal data.
The Authority’s initiative is part of a broader effort by European authorities on the issue: last February 24, the European Data Protection Board (EDPB) published guidelines on how to recognize and avoid dark patterns. The document identifies six categories of deceptive design patterns and offers practical recommendations to social media managers, designers and users on how to deal with these interfaces.
Admissibility of Evidence
Evidence gathered in violation of privacy regulations is not cured by summary judgment
The Supreme Court ruled that geolocation data relating to telephone or telematic subscriptions, acquired by the judicial police without the required authorization decree, are unusable in summary judgment. Such evidence infringes the constitutionally protected right to secrecy of communications, and the defect is therefore not remedied by the defendant’s request to be tried under the forms of the alternative procedure. Moreover, in the text of the judgment, the judges reiterated the principles expressed in the Court of Justice’s March 2021 ruling (CJEU Case C-746/18), which defined the limits on public authorities’ access to telephone and telematic traffic data, including their request and use for investigative purposes.
Italian Supreme Court: the data controller must respond to an access request even if it does not process the data subject’s data
The Italian Supreme Court, with Order No. 9313, upheld the appeal brought by a private citizen against ING Bank N.V. concerning a request for access to personal data and affirmed the following principle: “the addressee of the request for access to personal data must always meet the request of the data subject, even in negative terms”. The Court clarified that the data subject does not have to prove that the bank was actually the data controller. That burden, as clarified by the First Civil Section, falls instead on the addressee of the access request (i.e. the data controller), which, pursuant to Article 12(5) GDPR, is required to “demonstrate the manifestly unfounded or excessive nature of the request” submitted by the data subject.