Personal data processing: two years after it was put into practice, the European Commission has published its first report on the European Data Protection Regulation known as GDPR. The report says that the regulation has achieved most of its objectives, guaranteeing European Union citizens a solid set of rights and creating a new European system of governance. According to the report: “The GDPR strengthened data protection safeguards, provides individuals with additional and stronger rights, increased transparency, and ensures that all those that handle personal data under its scope of application are more accountable and responsible”.
It is difficult not to agree with the statement: the regulation sets out important rights to protect the individual and creates the conditions for those charged with personal data processing to do so responsibly.
But is there any awareness of this? Is the culture necessary to ensure respect for these rights and to enforce them actually widespread?
Personal data processing: the experience of recent months
Looking back on the last few months, some doubts arise. One could say that the period is exceptional and that among the rights that have been compromised, the right to privacy is the least worrisome. The question, however, is not whether we are willing to give up our rights to deal with a very dangerous situation, but whether we are aware that we are doing so. Only then can we assess whether it is justified by the situation and therefore, really necessary.
From the debate on the Immuni app (the contact-tracing app offered by the Italian government), we could deduce that, in Italy, the subject of personal data protection is a sensitive topic: citizens have expressed their concerns about the risks for the protection and security of the data collected and have asked for adequate protection, individually or through groups that advocate for citizens’ rights.
The concerns, shared at the European level, first led the European Data Protection Board (EDPB) to issue guidelines on the use of location data and contact tracing tools in the context of Covid-19 (Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the Covid-19 outbreak) and then led the Commission to take a position with the Communication on Apps for supporting the fight against the Covid-19 pandemic.
In Italy, Legal Decree no. 28 of 30 April 2020 established the principles to which the Covid alert system must adhere, providing that the impact assessment required by the regulation must be carried out and constantly updated. The Italian Data Protection Authority issued its opinion on the proposal for the provision of an application aimed at tracking contagions from Covid-19 (29 April 2020) and authorized the use of the App (1 June 2020) based on the impact assessment carried out by the Ministry of Health (28 May 2020).
The controversy still continues today: not everyone is convinced that the app doesn’t violate our personal data rights, but this is part of the democratic debate. Moreover, the right to disagree is solidified in the main principle, directly derived from the Regulations, which legitimizes the processing of the Immuni app’s personal data, which individuals may download at any time
Similar attention, however, has not been paid to the continuous and repeated requests for personal health data. It’s almost as if our data becomes personal, and therefore should be protected, only when it is requested by the state. However, somehow it becomes much less personal when requested by others — employers, organizers of your children’s summer camp, the restaurant manager, the local authority who regulates access to the workplace, the condominium administrator, or the homemade app.
Managing data and stakeholders
It is as if we had remained tied to an old-fashioned idea of privacy where our rights must be defended from Big Brother without realizing that distributed technology and widespread processing capacity make all of us both data managers (data controllers according to the language of the Regulations) and data subjects, the people to whom the data refer. From this double role, instead of encouraging greater attention and awareness to the regulation and our own responsibility, a sort of ambiguity and complicity follows. The result is an indiscriminate collection of personal data, most often health data, almost without even realizing it. Think of the shopkeeper who asks the customer to sign a declaration stating that he does not have a fever, or the employer who records his employees’ temperatures every day, even if those temperatures are normal and do not exceed the threshold of 37.5 degrees Celsius.
Because a certain deafness to the protection of personal data is accompanied by a sort of narrow-minded mentality by virtue of which, if a law imposes a prohibition, for example, to enter a public place with a fever, the manager of this place is not limited to simply inform those who access it (in theory, someone who has a fever would not leave the house in the first place!), but also asks him to officially declare that he has knowledge of the ban, or even to declare that he does not have a fever, without considering that this entails a collection of personal data, sometimes even health data
If individuals were actually aware of their “additional and stronger rights”, and if they are faced with the choice of whether or not to collect data in a way that is “more accountable and responsible” (as the Commission Report states), the short circuit of self-certifications to fight the coronavirus (!) would not exist.
To what extent is it permissible to collect personal data?
It has been said that the Regulation permits the personal data processing when it is necessary to safeguard the vital interests of the data subject or another person. But are we really sure that the declaration signed protects these interests more strongly than it would adequate information?
For those who dare question the legitimacy of data collection (we say “dare” because the risk of being a super spreader is very high!), the response is, “it’s required by law.” However, the Regulation allows that personal data may be processed when it is necessary to fulfill a legal obligation, but the question is, what is the law whose fulfillment involves recourse to such collection?
Let’s take the restaurant sector as an example. According to the Prime Ministerial Decree of 11 June 2020, restaurant activity is permitted, following the protocols indicated in the Guidelines adopted by the Regions or the Conference of Regions. The rules of conduct dictated by the latter provide for two contexts where personal customer data may be collected: taking the temperature of customers to ensure that no one with a temperature above the threshold may enter the premises; storing reservation data of those who have eaten at the restaurant for 14 days in order to be able to track them in the event that there has been exposure to someone with the coronavirus. The Guidelines of the Lombardy Region (as one example), permits keeping the list of customers who have reserved a table in restaurants, but only takes the temperature of employees.
Based on these considerations, there is clearly no legal basis (and therefore it is not legitimate) for restaurants to collect the customer’s declaration that they have not had contact with someone who has contracted the disease nor to maintain the temperature record of customers or employees. Equally devoid of a legal basis is the collection of data by those who interpret the obligation as a necessity to keep reservation data, making customers fill in a form with their first and last name, their address, year of birth, mobile phone number, and email. Instead, the Guidelines only provide for companies to maintain data related to the reservation, i.e. only the first name, last name, and mobile phone number.
In some cases, a declaration is also required by the customer that the diners sitting at his or her table are relatives and therefore not required to respect social distancing rules. The Guidelines of the Lombardy Region expressly specify that this aspect is one of individual responsibility. Maintaining the declaration is clearly unjustified.
Restaurants are just one example. There are other contexts where personal data is collected indiscriminately, despite the fact that the Authority for the protection of personal data has given precise instructions in the event of a full health emergency for what should and should not be collected.
In the FAQ related to personal data processing in the public and private work environment, the regulation has clarified, for example, that employers can take the temperature of employees, users, suppliers, visitors, and customers at the entrance to the premises. However, it can only record instances where an employee has exceeded the temperature threshold and in any case, where necessary, to document the reasons that someone was prevented access to the workplace. Keeping an entry log with the data and time and one’s temperature is clearly illegitimate. The fact that it is common practice does not make it any less incorrect.
What often seems to escape notice is the so-called “minimization principle”, according to which, data must be adequate, relevant, and limited to what is necessary for the purposes for which they are processed. And this is, nevertheless, one of the central pivots on which the whole structure of the Regulation rests. Together with the other, equally disregarded, principle of transparency. The forms where data is collected are rarely accompanied by adequate information. As a result, not only is data collected without there being an actual need for it, but it is not known what happens to the data, to whom it is communicated, nor for how long the data is stored, etc.
The storage of personal data
Shelf life is another aspect of personal data processing that deserves consideration. While the Immuni app specifies a deadline for deleting data (data will be stored until the end of the health emergency and until December 31 at the latest), for other data collections, it is often a mystery. The list of customers who have booked a restaurant reservation should be kept for 14 days, but how long are the various records kept?
Determining how long the data should be maintained is the responsibility of the data controller, which is an expression of his or her “accountability” in managing the processing of data. Unfortunately, the information, when present, often refers to generic terms of law; this is not reassuring for those of us who look at it closely. T: the law, in fact, does not prescribe personal data processing, does not even define the duration of its storage, and therefore the reference to what it prescribes is very puzzling.
All that remains to be done is to trust that the data being collected is not of great interest to the owner, who consequently has no reason to keep it. But is this really true? The data collected can reveal much about the customer: his habits, his acquaintances, his relationships, etc., and as such, this data represents a wealth of information on customers which, in the pre-Covid world, was not easy to dispose of.
Objective: Change the culture and behavior
Therefore, there is still a long way to go before the rights recognized by the rules governing personal data are actually exercised and respected. Moreover, the European Commission itself, in its report, points out that “the ultimate objective of the GDPR is to change the culture and behavior of all actors involved for the benefit of the individuals” and establishes among its future objectives that of creating “a European common culture of data protection” that allows the desired change in behavior for the benefit of all.
It is a pity that none of the future actions described in chapter 3 of the Report (Way forward), all of which are certainly appropriate, are specifically aimed at creating the right awareness in European citizens of their rights to the protection of personal data and the corresponding responsibility when they are called to process the personal data of others.