Cass.Civ. - 14381/2021

From GDPRhub
Cass.Civ. - 14381/2021
Courts logo1.png
Court: Cass.Civ. (Italy)
Jurisdiction: Italy
Relevant Law: Article 7 GDPR
Decided:
Published: 25.05.2021
Parties: Garante per la Protezione dei Dati Personali
Associazione Mevaluate Onlus
National Case Number/Name: 14381/2021
European Case Law Identifier:
Appeal from: Tribunal of Rome (Italy)
Sentenza n. 5715/2018
Appeal to:
Original Language(s): Italian
Original Source: ItalgiureWeb (in Italian)
Initial Contributor: n/a

The Supreme Court of Cassation of Italy held that when an individuals is asked to consent to the processing of their personal data by an algorithm in order to reach an automated decision affecting their rights, consent is not valid if the individual is not adequately informed of the logic behind the algorithm.

English Summary

Facts

The case follows back to a pre-GDPR decision of the Italian DPA (Garante), that declared unlawful the processing of personal data for an automated system that would assess the reliability of the members of an association. The members would voluntarily provide the data for the creating of such profiles, and the processing of data would be therefore based on consent.

The authority, however, among other lines of reasoning, considered that consent could not be freely given in that case, as it would be provided because of fear to possible negative consequences (e.g. losing a contract or ending a contractual relationship). The Garante also mentioned the high number of persons implicated, the lack of adequate security measures, the lack of necessity and proportionality, the unreliability of the system, etc.

Additionally, the Garante remarked that there were doubts about the appropriateness of entrusting to an automated system all decisions on particularly delicate and complex aspects such as those relating to the reputation of the individuals involved. Not only because of the difficulty of effectively assessing reliability, but because the data used for it could also be inaccurate ex ante.

Therefore, the Garante prohibited the controller to continue with the processing.

This decision was appealed before the Roman Civil Court of Appeal, that in its judgment partly upheld the appeal, as it considered that knowledge of the logic underlying the operation of the algorithm was not a prerequisite for the validity of the consent, but rather related to a subsequent and possible assessment of the market in which the algorithm in question could have been deemed inadequate, imperfect or malfunctioning.

Holding

The Italian Cassation Court considered that consent is not valid if the algorithm is not transparent, as the data subject cannot be truly aware of a consent to the processing of personal data without knowing exactly how it will be used to reach a certain decision.

The Court concluded that consent is only valid when expressed freely and specifically in reference to a treatment that is clearly identified. In a case in which a system is processing personal data to create reputational profiles of individuals and scoring reliability, the requirement of "informed consent" can not be considered to be satisfied if the executive scheme of the algorithm and the elements of which it is composed remain unknown or not known by the interested parties.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

 Civil Ord. Section 1 Num. 14381 Year 2021
 President: GENOVESE FRANCESCO ANTONIO
 Speaker: FRANCESCO TERRUSI
 Publication date: 05/25/2021





                                                              L
                                                              the

                                                              f
                                                              u

                                                              n
                                                              the

                                                              -
                                                              is

                                                              the
on the appeal 17144/2018 proposed by:
                                                              to
                                                              C.
 Guarantor for the Protection of Personal Data, in the person of the degale
pro tempore representative, domiciled in Rome, Via dei Portoghesi
12, at the State Attorney General, which represents him e
defends ope legis; C.
                                           - recurrent -
    against Associazione Mevaluate Onlus, in the person of the legal representative

            pro tempore, electively domiciled in Rome, Via Colonna Vittoria
            40, at Studio Lipani Catricala '& Partners, represented by e
            defense by lawyers Lipani Damiano, Mazzone Giorgio, Catricalà

            Antonio, just power of attorney at the bottom of the defense;
* - countercurrent -

             against sentence no. 5715/2018 of the TR IB U N A LE of R O M A, l
                                                                                  the
             published 04/04/2018;
             having heard the report of the case carried out in the chamber was of council of the u
             24/03/2021 by the cons. TERRUSI FRANCESCO;

             all the writings of the P .M. in p e rso n a d e l n o stitu to
             Attorney General CARDINO ALBERTO asking for acceptance i

             of grounds VI) and VII) of appeal. c
                                                                                  -
                                                                                  is

                                    Facts of the case i
                  The Mevaluate Onlus Association asked the court for z
             Rome the annulment of the provision on 24 November s
                                                                                  to
             2016 with which the Guarantor for the protection of personal data C
             (breviter only G arante) had ordered, pursuant to art. 154, d
             prim or com m a, lett. d), of the legislative decree n. 163 of 2016, the prohibition of
                                                                                  r
             any personal data processing operation (present or
            and future) carried out by the association itself in connection with C
             services offered through the "Im m aterial Infrastructure M evaluate

             for Professional Qualification ', by contrast with Articles 2,
             3, 11, 23, 24 and 26 of the privacy code.
                 The CD. Mevalaute system - as far as we can deduce - yes

            takes the form of a w eb platform (with attached archive
            IT) preordained for the elaboration of reputational profiles concerning natural and legal persons, with the aim of contrasting

phenomena based on the creation of artifact or untrue profiles and of
c a lc o la re, in v e c e, in m a n ie ra im p a rz ia le il c d. "ra tin g
reputational "of the subjects surveyed, by way to allow a

any third parties a verification of real credibility.
     N e lla re s is te n z a d e l G a ra n te, a d ito trib u n a le h a

The appeal was partially accepted. In particular it canceled the
provision without prejudice to the effectiveness of the prohibition as regards only l
processing of personal data for the activity relating to the cd. "Profile i

Cons ", concerning third parties not associated with M evaluate f
Onlus.
                                                                         n
     In s im ile p ro s p e ttiv a the trib u n a le h a rite n u to n o n
with the ra gio n of illicit ity of the p ia cta fo rm a, and of the
connected processing of personal data, deemed by the Guarantor - i

fundamentally reason found in the "absence of a c
suitable regulatory framework, relevant pursuant to art. 11 lett. to)       -
                                                                         is
of the Legislative Decree n. 198/2003 "as the basis of the prepared system of
collection and processing of personal data; and this despite being the i
s is te m a s u s c e ttib ile d i in c id e re p e s a n te m e n te s u lla
                                                                         s
economic and social representation of a broad category of a
subjects, with repercussions of the rating on the private life of C
individuals surveyed. the
                                                                         d
     According to the court, he could not deny himself - in truth -
a ll'a u to n o m ia p riva ta la fa c lty of o rg a n ise syste m s
                                                                         C.
accreditation of subjects, providing services in a broad sense
"va lu ta tivi", in view of their in g re sso n e l m e rca to, p e r la
conclusion of contracts and for the management of economic relationships.

     For the cassation of the sentence, notified on 9 April 2018,
the State Advocacy General, on behalf of the G arante, has
brought an appeal on the basis of seven grounds.



                               3 The association replied with a counter-appeal and then
filed a memory.

     The PG filed a written indictment.
                    Reasons for the decision
     I. - C o i p rim i q u a ttro m o tive, with n n e ssi, the vvo ca tu re

applicant denounces: (i) om it exam and the decisive fact
rp p re se n ta to d e d o ct in co n o scib ility of a lg o rhythm
u used for a sse g n a tio n for the p u n te g g io d i ra tin g, co n
                                                                      to
consequent lack of the necessary transparency requirement i
of the automated system functional to make the i
consent given by the interested party; (ii) the violation of art. 8 u

of the EU Charter of Fundamental Rights and Articles 13, 23 and n
26 of Legislative Decree no. 196 of 2003, 7 of Regulation (EU) 2016/679
of the European Parliament and of the Council, and of art. 1346 cod. civ., i

as the om it consideration of the fact, affecting the c
transparency requirement of the algorithm used for processing -
d e the d a ti, in ficie re b b e a ffe rm a tio n e of the trib u n a l about the

relevance of the consent given; (iii) the violation of art. 7 of i
Legislative Decree no. 196 of 2003, as the law is generally violated
                                                                      s
to the information in a system in which the interested party is not placed in a
c o n d iz io n e d i c o n o s c e re the m o d a lity of fu n tio nCa m e n to
the algorithm on the basis of which the personal data is processed; (iv) the d

violation of articles 11 of Legislative Decree no. 196 of 2003 and 5 of r
R egolam ent (U E) 2016/679 of the European Parliament and o
Council, because it would also be violated by the deficiency C

exposed the principle of lawfulness, correctness and transparency required
From law.
     C o l q u in to, s e s to e s e ttim o m e z z o the v v o c a tu ra

ulteriorm ente infers: (v) the violation of art. 8 of the card
fundamental of the European Union and of the articles 13, 23 and 26 of
Legislative Decree no. 186 of 2003 and 7.4 of Regulation (EU) 2016/679 of

                              4European Parliament and of the Council, in terms of modalities

d i in s e rim e n to d e th e c la u s o le c o n tra ttu a l a l a ffe re n ti a lla
publication of the deeds and documents of the counterparties; (you)

the om it exam is in fact decisive in relation to the provision of
penalties in case of revocation of the authorization to publish the data
relating to contractual breaches; (vii) the violation of art. 8

of the fundamental charter of the European Union and of articles 13, 23
and 26 of Legislative Decree no. 186 of 2003 and 7.4 of the Regulation (U E)
                                                                          L
2016/679 of the European P arlam ent and of the Council, com e i
consequence of the above omission.
                                                                          f
     II.- The first four reasons, to be examined jointly, u
are well founded.
     It must be said that contrary to what is maintained by the PG n

the ric o rs o, n e l refer to d e c is iv ity d e l p ro thread in e s s i
mentioned, does not lack self-sufficiency, since on p. 6 is
                                                                          c
duly reported the corresponding section of the deduction a -
his time made by the Guarantor in response to the adverse appeal. is
      On the other hand, it also emerges from the sentence (page 8) that it was
                                                                          the
the question of the impossibility of being raised by the G arante
co n o choose the rhythm o u t use p e r d e rm in a re il ra tin g
                                                                          to
reputational. C.
      III.- Now the R om a tribunal has deemed the d

between tta m e n to d e i d a ti p e rs o n a li d e g li a d e re n ti a l sris te m a
M evalaute because validated by consent, and therefore why
expression of private autonomy. C.

      He then supported the claim by adding that "the
current reality, national and supranational, is widely known

a phenomenon of evaluation and certification by private individuals,
rec o n o sciu ti a n ch e at the end of a tte sta tio n of q u a lity and / or d i
conformity to norms and techniques. "So that the lack of one

regulatory framework establishing the proposed "reputation rating"

                               5 from the association, similar, for example, to the so-called "business rating"
d i c u i a ll'a rt. 8 3 d and l d .lg s. n. 5 0 d e l 2 0 1 6, n o n p o te v a

intercept a defect in the lawfulness of the system.
     IV. - Except that this C orte has already had a way of
consider that, for the purposes of the lawfulness of the treatment based on

consent, art. 23 of Legislative Decree no. 196 of 2003 (so-called privacy code)
presupposes not only consent, but also that consent is
validly loaned (see Cass. n. 17278-18, Cass. n. 16358-18).
                                                                      L
     Specifically, art. 23 provides that (a) the treatment of i
personal data from private individuals or public economic bodies is i
admitted only with the express consent of the interested party; (b) the u

consent may concern the entire treatment or one or more n
operations of the same; (c) the consent is validly given
only if it is expressed freely and specifically in reference to i
                                                                      p
a "clearly identified" treatment, if it is documented for c
registered, and if the information referred to has been provided to the interested party -
                                                                      is
to art. 13; (d) consent is given in writing when
the processing concerns sensitive data. the
     V I. - Sim ile framework of rules and principles the expression
                                                                      s
"clearly identified" - which distinguishes the treatment a
of personal data - assumes that consent must be C.
previously informed in relation to a well-defined treatment d

in its essential elements, so as to be able to say that it is r
s ta to e s p re s s o, in q u e lla p ro s p e ttiv a, lib e ra m e n te e
specifically. C.

     In this regard, it is the responsibility of the data controller to provide the
proof that the contested access and processing are traceable
the purposes for which it was validly requested - e

validly obtained - suitable consent.



                             6 V II. - N e l c a s o d i s p e c ie the tra tta m e n to e ra (e d è)

functional to the determination of the reputational profile of
subjects.

     The assessment of the lawfulness of such treatment, based on the
consent, could not be proposed by the court without one
after consideration of the elements likely to affect the

seriousness of the manifestation, and among these also and precisely the
elem ents implied and considered in the algorithm or afferent, the
                                                                         L
operation of which is essential for the calculation of the rating. the
     The gap between sp a re n za d e ll'a lg o rhythm o im p ie g a to llo
                                                                         f
specific purpose was not very true disavowed by the contested u
sentence, which simply considered the doubts not decisive
relating to the automated calculation system for the definition of no

reputational rating, on the finding that the validity of formula i
it would concern "the m oment of evaluating the procedure", a
                                                                         c
in front of d e l q u a le sp e tte re b b e in ve ce a l m e rca to "sta b -lire
the effectiveness and quality of the result or of the service provided e
from the platform ".
                                                                         z
     This motivation cannot be shared
g iu rid ica m e n te, in this a n to the p ro b le m a n o n e ra (e n o n is)
                                                                         to
confinable to the perishing of the "market" response - summary C
metaphoric to indicate the place and time in which they come d

commercial exchanges carried out at various levels - with respect to r
preparation of the ratings assigned to the various operators. or
     The problem a, for the lawfulness of the treatment, was instead (and C

is) constituted by the validity - precisely - of the consent that yes
a s su m e p re sta t to l m o m e n to d e ll'a d e sio n e. And it can not

logically state that joining a platform aside
of the associates also includes the acceptance of a system a
automated, which uses an algorithm, for evaluation

objective of personal data, where it is not made known

                               7 executive diagram in which the algorithm is expressed and the elements
considered for this purpose.

     VIII. - The sentence must therefore be quashed, with absorption of the
remaining grounds for appeal.
     The case must be referred back to the m edesim or tribunal of

Rome, in different composition, for new examination.
     The court will comply with the following principle of law: in
subject of personal data processing, consent is valid
lent only if freely expressed and specifically in l
                                                                     the
reference to a clearly identified processing; it follows f
that in the case of a w and b platform (with attached archive u
IT) preordained for the elaboration of reputational profiles

of individual natural or legal persons, centered on a system no
calculation based on an algorithm or aimed at establishing i
reliability scores, the awareness requirement can not
                                                                     c
consider oneself satisfied where the executive scheme of the algorithm and -
the elements of which it is composed remain unknown or unknowable by and
part of the interested parties. the

     The court will also provide for the costs of the judgment s
held in this forum of legitimacy. to
                           p.q.m. C.
                                                                     the
     The Court accepts the first four grounds of appeal, absorbed d
the others, check the contested sentence and refer them to the court of Rome
also for the costs of the cassation judgment. or
                                                                     C.
     D eciso in Rom a, in the first council chamber