Garante per la protezione dei dati personali (Italy) - 9347280

From GDPRhub
Garante per la protezione dei dati personali - 9347280
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law:
art. 4 Decree-Law n. 28/2020
Type: Advisory Opinion
Outcome: n/a
Started:
Decided: 19.05.2020
Published: 21.06.2020
Fine: None
Parties: n/a
National Case Number/Name: 9347280
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Italian DPA website (in IT)
Initial Contributor: Davide Cascone

The Italian DPA issued a favourable opinion on the draft decree of the president of the Council of State laying down the technical rules for the implementation of the electronic administrative proceedings from May 30 to July 31, 2020, due to the Covid-19 emergency.

English Summary

Facts

The Council of State requested, pursuant to art. 4 of Decree-Law no. 28/2020, the opinion of the DPA on a draft presidential decree containing the technical-operational rules to manage oral discussion in the context of administrative proceedings through an online system (i.e. Microsoft Teams) from May 30 to July 31, 2020. However, the DPA is concerned about using a private platform that can be subject to the US CLOUD Act requirements. Notwithstanding that the Council of State clarified that in the absence of the recording of the hearings and the exchange of messages on internal chat (which are not included in the decree scheme), the videoconferencing provider would not acquire any personal data outside the "metadata" of the videoconference. Furthermore, Annex 1 of the draft decree covers how to access to the electronic file and consultation of data identifying outstanding cases.

Dispute

Holding

The Italian DPA gave a favourable opinion on the measures provided by the draft decree. Notwithstanding that the Council of State clarified that the third-party provider would not acquire any personal data outside the videoconference metadata if the hearing and the messages on internal chat (which are not allowed in the draft decree) are not recorded, the DPA has strongly recommended to use an IT infrastructure that is managed by the public administration at a national level, once the emergency is over.

Comment

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

Garante per la protezione dei dati personali

Today's meeting was attended by Mr. Antonello Soro, President, Mrs. Augusta Iannini, Vice President, Mrs. Licia Califano and Mrs. Giovanna Bianchi Clerici, members, as well as Mr. Giuseppe Busia, General Secretary;

Having regard to Article 57(1)(c) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter 'the Regulation').

Having regard to the Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (Legislative Decree No 196 of 2003, as amended by Legislative Decree No 101 of 10 August 2018, hereinafter the Code) and, in particular, Article 154, paragraph 5;

Having regard to the request for an opinion of the Council of State;

Having regard to the documentation in deeds;

Having regard to the observations of the General Secretary pursuant to Article 15 of the Garante Regulation No 1/2000;

Rapporteur: Dr Antonello Soro;

PROVIDED THAT

The Council of State requested, pursuant to Article 4 of Decree-Law no. 28 of 30 April 2020, the opinion of the Guarantor on a draft presidential decree containing the technical-operational rules for the implementation of the telematic administrative process, as well as for the experimentation and gradual application of the related updates.

In fact, art. 4, paragraph 2, of Law-Decree no. 28 of 2020 - in the part in which it amends art. 13, paragraph 1, of attachment 2 of Legislative Decree no. 104 of 2010 - entrusts the regulation of the technical-operational rules of the online administrative process, provided in particular as an ordinary way of dealing with the oral hearing of cases from May 30 to July 31, as an alternative to the purely paper-based cross-examination.

Art. 4, paragraph 1, of Law Decree no. 28 of 2020 has, in fact, provided that in the above-mentioned period of time the parties may request or be ordered ex officio, in any public or chamber hearing, as an alternative to the paper-based cross-examination, the oral discussion through remote connection. It must take place - the rule specifies - in such a way as to safeguard the adversarial process and the effective participation of the defenders in the hearing, in any case ensuring the security and functionality of the administrative justice information system and related equipment. In cases where remote discussion is arranged, the secretary's office must give notice of the time and method of connection, and record in the minutes the methods used to ascertain the identity of the participants and the free will of the parties, "also for the purposes of personal data protection regulations". The regulation also specifies that the place from which the magistrates, lawyers and staff are connected for the remote hearing is considered a hearing for all legal purposes.

The remote proceedings, using videoconferencing methods that allow magistrates and defenders to connect at the same time in respect of the adversarial process, requires a technical regulation that is not provided for at the moment. In fact, the current Decree of the President of the Council of Ministers of February 16, 2016, no. 40 (Regulation containing the technical operational rules for the implementation of the online administrative process), does not contain a specific provision in this regard.

Therefore, the draft decree in question provides for these aspects, regulating, in particular, the methods of connection, the participation of defenders and magistrates, discussion times, guarantees of security and functionality of the information system, as well as the methods for the remote operation of the council chambers of magistrates. On the other hand, the two annexes to the decree implement, with limited formal amendments, the provisions of the Prime Ministerial Decree no. 40 of 16 January 2016, of which the aforementioned art. 4 provides for the repeal, as of the fifth day following the publication, in the Official Gazette, of the first decree of the President of the Council of State.

FOUND THAT

With regard to the indications provided, in art. 2, for the discipline of the remote hearings, we take note of the solutions proposed to deal with the current emergency precisely because of it and we hope that, once it has ceased, an "internal" platform will be adopted, managed by (or under the strict control of) the Administrative Justice bodies. More in detail, the availability of open-source software of reliability and accuracy completely comparable to the best industrial products offers the not negligible advantage of lending itself to on-premises "implementation" (therefore, on data centres and networks of Administrative Justice) or, in any case, on infrastructures managed also collectively by or with other public administrations, avoiding at root cross-border flows inside or outside the European Union, however implied by the use of "cloud" solutions such as Microsoft Teams.  Among the risks to which this solution lends itself, in particular, is that of a unilateral application of the Cloud Act to which the operator is subject, which cannot be excluded a priori, solely because it is contrary to European law, in the absence of a specific agreement with the United States for cross-border access to electronic evidence for the purposes of judicial cooperation in criminal matters. In the present case, however, the information conveyed by the addresses is, in the case of the domain of Administrative Justice, related to the identity of the parties involved in the public hearing, which would be recorded in the logs of the Microsoft authentication systems and then stored for purposes and timescales provided for in the corporate privacy policies. According to what reported by the Council of State, in the absence of the registration of the hearings and the exchange of messages on internal chat (which is not included in the decree scheme), the videoconferencing provider would not acquire any personal data outside the "metadata" of the videoconference (identifiers for authentication coinciding with the email addresses, IP addresses of the connected workstations, date and time of the connection).

The recording of the hearing, in violation of the prohibition set forth in this scheme, would, moreover, result in the unlawful processing of personal data, since it would be carried out in contrast with the relevant discipline and in the absence of alternative legal grounds, which could, as such, expose the agent to liability, in particular administrative liability.

Therefore, the recourse, in the current emergency context, to the Microsoft Teams system is to be shared, by reason of the aforementioned prohibition of recording and the envisaged limitation to attended hearings only, since the "decision-making" chambers of the board are usually conducted in "audio-conferencing".

As regards, again, the information on the processing of personal data should be provided to the parties concerned at a stage prior to that referred to in Article 2, c.5, or in the notice of the filing of the application referred to in Article 2, paragraph 3, in order to allow the parties to make an informed assessment, also from the point of view of data protection, on the choice of whether or not to submit opposition.

Despite the reference, in art. 4 d.l. 28, to the "free will of the parties also for the purposes of data protection regulations", the provision, in art. 2, paragraph 7, of the scheme, of consent as a prerequisite for the lawfulness of data processing, raises some doubts. This is because the voluntariness of the choice of a particular method for the celebration of the hearing (the remote trial) must not be superimposed with the presuppositions of the lawfulness of the processing which, in the case in point, can be found in Articles 6, paragraph 1, letter e), 9, paragraph 2, letter g) and 10 of the Regulation.

Paragraph 8 states that "At the time of the connection and before proceeding with the discussion, the defendants of the parties or the parties acting on their own behalf declare, under their own responsibility, that what happens during the hearing or the council chamber is not seen or heard by persons not entitled to attend the hearing or the council chamber. The statement of the defendants or of the parties acting on their own account shall be included in the minutes of the hearing or of the council chamber", while paragraph 11 states that "It is forbidden to record, by any means and by anyone, public and chamber hearings, as well as the council chamber remotely held by magistrates alone for business decisions. In any case, it is forbidden to use instant messaging inside the applications used for videoconferencing or, in any case, other instruments or functions suitable for keeping in the system's memory a trace of the opinions expressed by the participants in the hearing or the council chamber".

In this regard, it is suggested to assess the advisability of supplementing the statement referred to in paragraph 8 with a commitment to also avoid the registrations referred to in paragraph 11, so as to enhance the awareness of the parties regarding the consequences of sanctions that may result from improper conduct.

Finally, it should be noted that the effective awareness of the functioning of the systems is indispensable for their correct use, also to avoid inconveniences such as, for example, listening to hearings or chambers of directors, by parties entitled to attend previous or subsequent hearings or chambers of directors. In order to ensure the best use of these systems, it is, therefore, necessary to take all appropriate initiatives aimed at training personnel, with particular reference to the technical and organizational measures provided for the protection of personal data.

CONSIDERED THAT

Articles 17 and 18 of Annex 1 to the draft decree, with the relevant technical specifications, regulate - implementing the provisions of the Prime Ministerial Decree no. 40 of 16 February 2016 - the regime of access to the computer file and consultation of data identifying pending issues.

In particular, Article 17 of the technical specifications provides:

"1. Access to the services of consultation of the data identifying the pending issues, access to the computer file and other information made available by the Administrative Justice takes place through the Institutional Site, in compliance with the provisions of the CAD and the Personal Data Code.

2. Access to the essential data identifying pending issues, made ostensible in such a way as to guarantee the confidentiality of the names of the parties in accordance with article 51 of the Personal Data Code, is allowed, without the need for authentication, to anyone who has an interest in it through the Institutional Site, Public Area, institutional activity, through specific links. In this area, information regarding Audience, Audience Calendar, Audience Role, Appeals, Measures can be accessed anonymously.

3. With the same modalities described in paragraph 2, access to the "study use" copies of the judicial measures published in the "Search Engine" of the Institutional Site is allowed, in accordance with article 56 of the CAD, with the precautions provided by the regulations on the protection of personal data.

4. Access to other information is allowed only to authorized persons, through special credentials issued by the General Secretariat of Administrative Justice".

The provision, in general, of the anonymisation of the identification data of the pending questions, for the purposes of access by the subjects not endowed with specific legitimacy, is certainly to be shared, because of the balance that is realized between the right to the confidentiality of the private parts of the dispute and the needs of legal information, as well as in a broader sense of publicity of the jurisdictional activity.

With regard, instead, to the access to "study use" copies of judicial measures (whose external indexation is inhibited), the reference to the precautions provided by the Code should be understood in the systematic-adjustment interpretation emerging from the jurisprudence of legitimacy, to be considered jus receptum a fortiori due to the greater guarantees granted by the new European legal framework, which should lead the internal legislator to an overall revision of the discipline. As is well known, in fact, the Court of Cassation (Section I, 20 May 2016, no. 10510), has decided to include, in cases of mandatory anonymisation of judicial measures, also those relating to health data, due to the absolute prohibition of disclosure previously provided by Article 22, paragraph 8, of the Code and now extended to genetic and biometric data by Article 2-septies, paragraph 8.

THAT SAID, THE GARANTE

pursuant to Article 57, paragraph 1, letter c), of the Regulation, gives a favourable opinion on the draft decree of the President of the Council of State, containing the technical-operational rules referred to in Article 4 of Decree-Law no. 28 of 30 April 2020, with the observations set out in the statement of reasons.

Rome, 19 May 2020