Digital privacy and data protection between the individual and the market

Milan, 25th October, 2017

The Conference Digital privacy and data protection between the individual and the market, held in Florence on Monday, 23rd October, 2017 at the CESIFIN Foundation, was a great success, with the participation of not only legal experts and attorneys, but also representatives of the business world and Data Protection Officers (DPO).

Professor of Private Law Emilio Tosi, of the University of Milano Bicocca - Editor of the  High Tech Law HTL®  series - Legal studies for Innovation®  and promoter of the scientific initiative, opened the conference by reminding those present of the three dimensions that combine to define the issue of privacy in its broadest sense: the legal and cultural dimension, the economic one and lastly the socio-anthropological dimension.

Prof. Emilio Tosi emphasized the "’importance of the cultural and legal dimension. Today’s meeting is one of the periodic initiatives promoted each year by the  High Tech Law HTL®   series - Legal studies for Innovation®,   which, together with Vincenzo Franceschelli, we have been working on ever since 2003, systematically studying the interference between the law, particularly private law, and the new technologies, as evidenced by the 19 volumes published to date.

Privacy and the new technologies continue to interact with increasing intensity, moving from the material dimension of its origins to the immaterial world of the digital information society. It seems appropriate to focus our attention on two important milestones in the chronology of the privacy story; it has been:

 - over 100 years from the publication of the first paper on privacy;   The right to privacy , published in 1890 in the Harvard Law Review and written by jurist Brandeis and Warren: at the time, the right to privacy was seen as the right to be let alone in one’s own home, a strictly material interpretation of the issue;

- over 20 years since the first EU legislation – the well-known Directive 95/46/EC – and the historic Law 675/96, which owed so much to the cultural and scientific efforts of the late lamented Prof. Rodotà, to whom Prof. Franceschelli will dedicate a tribute today.”

Professor and Legal Counsel Emilio Tosi notes "  an intrinsic conflict between privacy – not only of consumers, but of users of digital communication networks in general – and the business practices of companies that have based their models on the massive analysis of personal data, particularly the multinational giants, such as Google, Amazon, Facebook and Apple and the likes.” 

A fundamental pillar of the EU Digital Single Market (DSM) is, in fact, the European construction of a unitary regulatory framework with regard to privacy and protection of personal information, based on the double individual tutelage indicated in Articles  7 and 8 of the European Union’s Charter of Fundamental Rights (2000):

Art.7 - Respect for private and family life, and  Art. 8 – Protection of personal data”

" It is thus plain to see” - remarks Prof. Tosi - " the imbalance of power between the subjects of the data treatment (data controller-interested party) and the validity of an axiological interpretation of the protection of privacy and personal data which, through the lens of national and  European sources, can provide for the full application of said fundamental rights, offering a firm foothold for opposing the numerous and rapidly changing market forces of the liquid digital world.”

Moreover: " Digital privacy might appear to be a contradiction in terms, a singular juridical oxymoron of our times, describing an asymmetrical relationship that can never be equalized: in fact, protection of privacy and of personal data pose a genuine regulatory challenge, which the EU has apparently decided to face by approving the new   GDPR   – replacing the historic but obsolete EC Directive  95/46 – although the fundamental component of digital privacy remains to be drafted.   The process of reform was recently begun with the revision of Directive  2002/58/EC (a.k.a. “ePrivacy Directive“), which should serve to standardize the current EU regulatory framework with reference to the circulation of personal data in electronic communications – and an attempt to also regulate Machine to Machine communications involved in the new IoT phenomenon– through the introduction, in this case as well, of a Regulation that can be applied directly in all the EU member nations.

Professor Giuseppe Morbidelli, President of Cesifin, extended the greetings of the Foundation in an interesting talk on the typing of the new right to be forgotten, not in absolute terms but with reference to the prevalent right of information and importance of legal decisions, in the framework indicated by Art. 17 of the GDPR.

The Chairman of the Italian Data Protection Authority, Garante Privacy, Dr. Antonello Soro underscored - in his introductory report - the importance of the new Regulation, especially with regard to  privacy by design   and  privacy by default,   fundamental to   going beyond the mere protection of formal consent to ensure protection during the planning stage, particularly important in the IoT. He also explained the role played by the principle of proportionality and noted that there is a risk that the principle will be ignored, while respecting the autonomy of the legislature, in the case of the approval of the excessive extension of the data retention obligations to 6 years. In addition, the Italia Data Protection Authority urges global regulators to avoid delegating protection of privacy to algorithms, remarking that: “Calling the major players on the web to account is certainly a step forward, an inescapable decision, but we must repeat as clearly as possible that we cannot in any way encourage, through a convenient but ingenuous use of algorithms, the delegation of functions that are inherently public, and the resulting marginalization of the role of government and legitimate democratic institutions in the definition of rights and freedoms. This is the challenge facing European legislators and lawmakers in liberal democracies the world over.”

Video featuring Chairman Soro

Prof. Vincenzo Franceschelli presented a reconstruction of the birth, life and death of privacy, with particular emphasis on the seminal work by Prof. Stefano Rodotà,  Elaboratori e controllo sociale, published in 1970, while paying tribute to the eminent author, who played such an important part in the development of the right to privacy and the culture of privacy in Italian society.

Prof. Avv. Alberto Gambino gave a talk on the lack of relationships between privacy and intellectual property rights, and the risk of a regulatory short circuit, in the case in which data covered by the privacy laws can be exploited as resulting from creative intellectual work.

Prof. Giuseppe Vettori then gave a talk on the role of consent and the process of authorizing treatment of one’s personal data, the relationship between privacy and contracts and the right solution in that context; Prof. Landini illustrated the dynamics of digital security and risk, also in terms of insurance dynamics, and finally, Col. Menegazzo described the new and stricter sanctions structure, hailing the introduction figure of the Data Protection Officer, the ideal interlocutor during inspections.

Prof. Pietro Perlingieri, eminent master of private Law, closed the conference, underscoring the point that confidentiality and the protection of personal data are part of the larger context of the protection of personal dignity: protection of privacy means defending the individual against the all-powerful market forces. The selfsame also drew attention to the presence in the GDPR of general principles - well known to experts in private law - such as, for example, the principles of proportionality, transparency and fairness, effectiveness and subsidiarity. Above all, he pointed out that Italian lawmakers should work entirely by subtraction, simply eliminating the incompatible regulations from the existing Italian Code for the protection of personal data   and refraining from adding other regulations that may either not be coordinated systematically with the EU text or superfluous.