It is only May, but 2020 is already shaping up to be a crucial year for data protection. At least in Europe where the data protection authorities’ enforcement engine is starting to warm up. In Italy, for example, the Italian DPA, the Garante, started the year by handing down some very important fines. Beginning with provisions no. 231 and no. 232 issued Dec. 11, 2019, and published Jan. 17, 2020, against one of the global leading oil companies and with provision no. 7 issued Jan. 15, 2020, against a top-level telecommunications operator, the Italian watchdog imposed penalties of 11.5 and 27.8 million euros, respectively. These are record administrative fines not only for Italy, but they are also among some of the highest in Europe to date.

These decisions leave no doubt of which approach the Garante and the other national authorities intend to take in this new era of personal data protection. Enforcement is not an easy game, and sanctions are not the goal of the EU General Data Protection Regulation. The main scope of the GDPR is to promote accountability and improve awareness on the issue of personal data processing at any level. These provisions represent a precious opportunity for professionals to ask themselves about the status quo of the matter, remembering the importance of considering every final position as a mere starting point.

On consent for marketing

The Italian DPA underlines the centrality of consent as the legal basis to carry out commercial communications. The consent of data subjects is the only suitable option to pursue marketing and telemarketing purposes without prejudice to the opt-out regime as regulated by the national legislation. Consent must also be free since it cannot be tied by the supply of programs that provide a service to the data subject (i.e., the subscription to a loyalty program to obtain discounts). At the same time, commercial communications carried out under service notices are considered unlawful. In the provisions, the Garante also focuses on the disclosure of data to third parties. This processing can be carried out based only on the data subjects’ consent — the Italian DPA has stressed this consent given to a data controller legitimatizes the processing carried out by the controller. In other words, it has been categorically excluded as a “waterfall effect” of the consent that would allow any subsequent transfer of data between other not legitimized data controllers. Finally, the Garante noted the importance of keeping consent separated according to the different purposes pursued (e.g., a single consent for marketing and profiling is unlawful). And this is another paramount point: Profiling is still considered a purpose itself other than a means of processing.

About data processors

The Garante requests that data controllers verify and monitor the fairness of the conduct of appointed data processors and to prove their compliance with the applicable laws. Therefore, data controllers have to demonstrate that they have provided call centers with scripts and operational instructions to be used during the calls.

The rights of the data subjects

Several profiles are considered in these provisions regarding the position of data subjects. For example, the controller has to be able to receive and manage the data subject’s request to exercise their own rights, particularly their right to object and withdrawal consent. The data controller also needs to provide appropriate technical measures that ensure adequate representation of the data subject’s request within the company's databases and customer relationship management.

Technical and organizational measures

It is underlined the importance to have automated systems that guarantee constant alignment between CRM and blacklist to receive any objections to promotional activities and, therefore, keeping a real-time update of consents in the CRM. Therefore, the controllers have to assess the online platforms and tools to identify and correct any vulnerabilities in the services before they are made available to the public. Important observations are also made with reference to 1) the users’ computer authentication system (user passwords for websites need to be longer than eight characters long, are subject to automatic quality control that prevents “weak” passwords, and limits the number of attempts to access the website with incorrect passwords to prevent brute force attacks); 2) network protocols (the adoption of https/secure hypertext transport protocols is required to access all website content, and not just the homepage, based on a digital certificate issued by a recognized Certification Authority); and 3) how to store passwords of registered users to online platforms.

Is the GDPR still alive?

Notwithstanding the above, a debate is growing about the possible failure of the GDPR under the enforcement point of view. Perhaps the one-stop-shop mechanism is taking off slower than expected; perhaps the coordination procedure among EU DPA is not yet efficient and effective. Maybe yes. Maybe no. The GDPR is complex, comprehensive, uniform legislation shared among 28 EU countries. A substantial delay in the enforcement and fining heavy sanctions up to 4% of the global annual turnover of the data controller was fully expected and forecasted. But the success of multinational legislation, such as the GDPR, is not equal to the extent of the quantity and quality of the sanctions issued but it has to be measured in proportion to the wide compliance level reached around the globe. The COVID-19 pandemic is clearly showing how important and respected the GDPR and privacy is irrespective of the number of sanctions enacted, that, in any case, are not few.

Photo by Christopher Burns on Unsplash