Thus a European regulation defended our privacy

It was 25 May 2018 when, after two years of running in, the General Data Protection Regulation (in abbreviation, Gdpr) came into force throughout the European Union.

On a continent shaken by chance Cambridge Analytica (which affected not only the election of Donald Trump, but also Brexit) and the many scandals of the past decade, the GDPR aimed to reverse a situation in which our digital privacy and the data we disseminated on the Net were too often prey to the technological giants, capable of abusing them in the relative disinterest of the population and the authorities.

How much has the situation changed in these 3 years and what are the most evident cases in which the privacy regulation has protected European citizens from unwelcome intrusions? The most recent case, and very topical, does not concern the usual suspects (Facebook, Google and others), but some applications of the Italian Green Pass which regulates the movements and activities allowed to people vaccinated or recovered from Covid-19: “First of all, the Privacy Guarantor confirmed how the Gdpr obliges the institutions to consult it before implementing measures of this type, which, on the other hand, did not happen – explained Laura Liguori, lawyer partner of the Portolano Cavallo studio – In addition, he reported to the Regions how measures of this type can only be launched at national level and also went into detail, indicating the changes necessary to avoid violating fundamental rules such as that of data minimization, according to which only the indispensable data must be collected for the intended purpose. It is certainly a case in which, also thanks to the GDPR, the Privacy Guarantor was able to work in a preventive perspective “.

In other situations, however, the European regulation has made it possible to punish the abuses committed by the technological giants. In October 2020, for example, the European Commission has begun to blacklist digital companies with excessive power on the market and therefore, according to the provisions of the GDPR, could be subject to even stricter regulations. Overall, a company like Google has had to pay over $ 8 billion across Europe over the years for various types of breaches: “One of the most recent cases is France, which fined Google for a total of 100 million euros for having unlawfully processed the personal data of users, through the cookies used for profiling – recalled Giulio Novellini, counsel of Portolano Cavallo – It is one of the various cases in which the European supervisory authorities have the tendency to take sides with users confirmed “.

The cases involving Italy
However, one of the most sensational cases has Italy again as protagonist and dates back to April 2021, when the Privacy Guarantor, also taking into consideration the precepts of the GDPR, gave a negative opinion on the use by law enforcement agencies of the Sari Realtime system, which would have made it possible to monitor the Italian population through cameras equipped with facial recognition. A rejection based mainly on the possibility of moving from targeted surveillance to mass surveillance, but which leads to the question of how much citizens approve that technological tools designed to increase security are rejected in the name of confidentiality: “We assume that, before the launch of the GDPR, the culture of digital privacy in Italy was practically absent – added Novellini – The entry into force of the regulation it has instead contributed, from a social point of view, to create a new knowledge and a new attention. And we also see it from the many requests for protection that are made by citizens, something that was rarely the case before “.

“It also needs to be clear what tools like Sari Realtime feature risks to citizenship – is the clarification of Liguori – There may be cases of false positives, in which due to an error in the facial recognition system we could be reported for activities that we have not committed. “Although that of Sari Realtime is a case in which the Gdpr is is shown to be able to face even the most recent privacy challenges, the issue of the institutions’ constant run-up to technology continues to arise: “The European regulation had a gestation period of 6 years, given that the first draft dates back to 2012 – is the reflection of Liguori – In the meantime technologies move forward and problems become more and more complex. This is one of the main problems: the gap that is created between regulations aimed at regulating technologies that have already evolved in the meantime “.