If a five-year period of GDPR could be summarized in numbers, it would be sufficient to refer to 1600 fines imposed by the Italian Privacy Guarantor for a total close to 4 billion euro. But the Gdpr is something else, it is not a punitive system that revels in detecting infringements.
What is GDPR?
The General Data Protection Regulation (the acronym stands for General Data protection regulation), otherwise known as EU Regulation 2016/679 is in force in Italy from 25 May 2018 (text here). It is a compendium of rules with which the European Union wanted to guarantee the protection of citizens’ personal data, providing them with tools for controlling their data both inside and outside the EU. Also registered actors outside the European Union they had to subject themselves to the GDPR in order to be able to operate and process the data of those residing in Europe.
To take stock of this five-year period we turned to the lawyer Guido Scorzamember of the guarantor for the protection of personal data.
Sundar Pichai and Bard’s absence from the EU: “We’ll be there soon, but we want to respect all the rules”
by our correspondent Emanuele Capone
Beyond the numbers and penalties, how has the awareness of companies and consumers on privacy changed?
“I believe that the numbers, especially those of the sanctions, actually say little about the revolution of which the GDPR was the protagonist. Today there is a widespread sensitivity to privacy that was not there yesterday, a sensitivity that is certainly still more developed in the company than among individuals and consumers. It is an objectively very different context compared to the one we faced 5 years ago and, perhaps, having contributed to developing this sensitivity is one of the greatest merits of the GDPR, which has represented and represents an international benchmark in terms of privacy regulation.
But we are not yet where we should be and where we need to go: privacy is not yet considered an asset and a resource rather than a cost and a formal fulfillment. But the goal is this: to make privacy become one of the drivers it is destined to guide consumer choices and consumer and citizen policies. That day everything will be different, because companies and politics will be led to invest more in privacy not to fulfill a legal obligation, but for their own business and political convenience”.
In 2021, and therefore 3 years after the introduction of the GDPR, among Italian companies the habit of consulting the Privacy Guarantor had not yet spread to be able to act in the most pertinent way and, from this point of view, there is still a lot of work to do.
What can be done better and what has given unexpected positive results?
“Everything can always be done better, of course. But much more can certainly be done in mass education al data value. We must make privacy more pop, make it a popular and mass right, a right for everyone, starting with the least of society, for whom privacy is more precious because it is the best defense against discrimination that we have.
We need to learn more about the art of balancing: there are no tyrant rights, and therefore privacy must e it can always be balanced with other rights and freedoms, whether it is health, information, scientific research or transparency of the administration. Even in this direction, the road to go is longer than the one already covered”.
Now the challenge is dictated by AI. What are the main difficulties and, in a broader perspective: if AIs are the cause of interferences in privacy, can AIs themselves be used to solve them?
“The impact of artificial intelligence on society is superior to that of any other technological application, and it is natural that its development and use come into conflict, at least apparently, with a plurality of rights and freedoms, including the right to privacy. However, I have no doubt that technology, including artificial intelligence, represents the best possible vaccine against certain possible technological drifts, including those of artificial intelligence.
All in all, it is a question of the by design and by default logic around which it is built much of the European discipline regarding privacy. Design and develop artificial intelligences taking the right to privacy as a constraint is not only possible but probably helps to make these technologies better.
The story of ChatGPT I think it’s there to show that dialogue is the key to governing the future of algorithms, AI and robots: today ChatGPT, which is only the tip of the AI iceberg, after our intervention is more respectful of people’s rights and freedoms without any sacrifice in terms of performance. There is still a long way to go, but a meeting point is possible”.
An interesting case occurred in Portugal in 2021: the Instituto Nacional de Estatística (Portuguese Istat) carried out an online census, not clearly indicating which questions the answer was optional for. Furthermore, as it was reconstructed by the investigation of the Portuguese guarantor (Cnpd), the statistical institute did not properly evaluate the impact that the questionnaires could have had on citizens’ privacy, considering that the data left the European territory to transit through legislations that are not compatible with European legislation. So the organization was fined.
Does this prove that you don’t give anyone discounts?
“Sanctions against public and private entities are never a victory for an Authority but a defeat – explained Scorza – It means that it has not been possible to prevent the rights of one or more people from being violated. And when the recipient of the fine is a public entity this is even more true because, generally, the violation does not originate in the need to maximize profit but simply in the public body’s lack of preparation, in the inability to organize itself to respect privacy or in a cultural misunderstanding, ie in having believed that the end justifies the means and that the right to privacy of thousands or millions of citizens could be violated because of the aim pursued. True success is educate public and private subjects on the right to privacyso many as to eliminate the violations to be sanctioned”.
Why did Sam Altman skip Italy?
by Riccardo Luna
How accurate is the theory that privacy is a brake on innovation?
“We must eschew the narrative of privacy versus innovation. It is not true that privacy prevents innovation. It is simply about balance the former with the latter and you can have both. The right to do business and to innovate is a fundamental right just like the right to privacy and the composition and balancing algorithm is always the same: compressing one right to the minimum extent necessary to make room for the exercise of the other”.