The protection of privacy in the telematic process
The Law of 24 December 2012, n. 228, containing "Provisions for the formation of the annual and multi-annual State budget", introduced the obligation to file procedural acts and documents electronically in civil proceedings, both contentious and of voluntary jurisdiction, starting from 30 June 2014 and, with it, opened the way to an electronic case file.
With regard to the administrative process, with Legislative Decree No. 90 of June 24, 2014 the legislator set itself the goal of issuing, within 60 days of the entry into force of the law converting the decree (Law 11 August 2014, n. 114), the Decree of the President of the Council of Ministers pursuant to art. 13 of Annex 2 to Legislative Decree 2 July 2010, n. 104, which is to lay down the technical-operational rules of the administrative process.
It is, however, a norm of primary rank, namely the new paragraph 2-bis of art. 136 of the code of the administrative process, that provides that with effect from 1 January 2015 "all the deeds and measures of the judge, its auxiliaries, the staff of the judicial offices and the parties are signed with digital signature".
A further extension to 1 July 2015 was therefore granted with the decree-law of 31 December 2014, n. 19, converted into law February 27, 2015, n. 11.
Both the digital administrative process (PAD) and the electronic civil process (PCT) project are, in a broad sense, part of the digitization of the public administration and of justice. Their main objective is to transform the process, traditionally conducted with paper (or "analogue") tools and media, by introducing a system that gradually moves towards digital management of procedures. All the subjects involved in the civil trial (lawyers, magistrates, chancellors, consultants, etc.) will therefore be obliged, in carrying out their own trial activities, to use digital tools and digital formats.
This digital revolution of the process has led, and will lead, to an inevitable change in how the law firm manages its data and files, and in the near future this will also apply to the digital administrative process. The obligation of electronic filing requires, at least, that the professional have computer workstations with access to the ministerial infrastructure dedicated to the PAD, a device for affixing their digital signature, and a certified e-mail box.
It seems clear, therefore, that the procedures introduced with the PCT and that, we believe, will soon be introduced also in the PAD, oblige professionals, within the scope of their legal assistance, to process their clients' personal and judicial (and sometimes even sensitive) data through electronic tools.
In this regard, the Privacy Code, arts. 33-36, provides for some minimum requirements that each data controller (and therefore each lawyer) must comply with for processing with electronic instruments to be considered lawful. Art. 34 of the Code, moreover, refers to the rules set out in Annex B) of the same Code, which contains the procedures for applying the minimum security measures. The minimum security measures are the technical, IT, organizational and logistic measures that guarantee a minimum level of security and protect the systems from the risks of loss, destruction and unauthorized access to the data.
IT authentication and access to systems.
Firstly, it is necessary to introduce a computer authentication system. Access to IT resources must be protected by an identification system based on authentication credentials (passwords), which the user must keep secret. If there are several persons in charge of processing in the law firm, they must be given precise instructions about the precautions necessary to ensure the confidentiality of the credentials assigned to them and the diligent custody of the devices in use.
When there are several persons in charge, each with a different field of competence, they are assigned an authorization profile that limits their access to only those areas of the system containing the data necessary to carry out the processing operations. In this way, the persons in charge (who may be collaborators of the firm, secretaries, trainees) can access and know only the data necessary for carrying out the operations for which they have been authorized. The authorization system must be periodically checked and updated and, at least once a year, the lists of persons in charge of the management and maintenance of electronic tools must also be updated.
Data protection against the risk of intrusion and damage.
The regulations provide for an update at least every six months of the programs dedicated to system protection. These programs are antivirus and firewall software, which, however, in order to ensure real protection, must necessarily be updated daily. Moreover, it is necessary to keep the operating system constantly updated, to prevent possible system errors and incompatibility with the peripherals and with the other programs installed on the machine.
Backup copies and restoration of data and system availability.
In order to prevent the total loss of data, each law firm must set up a backup system, that is, automatic storage of the data in the system on separate media (kept in safe places). In this way it is possible to guarantee recovery and continuity of operations if the data are no longer available within the system.
The formalities examined so far apply to the processing of data in general, when this is done through electronic means. There are also specific rules to be adopted when sensitive or judicial data are processed. In this regard, through the adoption of technical and organizational measures, the removable media containing the data must be kept in such a way as to avoid unauthorized access and unauthorized processing. Further precautions are required when the media are re-used: if they are to be re-used by parties not authorized to process the data, the data they contain must be destroyed or rendered unusable. Finally, in the event of damage to electronic data or instruments, it must be ensured that operations are resumed in a short time, not exceeding seven days.
The minimum security measures are the basic measures that must be taken to ensure the security and lawfulness of the processing and to avoid incurring criminal and administrative liability (pursuant to Article 169 of the Privacy Code). However, it is evident that they are not sufficient to guarantee real protection of the systems and, moreover, complying with them does not free the data controller from all responsibility. In fact, art. 31 of the Code provides that the data are kept and checked also "in relation to the knowledge acquired on the basis of technical progress, the nature of the data and the specific characteristics of the treatment, so as to minimize, through the adoption of suitable preventive security measures, risks of destruction or loss, even accidental, of the data itself, of unauthorized access or treatment not allowed or not in accordance with the purpose of the collection". When non-compliance with these appropriate measures causes damage to third parties, the data controller is obliged to pay compensation for damages, pursuant to art. 2050 of the civil code.
In light of the foregoing, the digital administrative process opens a new phase in which the adoption of correct technical and IT measures and of appropriate criteria for managing and organizing the activities of the professional firm is becoming increasingly important, in compliance with the rules set to protect clients' personal data and IT security.
As the public administration increasingly takes on a digital character as an inherent element, following the issue of the Digital Administration Code (CAD) (Legislative Decree 7 March 2005, No. 82), the need arises to maintain and, if possible, increase and improve the privacy protection standards recognized by the Code regarding the protection of personal data (Legislative Decree 30 June 2003, No. 196).
If we intend to gradually transfer the entire administrative activity from the traditional paper-based system to the digital one, with all the obvious consequences that this implies in terms of speed, efficiency and economy of the public administration, we must also guarantee the existence of an authentic electronic democracy.
The protection of privacy is of fundamental importance, so much so that art. 2, para. 5, of Legislative Decree n. 82/2005 significantly refers, in this regard, to the full application of the Privacy Code.
The analysis of the public administration and of the profound changes that administrative action is experiencing, in other words, embraces the crucial issue of the protection of personal data. Some preliminary considerations are needed on the meaning of the term privacy, on its historical evolution and on the legislation that has concerned this subject.
The modern notion of privacy was born in the United States at the end of the 19th century with the famous Warren-Brandeis case (see the essay The Right, in Harvard L.Rev., 1890), to meet the fundamental requirement that "we can be in the world, decide whether to be alone or in company, to play with our most private facts, being able to freely make our choices without paying the price of unjustified social stigmatization".
Therefore, privacy must be understood, first of all, as a right to be left in peace (right to be forgotten) and not to suffer discrimination of any kind due to, for example, one's political or religious convictions.
But this definition is not exhaustive, since the term has two additional and fundamental meanings that must be brought to light immediately.
Privacy, in fact, is (and must be) also the right of everyone to the protection and control of their personal data and of its circulation. It is evident that the increasingly numerous public and private entities that hold and process our personal data in order to offer us the goods and services we need, especially in the current so-called information society, must ensure the security of such data and make it subject to the consent and control of those entitled.
Finally, privacy must be understood as the right to make one's decisions personally and to the protection of one's personal identity. This aspect today assumes a very important practical value, given that, for example, the presence of our data on the network and the creation of what has been effectively defined as electronic identity can cause distortions and dangerous uses of our personal data, with the risk that we will be attributed choices that we have never actually made or desired.
The protection of personal data has become widespread both in common law and in civil law countries, such as Italy, which, in implementation of Directive 95/46/EC of the European Parliament and of the Council, on the protection of natural persons with regard to the processing of personal data and on the free circulation of such data, issued the law of December 31, 1996, n. 675: the first organic legislative provision concerning the protection of personal data.
Mention must also be made of art. 8 of the European Convention on Human Rights; Articles 7 and 8 of the Charter of Fundamental Rights of the European Union of 7 December 2000, later transposed by Articles II-67 and II-68 of the European Constitution; as well as Directive 02/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector.
Finally, to give an account of the culmination of the evolution of legislation in this area in our country, mention must be made of the aforementioned Code regarding the protection of personal data, also called the Privacy Code (Legislative Decree 30 June 2003 n. 196), with which our legislator, the first in Europe, intended to regulate the matter of personal data protection in an organic and complete manner, also giving effect to the aforementioned directive n. 02/58/EC and therefore taking into account both the Community regulatory framework and the international framework.
Provisions derogating from or supplementing the general rules are set by the Privacy Code in relation to specific sectors of interest for administrative activity, such as the judicial field.
With the subsequent CAD, which came into force on January 1, 2006, the legislator intended to bring about a real digital revolution for the public administration.
First of all, with regard to electronic signature, art. 32, para. 2 of the Digital Administration Code provides that the certifier is required to adopt all the appropriate organizational and technical measures to avoid damage to others, including the certificate holder, while the subsequent para. 3, lett. i), states that the certifying authority issuing qualified certificates in accordance with Article 19 must also ensure the precise determination of the date and time of issue, revocation and suspension of the electronic certificates.
Art. 32, para. 5 of the Code in question then significantly provides that the certifier collects personal data only directly from the person to whom they refer or upon their explicit consent, and only to the extent necessary for the issue and maintenance of the certificate, providing the information required by Article 13 of the Code. The data cannot be collected or processed for different purposes without the express consent of the person to whom they refer.
Pursuant to the privacy legislation, however, sensitive and judicial data contained in lists, registers or databases kept with the aid of electronic tools are processed using encryption techniques, identification codes or other solutions that, considering the number and the nature of the data processed, make them temporarily unintelligible even to those who are authorized to access them and allow the interested parties to be identified only in case of need.
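One way to realise the identification-code approach described above, shown as an added example that is not part of the original article or of any legal text it cites. The class name, the field names, the use of HMAC-SHA-256 and the sample tax code are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class PseudonymisedRegister:
    """Register of sensitive/judicial entries keyed by identification codes.

    Hypothetical design: the working register never holds names; the
    code-to-identity table is kept apart and consulted only on need.
    """

    def __init__(self, key: bytes):
        self._key = key                 # held by the data controller only
        self.entries = []               # what authorised staff work with
        self._identities = {}           # kept separately (e.g. offline)
        self.reidentification_log = []  # every lookup leaves a trace

    def code_for(self, tax_code: str) -> str:
        # Keyed hash: the same person always maps to the same code, but
        # the code cannot be recomputed or reversed without the key.
        mac = hmac.new(self._key, tax_code.upper().encode(), hashlib.sha256)
        return mac.hexdigest()[:16]

    def add(self, name: str, tax_code: str, sensitive_note: str) -> str:
        code = self.code_for(tax_code)
        self._identities[code] = {"name": name, "tax_code": tax_code}
        self.entries.append({"code": code, "note": sensitive_note})
        return code

    def reidentify(self, code: str, operator: str, reason: str) -> dict:
        # Identification "only in case of need": a reason is mandatory
        # and the access is recorded.
        if not reason.strip():
            raise PermissionError("re-identification requires a stated reason")
        self.reidentification_log.append((operator, code, reason))
        return dict(self._identities[code])


def demo():
    # Constructed sample data, not taken from the page.
    reg = PseudonymisedRegister(secrets.token_bytes(32))
    c1 = reg.add("Mario Rossi", "RSSMRA80A01H501U", "medical report filed")
    c2 = reg.add("Mario Rossi", "rssmra80a01h501u", "hearing scheduled")
    leaked = any("Rossi" in str(e) for e in reg.entries)
    who = reg.reidentify(c1, "controller", "service of court notice")
    return c1 == c2, leaked, who["name"], len(reg.reidentification_log)
```

Staff working with `entries` see only codes and notes; linking a code back to a person requires the separate identity table, a stated reason, and leaves a log record.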
As is well known, the confidentiality of communications in general and electronic communications, in particular, constitutes a right recognized and protected by Italian and European law, including at constitutional level.
As the case law has decided, on the other hand, based on the combined provisions of art. 5 l. December 23, 1993, n. 547, and of art. 3 D.P.R. 10 November 1997, n. 513, correspondence transmitted by computer and telematic means, so-called e-mail, must be protected in the same way as correspondence or telephone communications and is therefore characterized by secrecy.
The judgment of the Court of Justice of the European Union of 8 April 2014 goes in the direction of a more marked protection of the right to privacy. The ruling declared the directive on the retention of telephone and telematic traffic data invalid. Traffic data is not neutral information but reveals a great deal about all of us and about our private life. An undifferentiated retention of these data for very long periods therefore exposes them to great risks. With its decision, the Court also emphasizes the need for data kept for reasons of justice to remain in the territory of the EU, with clear reference to the recent events of Datagate.
The ruling rebalances two values, security and privacy, which in recent years had clearly fallen out of alignment.