“The goal I set myself in 2017, when I was commissioned to write the law on the protection of personal data for the Republic of San Marino, was to favor the access of San Marino companies to the international market, aligning the privacy legislation with the European one”.
The Court of Cassation lawyer and Specialist in Civil Law, Nicola Fabiano, President of the Data Protection Authority of the Republic of San Marino, explains the Republic's GDPR in a nutshell. “One of the innovations introduced by law no. 171, approved in December 2018 and effective from 5 January 2019, is the establishment of the first Data Protection Authority for the protection of personal data in the Republic of the Titan, a collegiate body composed of three members”. The San Marino provision was a necessary one, given the restrictions under which the GDPR allows data to be transferred outside the EU, which evidently also hindered flows between Italy and San Marino. “When it comes to protecting personal data, in fact, you need to be very careful and be aware that this is not just a formal compliance”.
In one of his publications on the GDPR, robots and ethics, we read that transparency is a fundamental principle and that “people must have full control of their personal data”. How is this guaranteed?
“The issue of ethics in relation to the protection of personal data is complex and represents one of the challenges of these times. Ethics has become a fundamental element, even if not a codified one, which must be taken into account. Beyond what emerged on the occasion of the fortieth World Conference of Data Protection and Privacy Commissioners in 2018, numerous interventions have been recorded, among which I mention the 2018 Report by the AI Now Institute of New York University and the 10 recommendations on Artificial Intelligence. With specific regard to the question, the data controller must fully respect the GDPR according to the principle of accountability. Therefore, the data subject must be able to exercise his/her rights and, therefore, to always have full control over his/her personal data”.
Is one’s prior consent to the transfer of data, also used by big players like Google and Facebook, really effective or do we need something else?
“Consent, according to the provisions of the GDPR, is one of the conditions of lawfulness of the processing. However, the correct use of personal data cannot be based solely on the data subject’s consent, but always on the data controller’s compliance with the GDPR rules. Big players like Google or Facebook must comply with the rules allowing the data subject to have full control of his/her personal data and to exercise his/her rights.
“I have been dealing with Privacy by Design (PbD) since 2010, a time when the 32nd World Conference of Data Protection and Privacy Commissioners adopted a resolution on the subject. The PbD theme, with a partially different approach, has become the “Data Protection by Design and by Default” principle provided for in art. 25 of the GDPR. The development of systems which use Artificial Intelligence and Deep Learning without complying with the principle of data protection by design and by default contained in art. 25 of the GDPR can expose the personal data of the data subject to serious risks: one of these lies in profiling the data subject, without the data subject being able to fully control his/her own data. Moreover, so-called “inferred data” have recently been talked about, i.e. data obtained by acquisition or extraction from other information, without the data subject being informed and, therefore, without any control over them. When using intelligent systems, the data controller must in any case comply with the rules of the GDPR and the related principles, whose observance, in my humble opinion, also provides the possibility of a correct ethical approach”.
A 2013 proposal of yours referred to the possibility of introducing a “standard privacy framework”: is it still valid? What is a possible model to build?
“Several years ago, I proposed the idea of an international framework which could be used by everyone for the protection of personal data. What I mean is a common regulatory framework at world level, which provides and establishes the basic principles concerning the protection of personal data and privacy; the content, of course, will consist of the individual national or federal rules (USA), or, as in Europe, of the GDPR. The principle of harmonization of the national laws of the European states is a positive sign that goes in the very direction I proposed a few years ago. It is important to have a common reference in this matter. There are projects which have been started on the subject and among these I can mention, as I have been part of the technical committee, that of OASIS, called Privacy Management Reference Model (PMRM). However, the reference practice of UNI (Standard 43:2018) also deserves to be mentioned, published following the work carried out by the “Privacy management processes in the digital environment” table, which I took part in. I believe that a good job was published and I understand that it is also of interest abroad”.
Probably the very concept of privacy today has changed. In your opinion, what is the correct definition?
“In an indefinite context, such as the infosphere or cyberspace, it is difficult to circumscribe the issue of privacy, or rather, of the protection of personal data. The GDPR is a milestone which has completely changed the approach to personal data protection, even if it is not the perfect solution. The data subject must trust the data controller to the extent that the latter complies with the GDPR rules. What must be clear is that the processing of personal data must be addressed by considering it in terms of processes which must be analyzed, evaluated, implemented and monitored. The approach towards the protection of personal data is decidedly dynamic and not static; those who believe they can tackle the issue of personal data protection by considering it as a path that ends with the achievement of a point of arrival, are mistaken. Adjustment to the GDPR is an endless dynamic path but it undergoes continuous monitoring of the processes. Privacy and protection of personal data are two distinct rights and may be qualified as fundamental rights in Europe; in fact, they are contained in the Charter of Fundamental Rights of the European Union. Personal information should be considered an absolute value because it belongs to each person. Therefore, personal information cannot be debased and economically evaluated for the sole purpose of becoming a commodity. These personal data have a high and noble value, otherwise we would end up debasing the person and human dignity. The European Courts will confirm these connotations of personal data on the occasion of violations of fundamental rights. Respect for personal data implies the same respect for human dignity”.