GDPR art. 9, entitled “Processing of special categories of personal data”, after having setting forth the general rule, specifically that “1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person‘s sex life or sexual orientation shall be prohibited,” identifies at paragraph 2 a few exceptions to that prohibition, which include – at letter e) – cases regarding processing that “relates to personal data which are manifestly made public by the data subject”.
This exception raises doubts as to the interpretation of the precise definition of its scope, especially when it calls attention to the important phenomenon of the indistinct mass of personal information that is shared on social networks every day.
For this evaluation I believe it is opportune to 1st consider the traditional meaning ascribed to the expression “public” as interpreted and applied by the Italian Privacy Code.
The first place in which our laws refer to the concept of personal data made “public” is set forth by the general consensus relating to the processing of – ordinary – data contained in “public registers, lists, acts or documents that are accessible to anyone”, set forth in art. 24, para. 1, letter c) of the Italian Privacy Code.
Considering the application of this provision, noting that the Italian DPA clarified in the decision dated 11 January 2001 (“Political communications, e-mail, acts and documents accessible to anyone”, published in Bollettino “Cittadini e società dell’informazione” n. 16, p. 39) that the provision set forth in art. 24, para. 1, letter c) of the Italian Privacy Code: “refers not to any personal data that is indeed accessible to a plurality of persons, but only to personal data that in addition to being included in “public” registers, lists, acts or documents (…) is subject to a legal regime of full knowledgeability by anyone, a regime which, however, can also include modalities or temporal limits (…)”: namely, in this context, for the legitimacy of use of the personal data it is not sufficient that such data is present in sources that are freely accessible, but it is also necessary that the purpose of such use is compatible with those reasons that justify its presence in the source, which is, indeed, public.
The consequence of this is – for example – the long-standing case law of the Italian DPA that forbids the use of personal data drawn from professional bodies for purposes that are not directly connected to those provided as the reason for such information’s publication , as with the traditional affirmation of the principle according to which the fact that an email address is accessible to anyone because it can be easily retrieved on the Internet does not authorize third parties to use it for sending advertising messages on an indiscriminate basis, needing instead to consider, in identifying permitted uses, the specific purposes, in the actual case in point, of public availability of the email address (for example, a list of addresses of professors published on a University website are usable only for contacts linked to their institutional activities).
Naturally this framework also applies regardless of the fact that personal data are contained in “public registers, lists, acts or documents accessible to everyone” because they were inserted by third parties or by the data subject itself, as occurs in social networks: with specific regard to the reuse of personal information published on social network profiles, one must note that the “guidelines for materials consisting of promotional activities and spam” dated 4.7.2013 (doc. Web 2542348, par. 6.1) affirms that it is illegitimate to send “ marketing message relating to a specific product or service from a company that obtained the user’s personal data from the user’s profile on a SN”, on the basis of the consideration that “the circumstance whereby personal data (such as phone numbers or email addresses) can be retrieved easily on the Internet does not allow using such data to send automated marketing messages without the recipients’ consent”.
The application of the exclusion set forth at art. 24, para. 1, letter c) of the Italian Privacy Code is therefore based on the prevalence of the principle of finality (art. 11, para. 1, letter b) and d) of the Italian Privacy Code), on the basis of which the data may be gathered and registered for purposes that are determined, explicit and legitimate and may be used for other types of processing that are compatible with those purposes.
One case in which the Italian Privacy Code specifically refers to personal data made “public” is that in which “data concerning circumstances or events that have been made known either directly by the data subject or on account of the latter’s public conduct” in the context of journalistic pursuits or by other means of expression (including arts), as results from the combination of the provisions of art. 137, para. 3 and art. 136 of the Italian Privacy Code.
As is widely known, in this specific context the communication and diffusion of even sensitive personal data “made known directly by the data subject or through their behavior in public” (and therefore also the information posted on social networks) is permitted not only without the consent of the data subject and authorization of the Italian DPA, and in particular without the obligation to provide prior information to data subjects, but also in the absence of the specific limitations that the law generally sets forth for the exercise of the press freedom: primarily the timeliness and relevance for the public interest of the information subject to processing (on this point jurisprudence of the Italian DPA has been consistent since 1999: see Provv. “Privacy and information” – 18.10.1999: “there is no violation of privacy nor the Code of Practice Concerning the Processing of Personal Data in the Exercise of Journalistic Activities whether the information is made known directly by data subject or through their behaviour in public”; Provv. “Publishing data made known directly by the data subject does not violate privacy” – 28.10.1999: “the diffusion by way of the press of circumstances, news and data already made known by data subject through “open letters” sent to a wide range of subjects does not violate the limits to press freedom set forth in protection of privacy”).
Instead there remain, as necessary circumstances for legitimising the processing, compliance with the general principles of fairness and data minimisation, as well as substantial adherence of the information shared to that made public by data subject itself.
In relation to such processing, these are always subject to the right to subsequently provide proof of the existence of lawful justification deserving legal protection (art. 5, para. 2, Code of Practice Concerning the Processing of Personal Data in the Exercise of Journalistic Activities), as well as the right to object, in whole or in part, on legitimate grounds, to the processing of personal data concerning him/her on the basis of art. 7 of the Italian Privacy Code.
This highly facilitated processing regime aims to guarantee the freedom of information (see. ex multis Provv. 30.12.2011 – doc. web n. 1873945), as well as the necessary balancing with a person’s fundamental rights (see Code of Practice Concerning the Processing of Personal Data in the Exercise of Journalistic Activities and Code of Conduct and Professional Practice Regarding the processing of personal data For historical purposes, respectively attached as Annexes 1 and 2 to the Italian Privacy Code)
To summarise, one may say that in the current system the reuse (by private parties, because “reuse” of information in the context of the Public Administration is a different and complex issue, which falls outside the scope of this discussion) of personal information that is “publicly available” (as per the cited articles of the Italian Privacy Code) is permitted without the data subject’s consent:
- in general, with regards to “ordinary” personal data, within the limits of the principle of purpose limitation, and therefore for end uses that are consistent with those that lead to the “publication”;
- instead, as a specific exception – which also extends to sensitive information – for cases in which the law identifies the possibility that the data can be used following a balancing between fundamental rights, according to the conditions specified.