In my courses on privacy I’m fond of saying that the Italian regulation protects against gossip. A friendly manner to highlight (what is not well known) that the Privacy Code must be respected by all citizens, who are not only protected persons, but must themselves respect the privacy policy.
In fact, the d.lgs 196/03 states in Section 5 (Subject-Matter and Scope of Application)
- This Code shall only apply to the processing of personal data carried out by natural persons for exclusively personal purposes if the data are intended for systematic communication or dissemination. The provisions concerning liability and security referred to in Sections 15 and 31 shall apply in any case.
So, anyone processing personal data, even the ordinary citizen, is required to adopt appropriate safety measures to protect them and responds civilly, under Article 15, for damage resulting from the processing of personal data.
However the most important aspect and real protection, is the fact that no one, not even your spouse, can publish your photos on a website or talk about you in public, without your consent. Given that in both cases of dissemination of personal data, the entire Privacy Code is fully applicable, even to private citizens,.
So before anyone can talk about you in public or publish your photo it is necessary they release an information note and ask your permission (this at least in theory). Otherwise the persons in question are liable on one side of the administrative and criminal sanctions of the Code and the other side of a possible compensation for damage resulting from their behavior. Therefore, a very strong protection, perhaps little known and rarely used. This protection has been guaranteed by the new EU Regulation.
In fact the Article 2 (Material scope) of Regulation states:
2. This Regulation does not apply to the processing of personal data:
…
(d) by a natural person in the course of a purely personal or household activity;
What does all this mean? Anyone can publish your photos or talk about you as long as they do it on their profile of any social network or on its website? Recital number 15 seems to go in this direction.
(15) This Regulation should not apply to processing of personal data by a natural person in the course of a purely personal or household activity and thus without a connection with a professional or commercial activity. Personal and household activities could include correspondence and the holding of addresses, or social networking and on-line activity undertaken within the context of such personal and household activities. However, this Regulation should apply to controllers or processors which provide the means for processing personal data for such personal or household activities.
Certainly with respect to the clarity of expression of the above mentioned article of the Italian Privacy Code, the new EU Regulation provides too much scope for interpretation, as in many other points.
The EU Regulation has put special emphasis on the introduction of safeguards such as the Right to erasure (“right to be forgotten”), little has been said about the protections that, compared to the current Italian Privacy Code, will be more difficult to implement.
Really interesting, in particular if we think of cyberbullies at school.