Journalistic activity and spamming regarding the unlawful processing of personal data
In the previous article (click here to read it) we talked about the role of the Data Controller and the Person in charge of the processing of personal data, focusing on the concept of damage and on the legal actions to be taken in the event of unlawful processing of the same and any damage caused to the interested parties or to third parties.
Here we will focus on journalistic activity and spamming, analyzing the main jurisprudential guidelines on the unlawful processing of personal data in these areas of interest.
Journalistic activity and the processing of personal data
The question that has always been debated certainly concerns the contrast between the right to information – provided for by art. 21 of the Italian Constitution – and that of confidentiality, provided for by the combined provisions of Articles 2 and 21 of the Italian Constitution.
Art. 17 of GDPR guarantees the right to be forgotten, i.e. the obscuring and non-disclosure of personal data (present on the web, above all) belonging to a specific subject or of news that, due to the passage of time, are now forgotten or no longer relevant to the community.
In the last 18 years, the Supreme Court has followed a single orientation in terms of the right to be forgotten, stating that the publication in a newspaper of a photo of a person in chronological coincidence with the moment of arrest must respect both the conditions of the right to report , and the “precautions imposed by the protection of the dignity of the person, who is caught in a situation of particular weakness” (Cass. Civ. sentence June 6, 2014, no. 12834).
The passage of time, in fact, changes the relationship between the opposing news and confidentiality rights. Therefore, the publication/disclosure of news or information regarding a specific subject, after some time from the occurrence of the facts, leads to a violation of his right to be forgotten.
The United Sections of the Supreme Court, with a recent sentence, have clarified this principle better, adding that, if a news of the past – disseminated at the time in the legitimate exercise of the right to press – is re-published/disclosed, after a “significant time span“, only for editorial choice, the activity carried out by the journalist has a historiographical character (Cass. civ. United Sections, n. 27988/2019).
Therefore, in the latter case, the right of the interested party (involved in the news) to maintain anonymity on his personal identity prevails, unless there is a renewed public interest in knowing the facts, or the protagonist has held or covers a function that makes it publicly known.
Spamming and the processing of personal data
Another important context in which continuous violations of the right to privacy are identified is that of spamming: the “wild” promotional activity, carried out by sending (in various forms) multiple advertisements to a wide audience of users, without prior consent of the latter.
However, the Supreme Court clarified how the criminal relevance of this promotional conduct cannot be identified in the simple annoyance caused to the recipient of having to delete unwanted emails from time to time; but in a “concrete prejudice, even non-patrimonial, capable of being legally appreciated …” (Criminal Supreme Court, Sent. n. 41604/2019).
An example of concrete damage can be seen in the inconvenience caused to the user by the continuous receipt of unwanted messages from the same sender (Data Controller or Data Processor), despite the notification that he no longer wishes to receive them.
This jurisprudential orientation has also been followed over the years by the Guarantor Authority, which last year (2021) issued two sanctions against two telecommunications companies, guilty of having implemented a massive practice of spamming against a plurality of users.
The first provision (ordinance of 16 September 2021) was issued against a telephone company, guilty of having violated articles 5, 6, 7, 14 and 21 of the GDPR for:
- having carried out processing of personal data for promotional purposes of its products and services, in the absence of the required consent from the users concerned and of suitable information;
- not having carried out checks on the contestability lists acquired from third parties;
- failing to correctly register the objections.
The Guarantor Authority, for these violations, sentenced the telephone company to pay a financial penalty of approximately 132 million euros, also prohibiting the processing of users’ personal data acquired from lists belonging to third parties for promotional and commercial purposes, in absence of effective checks on the consent of the data subjects.
The second provision (ordinance of 25 March 2021), on the other hand, was issued against another telecommunications company, following a proceeding initiated due to multiple complaints submitted by users who complained of continuous unwanted telephone contacts by the company. company, with the aim of promoting telephone and internet services.
The ordinance found that the company, as Data Controller, did not proceed, from the first contact with the potential customer, to implement control systems of the “chain” of collection of personal data, suitable to exclude that the activation of the services or the signing of contracts took place thanks to illegal or unwanted promotional activities.
The Authority, therefore, sentenced the company to:
- adapt the telemarketing treatments, so that these provided for the activation of services and the registration of contracts only following promotional contacts made by the sales network of the same company, through telephone numbers registered and registered in the Register of Operators of Communication.
- Reformulate the information relating to the “Call me back” service – specifically indicating how the user can contact you again – and provide for an automated method of deactivating the service.
- Pay a fine of approximately 90 million euros; amount commensurate with the Company’s turnover, the severity and duration of the violations perpetrated and the very high number of users involved.