New law proposal on data retention submitted in Italy

By EDRi · November 22, 2006

(Dieser Artikel ist auch in deutscher Sprache verfügbar)

Thanks to Italian MP Maurizio Turco (Rosa nel Pugno) a law proposal on data
retention authored by the Winston Smith Project has been recently submitted
to the Italian Parliament as DDL (Disegno di Legge) number 1728.

The proposal, whose title is “Regulations for the collection, usage,
retention and deletion of geo-referenced or chrono-referenced data,
containing unique user identifiers, through automatic devices” aims to limit
the “side effects” of the current “data retention culture”, in which – due
to political and technological reasons – logging and retention of all sorts
of data is the norm rather than the exception.

According to the explanatory text of the proposal, ISP connections, web
surfing patterns, mail, news, chats can be logged and stored indefinitely
with relatively small investments, even by small and medium organisations.
The phenomenon is not limited to the Internet “per se”: GSM “cell data”,
i.e. the list of cells to which a mobile phone connects while the owner
moves, or data resulting from RFID usage are two other examples.

Technological automation allows the creation of huge databases on
activities that are not necessarily considered “personal data” according to
Italian law 196/2003, the main legal source for privacy protection in Italy,
and are therefore not subject to the protection guaranteed thereof.

Such databases can quickly become a privacy nightmare as access controls
tend to be lax either for lack of funding or for a commercial interest into
giving such access in the first place, and as data mining theory and
applications become more and more sophisticated in cross-referencing
apparently innocuous data from different sources.

Three Italian laws regulate the duration of data retention: Legislative
Decree 259/2003 (“Codice delle comunicazioni elettroniche”), Law 196/2003
(“Codice in materia di protezione dei dati personali) and, most recently,
the so-called “decreto Pisanu”, from the name of the former Ministry of
Internal Affairs of the last Berlusconi government.

The law proposal by the Winston Smith Project does not want to negotiate the
current obligations related to data retention; rather, it aims at acting “ex
ante” by reducing the quantity of data that are automatically collected
without any specific legal obligation imposing such collection in the first
place. The law introduces the “duty to delete” principle, according to which
automatically collected data shall not be preserved for longer than strictly
necessary to achieve the goal for which collection took place in the first
place. In a nutshell, the law proposal aims at making deletion of data the
rule, rather than the exception.

The Winston Smith Project

An interoperable world: the European Commission vs Microsoft Corporation and
the value of open interfaces (04.2005)

Text of the law proposal (only in Italian)

(Contribution by Andrea Glorioso, Italian consultant on digital policies)