Chapter 16

Big Data and the Italian Legal Framework

Opportunities for Police Forces

Pietro Costanzo, Francesca D’Onofrio,  and Julia Friedl

Abstract

This chapter provides an analysis of the European and Italian legal framework on personal privacy and data protection, its development, current issues, and future perspectives, with reference to the increased appearance and use of Big Data. In addition, a view is provided of police and intelligence agencies dealing with those laws during their investigations.

Keywords

Investigations; Legislation; Predictive policing; Public security; Sensitive data protection

Introduction

We are currently experiencing unlimited growth of the size of real-world data and increasing requests for real-time processing on the behalf of various stakeholders: businesses, governments, health organizations, and police forces. Data have become the raw material of production, a new source of immense economic and social value. The increasing number of people, devices, and sensors that are now connected by digital networks has revolutionized the ability to generate, communicate, share, and access data (Robinson et al., 2009).
The deployment of Big Data offers a high number of benefits and advantages to its users.1 A report by the McKinsey Global Institute demonstrates the transformative effect that Big Data has had on entire sectors ranging from health care to retail and from manufacturing to political campaigns (Manyika et al., 2011). In addition, police forces can achieve important advantages by analyzing the enormous amount of information that composes so-called “Big Data” (World Economic Forum, 2012).
Big Data may facilitate predictive analysis with implications for individuals susceptible to disease, crime, or other socially stigmatizing characteristics or behaviors. Predictive analysis is particularly problematic when it is based on sensitive categories of data such as health, race, and sexuality (Tene and Polonetsky, 2013). Even when it does not imply the use of sensitive data, predictive analysis can become a prophecy that accentuates social stratification (Casady, 2011).
In general, the data deluge presents privacy concerns that appear more pressing when it comes to the use of data on behalf of governmental bodies and police forces.
Predictive analytics that incorporate social factors and local demographics can have an important role in enhancing intelligence-led law enforcement that will help police anticipate crime by predicting crime hotspots and identifying criminal networks. In fact, in some countries2 police forces are using these kinds of predictive analytics to better equip officers and improve public safety. This strategy builds on information shared among different police services, courts, prisons, and public administrations, and sometimes information collected from social networks, to identify where crimes are more likely to take place (Byrne and Marx, 2011).
If much of the debate around Big Data and privacy is based on the idea that organizations should be required to reveal the criteria used in their decision making processes with respect to personal data analysis (Tene and Polonetsky, 2013), what should occur when it comes to using Big Data for public/national security?
Starting from an analysis of the European legal framework concerning the protection of data and their use for policing and criminal law matters, this chapter will consider the Italian legal framework to understand opportunities and constraints for Italian police forces regarding the use of Big Data for public and national security purposes.

European Legal Framework

The first European data protection laws date to the early 1970s.3 These early laws largely affected parts of government administration that collected large amounts of information from citizens for the purpose of providing services such as health care, education, and welfare. For the most part, intelligence and law enforcement officials were untouched by these early data protection regulations. Their information-gathering activities were covered by a more specific set of national laws. Police had to apply for warrants from judicial authorities before they could undertake surveillance.4 In contrast, intelligence officers, who were responsible for security-related surveillance, were subject to less rigorous standards enforced not by courts but by independent government officials or parliamentary committees (Bignami, 2006).
Since the 1970s, one development has radically altered the nature of law enforcement and the relationship between law enforcement and data protection laws: technology. Increasingly, digital space has become the main feature of today’s society. As a consequence, by monitoring Internet traffic, the police can easily collect useful information about citizens and personal data have become essential for Internet business (Bignami, 2006). On a European level, a data protection legal framework has been developed in the past 20 years and is still in continuous transformation to adapt itself to the technological environment.

Directive 95/46/EC and Revision Process Started in 2012

Proposed in 1990 and adopted in 1995, the Data Protection Directive (95/46/EC) guarantees the right of individuals’ data protection as well as the flow of data in the European Union (EU). This directive binds member states to harmonize their legislation, guaranteeing in that way to process personal data fairly, lawfully, and only for specified, explicit, and legitimate purposes (Kulk and Van Loenen, 2012). The e-Privacy Directive 2002/58/EC (amended by Directive 2009/136/EC) serves as a complementary directive to protect personal data in the electronic communications sector.5 In 2008, a Framework Decision (2008/977/JHA) was adopted on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (Data Protection Framework Decision) (Peers, 2012).6 This decision aims to protect the personal data of natural persons when their personal data are processed for the purpose of preventing, investigating, detecting, or prosecuting a criminal offence or for executing a criminal penalty. The applicability of this framework decision is limited to ensuring data protection in the cross-border cooperation between these authorities and does not extend to national security. Thus, at the EU level, data protection in the police and criminal justice sector is regulated only in the context of cross-border cooperation of police and judicial authorities.7
Furthermore, a stronger legal basis is provided through adoption of the legally binding European Charter of Fundamental Rights,8 or more precisely Article 8, which recognizes data protection as an autonomous personal right, as well as Article 7, the right to a private and family life.9 The Council of Europe Convention 108,10 which is the main point of reference for the Directive (Bignami, 2007), applies to data protection in the area of police and criminal justice, although the contracting parties may limit its application (European Union Agency for Fundamental Rights, 2014).11
At the time of approval of the Data Protection Directive, data protection aimed to prevent rights abuse by market actors and by government agencies operating as service providers. Because globalization and quickly changing technological advancements are continuously modifying the way and methodologies with which data are collected and used, data protection is still challenged, calling for the need of a new, advanced legal framework. The revision of the 95/46 Directive started in 2010, in 2012, the EU Commission proposed a data protection regulation,12 a directly applicable legal act that should guarantee equal data protection for European citizens and an identical legal environment for companies modernizing and enhancing the old directive while setting global standards. More precisely the regulation should obligate non-European companies, when offering goods and services to European consumers, to apply the EU data protection law in full, no matter to what establishment they belong. On the other hand, citizens will benefit from the right to be forgotten, i.e., the right to have their data deleted in case it is processed without legitimate grounds.13 Control and easier access to data should be enhanced whereas privacy-enhancing technology should be employed by technology providers and Web services.
In March 2014, the regulation passed the EU Parliament’s vote and was waiting for final adoption by the Council of Ministers, as the ordinary legislative procedure (co-decision) was implemented.14 Together with the regulation, a further legislative proposal was presented15 regarding the processing of personal data in the law enforcement sector. This directive should allow personal data between competent authorities within the EU to be shared and exchanged for the purposes of prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties, thus providing a directive to enhance law enforcement cooperation between member states’ authorities.

Data Retention Directive

The Data Retention Directive (2006/24/EC), amending the 2002/58/EC e-Privacy Directive, represents a complementary instrument to the Data Protection Directive. Highlighting the need of common measures regarding the retention of telecommunications data after the terrorist attacks on London and Madrid, the data retention directive can be considered the first EU law to address data privacy on law enforcement (Bignami, 2007). The two main purposes of the directive are harmonizing of obligations on providers to retain certain data and ensuring that the data retained are available for the purpose of investigation, detection, and prosecution of serious crime and terrorism.16 Hence, its aim was to facilitate European cooperation in criminal investigations.
According to the directive, communication service providers are required to retain communication data for a period from 6 months up to 2 years (from three sources of traffic data: fixed and mobile telephony as well as Internet traffic), allowing member states to retrieve these data for one of those law enforcement purposes. This massive storage of data generated criticism by civil society, from the Article 29 Data Protection Working Party17 as well as from the European Data Protection Supervisor, who pointed out that it entails serious interference with the fundamental rights to respect for private life and to the protection of personal data. These groups raised concerns regarding whether the stored data would achieve the crime-fighting results and whether, owing to the lengths and amount of data retained, the proportionality test was accomplished (Bignami, 2007).
Even though further evaluations made by the European Commission highlighted the positive impact on investigation of the directive, on April 8, 2014, the Court of Justice declared the Data Retention Directive invalid.18 According to the Court, the principle of proportionality, as well as the fundamental rights to respect for private life and personal data protection, were not guaranteed although the benefit and importance of retention, under precise and legitimate conditions, for the fight against serious crime and the protection of public security were recognized.

The Italian Legal Framework

Authority for Personal Data Protection

The Authority for Personal Data Protection is an independent administrative authority established by law n. 675 approved on December 31, 1996, to ensure the protection of rights and fundamental liberties and the respect of personal dignity when processing personal data (Gioffrè, October 21, 2009).
Data protection rights and secrecy rights do not coincide. The latter is the right to exclude others from having knowledge about private or family-related information. Data protection rights are about exercising a form of control over a person’s data and information. In the first case, we are talking about the right to keep secret some information that the holder wishes to keep excluded from the knowledge of others; in the second case, the intention is to protect data and information, therefore protecting their use. The information we are talking about here does not have a reserved content: Information and data could be public. For instance, the telephone number of a private phone line reported in a telephone directory is certainly not considered reserved data, but it is personal data that must be handled according to the privacy and data protection legal framework.

The Italian Privacy Code

Initially, personal data and privacy were protected by Law n. 675, December 31, 1996, which brought into force EU and international provisions relating to the topics (Council Directive 95/46/EC and Strasbourg Convention n.108, 1981) (Condello et al., 2009). Throughout the following 7 years, nine Law decrees regulating various specific aspects related to data protection were approved. This approach determined a discontinuous and inconsistent data protection legal framework.
In 2003, with the approval of D.Lgs 196/2003, the law on data protection (commonly called the Privacy Code) came into force in the Italian legal framework, replacing the previous framework.
The contents of the Code are driven by the objective of ensuring a high level of protection within the respect of principles of simplification, harmonization, and efficiency (Article 2, comma 2).
Personal data are defined as “any information relating to an identified or identifiable natural or legal person regardless its form, i.e., either paper or electronic based information.”19 The broad definition given in the Code is similar to that reported in the Data Protection Directive. However, the Italian Code also includes legal persons as personal data holders (i.e., personal data may belong to associations, public administration, and any legal entity).
In this setting, the border between personal data and anonymous data is close; data are considered personal if there is the possibility of identifying the holder of the data. Personal data must be referred or referable to a specific holder.
The Privacy Code also dedicates specific provisions to some particular categories of data:
1. Sensitive data are personal data that are able to reveal:
a. Racial and ethnical origins
b. Religious beliefs
c. Political opinions
d. Health and sexual life
e. Genetic data
Genetic data are considered sensitive because they are able to reveal the health status of the holder.
2. Judiciary data require a higher level of information security than other data. They include legal proceedings acts as stated in article 686 of the criminal law code, condemnation proceedings.
3. Semi-sensitive data present specific risks related to rights and fundamental rights. This category of data must undergo prior checking (as also reported in article 20 of the Directive). Prior checking is carried out by a supervisory authority. In the Italian case, this is the Garante della Privacy—that is, the Authority for Personal Data Protection (hereafter the Authority). For example, biometric data (e.g., digital fingerprints, iris recognition) is considered semi-sensitive data because, although they are collected for other purposes (mainly security issues such as immigration control), they are potentially able to reveal information about the holder’s health.
4. Traffic data relate to a telecommunication service user. The Italian code imposes limits relating to traffic data. Communication services suppliers must follow the general rule, which excludes data retention apart from:
a. 6 months’ data retention to have documented information to prevent billing disputes and
b. retention for periods foreseen by law to verify or restrain crimes.
Article 18 of the Code specifies that public actors (apart from medical staff and health organizations) are not required to obtain a holder’s consent, because their institutional function legitimates processing of personal data. Nevertheless, any unlawful data processing by public employees represents a violation of the Privacy Code. Furthermore, as a general rule, the exchange of personal data between two public actors is allowed when it is foreseen by a law or regulation or on the basis of an authorization issued by the Authority.

Focus on Italian Police Forces

Information technology is a fundamental tool for police forces because they base their activities on collecting, evaluating, and connecting information for crime prevention and repression activities and for administrative tasks (van Brakel and De Hert, 2011).
Public security is mentioned in Articles 117 and 118 of the Italian Constitution. Constitutional reform in 200120 left “public security”21 as the responsibility exclusively of the central government.
Specifically relating to police forces, data protection and analysis undergo the provisions indicated in Law n. 121/1981 and in a specific section of Privacy Code. Law n. 121/1981 assigned functions related to information and data classification, analysis, and evaluation to the Department of Public Security for purposes of order protection, public security, and prevention and repression of crimes (Article 6).
Article 7 of the law establishes that the information and data used for the purposes of Article 6 must refer to documents held by public administration or public entities, or result from proceedings of the judicial authority or from police investigations. According to the law, it is forbidden to collect information and data on citizens only because of their race, religion, or political opinions or their affiliation with unions or cultural, cooperative, or welfare-dedicated associations.
Information and data relating to bank operations or positions can be requested within the limits of police investigations and under explicit authorization issued by the judicial authority. Information and data held by police forces belonging to the EU member states and by other states, with which specific agreements have been reached, can be obtained under specific conditions.
Article 8 establishes the Centro Elaborazione Dati (Center for the Elaboration of Data (CED)), which collects, elaborates on, classifies, and stores information and data in automated files. The CED is also in charge of data transmission to authorized actors. Access and use of data and information stored in the CED are permitted for judiciary police officers, public security officers, security services officials, and authorized judiciary police agents. Controls on the CED are performed by the Authority according to specific laws and regulations. Finally, information and data shall not be used for purposes different from those listed in Article 6.

Police Data Processing and Privacy

As explained above, privacy protection consists of the right of each data holder to control information relating to her or him so that it is processed only in case of need and with respect for fundamental rights. The question is, Can the right of privacy protection somehow be restricted by data processing performed by police forces?
Since 2001, Italian police forces have made use of data and information collected and elaborated by the Sistema di Indagine (Investigation Systems (SDI)). Investigation Systems collects and coordinates a set of information and data from all police forces. The system is open to all Italian police forces and allows data to be searched and information to be held in external databases connected to the system. Through SDI, police forces can access the Schengen Information System (SIS).22

How long can police forces store information and data?

Article 6 of the Data Protection Directive and Article 5 of Convention 108 require member states to ensure that personal data are kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. The data must therefore be erased when those purposes have been served.
Article 11 of the Privacy Code provides that data must be stored to allow the identification of the holder for a period of time that must not exceed the period needed to pursue the finalities for which the data have been collected and processed. Article 22 of the Code also requires public actors to periodically verify the exactness and completeness and to update sensitive data and judiciary data.
In general, the second part of the Privacy Code, Processing Operations by the Police, specifically Articles 53–57, refers to police forces. Article 53 provides that personal data processing carried out by the CED at the Public Security Department or by police forces for the purposes of protecting public order and security, preventing, detecting, or repressing crimes is not limited by the provisions outlined in Articles 9, 10, 12, 13, and 16, 18–22, 37 and 38, and 39–45.
For example, this provision exempts police forces from the obligation to request the data subject’s authorization to use data and to collect his or her consent (Articles 9 and 13). Police forces are also excluded from observing special provisions relating to data processing by public actors (Articles 18–22). Articles 37–42 relate to the obligation to notify, communicate, and gain authorization for data processing by the Authority; for their specific functions, police forces are not required to observe these provisions, whereas articles 43, 44, and 45 relate to the transmission of data to subjects outside the national territory. Finally, according to the exemption from Articles 145–151, police force data processing cannot undergo citizens’ appeals.
According to Article 54, police forces can acquire data from other actors also in electronic format through specific agreements. Under provisions of Article 55, genetic and biometric data must be processed to protect the holder. Any data processing that is likely to be prejudicial to holders—with particular regard to genetic and/or biometric databases, location-based information processing, databases relying on specific information processing techniques, and the introduction of certain types of technology—must be compliant with measures and arrangements as may be set forth by the Authority to safeguard data subjects after a prior checking procedure.

Opportunities and Constraints for Police Forces and Intelligence

Recently, EU data protection has taken a new turn. Now, the challenge is to safeguard privacy when governments exercise their core sovereign powers of national security and law enforcement (see also Chapter 15). There is a need for legal rules in view of the increasing use of computers for administrative purposes. Compared with manual files, automated files have vastly superior storage capability and offer possibilities for a much wider variety of transactions, which they can perform at high speed. Further growth of automatic data processing in the administrative field is expected in coming years as a result of lower data processing costs, the availability of intelligent data processing devices, and the establishment of new telecommunication facilities for data transmission.
Information power brings with it the corresponding social responsibility of data users in the private and public sectors. Those responsible for the files are required to make sure that the advantages they can obtain from automatic data processing do not also lead to weakening of the position of the person whose data are stored.
In fact, main concerns regarding processing personal data are the loss of individuals’ control over sensitive information,23 the risk of linkability, and (re)identification. Some cases were already observed in Italy and highlighted by the Garante della Privacy in its 2013 report, “Data Protection: Times Are A-Changing Big Data, Transparency, Surveillance,”24 (Garante per la protezione dei dati personali, 2013) submitted to the Italian Parliament on June 10, 2014. This report “highlights the way ahead in order to make data protection genuinely effective,” not only relative to commercial and administrative matters, but also in key fields for public order and security such as global, national, and private surveillance, the role of major Internet service providers, social networks and cyberbullying, biometrics, protecting children on media and the Web, protecting personal data in judicial proceedings, and retention of telephone and Internet traffic data.
In terms of data access and data amendment, the Authority confirmed the importance for interested subjects to access CED data at the Public Security Department (Ministry of the Interior), one of the main data gates to personal information that can be used for investigative and intelligence purposes. Such control over data should also be granted over the new SIS (SIS II), according to the possibility of individuals and foreign SIS national sections asking for access.
The Authority also coped with specific requests coming from local police forces. In relation to the possibility of extending (up to 60 days) the retention of data gathered through video surveillance systems in public areas for possible investigative purposes, the Authority observed that the confirmed term is 6 days after collection and that any extension must be requested to the same Authority, underlining a conservative approach in a field still showing wide gray areas.
Within this framework, from the operational point of view, Italian police forces started to work on using structured and unstructured data to cope with crime in urban areas. Not many examples are available: Crime pattern recognition techniques and crime trend studies are still under-adopted, and results of ongoing experimentations have yet to be understood.
First outcomes may be reported from a project in the city of Milan, thanks to the adoption of Key Crime predictive policing software. The tool was developed by internal personnel at the police in Milan and adopted for testing on robberies as a typical serial crime. Based on the analysis of several thousand parameters per event collected from multiple sources (video surveillance, manual entry of operators, etc., all contained in police databases), the software allowed police to attribute past robberies to perpetrators on the basis of precise matching of key elements of modus operandi.25 The tool has also been adopted to predict activities and therefore better allocate resources in the field.
Currently the software only adopts data acquired by the police and contained in internal databases, but what if such tools were redesigned and allowed to access open source information?
Emerging challenges derive from the “data-gate” case, i.e., foreign citizens’ data collected by the United States National Security Agency (NSA) (The White House, 2014). After the disclosure to the public of information related to NSA’s activities, Italian interested institutions (the Authority, the Parliament security committee/COPASIR, and the Department of Information and Security (DIS)) held consultations (also on the basis of Article 31 of Law 124/2007) to shed more light on the possible involvement of Italian nationals in NSA’s data collection, both to enhance citizens’ data protection and to reinforce the mechanism of police and intelligence cooperation. An important outcome of this process was the agreement signed on November 11, 2013, between the Authority and DIS to set up processes granting, to some extent, access to information about the treatment of personal data for intelligence purposes (e.g., in relation to cybersecurity issues to the access to databases of the Public Administration or of public services).26
Finally, considering this complex and fluid legal framework, data protection is considered to be at the top of the agenda, as the cornerstone to define limits and opportunities for accessing personal data for police and intelligence purposes. In this view, the possibility of adoption of the Data Protection Regulation in 2015 and society’s growing concerns about privacy on the World Wide Web have already influenced technology businesses’ product development. New methods providing a differential privacy are developed by main companies through a technological privacy by design solution, guaranteeing both the quality of digital data and the certainty to individuals of being untraceable (Bloem et al., 2013). The use of privacy-enhancing technologies together with standardized legislation, for both companies and law enforcement agencies, can create trust and a balance between the responsible exploitation of the advantages of (big) data and the respect of privacy of data protection of individuals.
Opportunities for police forces and intelligence services in Italy are still under-considered and the studies in this direction are evolving. In particular, because urban areas are growing and aggregating a multitude of cultures, economic activities, technologies, and social habits, the complexity of social demands and security needs is quickly increasing. The challenge for police and intelligence assets in the country is to anticipate the change, be prepared to adopt the solutions potentially provided by technologies supporting security analysis and operations, but also strongly focus on the challenges posed by the changing urban political geography, as well as ethical and legal issues.

References

Bignami F. Protecting privacy against the police in the European Union: the data retention directive. In: Bot Y, et al., ed. Melanges en l’Honneur de Philippe Leger: le droit a la mesure de l’homme. 2006:109–125.

Bignami F. Privacy and law enforcement in the EU: the data retention directive. Chicago Journal of International Law. 2007:233–255.

Bloem J, van Doorn M, Duivestein S, van Manen T, van Ommeren E. Privacy, Technology and the Law. Big Data for Everyone through Good Design. VINT Sogeti; 2013 Available from: http://blog.vint.sogeti.com/wp-content/uploads/2013/04/VINT-Big-Data-Research-Privacy-Technology-and-the-Law.pdf.

Burkert H. Privacy – data protection a German/European perspective. In: Engel C, Keller K.H, eds. Governance of Global Networks in the Light of Differing Local Values. Baden-Baden: Nomos Verlagsgesellschaft; 2000:43–70.

Byrne J, Marx G. Technological innovations in crime prevention and policing. A review on implementation and impact. Cahiers Politiestudies. 2011;20(3):17–40.

van Brakel R, De Hert P. Policing, surveillance and law in a pre-crime society. Understanding the consequences of technologies based strategies. Cahiers Politiestudies. 2011;20(3):163–192.

Casady T. Police legitimacy and predictive policing. Geography and Public Safety. A Quarterly Bulletin of Applied Geography for the Study of Crime and Public Safety. 2011;2(4):2011.

Condello M., Guerra G., Ricchiuto P., 2009. La privacy nelle attività forensi. Avvocati, investigatori privati, periti, uffici giudiziari. Giappichelli.

Daly G, Sanchez Lopez M, Slessor J.W. Policing gets smarter. Accenture Outlook the Journal of High-Performance Business. 2013(3).

European Union Agency for Fundamental Rights. Handbook on European Data Protection Law. second ed. Publications Office of the European Union; 2014.

Garante per la protezione dei dati personali, La protezione dei dati nel cambiamento. Big Data, Trasparenza, Sorveglianza, Relazione 2013.

Gioffrè G. Il Garante della privacy e l’amministratore del sistema. ALTALEX; Wednesday October 21, 2009 [Online]. Available from: http://www.altalex.com/index.php?idnot=47812.

Holzacker R.L, Luif P. Freedom, Security and Justice in the European Union: Internal and External Dimensions of Increased Cooperation after the Lisbon Treaty. New York: Springer Science+ Business Media; 2014.

Kulk S, Van Loenen B. Brave new open data world. International Journal of Spatial Data Infrastructures Research. 2012;7:196–206.

Liscka K, Stöcker C. Data Protection: All You Need to Know about the EU Privacy Debate. Spiegel Online International; Friday January 18, 2013 [Online]. Available from: http://www.spiegel.de/international/europe/the-european-union-closes-in-on-data-privacy-legislation-a-877973.html.

Manyika J, Chui M, Brown B, Bughin J, Dobbs R, Roxburgh C, Hung Byers A. Big Data: The Next Frontier for Innovation, Competition, and Productivity. McKinsey Global Institute; 2011 Available from: http://www.mckinsey.com/Insights/MGI/Research/Technology_and_Innovation/Big_data_The_next_frontier_for_innovation.

Peers S. The Directive on Data Protection and Law Enforcement: A Missed Opportunity? Statewatch; 2012 Available from: http://www.statewatch.org/analyses/no-176-leas-data%20protection.pdf.

Robinson N, Graux H, Botterman M, Valeri L. Review of the EU Data Protection Directive, Rand Europe. 2009. http://ico.org.uk/∼/media/documents/library/data_protection/detailed_specialist_guides/review_of_eu_dp_directive.ashx.

Tene O, Polonetsky J. Big data for all: privacy and user control in the age of analytics. Northwestern Journal of Technology and Intellectual Property. 2013;11(5):239–273.

The White House, Executive office of the President. Big Data: Seizing Opportunities, Preserving Values. Executive Office of the President; 2014 Available from: http://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_may_1_2014.pdf.

World Economic Forum. Big Data, Big Impact: New Possibilities for International Development. World Economic Forum; 2012 Available from: http://www3.weforum.org/docs/WEF_TC_MFS_BigDataBigImpact_Briefing_2012.pdf.

1 See World Economic Forum, Big Data, Big Impact: New Possibilities for International Development (2012). Available at: http://www3.weforum.org/docs/WEF_TC_MFS_BigDataBigImpact_Briefing_2012.pdf.

2 For example, police in Santa Cruz in California uses predictive analytics on burglary data to identify streets at greatest risk. Singapore police, instead, combine advanced analytical capabilities with existing video monitoring systems to ensure safety in the city (Daly et al., 2013). In Europe, predictive analytics is becoming fashionable, too. The Kent Police Force in the UK has tested a strategy in which analytics software is used to ascertain areas in which crime is more likely to occur, using several years of crime data.

3 The first data protection law in Europe was adopted in Hessen, Germany, on September 30, 1970 in the Hesse Data Protection Act or Hessisches Datenschutzgesetz, whereas the first national data protection act was passed in Sweden in 1973 (see Burkert, 2000).

4 For example, in the UK information gathering for law enforcement in terms of interception received a statutory regulation in 1985 with adoption of the Interception of Communications Act 1985. Before this act, the Secretary of State issued warrants for interception but there were no legal consequences if a warrant was not obtained. The 1985 Act was introduced after the European Court of Human Rights ruling in Malone vs UK in 1984 (for more information, see: http://www.lse.ac.uk/humanRights/documents/2011/KlugIntercepComms.pdf).

5 Source: http://europa.eu/legislation_summaries/information_society/legislative_framework/l24120_en.htm.

6 In January 2012, a revision process of both the Data Protection Directive and the Framework Decision started. The directive should be replaced by a regulation, whereas the Framework Decision should be replaced by a binding directive.

7 An important example of institutionalized cross-border cooperation by exchange of nationally held data is Council Decision 2008/615/JHA on the stepping-up of cross-border cooperation, particularly in combating terrorism and cross-border crime (Prüm Decision), which incorporated the Prüm Treaty into EU law in 2008. The aim of the Prüm Decision was to help member states improve information sharing for the purpose of preventing and combating crime in three fields: terrorism, cross-border crime, and illegal migration. For this purpose, the decision sets out provisions with regard to automated access to DNA profiles, fingerprint data, and certain national vehicle registration data, the supply of data in relation to major events that have a cross-border dimension, as well as the supply of information to prevent terrorist offences and other measures for stepping up cross-border police cooperation. The databases that are made available under the Prüm Decision are governed entirely by national law, but the exchange of data is also governed by the decision and the Data Protection Framework Decision.

8 Signed already with the Nice Treaty in 2000, but legally binding only after the ratification of the Lisbon Treaty (Holzacker and Luif, 2014).

9 The Charter includes all the rights found in the case law of the Court of Justice of the EU; other rights and principles resulting from the common constitutional traditions of EU countries and other international instruments; and the rights and freedoms enshrined in the European Convention on Human Rights; e.g., the Convention on Human Rights (ECHR) protects the right to private life, under Article 8 (see: http://ec.europa.eu/justice/fundamental-rights/charter/index_en.htm).

10 Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, Council of Europe Treaties 108 (01/1981). Available at: http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm. Although the European Union is not a party to Convention 108, its rights are applicable for different reasons (Bignami, 2007, pp. 241–242).

11 Handbook on European Data Protection Law, available at: http://www.echr.coe.int/Documents/Handbook_data_protection_ENG.pdf.

12 Source: http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf.

13 The right to have your data erased is not absolute and has clear limits. It only applies where personal data storage is no longer necessary or is irrelevant for the original purposes of the processing for which the data were collected (Liscka and Stöcker, Friday January 18, 2013).

14 European Commission MEMO 14–186; see http://europa.eu/rapid/press-release_MEMO-14-186_it.htm.

15 “Proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data.” (Source: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52012PC0010&from=en).

16 From the beginning, proposal prevention was eliminated, whereas serious crime is intended as defined in every single national law (Holzacker and Luif, 2014).

17 This Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent European advisory body on data protection and privacy. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC.

18 Press Release available at: http://curia.europa.eu/jcms/upload/docs/application/pdf/2014-04/cp140054en.pdf.

19 Personal data includes name, surname, marital status, income, illnesses or diseases, workplace, and preferences and opinions. According to the definition of personal data given in the Directive and in the Italian Code, information can be either objective (e.g., the presence of a certain substance in the blood) or subjective (e.g., opinions, preferences).

20 Constitutional Reform was approved by law n. 3/2001involving the relationship between central and peripheral administrations.

21 Public security can be defined as the activity that allows individuals to live in the community and act within it, showing their own individuality and to satisfy their interests. Traditionally and legislation-wise, public security is associated with the concept of public order, meaning the material public order that is the specific goods which are to be protected. In this sense, public order and public security are equivalent concepts.

22 The newest version of the SIS, or SIS II, came into operation on April 9, 2013. It now serves all EU member states plus Iceland, Liechtenstein, Norway, and Switzerland. Europol and Eurojust also have access to SIS II. SIS II consists of a central system (C-SIS), a national system (N-SIS) in each member state, and a communication infrastructure between the central system and the national systems. The C-SIS contains certain data entered by the member states on persons and objects. The C-SIS is used by national border control, police, customs, and visa and judicial authorities throughout the Schengen area. Each of the member states operates a national copy of the C-SIS, known as N-SIS, which is constantly updated, thereby updating the C-SIS.

23 Communication from the Commission to the European Parliament, the Council, The Economic and Social Committee and the Committee of the Regions, (2010), “A comprehensive approach on personal data protection in the European Union.” Available at: http://ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_en.pdf.

24 The full report and summaries are available from: http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/3192876.

25 Further information can be retrieved from: http://www.ilsole24ore.com/art/notizie/2013-11-01/milano-come-funziona-software-sventa-rapine-064317.shtml?uuid=ABZ9pka.

26 See Italian Government release, available at: http://www.governo.it/Presidenza/Comunicati/dettaglio.asp?d=73621.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.188.57.172