Interview with Carlo Piana from Array Law
Happy 16th Data Protection Day!
Launched in 2006 by the Committee of Ministers of the Council of Europe, Data Protection Day aims to educate the public on the right to data protection and the growing challenges it faces in our always-connected world. The day is observed globally and called “Data Privacy Day” outside Europe.
To celebrate Data Protection Day, Zextras had the pleasure to chat with Mr. Carlo Piana, a partner at Array Law with 25+ years of experience in the IT&TLC Law sector. Mr. Piana offered us valuable insight into the dangers we face as data subjects – and into what companies and users can do to improve data security.
The interview was conducted in Italian.
Zextras: Today is Data Protection Day – or, as it is known outside of Europe, Data Privacy Day. I find this different terminology intriguing. What is “privacy,” and what is “data protection”? Are they one and the same? Or is there a difference we should be aware of?
CP: I prefer to talk about “Data Protection.” It’s broader and more specific at the same time. Privacy, of course, is a fundamental component of data protection: avoiding unwanted and unnecessary access is crucial. But data protection is about more than secluding information. Data subjects have the right to make sure that their data is not erased, inaccurate, or incomplete.
To give you an extreme example, my blood group or any allergies I have are, of course, personal data. It’s obvious that I do not want this information to be disclosed without my consent: but it doesn’t stop here.
I also want the data to be accurate and processed with due attention because otherwise, I might face serious – even lethal – consequences.
So you see, privacy is not my only concern in this scenario. The notion of “data security” better captures all these nuances.
Z: Data Protection Day was created by the Council of Europe in 2006. After more than 15 years, how do you think our relationship with data protection and privacy has evolved? Is the general public more or less privacy-aware than it was back in 2006?
CP: Unfortunately, I’d say the public is less aware than it should be. Or rather: there’s a selective sort of attention. Most people know the theory; they know they are supposed to care about privacy and data security. But then they fail to translate this notion into practice.
Every day, we share a ridiculous amount of personal data.
Sometimes, we do it intentionally, without realizing the risks we could face: think about how many parents post their underage children’s data on social media.
Other times, we might not even know we are sharing personal data, or we might think we are sharing way less information than we actually do.
In both cases, there isn’t a real understanding of the importance of keeping data safe.
And this is a pretty serious problem because oversharing can have serious, far-reaching consequences. Let me just name one. Data can be harvested to build voters’ profiles and then influence them with targeted campaigns: we’ve seen that happen quite spectacularly with the Cambridge Analytica scandal.
Also, we have no idea what could be done with our data in 5, 10, 15 years. Information we shared carelessly might resurface to haunt us.
Z: Would you say we are less safe than we were 15 years ago?
CP: Not necessarily. We have the GDPR now, and we didn’t have it 15 years ago. And luckily, after the EU implemented it, other countries followed suit – Brazil, Canada, New Zealand, and Australia all have adopted stricter regulations. Switzerland, too, has put in place provisions guaranteeing a very high standard of data protection.
Having said that, there’s no doubt we are more exposed to risks than we were 15 years ago. As I’ve said before, the amount of data we share has increased dramatically over the last decade, with the spread of cloud applications and social media. And the more data we share, the more dangers we run.
So it’s a mixed bag – we are more protected, but at the same time, we are more at risk.
Z: What could we do today to reduce the quantity of data we share? Could you give us some actionable advice?
CP: First, you should stop using social login. Social login makes you share a ton of personal data without even realizing it. The 30 seconds you save are simply not worth it.
Secondly, I’d recommend being careful with the internet of things. Let me clarify: the problem is not IoT itself – actually, IoT can be a fantastic resource. But not all companies are the same, and users should be cautious, especially when using cloud technology. There’s no reason why your request to start the dishwasher should travel to servers located in some remote places – usually in China.
And finally, I know this will fall on deaf ears, but please, don’t use the same password everywhere. It’s dangerous, particularly if you use your email as your username. If hackers manage to break through a security system and obtain both your username and password, they’ll be able to use them at will.
Z: What tells us a company really values our privacy and is not just writing it on its cookie banner for PR reasons?
CP: Unfortunately, in most cases, a layperson won’t be able to tell – a comprehensive assessment requires a degree of technical knowledge.
But if I were to mention one thing I appreciate, it would be two-factor authentication. It’s a pity that most users consider it a nuisance.
Z: Having discussed what users should do, let’s talk about companies and organizations. To adopt the wording of the GDPR, is “privacy by design” something they are committed to? Or do they see privacy regulations as a burden?
CP: The landscape is too varied to answer “yes” or “no,” but I must say that in my experience, many companies do care about privacy and security. In this sense, the GDPR and its “golden standard” surely helped. Companies work hard to ensure the data they manage stays safe.
Of course, larger companies can invest more resources than SMEs, but the latter are not without options. For example, they can choose to partner with service providers who care about their security and offer state-of-the-art, compliant solutions.
Z: Can you give us an example of what companies should look for in a service provider?
CP: There are several factors to consider, but I’d say disaster recovery plans and geographically distributed data backups if I were to name just two.
In general, a company has to take a good look at what the provider offers in the service-level agreement (SLA).
Z: Can you think of any honest mistake companies make? Meaning, instances when they believe they are doing everything by the book but actually aren’t?
CP: Oh, there are quite a few… Many companies don’t do their data protection notice right. Others don’t mention their data retention policy or have absurdly long retention periods.
There’s also a lot of confusion surrounding consent: sometimes consent is asked for when it’s not necessary; other times it’s not asked for when it’s mandatory; and a lot of the time pre-ticked boxes are used, even though they are not a valid form of consent under the GDPR. Companies also tend to rely too much on legitimate interest.
But the biggest mistake a company can make is to hire DPOs that are not up to the task. For instance, and I know it’s going to be controversial, if DPOs use Gmail as their email service provider… it’s not a good start.
Z: And finally: is there a myth about data protection you’d like to dispel?
CP: Privacy as an absolute right. It isn’t; actually, there is no such thing as an absolute right, strictly speaking. It is a fundamental right, but it must be weighed against other fundamental ones, such as the right to democratic scrutiny in the public discourse.
In particular, privacy should not be used by governments as a smokescreen to dispel civil access to relevant information, for example to avoid responding to FOIAs.
At the same time, data protection is not an invention of the European Union for weird reasons, or an oddity of bureaucrats who take pleasure in plaguing our websites with meaningless cookie-law pop-ups. It’s way more than that, and far too profoundly intertwined with our past, present and future life to be dismissed because of some quirks and occasional annoyances. It’s important to have it, and it’s important that it is effectively implemented, with a grain of salt, avoiding meaningless and useless formalities in favour of actual protection and control.