The Italian DPA on unlawfulness of online reputation measuring

With quite a resounding decision of 24 November 2016, the Italian Data Protection Authority (“DPA”) excluded the lawfulness of the processing of personal data proposed by Mevaluate, an organisation wanting to launch a web platform capable of calculating the reputation of certain individuals in an allegedly impartial and reliable way. Such result would be achieved thanks to the collection of personal data contained in documents – such as certificates of criminal records and tax clearance, diplomas, legal claims and court judgments, etc. – uploaded by users. Then, these data would be processed by an algorithm capable of obtaining reliability indices regarding the moral image, and professional and relational census of the measured individuals, to be made available, for a fee, to all the platform users.

The DPA’s decision followed a prior checking request by the organisation, which had asked the DPA to confirm that the data processing necessary for the operation was compliant with Italian privacy law, taking into account the following circumstances: i) the measured users’ prior consent to the processing would have been collected; ii) the measuring of third parties’ reputations would be based on freely usable personal data; iii) the data processing modalities and purposes would be described in detail in a specific privacy policy; and iv) the organisation would have taken all the minimum security measures described in the Italian Data Protection Code.

After a preliminary inquiry, however, the DPA stated that the data processing described by Mevaluate was not compliant with the Italian Data Protection Code in light of its suitability to harm the dignity of the individuals concerned. The proposed processing, in fact, would have involved the collection of personal data likely to considerably affect – due to its nature and volume – the economic and social appearance of many individuals.

In particular, in the DPA’s view, the consent of the individuals included in the platform would not be freely given, since they would be forced to become part of the platform in order to question reliability indices regarding them; moreover, such indices would have been obtained on the basis of data that, even if freely accessible, should not be used without the consent of the individuals to whom they relate.

Many doubts have also been raised by the DPA with regard to the alleged objectivity of the criteria used to generate the ratings. In fact, in the absence of adequate contrary evidence, the DPA doubted the reliability of sensitive and complex decisions such as those connected to individuals’ reputations when adopted by automatic systems.

Lastly, even the alleged adoption by Mevaluate of the minimum security measures provided by the Privacy Code – mostly involving “weak” authentication systems – was not considered sufficient in itself by the DPA, due to the particular extensiveness of the data processing at issue. The privacy policy the organisation intended to adopt was considered equally inadequate, since it indicated purposes that did not correspond to those actually pursued.