A recent decision of the Italian Court of Cassation, regarding the burden of proof in cases of unauthorized access to a home banking account, provides an interesting opportunity to make a number of considerations on the case in question in the light of some of the new obligations provided for by the European Privacy Regulation no. 2016/679 (GDPR).
This is Court ruling 10638 of May 23, 2016: "... Pursuant to Article 2050 of the Italian Civil Code, referred to in Article 15 of the Italian Privacy Code [Legislative Decree no. 196/03], the organization in charge of carrying out a financial or, in general, credit activity, in its role of Data Controller, is liable for the damage resulting from failing to prevent a third party from illegally accessing the computerized tool [userid, password, ...] provided to the customer and the subsequent illegitimate transfer of money, unless the organization can prove that it is not responsible for the harmful event because such event is the result of neglect, error (or fraud) of the customer or of force majeure. ... This is consistent with the provisions of Legislative Decree 11/2010 [transposition of the PSD1 Directive], concerning the obligation of the payment service provider to ensure that the computerized means provided to the customer for accessing and using the payment service are not accessible to persons other than the customer. ... At the same time, the organization is obliged to refund the account holder immediately if the latter disavows a money transfer operation, unless there is a reasoned suspicion of fraud, ..."
Article 2050 of the Italian Civil Code: "Whoever causes damage to others in performing a dangerous activity, due to its nature or the nature of the means used, is liable to pay damages, unless he/she can prove that he/she has taken all appropriate measures to avoid the damage."
Phishing and, in general, cases of illicit access to online bank accounts are part of a growing and worrisome phenomenon, the countering of which requires the utmost attention from all stakeholders, including the data subjects, i.e. the users of payment services.
Access to and use of an online money account is a context of personal data processing (i.e. the set of purpose, type of processing, categories of personal data and data subjects) which, also in view of the new technologies involved and the wide use of such services, should undergo a preventive "Data Protection Impact Assessment" (hereafter DPIA).
GDPR Article 35 provides that, where a type of processing, in particular one using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. Furthermore, the Controller is obliged to consult the Data Protection Authority (DPA) where a DPIA indicates that the processing would result in a high risk. In case of failure to comply with such provisions, the GDPR provides for high fines, up to 10 million EUR or 2% of worldwide annual turnover (if this exceeds 10 million EUR).
Therefore, as a result of the DPIA mechanism, and even more so where DPA Prior Consultation applies in the presence of high risks, the payment services provider, as Controller, identifies and implements pursuant to the law appropriate measures, also to prevent cases of illegal access to its services to the detriment of its customers. It is therefore questionable whether the reference to Article 2050 of the Italian Civil Code through the national privacy legislation should be in some way reviewed, given that the Controller would be, by virtue of its obligation to comply with Articles 35 and 36 of the GDPR, in a position to prove that it did everything possible, even following the specific requirements of the DPA in the case of Prior Consultation, to avoid the damage in relation to illicit access to its services, with the obvious favorable consequences for it.
Taking also into account the new requirements on security and liabilities deriving from the national transpositions of the PSD2 Directive (to be transposed by January 2018), the new requirements about DPIA and Prior Consultation brought by the GDPR will in any case be an important element in cases like the one decided by the Italian Court of Cassation.
The importance of this element could grow further in relation to the privacy certifications and codes of conduct provided for by GDPR Articles 40-43. In fact, although adherence to such codes of conduct and certifications will in no way diminish the obligation of Controllers to comply with the GDPR, such adherence will mean that the Controller (with the endorsement of an external body in the event of certification) has at least shown that it deploys specific appropriate measures for the purpose of GDPR compliance.
A last consideration concerns the personal data breach (GDPR Articles 33 and 34): cases of unlawful processing such as those of ruling 10638/16 of the Italian Court of Cassation seem to be fully covered by the definition of personal data breach (GDPR Article 4(12)); as such, they shall be notified to the DPA (usually within 72 hours from the time of awareness of the breach) and, in certain situations, also communicated to the data subjects without undue delay. In case of failure to comply, the GDPR provides for a maximum penalty of up to 10 million EUR or 2% of worldwide annual turnover, as in the case of the DPIA and DPA Prior Consultation.
Considering the already high and still increasing frequency of cases similar to the one dealt with in ruling 10638/16 of the Italian Court of Cassation, the operating costs (for Controllers and for DPAs) of managing personal data breaches according to the GDPR are expected to be substantial from all points of view.
Thus the question arises whether it will be possible, both at EU level and at individual Member State level, to decide to invest more resources, and more effectively, in training initiatives for the users of digital/online services, in order to make them aware of the risks and to provide them with guidance on how to mitigate those risks and on what to do in case of problems. Such initiatives are intended as support for, and in addition to, the customer training obligation already incumbent on Controllers (explicitly so under PSD2 in the case of payment services), with the aim of making a real contribution to the security and success of an effective European Digital Single Market.
Please provide your reactions, considerations, contributions and proposals to address specific issues in the LinkedIn Groups where this post appears, or write to gloria.marcoccio@glory.it