The Italian Data Protection Authority fines Italian university Bocconi for unlawful processing of students’ personal data

Following up on a claim filed by a student, the Italian Data Protection Authority (“Garante”) examined the processing activities carried out by the private university Luigi Bocconi (“University”) in connection with the implementation of a proctoring system (“System”) that allows it to monitor students’ behavior during written exams given online because of the pandemic emergency (Garante Decision of September 16, 2021, No. 317, doc web No. 9703988, “Decision”).

The Garante analyzed in detail how the System works and identified several violations due to (a) the processing of biometric data and the performance of profiling activities without a proper legal basis; (b) lack of information in the privacy policy (e.g., the data retention periods were not clearly established and the information on data transfer to the United States and related safeguards was vague); (c) noncompliance with minimization, data retention, and privacy by design and by default principles; (d) lack of proper safeguards for the transfer of personal data to the United States; and (e) inadequacy of the data protection impact assessment.

Based on the above, the Garante (i) sanctioned the University with a fine amounting to EUR 200,000; (ii) prohibited any further processing of students’ biometric data and personal data for profiling purposes, as well as the transfer of such data to the United States; and (iii) requested feedback on the initiatives taken by the University to implement the Decision and the measures put in place to ensure compliance with data protection provisions.

That said, the reasoning the Garante provided in the Decision offers some food for thought as to the actual meaning of the definitions of biometric data and profiling activities, as well as to the legal basis for this processing activity.

  1. The System: How it works

The System provided by Respondus Inc. (“Respondus”) includes (i) a “LockDown Browser” feature to inhibit specific functions of the devices used by students during the exam, e.g., blocking the opening of webpages and copy and paste functions; and (ii) a “Respondus Monitor” feature to detect and analyze data, such as video of the student taking the exam, changes in their face or absence of the same, the time the test is completed, the response to each question, the keys pressed on the keyboard and so on.

The University stated that the System is designed to ensure that remote exams are taken properly by providing guarantees similar to those provided during in-person exams. Indeed, at the beginning of the exam the LockDown Browser takes a picture of the student and records the identity document shown by the student, while at the end of the exam the System processes video along with data collected through the Respondus Monitor to determine whether the student may have engaged in improper behavior, indicated by warning signals (“Flags”). Furthermore, the System can determine “Review Priority,” so that the professor can then assess whether improper action has been carried out.

  1. The scope of the definition of biometric data and profiling activities

Regulation (EU) 2016/679 (“GDPR”) establishes enhanced protection for biometric data, included in the special categories of personal data, and defines them as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.” Furthermore, before the GDPR came into force, the Garante had already examined processing activities that involve the use of facial recognition technologies, stating that the condition for the processing of images to be qualified as biometric processing is that the comparisons designed to identify the individual be automated by means of special software or hardware tools (Garante’s Decision of July 26, 2017, No. 345, web doc. No. 6826368).

Based on the above, in the case in question the Garante held that the System processes biometric data because it carries out specific technical processing of a student’s physical characteristics, i.e., their face, to confirm that the student is present throughout the exam and that another person does not replace them. Although the System does not automatically identify the student, nor does it compare their face image with other images in a database, it still carries out processing of biometric data in collecting, processing, and analyzing the video produced by the software using an artificial intelligence algorithm to produce Flags. Consistently, Respondus has stated that the software creates a biometric template, even if it is not directly used for identification or verification purposes.

The Flags are also assessed based on the analysis of student behavior through the Respondus Monitor features, as described above. Therefore, the Garante stated that profiling activities are carried out by the University, since it uses partially automated means to process students’ personal data for the purposes of evaluating certain personal aspects—specifically, analyzing or predicting aspects of their behavior and reliability. Thus, once again, profiling can be found to exist irrespective of whether or not there is a consequent entirely automated decision.

  1. The legal basis for processing biometric data and for profiling activities

The University has based biometric data processing on student consent, under Article 9.2.a) of the GDPR. However, the Garante considered that unsuitable as a legal basis and said that the processing is carried out by the University for the purpose of issuing a degree having legal value, which should be considered to fall under performance of a task in the public interest. Specifically, the Garante noted that the GDPR does not provide different regimes applicable to public and private entities, but instead takes into account only the functional aspect of data processing; therefore, as both public and private universities pursue that same public interest, the processing activities carried out by them must be based on that interest (under Article 9.g) of the GDPR and Articles 2-b and of Legislative Decree No. 196/2003, “Italian Data Protection Code”).

That said, according to Article 2-e of the Italian Data Protection Code, the processing of special categories of personal data necessary for reasons of substantial public interest shall be allowed if it is provided in EU or national law or, where provided by law, in a national regulation. Such law or regulation shall specify the main characteristics of the processing. Nevertheless, in the case at stake, there are no law provisions allowing and regulating data processing for the purposes pursued through the System; thus the University is carrying out the processing without a proper legal basis.

Furthermore, according to the Garante, in this case consent does not constitute a legitimate legal basis, nor can it be considered an “expression of free will,” because of the imbalance of the students’ position with respect to the University. Indeed, the only alternative offered to students, if they did not give their consent, was to take the exam in person, with procedures to be agreed upon with the relevant professor, thus putting students’ health at risk and leading them to fear negative consequences for their choices.

That said, for biometric data processing, the Garante has ruled that profiling activity also must be based on the pursuit of a public interest and that, in the absence of a legal provision that makes such processing legal and governs it, that, too, is unlawful.

This decision is interesting in its implication for the use of biometrics not only for identification and verification purposes, but also for the attribution of behaviors to an identifiable person, as well as for considerations concerning the notion of profiling and freedom of consent.

Follow us on