The Italian Supreme Court provides further guidance on valid consent for personal data processing

This order draws to a close a lengthy judiciary matter that began in 2016. The Italian Data Protection Authority issued an injunction against a web portal using algorithms to provide reputation scoring to natural and legal persons. The Court of Rome partially revised and invalidated that injunction, but in 2021 the Supreme Court invalidated the judgment of the Court of Rome and referred the matter again to that court for a new ruling—for more details see our previous article on the matter here.

The Court of Rome applied the Supreme Court’s principle stating that in the case in question the web portal did not provide the necessary information about the algorithm, since it listed the elements that the algorithm took into account, but not how the algorithm processes them. Consequently, the data subject did not have all the information needed in order to express a valid consent. This judgment was eventually appealed before the Supreme Court, which overturned it. The Supreme Court stated that, based on the findings of the Court of Rome, the web portal actually provided the information needed to understand how the algorithm worked. In doing so, the Supreme Court provided a framework to be applied when assessing the meaningfulness of information provided to a data subject about an algorithm.

• Where algorithms are involved, consent may be considered freely given and specific if the data subject is able to use the provided information to “know” the algorithm, which must be described unambiguously and in detail. A mathematical explanation of the algorithm has no bearing. For instance, the web platform claims that the mathematical functioning scheme of the algorithm can be freely consulted via sources from the European Patent Office (since a European Patent was requested), but this is not what data subjects need to know—such information is too technical to be meaningful to them.

• The information must clarify the process that leads from input to output, known as the “execution scheme” (“schema esecutivo”), but this does not mean that the data subject must know in advance and with certainty the outcome of an assessment made by the algorithm.

• The data subject must understand the parameters that algorithms use and how they use them to determine possible outcomes. Such parameters must be sufficiently determined. In this regard, in the overturned judgment the Court of Rome held that the information about the algorithm was not meaningful, since it merely explained how variables were evaluated in relation to each other—e., whether they had a greater or lesser impact, in a favorable or unfavorable sense, in the calculation—without providing the “specific weight” of each parameter in determining the outcome. The Supreme Court rejected that interpretation, noting that the scientific term “specific weight” (weight per unit volume) is not relevant to this assessment, since valid consent requires information about the parameter system used by the algorithm—and in the case at stake that was sufficiently provided.

This new order offers a chance to investigate further the complexity of differentiating between understanding the mathematical workings of an algorithm and describing it in everyday language. This complexity also involves the use of scientific concepts whose meanings are sometimes difficult to employ in legal reasoning. The Supreme Court pointed out that the use of scientific terms, such as “specific weight,” in the field of law is not always appropriate. In addition, it is worth mentioning that, when addressing reputational rating by means of algorithms, the step that precedes the input of the algorithm should be subject to close attention. That requires examining the sources of the data processed through the algorithm and the possibility of identifying them clearly.

[1] With order No. 28358/2023.