With order No. 14381/2021, the Italian Supreme Court delivered a landmark decision on the lawfulness of processing personal data using algorithms. Italian courts already had opportunities to tackle similar issues in previous decisions, most notably in a series of judgments issued by administrative courts with respect to the use of algorithms in the context of administrative procedures for the assignment of public school personnel. Said judgments focused, however, on a very specific point, i.e., whether the software implemented by the Ministry of Education could meet the requirements set forth by the law in terms, among other things, of publicity and transparency in accordance with the constitutional principles governing public administration.
However, in the case in question the Supreme Court took a different tack, i.e., establishing the circumstances under which data subjects can provide their valid consent to the processing of personal data carried out through algorithms by private entities.
The facts of the case and the order of the Supreme Court
Specifically, the case concerned a reputational scoring system for natural and legal persons implemented by a private company with a view to countering the problem of fake reviews.
In the first step of the proceedings, the Italian Data Protection Authority (resolution No. 5796783 of November 24, 2016) found that the processing of personal data by the web portal was incompatible with a variety of provisions of the Italian Data Protection Code (Legislative Decree No. 196/2003), implementing Directive 95/46/EC, which was in force at the time. Therefore, the Data Protection Authority ordered that processing operations be blocked pursuant to Article 154 of Legislative Decree No. 196/2003. The injunction was then partially revisited and invalidated by the Court of Rome, and eventually the Italian Data Protection Authority appealed that decision before the Supreme Court.
In the view of the Supreme Court, the Court of Rome failed to grasp the key point that the order preventing processing of personal data from continuing had already highlighted, i.e., the lack of proper legal grounds for the activity to be carried out by a provider of reputation scoring services. Regardless of the existence of an ad-hoc piece of legislation governing such commercial activities, the problem at issue was to determine whether the system designed by the private entity met the requirements for lawful processing of personal data, something the Court of Rome had not properly addressed.
For its part, the Supreme Court pointed out that the applicable provisions (and likewise the provisions applicable after the entry into force of the GDPR) require the processing of personal data to rely upon one of the permissible legal bases. The legal basis in this case requires data subject consent, which, the court noted, is valid only when informed, i.e., when the data subject has been provided all the necessary and relevant details on the characteristics of the processing at stake. This means that the processing must be specifically determined in order for consent to be provided in a free and specific manner. Only under these circumstances can the data subject, after having received all the pieces of information that make consent valid in accordance with applicable legislation (and the GDPR), properly express consent.
In the view of the Supreme Court, the assessment of the value of the consent provided by the data subject must take into account the information disclosed to the subject, including any elements relating to algorithms underlying the rating system. In the words of the court, joining a platform cannot per se imply the acceptance of an automated scoring system that relies on the use of algorithms if the data subject is not informed about the program and the technical input that the algorithms in question use to work and to process data.
It is worth noting that the order from the Italian Supreme Court comes in the context of a very important debate in case law and among scholars on the legal impact of algorithms. One of the most hotly debated issues lies with the value of Article 22 of the GDPR in governing the adoption of automated decisions requiring the processing of personal data. However, as previous judgments of the Italian Council of State (the highest administrative court) seem to show, the general principles enshrined in the GDPR, such as those requiring transparency and the possibility for a data subject to know and understand the processing operations, most notably in the context of automated systems, may prove influential far beyond the domain of the GDPR and personal data.
In the case at issue, however, for processing operations involving the use of algorithms to be deemed lawful, the Supreme Court simply resorted to the well-established category of consent, interpreting the requirements provided by law for its validity in light of the nature of the technology at hand. While the creation of new, ad-hoc rules is a frequent occurrence, the GDPR still proves to work.