GDPR art. 9, entitled “Processing of special categories of personal data”, after having setting forth the general rule, specifically that “1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person‘s sex life or sexual orientation shall be prohibited,” identifies at paragraph 2 a few exceptions to that prohibition, which include – at letter e) – cases regarding processing that “relates to personal data which are manifestly made public by the data subject”.
This exception raises doubts as to the interpretation of the precise definition of its scope, especially when it calls attention to the important phenomenon of the indistinct mass of personal information that is shared on social networks every day.
For this evaluation I believe it is opportune to 1st consider the traditional meaning ascribed to the expression “public” as interpreted and applied by the Italian Privacy Code.
The first place in which our laws refer to the concept of personal data made “public” is set forth by the general consensus relating to the processing of – ordinary – data contained in “public registers, lists, acts or documents that are accessible to anyone”, set forth in art. 24, para. 1, letter c) of the Italian Privacy Code.
Considering the application of this provision, noting that the Italian DPA clarified in the decision dated 11 January 2001 (“Political communications, e-mail, acts and documents accessible to anyone”, published in Bollettino “Cittadini e società dell’informazione” n. 16, p. 39) that the provision set forth in art. 24, para. 1, letter c) of the Italian Privacy Code: “refers not to any personal data that is indeed accessible to a plurality of persons, but only to personal data that in addition to being included in “public” registers, lists, acts or documents (…) is subject to a legal regime of full knowledgeability by anyone, a regime which, however, can also include modalities or temporal limits (…)”: namely, in this context, for the legitimacy of use of the personal data it is not sufficient that such data is present in sources that are freely accessible, but it is also necessary that the purpose of such use is compatible with those reasons that justify its presence in the source, which is, indeed, public.
The consequence of this is – for example – the long-standing case law of the Italian DPA that forbids the use of personal data drawn from professional bodies for purposes that are not directly connected to those provided as the reason for such information’s publication , as with the traditional affirmation of the principle according to which the fact that an email address is accessible to anyone because it can be easily retrieved on the Internet does not authorize third parties to use it for sending advertising messages on an indiscriminate basis, needing instead to consider, in identifying permitted uses, the specific purposes, in the actual case in point, of public availability of the email address (for example, a list of addresses of professors published on a University website are usable only for contacts linked to their institutional activities).
Naturally this framework also applies regardless of the fact that personal data are contained in “public registers, lists, acts or documents accessible to everyone” because they were inserted by third parties or by the data subject itself, as occurs in social networks: with specific regard to the reuse of personal information published on social network profiles, one must note that the “guidelines for materials consisting of promotional activities and spam” dated 4.7.2013 (doc. Web 2542348, par. 6.1) affirms that it is illegitimate to send “ marketing message relating to a specific product or service from a company that obtained the user's personal data from the user's profile on a SN”, on the basis of the consideration that “the circumstance whereby personal data (such as phone numbers or email addresses) can be retrieved easily on the Internet does not allow using such data to send automated marketing messages without the recipients' consent”.
The application of the exclusion set forth at art. 24, para. 1, letter c) of the Italian Privacy Code is therefore based on the prevalence of the principle of finality (art. 11, para. 1, letter b) and d) of the Italian Privacy Code), on the basis of which the data may be gathered and registered for purposes that are determined, explicit and legitimate and may be used for other types of processing that are compatible with those purposes.
One case in which the Italian Privacy Code specifically refers to personal data made “public” is that in which “data concerning circumstances or events that have been made known either directly by the data subject or on account of the latter's public conduct” in the context of journalistic pursuits or by other means of expression (including arts), as results from the combination of the provisions of art. 137, para. 3 and art. 136 of the Italian Privacy Code.
As is widely known, in this specific context the communication and diffusion of even sensitive personal data “made known directly by the data subject or through their behavior in public” (and therefore also the information posted on social networks) is permitted not only without the consent of the data subject and authorization of the Italian DPA, and in particular without the obligation to provide prior information to data subjects, but also in the absence of the specific limitations that the law generally sets forth for the exercise of the press freedom: primarily the timeliness and relevance for the public interest of the information subject to processing (on this point jurisprudence of the Italian DPA has been consistent since 1999: see Provv. “Privacy and information” – 18.10.1999: “there is no violation of privacy nor the Code of Practice Concerning the Processing of Personal Data in the Exercise of Journalistic Activities whether the information is made known directly by data subject or through their behavior in public”; Provv. “Publishing data made known directly by the data subject does not violate privacy” – 28.10.1999: “the diffusion by way of the press of circumstances, news and data already made known by data subject through “open letters” sent to a wide range of subjects does not violate the limits to press freedom set forth in protection of privacy”).
Instead there remain, as necessary circumstances for legitimizing the processing, compliance with the general principles of fairness and data minimization, as well as substantial adherence of the information shared to that made public by data subject itself.
In relation to such processing, these are always subject to the right to subsequently provide proof of the existence of lawful justification deserving legal protection (art. 5, para. 2, Code of Practice Concerning the Processing of Personal Data in the Exercise of Journalistic Activities), as well as the right to object, in whole or in part, on legitimate grounds, to the processing of personal data concerning him/her on the basis of art. 7 of the Italian Privacy Code.
This highly facilitated processing regime aims to guarantee the freedom of information (see. ex multis Provv. 30.12.2011 – doc. web n. 1873945), as well as the necessary balancing with a person’s fundamental rights (see Code of Practice Concerning the Processing of Personal Data in the Exercise of Journalistic Activities and Code of Conduct and Professional Practice Regarding the processing of personal data For historical purposes, respectively attached as Annexes 1 and 2 to the Italian Privacy Code)
To summarize, one may say that in the current system the reuse (by private parties, because “reuse” of information in the context of the Public Administration is a different and complex issue, which falls outside the scope of this discussion) of personal information that is “publicly available” (as per the cited articles of the Italian Privacy Code) is permitted without the data subject’s consent:
in general, with regards to “ordinary” personal data, within the limits of the principle of purpose limitation, and therefore for end uses that are consistent with those that lead to the “publication”;
instead, as a specific exception – which also extends to sensitive information – for cases in which the law identifies the possibility that the data can be used following a balancing between fundamental rights, according to the conditions specified.
Turning to the provisions of the GDPR at issue, it is necessary to underline that art. 9, para. 2, letter e) constitutes an exception to the general principle that sets forth in an absolute prohibition on the processing of personal data belonging to the specific categories indicated paragraph 1: in summary, the provision states that such information, whenever it is made manifestly public by the data subject, can be processed. However, it does not identify the rules by which this is possible.
Of particular significance, as set forth herein, is the first (and the most general) of the exceptions, namely giving the “explicit consent to the processing of those personal data for one or more specified purposes” (letter a): despite the formal manner in which the law is set out (a general prohibition with exceptions), in practice the general rule appears to be that the processing of data belonging to special categories is permitted upon receipt of express consent for one or more specific purposes, while the other exceptions to the prohibition assume the function of specific circumstances equivalent to express consent.
Therefore, because the exceptions are to be read as being alternative to each other, one may say that the action of making one’s “special categories’” personal data manifestly public equates to providing valid consent to the processing of the same: therefore, data belonging to special categories that the data subject on its own initiative makes manifestly public may be processed.
The recognition of an affirmative action by the data subject as equivalent to valid consent is therefore consistent with the characteristics that consent has in the GDPR, as deduced from the various whereas (for example, see n. 32) and the related definition (art. 4, n. 11) “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
But this does not signify that the information made manifestly public may be processed indiscriminately: without a doubt, the scope of the exception, as stated, is not to exempt it from the appropriate treatment with respect to the general principles (art. 5 GDPR), including all of those traditionally present in our legal framework, including purpose limitation principle
As a stimulating point, I remind that article 6, para. 4 GDPR specifies general condition for lawfulness of data processing – not based on consent – for different purposes than those for which the personal data are initially collected, in compatibility of such subsequent purposes with the original purposes, leaving the controller to conduct – for the related verification – the evaluation, including “(…) c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9 (…); d) the possible consequences of the intended further processing for data subjects;”.
With regard to the evaluation of the scope of protection the regulation offers to the data subject that makes its personal data “manifestly public”, it is necessary to also highlight that the GDPR definitively sets forth (see whereas4) the right to protection of personal data as a fundamental right to be considered “in light of its social function”: the substantial effect of which seems to be the extension of the related protection to other (autonomous) fundamental rights of the data subject belonging to the category of personality rights, including in particular the right to personal identity.
In this sense the “whereas” of the regulation (specifically 75 and 85) set forth indications that explicitly identify – among the risks inherent in the processing that are subject to identification, evaluation and obligatory prevention by the controller – those acts that cause “social disadvantage” to the data subject, expressly including “damage to reputation”.
Therefore, the use of this personal information must have limits, aside from the general principles that constitute the framework of the right to protection of personal data, while also respecting other personality rights of the data subject, with particular regard to personal identity: from there it follows that within the GDPR system the related processing, even if supported by a precise exception for consent and by purposes that are abstractly consistent with those for which the information was made public by the data subject itself, may be illegitimate – also considering the same regulations on the protection of personal data – whenever, for the means with which the processing is conducted or for the effects that it produces, it creates a social or reputational damage for the data subject.
There remains no doubt as to the possibility for the data subject to exercise its right to object (art. 21 GDPR) and, above all, the right to erasure (“to be forgotten”) (art. 17 GDPR).
Lastly, respect for privacy is not enough: the use of “personal data made manifestly public by the data subject” must in any case also respect all applicable norms, as those regarding copyright (for example, with regard to the use of photographs) or legal penalties (for example, laws regarding defamation).
In conclusion, I do not believe that the GDPR, once effective, will legitimize the indiscriminate use of personal data belonging to the special categories indicated in article 9 when posted on social networks: the processing, as a result of the norms under examination, will be possible, but will always need to respect the principles of lawfulness, purpose limitation, data minimization and be considered in the context of a balance of interests between the fundamental rights which – in observance of the mechanism of “accountability” – the controller shall be responsible for, and able to demonstrate compliance with.