30 October 202417 minute read

Innovation Law Insights

30 October 2024
Data Protection and Cybersecurity  

Italian Data Protection Authority sanctions company for accessing emails after employment ends

The Italian Data Protection Authority (Garante) has recently sanctioned a company for accessing the company email accounts of former employees after their employment ended. The violations pertain to principles of lawfulness, data minimization, and storage limitation, as well as labour law regulations on remote monitoring.

In this case, the Garante imposed a fine of EUR80,000, along with a prohibition on further processing of the data collected via the company’s email backup software. This issue arose from a complaint from a former employee, who reported that the company accessed their email account to collect evidence in a legal dispute involving alleged trade secret misappropriation.

Which violations did the Garante identify?

The Garante found the company’s email data processing practices for its (former) employees to be in violation of data protection laws. This was because of inadequate transparency in the privacy information notice regarding potential email monitoring, and breaches of the principles of lawfulness, minimization, and storage limitation, as well as labour law rules on employee monitoring.

The Garante highlighted specific shortcomings in the areas of:

  • Transparency – According to the Garante, the privacy information notice provided by the company didn't meet the minimum requirements of EU Regulation 679/2016 (GDPR), failing to adequately inform employees about:

    • the existence of systematic backups of corporate emails and their retention for three years after the end of the employment relationship;

    • the justification for retaining this data for three years post-employment, which was vaguely attributed to “business continuity”;

    • the possibility of company-initiated inspections of email content and the methods for conducting such inspections.

  • Lawfulness, Minimization, and Storage Limitation – The Garante found the company’s retention period of three years for emails and six months for access logs excessive for the purposes of security and business continuity. Specifically:

    • The company’s email backup software allowed detailed monitoring of employee activities on the email system, breaching the prohibition on remote monitoring as outlined in Article 4 of the Workers' Statute, which requires trade union agreement or authorisation from the labour inspectorate for such invasive practices.

    • Access to former employees’ emails, even if intended to protect the company’s rights, should be limited to specific legal disputes rather than abstract or potential defence scenarios.

Using employee emails for evidence in alleged misconduct: How to do it lawfully?

This decision is an important reference for understanding the Garante’s position on accessing employees' email accounts for defence purposes in legal proceedings and highlights the potential consequences of similar practices widely adopted by many companies. However, the Garante’s assessments and sanctions take into account several key factors, such as:

  • Minimizing Data Processing – Using appropriate measures to limit investigations to specific, relevant samples of communications critical to actual legal defence, such as through targeted filters.

  • Avoiding Automated, Indiscriminate Monitoring – Ensuring compliance with labour laws by not employing indiscriminate monitoring solutions.

  • Establishing Reasonable Suspicion of Misconduct – Having a concrete suspicion of trade secret misappropriation, which can justify access to selected emails as necessary evidence for legal defence, provided it's clearly substantiated.

Final considerations

This decision underscores the importance for companies of establishing clear, comprehensive privacy information notices, particularly regarding any potential defensive monitoring of email accounts, even after employment ends. However, these practices must always respect the prohibition on remote monitoring as per Article 4 of the Workers' Statute and implement measures that minimise data processing to protect employee dignity and fundamental rights.

Author: Deborah Paracchini

 

Italy implements the Data Governance Act: News on Legislative Decree No. 144/2024

On 25 October 2024, Legislative Decree No. 144/2024 entered into force, transposing Regulation (EU) 2022/868 (the Data Governance Act) in Italy.

Already published in the Official Journal on 10 October 2024, and preceded by the opinions of the Italian Data Protection Authority, the National Cybersecurity Agency and the Agency for Digital Italy, the decree aims to harmonize national legislation with the Data Governance Act, which is expected to promote the sharing and reuse of public and private data in a secure and transparent manner.

Updates introduced by the Data Governance Act

The Data Governance Act, applicable from 24 September 2023, is a European regulation that aims to create a regulatory framework to facilitate the reuse of data (personal and non-personal) held by public and private entities, promoting trust and transparency in the sharing of data for purposes of general interest.

Among the main innovations, the Data Governance Act introduces the possibility (but not the obligation) for the public administration to share data not covered by the previous regulation on "open data" (Directive (EU) 2019/1024 on the open data and re-use of public sector information), providing for a series of technical measures to ensure its security and confidentiality. The public administration has to pseudonymize and anonymize the data owner. And the data owner has to be shared and stored on secure servers and covered by confidentiality agreements between the public body and the re-user of the data. To facilitate the research and development of SMEs and startups, access to and re-use of data is allowed on the basis of capped rates.

The Data Governance Act also introduces the concept of "data altruism," whereby citizens and businesses can make the data they generate available for the benefit of society and for purposes of general interest, such as for scientific research projects, technological innovation and public policies. Organizations wishing to participate in these initiatives must adhere to strict transparency and security requirements, ensuring that data is protected, used ethically, and for non-commercial purposes.

To encourage the sharing and reuse of data, the Data Governance Act has also introduced the role of the data intermediary. It's an entity that facilitates the sharing and exchange of data between different actors, such as companies, public bodies and individuals, as a neutral third party, and offers cybersecurity guarantees and protection of the transparency of data flows. The intermediary doesn't own or control the data, but provides a platform or service that allows organisations or individuals to share it in a controlled manner. Their role is crucial in building trust between the parties involved, ensuring that data is processed in a manner that complies with the law and respects the rights of individuals.

What Decree 144/2024 provides for

The Data Governance Act, as a European regulation, has been directly applicable and enforceable in all its elements in Italy since 24 September 2023, with some transitional provisions applicable by 2025. However, the Data Governance Act itself has entrusted each member state with the task of adopting national legislation on specific aspects. These include the designation of competent bodies to assist public sector bodies in granting or refusing access to data re-use, as well as identifying the authority responsible for procedures related to data intermediation services.

The Italian Decree delegated these functions to the Agency for Digital Italy (AgID), which will be responsible for managing notification procedures for data intermediation services and will be responsible for managing a one-stop shop for data access and reuse, facilitating communication between public bodies and data users.

In carrying out these functions, AgID will have to collaborate closely with other authorities such as the ACN (National Cybersecurity Agency), the AGCM (Competition and Market Authority) and the Data Protection Authority, also by entering agreements that will define the coordination methods and specific competences, including the methods of preliminary consultation.

Finally, the Decree gives AgID a crucial role in monitoring and applying the rules introduced by the Data Governance Act, also defining the sanction applicable in the event of violation. Without prejudice to the penalties already provided for by the GDPR and the competence of the Italian Data Protection Authority for personal data breaches, the Decree provides that AgID can impose administrative fines in the event of violation of various obligations of the Data Governance Act, such as those relating to the transfer of non-personal data to third countries or notification obligations for providers of data intermediation services. These penalties can range from a minimum of EUR10,000 up to a maximum of EUR100,000, or, for companies, up to 6% of the total annual worldwide turnover of the previous year.

During the sanctioning procedure, which is regulated by the Digital Administration Code (CAD), AgID will have to consider several factors, including the nature, severity, extent and duration of the violation, the corrective actions taken, the recurrence of the violation, the financial benefits obtained from the violation and other aggravating or mitigating factors.

Final thoughts

Following the entry into force of the transposition decree, achieving the Data Governance Act's ambitious objectives of creating an open and transparent data economy is now closely linked to the activity of AgID, which will have to adopt measures to facilitate and technically and organisationally regulate data sharing mechanisms, ensuring maximum security.

A crucial element for effectively implementing the new legislation will be the cooperation with the Italian Data Protection Authority, to ensure that data sharing takes place in a secure and GDPR-compliant manner. And it's important to avoid data intermediation and altruism resulting in conflicts between the two regulations or divergences between the practices that can be implemented for personal data and non-personal data.

Author: Marianna Riedo

 

Sports Media and Entertainment

Rules and sports regulations under debate: The Diarra ruling and FIFA rules

The recent ruling (frequently called as the Diarra ruling) by the Court of Justice of the European Union will have a substantial impact on the sports sector.

It stems from a preliminary question raised by the Court of Appeal of Mons, Belgium. The case concerns the compatibility of certain provisions of the "FIFA Regulations on the Status and Transfer of Players" (FFTR) with the rules of the Treaty on the Functioning of the European Union (TFEU), particularly regarding the free movement of workers (Art. 45 TFEU) and competition rules (Art. 101 TFEU). The referral to the court came as part of a dispute between FIFA and French footballer Lassana Diarra, who challenged the compliance of FIFA's rules with the rights conferred by the EU Treaty.

The case revolves around a fundamental issue: to what extent FIFA's rules, governing the early termination of contracts between players and clubs, are compatible with EU law. Diarra contested the legitimacy of sanctions imposed on players who terminated their contracts without just cause, and the consequences for clubs that decided to sign such players.

The dispute between Diarra and Lokomotiv Moscow began when the player decided to unilaterally terminate his contract for just cause. However, under FIFA's rules, this required the payment of significant compensation to the club, calculated based on the remaining value of the contract. FIFA also imposed sanctions on any club that subsequently signed the player, making it difficult for Diarra to find a new team willing to take this risk.

In this specific case, Belgian club Sporting Charleroi expressed interest in signing the player, but the lack of an International Transfer Certificate (ITC) issued by the Russian Federation prevented the transfer being formalized because of the ongoing dispute between Diarra and Lokomotiv Moscow.

In 2015, FIFA ruled that Diarra should compensate Lokomotiv with an amount of EUR10.5 million. This decision was upheld by the Court of Arbitration for Sport (CAS), leading Diarra to sue FIFA and the Russian Federation in Belgian courts, seeking compensation for the damages suffered due to FIFA's restrictions.

The Court of Justice was called upon to rule on the compatibility of FIFA's rules with the provisions of the TFEU. In addressing the case, the court emphasized the importance of separately analysing the issues related to Art. 45 (free movement of workers) and Art. 101 (competition), as each pursues distinct objectives and imposes different conditions for application.

According to the court, the FFTR rules, which blocked the transfer of players in the event of a dispute with the original club, violated Article 45 TFEU, as they represented a clear obstacle to the free movement of workers within the European market. The mere existence of a dispute prevented the player from moving, while the financial risks and sporting sanctions made it impossible for a new club to hire him.

The court acknowledged that some restrictions on free movement may be justified to ensure the stability of contracts between clubs and players, an element considered essential for the regularity of sporting competitions. However, it ruled that the sanctions imposed by FIFA's rules were disproportionate and excessively favoured the interests of clubs over the rights of players.

Regarding competition, the court found that FIFA's rules constituted a restriction on competition, violating Article 101 TFEU. These rules hindered the ability of clubs to freely sign players, creating artificial barriers that limited competition in the transfer market.

One of the issues raised by the ruling concerns its potential scope: is it a judgment limited to the specific rules examined by the court, or does the decision call into question the entire system of transfers regulated by FIFA?

Although critical of certain provisions, the court doesn't seem to challenge the general principle of contractual stability that governs relations between clubs and players, which underpins the transfer system. Rather, the court's focus was on the disproportionate sanctions and excessive obstacles to player mobility.

In conclusion, the European Court of Justice ruling highlights the limits of some provisions of FIFA's transfer regulations, as they're incompatible with EU law regarding free movement and competition. But the decision doesn't imply a complete rejection of the transfer system, recognising that some restrictions may be justified by the need to ensure contractual stability and the regularity of sporting competitions. Nonetheless, FIFA's rules will require adjustments to ensure greater proportionality and transparency. Following the ruling by the CJEU, FIFA has already announced its willingness to improve player transfer regulations and is open to dialogue with the various stakeholders involved.

Author: Vincenzo Giuffré

 

Technology Media and Telecommunication

BEREC launches public consultation on private and public 5G networks

On 3 October 2024, the Body of European Regulators for Electronic Communications (BEREC) launched a public consultation on the "Draft BEREC Report on the evolution of the private and public 5G networks in Europe."

The report outlines BEREC's preliminary view on the current status, needs, and regulatory issues related to the implementation of private and public 5G networks from the perspective of national regulatory authorities. As stated in the report, BEREC drafted it considering the responses provided by national electronic communications authorities to internal surveys. These responses revealed that, to date, only a few member states have adopted dedicated frameworks concerning private 5G networks.

The report under consultation is divided into five chapters, which address the following topics:

  • Firstly, the report presents some general considerations and outlines the reasons why, in BEREC’s view, it's necessary to analyse the evolution of private and public 5G networks, such as the clear need for harmonization at the European level of regulations applicable to 5G networks, in light of the fragmented approaches adopted by various European countries.
  • The draft report then clarifies the definitions of “private networks,” “private mobile networks,” and “non-public networks” that BEREC intends to use for the purpose of the report and explains the technical architecture of these networks, the status of radio spectrum regulation for private networks in various European countries, including references to the frequency bands used for private mobile networks.
  • The report dedicates the third chapter to the issue of numbering resources, posing specific questions to the participants of the public consultation. It addresses the management of these resources, the challenges encountered, and the measures adopted by different countries to ensure unique numbering resources for private mobile networks and avoid interference with other networks.
  • The report also analyses the drivers behind the implementation of private networks, inviting public consultation participants to respond to specific questions. The report includes some case studies, emphasizing that BEREC considers it necessary to analyse the reasons behind the implementation of private mobile networks, which are identified in the advantages offered by 5G services from the technological point of view in terms of performance, and the need for businesses to digitalize.
  • The final chapter of the report presents BEREC’s conclusions based on the analysis in the previous chapters. BEREC believes that an analysis on the development of private 5G networks is essential, also in light of the fact that European countries have adopted different approaches, particularly regarding the allocation of numbering resources and spectral resources for the networks.

BEREC’s goal, at the conclusion of the public consultation, is to produce a final report for national regulatory authorities that will cover the following topics:

  • the extent of the use of public and private 5G networks in Europe
  • the numbering aspects relevant to private 5G networks and the kinds of numbering resources these networks might require and apply for
  • the drivers behind the implementation of private 5G networks
  • the evolution of private 5G networks
  • the relationships between private and public 5G networks

Authors: Massimo D'Andrea, Flaminia Perna, Matilde Losa


Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo BardelliCarolina BattistellaCarlotta BusaniGiorgia Carneri, Noemi Canova, Gabriele Cattaneo, Noemi CanovaMaria Rita CormaciCamila CrisciCristina CriscuoliTamara D’AngeliChiara D’OnofrioFederico Maria Di VizioNadia FeolaLaura GastaldiVincenzo GiuffréNicola LandolfiGiacomo LusardiValentina MazzaLara MastrangeloMaria Chiara MeneghettiDeborah ParacchiniMaria Vittoria Pessina, Marianna RiedoTommaso RicciRebecca RossiRoxana SmeriaMassimiliano Tiberio, Federico Toscani,  Federico Toscani, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’AndreaFlaminia Perna and Matilde Losa.

For further information on the topics covered, please contact the partners Giulio CoraggioMarco de MorpurgoGualtiero DragottiAlessandro FerrariRoberto ValentiElena VareseAlessandro Boso CarettaGinevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about “Transfer”, the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and check out a DLA Piper publication outlining Gambling regulation here, as well as a report analyzing key legal issues arising from the metaverse qui, and a comparative guide to regulations on lootboxes here.

If you no longer wish to receive Innovation Law Insights or would like to subscribe, please email Silvia Molignani.

Print