Italy, Court of Cassation, 6177/2023, supreme instance, 1 March 2023

Member State
Italy
Topic
Use of automated processing of data in administrative procedures
Sector
Judicial Interaction Techniques
Deciding Court Original Language
Corte di Cassazione
Deciding Court English translation
Court of Cassation
Registration N
6177/2023
Date Decision
1 March 2023
ECLI (if available)

N/A

National Follow Up Of (when relevant)
Not a direct follow up
EU legal sources and CJEU jurisprudence

Directive 95/46/EC (as the facts of the case predate the GDPR); Regulation 679/2016 (GDPR); Article 8(2) ECHR; Directive 2016/680/EU; Directive 2016/681/EU; Directive 2004/82/EC; Council of Europe Recommendation CM/Rec(2021)8

C-465/00, Rechnungshof;

AG Conclusions in C-817/19, Ligue des droits humains

ECtHR Jurisprudence
No
Subject Matter
The First Civil Section of the Court of Cassation overturned ruling no. 4609/2020 of the Court of Rome, which had upheld the administrative fine of €40,000 that the Italian Data Protection Authority (Garante per la protezione dei dati personali) had imposed on the National Institute of Social Security (INPS) for the use of the "SAVIO" data mining software. The Court of Cassation accepted two of the five grounds of appeal presented by the INPS and thus legitimized the use of the SAVIO software.
Legal issue(s)
The case involves a legal dispute between the INPS and the Garante regarding an administrative fine imposed on the INPS for violations of data protection law in relation to the use of the "SAVIO" software, which automatically assigned a score to medical certificates produced by workers, thereby optimizing the system for medical-legal checks. The violations that prompted the authority's intervention included the processing of sensitive data (including health data) without an appropriate notice, and the processing of such data through profiling without prior notification to the authority.
Request for expedited/PPU procedures
No
Interim Relief
No
National Law Sources
Articles 2 and 97 of the Italian Constitution, Legislative Decree n. 196 of 2003 (Privacy Code), Legislative Decree n. 82 of 2005, Legislative Decree n. 75 of 2017, Legislative Decree n. 51 of 2018, Legislative Decree n. 101 of 2018, Law n. 689 of 1981
Facts of the case
By judgment no. 4609 of 3 March 2020, the Court of Rome dismissed the appeal against injunction order no. 492 of 29 November 2018, requiring the payment of an administrative fine of €40,000, imposed by the Italian Data Protection Authority ("Garante") pursuant to Articles 13, 20, and 27 of Legislative Decree no. 196 of 2003 (Privacy Code) for the use of the software SAVIO.
According to the Garante, sensitive data were processed without providing an appropriate information notice (violation of Article 13), an unlawful processing of personal data, including data that could reveal health status, was carried out without the necessary conditions (violation of Article 20), and, finally, profiling activities were carried out using the personal data of workers, including data that could reveal health status, without prior notification of such processing to the authority (violation of Article 37).
The INPS filed an appeal to the Court of Cassation against the rejection ruling, based on five grounds.
Reasoning (role of the Charter or other EU, ECHR related legal basis)
The Court of Cassation rejected the first, second and fifth grounds of appeal presented by the INPS which concerned issues on the failure to contest the violation to the alleged offender, limitations period and failure to apply the reduced penalty. However, it accepted the third and fourth grounds of appeal.
As regards the third ground, the Court of Cassation first assessed the legal framework provided by Articles 13, 24, and 27 of Legislative Decree No. 196 of 2003 (the so-called "Privacy Code," in force at the time of the events), stressing that such provisions derive from Directive 95/46/EC. Then, it ruled that the INPS could use the SAVIO tool because one of the responsibilities of the social security institution is the processing of personal data of the individuals concerned without prior consent and notice. According to Articles 13(5)(a) and 24 of the Privacy Code, information about the purposes of the processing is not required if the data is processed based on a legal obligation, and consent is not needed if the processing is necessary to comply with a legal obligation. The individuals concerned voluntarily submitted their medical certificates to support their respective social security claims, and in order to process these requests, the data must necessarily be processed using the software. Consequently, the data received by the INPS was transmitted by the individuals themselves, who thus tacitly consented to its use. Thus, since the processing of data is functional to the institutional tasks of the INPS, the Rome Court was wrong in considering that the data collection was not required by law or necessary.
Citing its previous case law (judgment no. 10280 of May 20, 2015), the Court stressed that data protection rules must be properly balanced with constitutional provisions protecting other rights, including the effectiveness, transparency, and impartiality of administrative activities. Interpreting these principles in C-465/00, Rechnungshof, the EU Court of Justice repeatedly stated that exceptions to the prohibition of processing personal data without the consent of the individual are legitimate if aimed at pursuing proportionate and necessary public interests. In this case, the fulfilment of legal obligations by the public administration is considered a prevailing interest.
Even though the GDPR was not temporally applicable to the case, the Court stressed how it integrated the provisions contained in Directive 95/46/EC and referred to its distinction between fully-automated decision-making processes and those involving human input. The Court concluded that, in the case at issue, it was not a purely automated process since the INPS medical personnel carried out additional checks based on parameters suggested by the system.
The Court also stressed how the use of internal IT systems to support institutional tasks has become a pressing requirement within the legal system. It referred to and quoted the Advocate General conclusions in the case C-817/19, Ligue des droits humains, to stress that the balance between the individual and society in the era of data is one of the main dilemmas of constitutionalism.
The fourth ground concerned the profiling activity: according to the Garante, the data processing constituted profiling, for which the INPS had failed to notify the Garante as required by Article 37 of the Privacy Code. The Court of Cassation instead found that the case at issue did not involve profiling. First, each application was assigned a score, linked to specific variables such as the duration of the prognosis, age, gender, salary, industry sector, and type of employment relationship, that is, factors that were independent of any subjective profiling and solely related to the specific benefit claim. Accordingly, each application was associated with an index related to the probability of recovery, with the aim of assisting medical staff in rationally planning and concentrating control visits. Second, the individuals concerned were never placed into specific categories.
The Court reconstructed the notion of profiling under Article 4(1)(1) GDPR, stressing that it corresponds to the definition under Directive 2016/680 (transposed in Italy by Legislative Decree 51 of 2018) and Recommendation CM/Rec(2021)8 of the Council of Europe on the protection of individuals with regard to automatic processing of personal data in the context of profiling. Profiling means the automated processing of data that applies a profile to a specific individual, with the aim of recording their preferences, consumption choices, etc. Once the existence of profiling is established, it will then be necessary to evaluate whether it is permitted, according to the rules under Articles 14 and 37 of the Privacy Code (deriving from Article 15 of Directive 95/46/EC), and, after 2018, Article 23 GDPR.
However, the Court of Cassation found that the activity of the SAVIO software does not fall under the definition of profiling under Article 14 of the Privacy Code. SAVIO assigned a probability score to the medical certificate related to the worker, but without assigning any specific category to each individual worker. Thus, there were no “profiles” that could characterize a category of people or be applied to a specific individual. As a result, the Court of Cassation annulled the judgment of the Rome Court and the corresponding fine issued by the Garante.
Relation of the case to the EU Charter
The EU Charter was not invoked
Relation between the EU Charter and ECHR
N/A
Use of Judicial Interaction technique(s)
Consistent interpretation
Horizontal Judicial Interaction patterns (Internal – with other national courts, and external – with foreign courts)
N/A
Vertical Judicial Interaction patterns (Internal – with other superior national courts, and external – with European supranational courts)
The Court of Cassation engaged in an in-depth assessment of the judgment of the Court of Rome and upheld the appeal of the INPS (see Reasoning). The Court of Cassation also referred to some of its previous judgments on the matter (n. 10280 of 2015, n. 15075 of 2018, n. 18770 of 2019, n. 14381 of 2021) as well as the case law of the Consiglio di Stato (Council of State) (n. 8472 of 2019) supporting, in the context of administrative proceedings, the use of computerized procedures that, through algorithms, lead administrative bodies to make final decisions. There was no constitutionality review involved.
The Court of Cassation referred to the jurisprudence of the ECJ. In particular, it quoted the judgment in C-465/00, Rechnungshof, to stress that the ECJ has accepted that exceptions to the prohibition of processing personal data without the consent of the individual are possible when certain conditions are met. It also referred to the Advocate General Conclusions in C-817/19, Ligue des droits humains, to highlight the challenges of using IT systems in administrative procedures (see Reasoning).
Strategic use of judicial interaction technique (purpose aimed by the national court)
The Court of Cassation assessed the use of the SAVIO software in light of the Privacy Code, interpreting it in light of Directive 95/46/EC which it implemented. It thus relied on consistent interpretation in order to solve the dispute pending before it. The Court of Cassation also referred to the GDPR, which, although not in force at the time of the dispute, provided a reference point in interpreting matters of data protection and automated data processing.
Impact on Legislation / Policy
N/A
Notes on the national implementation of the preliminary ruling by the referring court
N/A
Did the national court quote case law of the CJEU/ECtHR (in particular cases not already referred to by the CJEU in its decision) or the Explanations?
The Court of Cassation quoted case law of the CJEU (see Reasoning and Vertical Judicial Interaction Patterns).
Did the national court quote soft law instruments, such as GRECO Reports, Venice Commission, CEPEJ Reports, or CCEJ Reports?
The Court of Cassation quoted Recommendation CM/Rec(2021)8 of the Council of Europe on the protection of individuals with regard to automatic processing of personal data in the context of profiling to reconstruct the notion of profiling (see Reasoning).
Did the national court take into account national case law on fundamental rights?
The Court of Cassation took into account its case law on fundamental rights. In particular, it referred to judgment no. 10280 of 2015, where it noted that the right to data protection, although falling within the fundamental rights under Article 2 of the Constitution, is not a "tyrant" or a "totem" to which other equally relevant constitutional rights must always be sacrificed. On the contrary, the rules on the protection of sensitive data must be coordinated and balanced with constitutional provisions that protect other, potentially more prevailing rights, such as the public interest in the speed, transparency, and effectiveness of administrative activities. In order to determine whether a party has violated the legal rules on the management of others' data, these rules must be interpreted by balancing the interests they protect with other constitutionally protected interests that may be in conflict.
If the court that issued the preliminary reference is not a last instance court, and the “follow up” was appealed before a higher court, include the information
The Court of Cassation is a last instance court.
Was there a consensus among national courts on how to implement the CJEU's preliminary ruling; and were there divergences between the judiciary and other state powers regarding the implementation of the preliminary ruling?
The Court of Cassation is a last instance court.
Impact on national case law from the same Member State or other Member States
N/A
Connected national caselaw / templates
N/A
(Link to) full text

Please contact the author of the case note or TRIIAL partners for the full text of the judgment.

Author
Martina Coli, University of Florence (UNIFI)
 
Project implemented with financial support of the Fundamental Rights & Citizenship Programme of the European Union
© European University Institute 2019
Villa Schifanoia - Via Boccaccio 121, I-50133 Firenze - Italy