Thesis Open Access
This work aims to investigate the adequacy of accountability and civil liability systems in the context of the Internet of Things.
In order to carry out this examination, different approaches have been used: in particular, the benefits of historical, sociological and technical analysis have been relied upon, to be integrated with the study of norms, decisions and practices typical of the jurist.
The first chapter aims to provide the main coordinates for understanding the phenomenon of the Internet of Things: this required a historical and technical approach, albeit minimal. Today's state of the art is in fact the result of the development of fundamental technologies such as cloud computing, and the more modern edge computing and fog computing. These, in turn, required an introduction to how they work.
In the second chapter, the focus shifted to the relationship between law and technology, with particular attention to digital technologies. The protection of personal data, which is the subject of this thesis, can in fact be traced back to the vast field of studies known as Law&Tech, characterised by the influence that technology exerts on law.
In addition to this, the second chapter was dedicated to the framing of personal data, the object of the protection of the discipline under examination. The main reference was Article 4 of the GDPR and Opinion No. 4 of 2007 of the Article 29 Working Party. The latter, by issuing soft law acts (opinions and guidelines), plays a key role in the interpretation of data protection provisions. Great importance was attached to soft law in the course of the thesis: the acts of the European Data Protection Board, of the Italian Data Protection Authority, of the European Data Protection Supervisor, and of the European agencies (such as ENISA) constitute first-rate references for the analysis of regulatory texts and for the evaluation of technological implementation practices.
The third chapter was devoted to the accountability principle. This has been considered by important commentators as the element on which the modernisation of the data protection discipline was based: it was in fact introduced by the GDPR, and in contrast to the former Directive 95/46/EC, it imports a series of obligations aimed at making the main figures accountable for processing: the controller and the processor.
This paradigm shift is analysed by retracing the main stages that led to today's accountability principle, with particular emphasis on the minimum security measures provided for in Article 33 of the former Italian privacy code.
The fourth chapter focuses instead on civil liability for unlawful processing of personal data. The reference provision is Article 82 of the GDPR, and starting from it, the active and passive subjective profiles, the objective profiles, the nature of the criterion of imputation of liability, and the relationship between the injured party and the damaging party were examined. The protracted study took into consideration the unresolved problems of Italian civil liability, especially as regards the criterion of imputation of liability and the relationship between the injured party and the damaging party.
This analysis was supplemented by a systematic reading of the Regulation, with the consequence of finding the minimum and maximum limits of civil liability in compliance with the principle of accountability. In particular, the balance set by the GDPR between the circulation and protection of personal data, the principle of adequacy, and finally the limits of the state of the art and implementation costs were examined.
The results obtained in the third and fourth chapters on accountability and civil liability systems were then tested in the context of the Internet of Things. This necessitated an introduction on the circulation model of personal data, and the risks arising from it: in particular, algorithmic discrimination and influences on personal self-determination were examined.
Algorithms were taken into consideration, by virtue of their great inferential capacity, as tools for the extraction of new data, sometimes burdened by biases imprinted at the time of design, and at other times vitiated by biases that emerged later than the time of programming.
Respecting the principle of accountability in the IoT, so as not to be held liable for damages under Article 82 GDPR, is very complex. The technological phenomenon in question is very intricate, characterised by great opacity and chains of processing. The lack of transparency makes it complex to be accountable, while the concatenation of accountable processing operations, in certain cases, can lead to the inconsistency of personal data protection.
Finally, some problematic liability profiles linked to the industrialisation of relations were compared to those arising from their digitalisation.