By Order no. 14382/2021, the Italian Supreme Court ruled on the lawfulness of the personal data processing carried out through an online platform for measuring reputational ratings.

The Order was issued following the appeal brought by the Italian Data Protection Authority (DPA) against a decision of the Court of Rome of 4 April 2018, which had accepted the appeal brought by the association Mevaluate Onlus. The latter had challenged the decision of the DPA (commented upon here in our blog), which had prohibited any processing operation carried out by Mevaluate in connection with the services offered through the “Mevaluate Immaterial Infrastructure for Professional Qualification”.

In fact, Mevaluate was determined to launch on the market an online platform aimed at developing reputational profiles of natural and legal persons and capable of calculating the reputation of those subjects in an allegedly impartial and reliable way. However, following a request to assess the compliance of the processing, submitted by Mevaluate itself to the DPA, the latter had deemed the related processing to be non-compliant with the Italian Privacy Code’s provisions and had prohibited it. Mevaluate, considering its data processing lawful, appealed to the Court of Rome, asking for the annulment of the DPA’s decision.

The Court of Rome had partially accepted the appeal, ordering the annulment of the DPA’s decision with the exception of the prohibition regarding the processing of the personal data of third parties not associated with Mevaluate and not registered on its platform. Such personal data, the Court had clarified, were processed to obtain an independent assessment not based on the data subjects’ consent, although they came from freely available data (e.g., press articles or judicial decisions). On the other hand, the Court had found the data processing regarding the subjects registered on the platform to be compliant, as it was based on the consent they gave when they joined the platform. In fact, once registered, the members could voluntarily upload documents drawn up by third parties relating to their reputational profile, which were necessary for the platform to define a specific reputational rating.

Against this decision, the DPA brought an appeal before the Italian Supreme Court, which preliminarily noted that the consent for the processing of personal data must be given in respect of “clearly identified” data processing, in order to legitimise it. This means that the data subject who gives the consent must be previously informed «in relation to processing clearly defined in its essential elements, so it can be said that the consent has been given freely and specifically».

In this respect, the Supreme Court found that the lack of transparency of the algorithm for the processing of the data uploaded by the platform’s users – and aimed at generating the reputational rating – had been questioned by the DPA but had not been contested by the Court of Rome, which had, on the contrary, asserted that the validity and quality of this rating was a matter to be left to market assessment. The Supreme Court did not agree with this position, since the issue in question was the validity of the consent given. In respect of this, the Supreme Court concluded that «it cannot logically be argued that the act of joining the platform by the affiliates also includes the acceptance of an automated system – which uses an algorithm – for an objective personal data assessment, where the algorithm’s executive scheme and the elements taken into account to that end are not disclosed».

Consequently, the Supreme Court annulled the contested decision and referred the case back to the Court of Rome, which must comply with the following legal principle: «with regard to the process of personal data, the consent is legitimately given only if it is freely expressed in respect of clearly identified data processing; it follows that, in the case of a web platform (with an IT archive) aimed at processing reputational profiles of natural and legal persons and with a computing system based on an algorithm aimed at determining reliability ratings, the requirement of awareness cannot be considered fulfilled if the algorithm’s executive scheme and its elements remain unknown or not knowable by the data subjects».