The INPS data breach and the dissemination of data on social networks

(by Federica, lawyer and manager of Aidr Regione Lombardia) On 1 April 2020 the INPS website suffered a significant data breach.

The extremely high number of requests for the €600 bonus granted in response to the Covid-19 emergency overwhelmed the site: the data of a considerable number of taxpayers were exposed unlawfully and remained visible for some time, putting the data subjects' rights at serious risk.

The situation would have been bad enough on its own, but it was further aggravated by the sharing on social networks of screenshots of the exposed profiles, which clearly contributed to the further dissemination of the data.

The key point is precisely this uncontrolled sharing of the screenshots, even though it was done in order to document the INPS data breach.

There are two distinct aspects to consider: the way the Internet works on the one hand, and personal data protection legislation on the other.

Let's start with how the Internet works.

Publishing content online allows users to re-share what others have published, effectively amplifying its spread as the audience reached widens.

The higher the number of shares, the wider the exposure of the content in question.

This means that the harm caused by the news, as with the data shown in the clear because of the INPS site malfunction, is directly proportional to the number of shares, that is, to the number of people, even if only potentially, who can learn of it.

It is easy to see, therefore, that the damage is greater if one contributes, in whatever way, to spreading the news.

And there is no doubt that taking screenshots of other people's personal data and posting them online aggravates the damage already caused by the data breach itself.

Turning to the legislation, Regulation (EU) 2016/679 on the protection of personal data (the GDPR) defines a "personal data breach" in Article 4 as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

The episode, or rather the episodes, that occurred on the INPS website fall squarely within this definition.

European legislation also lays down specific obligations to notify the supervisory authority (in Italy, the Garante per la protezione dei dati personali), but says nothing about the obligations of those who, in whatever capacity, find themselves involved in a data breach.

This does not mean that users are free of any constraints: they remain subject to the general principles of the GDPR, with the consequence that they may not process, and therefore may not disclose, personal data without a valid legal basis.

In practice, this means that screenshots of a private profile showing a user's social security position cannot simply be posted on social networks as they are (sic et simpliciter), even for the purpose of reporting the anomaly and therefore the data breach.

Such dissemination, driven by the mechanism by which the Internet and the individual social networks operate, amplifies the propagation, in an uncontrolled manner, of the very data whose breach is being reported.

In other words, by sharing, users increase the negative effect and the potential damage resulting from the dissemination of the data.

It should also be added that, in the absence of a valid legal basis for the processing, sharing the screenshots becomes in turn unlawful processing which, at least in theory, could expose the person sharing them to the sanctions provided for by the GDPR and by Legislative Decree 101/2018.

The case would be different, however, if the screenshots had been shared after the personal data had been blacked out, for the sole purpose, therefore, of demonstrating the malfunction of the INPS site.

In this specific case, the sharing of screenshots and personal data reached such a scale as to require an official intervention by the Garante.

In a press release of 2 April 2020, in order to limit the dissemination of the data and the harmful potential of their circulation, the Authority stated that "In order not to amplify the risks for the people whose personal data were involved in the breach, and not to commit possible offences, the Authority draws attention to the absolute need for anyone who has come into possession of other people's personal data not to use them and to refrain from communicating them to third parties or disseminating them, for example on social channels, and instead to contact the Garante to report any relevant aspects".

Attention to everything that is shared must therefore always be kept at the highest level, especially where personal data are concerned, since the risk of increasing the harm and the real danger to the rights of the people involved is far greater than one might think.

Every assessment of the lawfulness of a share must therefore take place in the moment before sending, since once published the content has irreversibly left our control: it is no longer possible to manage it, with all the consequences, including legal ones, that follow.
