'Personal Data Made Public By The ‘Data Subject' And Use Of Information Published On Social Networks: Early Observations Of Gdpr Art. 9, Para. 2, Letter E) [First Part]

GDPR art. 9, entitled "Processing of special categories of personal data", after having setting forth the general rule, specifically that "1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited," identifies at paragraph 2 a few exceptions to that prohibition, which include - at letter e) - cases regarding processing that "relates to personal data which are manifestly made public by the data subject".

This exception raises doubts as to the interpretation of the precise definition of its scope, especially when it calls attention to the important phenomenon of the indistinct mass of personal information that is shared on social networks every day.

For this evaluation I believe it is opportune to 1st consider the traditional meaning ascribed to the expression "public" as interpreted and applied by the Italian Privacy Code.

The first place in which our laws refer to the concept of personal data made "public" is set forth by the general consensus relating to the processing of - ordinary - data contained in "public registers, lists, acts or documents that are accessible to anyone", set forth in art. 24, para. 1, letter c) of the Italian Privacy Code.

Considering the application of this provision, noting that the Italian DPA clarified in the decision dated 11 January 2001 ("Political communications, e-mail, acts and documents accessible to anyone", published in Bollettino "Cittadini e società dell'informazione" n. 16, p. 39) that the provision set forth in art. 24, para. 1, letter c) of the Italian Privacy Code: "refers not to any personal data that is indeed accessible to a plurality of persons, but only to personal data that in addition to being included in "public" registers, lists, acts or documents (...) is subject to a legal regime of full knowledgeability by anyone, a regime which, however, can also include modalities or temporal limits (...)": namely, in this context, for the legitimacy of use of the personal data it is not sufficient that such data is present in sources that are freely accessible, but it is also necessary that the purpose of such use is compatible with those reasons that justify its presence in the source, which...