Luca Bolognini - Academia.edu

Papers by Luca Bolognini

The "super-powers" of the European Data Protection Board (EDPB) and the principle of due administrative procedure

Diritto, Economia e Tecnologie della Privacy, 2025

This open access paper examines the extensive powers and tasks of the European Data Protection Board (EDPB), highlighting its role as an independent administrative authority with major influence over data protection law and policy in the European Union. The paper critically analyses the procedural legitimacy of the EDPB's regulatory powers, emphasizing the need for prior consultation and discussion with stakeholders to ensure democratic legitimacy.

The EDPB's decisions, which often imply assessments of the necessity of technological deployments and innovations involving personal data processing, are scrutinized for their possible lack of participatory tools and consultation with interested parties. The document argues that the EDPB's regulatory powers should be balanced, among other accountability measures, through participatory procedures, in compliance with the principle of due and fair administrative procedure.

From an Italian administrative law perspective, the paper underscores the importance of prior consultation and discussion with stakeholders to ensure the procedural legitimacy of the EDPB's decisions. It criticizes the current framework for not mandating such consultations, which undermines the democratic legitimacy of the EDPB's regulatory actions. More generally, the paper highlights the risk of inadequate due process guarantees in the EDPB decision-making process, which could also include a possible deficiency of transparency of the Board’s working groups/task forces as well as of plenary meeting discussions, clear appeal avenues against EDPB decisions, opinions and guidelines before the CJEU, explicit incorporation of the right to be heard in EDPB processes, etc. – even though this derives from the GDPR's insufficient specification of stringent constraints for the EDPB’s procedures.

Overall, the document provides a comprehensive analysis of the EDPB's "super-powers" and their implications for data protection law and policy in the European Union, with a particular focus on the procedural aspects and the need for greater stakeholder consultation.

The Authors of this paper, in their conclusions, also explore some possible solutions - either interpretative or amending the GDPR and the internal functioning rules of the EDPB and the national Data Protection Authorities - in order to overcome the deficit of participation and consultation in the administrative procedures for binding and non-binding opinions, guidelines, and other decisions to be adopted.

Ammissibilità del modello “pay or consent”: tra rivoluzione economica digitale e modernizzazione della protezione dei dati (Admissibility of the “pay or consent” model: between digital economic revolution and modernisation of data protection)

Diritto Economia e Tecnologie della Privacy, 2024

The 'pay or consent' model - with appropriate adjustments and respecting criteria of equivalence and fungibility of services at reasonable prices - could represent, in the Authors' opinion, a valid and legitimate approach in the digital ecosystem, consistent with the legislative framework of the European Union. After all, the model under consideration introduces an element of choice for users, offering them the possibility of actively deciding how to interact with online services. In other words, the model would make it possible to sustain - both on the demand side and on the supply side - a wide range of digital services, translating into a mechanism capable of balancing, on the one hand, the business needs of the companies providing the services and, on the other, the user's choice to make use of them by granting consent or, alternatively, by paying the required fee which, unless it is a so-called essential public service (an assessment that should be referred to the legislator), could be determined autonomously by the provider in the exercise of its right to freedom of enterprise.

Admissibility of the 'pay or consent' model: between digital economic revolution and data protection modernisation

Diritto Economia e Tecnologie della Privacy, 2024

The 'pay or consent' model - with appropriate adjustments and respecting criteria of equivalence and fungibility of services at reasonable prices - may represent, in the Authors’ opinion, a valid and legitimate approach in the digital ecosystem, consistent with the current legal framework of the European Union. After all, the model under consideration introduces an element of choice for users. The model would make it possible to sustain – both on the demand side and on the supply side – a wide range of online services: a mechanism capable of balancing, on the one hand, the business needs of the companies providing the services and, on the other, the user's choice to make use of them by granting consent or, alternatively, by paying the required fee which, unless it is a so-called essential public service (an assessment that should be referred to the legislator), could be determined autonomously by the provider in the exercise of its right to freedom of enterprise.

Do you feel like biting the apple? Privacy as the «right of human Self» in the age of Artificial Intelligence and Augmented Reality

IoT and Cloud Computing: Specific Security and Data Protection Issues

Springer eBooks, 2019

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

Pseudonymization and impacts of Big (personal/anonymous) Data processing in the transition from the Directive 95/46/EC to the new EU General Data Protection Regulation

Computer Law & Security Review, Apr 1, 2017

In order to carry out the so-called "Big Data analysis", the collection of personal data seems to be inevitable. The opportunities arising from the analysis of such information need to be balanced with the risks for the data protection of individuals. In this sense, the anonymization technique might be a solution, but it seems to be inappropriate in certain circumstances, among which Big Data processing can be included. In fact, anonymization has a high degree of uncontrollability of the impacts of profiling directed to individual targets whose data has been anonymized. In this sense, pseudonymization can be used both to reduce the risks of reidentification and help data controllers and processors to respect their personal data protection obligations by keeping control over their activities. On the one hand, pseudonymization ensures the capability to reconstruct the processes of identity masking, by allowing re-identification. On the other hand the accountability of the data controller and data processor is guaranteed, thanks to the fact that there will always be a person who can re-identify subjects included in a cluster, acting as a "data keeper".

Economic Valorisation of Personal Data and Legal Bases: For a "Digital Privacy New Deal"

Zenodo (CERN European Organization for Nuclear Research), Sep 28, 2022

This article considers the possibility of an economic valorisation of personal data without the consent of data subjects but rather, alternative legal bases such as article 6(1)(b) of the GDPR (performance of a contract), or article 6(1)(f) GDPR (legitimate interest of the controller). For article 6(1)(b), the concept of exchange-commerce and RTM is contemplated, where consideration is paid by the data subject, allowing (like a license) the temporary use of some personal data for profiling and/or marketing purposes by the controller. While several remuneration models can exist, the main focus of jurists should be on making these models safe and balanced for data subjects, rather than prohibiting them. Moreover, when considering the legitimate interest of the controller, rather than it being recognized only as a 'quasi' right if harmless and indifferent to the rights of data subjects, this legal base can implement the "bridge of crossing and balancing" between privacy and fundamental rights and freedoms. Consequently, instead of anchoring to the idealization of consent as the only legal basis suitable for legitimizing the commercial exploitation of personal data, the focus should be on the accountability of the controllers of the processing as well as safeguarding data-driven fundamental rights and freedoms, without suffocating, but indeed encouraging economic initiative and innovation.

Evolution of Data Protection Norms and Their Impact on the Internet of Things

Internet of things, 2019

This chapter will provide an overview of international data protection norms. It will specifically discuss and explain the recent evolution in Europe with the adoption of the European General Data Protection Regulation and its impact on other countries. It will clarify the main concepts and the differences among the various geographic areas.

Public Administration using algorithms: a landmark decision of the Italian Council of State

Economic Valorisation of Personal Data and Legal Bases: For a "Digital Privacy New Deal"

CERN European Organization for Nuclear Research - Zenodo, Sep 28, 2022

This article considers the possibility of an economic valorisation of personal data without the consent of data subjects but rather, alternative legal bases such as article 6(1)(b) of the GDPR (performance of a contract), or article 6(1)(f) GDPR (legitimate interest of the controller). For article 6(1)(b), the concept of exchange-commerce and RTM is contemplated, where consideration is paid by the data subject, allowing (like a license) the temporary use of some personal data for profiling and/or marketing purposes by the controller. While several remuneration models can exist, the main focus of jurists should be on making these models safe and balanced for data subjects, rather than prohibiting them. Moreover, when considering the legitimate interest of the controller, rather than it being recognized only as a 'quasi' right if harmless and indifferent to the rights of data subjects, this legal base can implement the "bridge of crossing and balancing" between privacy and fundamental rights and freedoms. Consequently, instead of anchoring to the idealization of consent as the only legal basis suitable for legitimizing the commercial exploitation of personal data, the focus should be on the accountability of the controllers of the processing as well as safeguarding data-driven fundamental rights and freedoms, without suffocating, but indeed encouraging economic initiative and innovation.

ECONOMIC VALORISATION OF PERSONAL DATA AND LEGAL BASES: FOR A “DIGITAL PRIVACY NEW DEAL”

Diritto, Economia e Tecnologie della Privacy - ISSN 2239-7671, 2022

This article considers the possibility of an economic valorisation of personal data without the consent of data subjects but rather, alternative legal bases such as article 6(1)(b) of the GDPR (performance of a contract), or article 6(1)(f) GDPR (legitimate interest of the controller). For article 6(1)(b), the concept of exchange-commerce and RTM is contemplated, where consideration is paid by the data subject, allowing (like a license) the temporary use of some personal data for profiling and/or marketing purposes by the controller. While several remuneration models can exist, the main focus of jurists should be on making these models safe and balanced for data subjects, rather than prohibiting them. Moreover, when considering the legitimate interest of the controller, rather than it being recognized only as a 'quasi' right if harmless and indifferent to the rights of data subjects, this legal base can implement the "bridge of crossing and balancing" between privacy and fundamental rights and freedoms. Consequently, instead of anchoring to the idealization of consent as the only legal basis suitable for legitimizing the commercial exploitation of personal data, the focus should be on the accountability of the controllers of the processing as well as safeguarding data-driven fundamental rights and freedoms, without suffocating, but indeed encouraging economic initiative and innovation.

TRASPARENZA DEI DATI E TUTELA DELLA PRIVACY (Data transparency and privacy protection)

Giuffrè Francis Lefebvre, 2022

Essay included in the treatise "Responsabilità, rischio e danno in sanità"

La responsabilità civile nel trattamento di dati personali e per atti di cybercrime (Civil liability in the processing of personal data and for acts of cybercrime)

Giuffrè, 2018

Essay included in the treatise "Responsabilità civile dei professionisti e degli altri imprenditori"

Il Futuro dei dati personali nel Metaverso (The future of personal data in the Metaverse)

Diritto, Economia e Tecnologie della Privacy, 2022

The Metaverse will materialise around us a new world, enlivened by a continuous flow of information and images, including personal data such as human characteristics and inferred data. For our part, we will continue to reflect and to ask ourselves many questions about its implementation, its functioning and the role it will play in the future of our daily lives, in particular from the point of view of the possible impact on our rights and freedoms. Specifically, as regards the protection of personal data, in the preceding pages we have already asked ourselves how the conceptual categories provided for by the GDPR will be applied and how all the principles and safeguards established therein will be implemented.

It can now be observed that these issues will probably have to be framed and resolved, beyond and more than in terms of regulation and legal enforcement, also through recourse to so-called industry standardization, that is, by letting the market and its competitive dynamics bring out technological and conduct rules and standards suited to the novelties and peculiarities of the dynamics of the Metaverse. After all, the Metaverse will not be a social platform belonging to a single brand like those we are used to today, but will constitute a new, complex environment in which many platforms, small, medium and large, will be called upon to operate and to engage with one another. In this sense, the most adequate guarantees and forms of protection for the rights and freedoms of data subjects may also arise and develop within the market and as a result of competitive synergies which, even through inevitable trial and error, will shape policies and contractual arrangements destined gradually to settle into general practice.

While many questions still remain unanswered, we can nevertheless confirm with enthusiasm that there are also a great many expectations for the parallel increase in rights and opportunities for the benefit of all of us. We must therefore look to the future of the Metaverse with positivity, as well as with rational lucidity.

The future of personal data in the Metaverse

Diritto, Economia e Tecnologie della Privacy - ISSN 2239-7671, 2022

On the occasion of the Privacy Symposium 2022 in Venice, an Italian Institute for Privacy and Data Valorisation’s new open access paper has just been published: “The future of personal data in the Metaverse“. It relates to the complex aspects of the protection of rights, freedoms and personal data in the Metaverse.

This thought-provoking legal study deals with intriguing questions of high interest for the future of digital regulation, such as: What is the nature of human characteristics’ data? How should we consider inferred data? How to legitimise personal data processing in the Metaverse? The study also analyses possible “augmented impacts” on individuals, aiming to frame, from a brand new juridical perspective, secondary uses and data sharing in the Metaverse. Finally, a reflection on the potential bright side, focusing on “augmented rights” which could be enabled by virtual and augmented reality, unlocking the value of the Metaverse.

Co-authors of this paper are Luca Bolognini, President of the Italian Institute for Privacy and Data Valorisation (Istituto Italiano per la Privacy e la Valorizzazione dei Dati – IIP – Rome – Italy) and Marco Emanuele Carpenelli, Fellow of the IIP.

Enabling Crowd-sourcing-based Privacy Risk Assessment in EU

Proceedings of the 21st Pan-Hellenic Conference on Informatics

Personal data have become a merchandisable asset, encouraging stakeholders to collect and trade them without the end-user's awareness and acceptance. Although the EU is adapting the legal framework, the extent of applications, most of which are developed from outside the EU jurisdiction, strongly limits the possibility to effectively impose a privacy-protection framework globally. The Privacy Flag project researches and combines the potential of crowdsourcing, ICT technologies and legal expertise to enable citizens to monitor and control their privacy.

IoT and Cloud Computing: Specific Security and Data Protection Issues

Internet of Things Security and Data Protection

9. Data Protection Compliance Requirements for the Internet of Things

Voluntary Compliance Commitment Tool for European General Data Protection Regulation

Internet of Things Security and Data Protection, 2019

This chapter will discuss and present a new model of voluntary compliance commitment tool to bridge legal gaps between European and non-European legislations, with a focus on data processing of IoT data. This tool was developed in the context of the H2020 Privacy Flag project (http://privacyflag.eu/) that intended to develop a collective privacy protection framework enabling citizens to better control and protect their personal data. In addition to a set of tools and solutions enabling the data subjects to collectively assess and control the level of risk for their privacy in the context of web, smartphone apps and Internet of Things deployments, Privacy Flag also researched and developed a voluntary legally binding mechanism for companies located outside of Europe to align with and abide by European standards in terms of personal data protection.

Do you feel like biting the apple? Privacy as the «right of human Self» in the age of Artificial Intelligence and Augmented Reality

Research paper thumbnail of The "super-powers" of the European Data Protection Board (EDPB) and the principle of due administrative procedure

Diritto, Economia e Tecnologie della Privacy, 2025

This open access paper examines the extensive powers and tasks of the European Data Protection Bo... more This open access paper examines the extensive powers and tasks of the European Data Protection Board (EDPB), highlighting its role as an independent administrative authority with major influence over data protection law and policy in the European Union. The paper critically analyses the procedural legitimacy of the EDPB's regulatory powers, emphasizing the need for prior consultation and discussion with stakeholders to ensure democratic legitimacy.

The EDPB's decisions, which often imply assessments of the necessity of technological deployments and innovations involving personal data processing, are scrutinized for their possible lack of participatory tools and consultation with interested parties. The document argues that the EDPB's regulatory powers should be balanced, among other accountability measures, through participatory procedures, in compliance with the principle of due and fair administrative procedure.

From an Italian administrative law perspective, the paper underscores the importance of prior consultation and discussion with stakeholders to ensure the procedural legitimacy of the EDPB's decisions. It criticizes the current framework for not mandating such consultations, which undermines the democratic legitimacy of the EDPB's regulatory actions. More in general, the paper highlights the existence of a risk of inadequate due process guarantees on EDPB decision-making process, which could also include a possible deficiency of transparency of the Board’s working groups/task forces as well as of plenary meeting discussions, clear appeal avenues against EDPB decisions, opinions and guidelines before the CJEU, explicit incorporation of the right to be heard in EDPB processes, etc. – even though this derives from the GDPR insufficient specification of stringent constraints for EDPB’s procedures.

Overall, the document provides a comprehensive analysis of the EDPB's "super-powers" and their implications for data protection law and policy in the European Union, with a particular focus on the procedural aspects and the need for greater stakeholder consultation.

The Authors of this paper, in their conclusions, also explore some possible solutions - both interpretative or amending the GDPR and the internal functioning rules of the EDPB and the national Data Protection Authorities - in order to overcome the deficit of participation and consultation in the administrative procedures for binding and non-binding opinions, guidelines, and other decisions to be adopted.

Research paper thumbnail of Ammissibilità del modello “pay or consent”:  tra rivoluzione economica digitale e modernizzazione della protezione dei dati

Diritto Economia e Tecnologie della Privacy, 2024

Il modello 'pay or consent' - con gli opportuni aggiustamenti e rispettando criteri di equivalenz... more Il modello 'pay or consent' - con gli opportuni aggiustamenti e rispettando criteri di equivalenza e fungibilità dei servizi a prezzi ragionevoli – potrebbe rappresentare, a parere degli Autori, un approccio valido e legittimo nell'ecosistema digitale, coerente con il quadro legislativo dell’Unione Europea. Dopotutto, il modello in esame introduce un elemento di scelta per gli utenti, offrendo loro la possibilità di decidere attivamente come interagire con i servizi online. Il modello, cioè, consentirebbe di rendere sostenibili – sia dal lato della domanda, sia dal lato dell’offerta – un'ampia gamma di servizi digitali, traducendosi in un meccanismo in grado di bilanciare, da una parte, le esigenze commerciali delle aziende che forniscono i servizi e, dall'altra, la scelta dell'utente di usufruirne concedendo il consenso o, in alternativa, pagando il corrispettivo richiesto che, a meno che non si tratti di un cosiddetto servizio pubblico essenziale (valutazione che dovrebbe essere rimandata al legislatore), potrebbe essere determinato autonomamente dal fornitore nell'esercizio del suo diritto alla libertà di impresa.

Research paper thumbnail of Admissibility of the 'pay or consent' model: between digital economic revolution and data protection modernisation

Diritto Economia e Tecnologie della Privacy, 2024

The 'pay or consent' model - with appropriate adjustments and respecting criteria of equivalence ... more The 'pay or consent' model - with appropriate adjustments and respecting criteria of equivalence and fungibility of services at reasonable prices - may represent, in the Authors’ opinion, a valid and legitimate approach in the digital ecosystem, consistent with the current legal framework of the European Union. After all, the model under consideration introduces an element of choice for users. The model would make it possible to sustain – both on the demand side and on the supply side – a wide range of online services. A mechanism capable of balancing, on the one hand, the business needs of the companies providing the services and, on the other, the user's choice to make use of them by granting consent or, alternatively, by paying the required fee which, unless it is a so-called essential public service (an assessment that should be referred to the legislator), could be determined autonomously by the provider in the exercise of its right to freedom of enterprise.

Research paper thumbnail of Do you feel like biting the apple? Privacy as the «right of human Self» in the age of Artificial Intelligence and Augmented Reality

Research paper thumbnail of IoT and Cloud Computing: Specific Security and Data Protection Issues

Springer eBooks, 2019

The use of general descriptive names, registered names, trademarks, service marks, etc. in this p... more The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

Research paper thumbnail of Pseudonymization and impacts of Big (personal/anonymous) Data processing in the transition from the Directive 95/46/EC to the new EU General Data Protection Regulation

Computer Law & Security Review, Apr 1, 2017

In order to carry out the so-called "Big Data analysis", the collection of personal data seems to... more In order to carry out the so-called "Big Data analysis", the collection of personal data seems to be inevitable. The opportunities arising from the analysis of such information need to be balanced with the risks for the data protection of individuals. In this sense, the anonymization technique might be a solution, but it seems to be inappropriate in certain circumstances, among which Big Data processing can be included. In fact, anonymization has a high degree of uncontrollability of the impacts of profiling directed to individual targets whose data has been anonymized. In this sense, pseudonymization can be used both to reduce the risks of reidentification and help data controllers and processors to respect their personal data protection obligations by keeping control over their activities. On the one hand, pseudonymization ensures the capability to reconstruct the processes of identity masking, by allowing re-identification. On the other hand the accountability of the data controller and data processor is guaranteed, thanks to the fact that there will always be a person who can re-identify subjects included in a cluster, acting as a "data keeper".

Research paper thumbnail of Economic Valorisation of Personal Data and Legal Bases: For a "Digital Privacy New Deal

Zenodo (CERN European Organization for Nuclear Research), Sep 28, 2022

This article considers the possibility of an economic valorisation of personal data without the c... more This article considers the possibility of an economic valorisation of personal data without the consent of data subjects but rather, alternative legal bases such as article 6(1)(b) of the GDPR (performance of a contract), or article 6(1)(f) GDPR (legitimate interest of the controller). For article 6(1)(b), the concept of exchange-commerce and RTM is contemplated, where consideration is paid by the data subject, allowing (like a license) the temporary use of some personal data for profiling and/or marketing purposes by the controller. While several remuneration models can exist, the main focus of jurists should be on making these models safe and balanced for data subjects, rather than prohibiting them. Moreover, when considering the legitimate interest of the controller, rather than it being recognized only as a 'quasi' right if harmless and indifferent to the rights of data subjects, this legal base can implement the "bridge of crossing and balancing" between privacy and fundamental rights and freedoms. Consequently, instead of anchoring to the idealization of consent as the only legal basis suitable for legitimizing the commercial exploitation of personal data, the focus should be on the accountability of the controllers of the processing as well as safeguarding data-driven fundamental rights and freedoms, without suffocating, but indeed encouraging economic initiative and innovation.

Research paper thumbnail of Evolution of Data Protection Norms and Their Impact on the Internet of Things

Internet of things, 2019

This chapter will provide an overview of international data protection norms. It will specificall... more This chapter will provide an overview of international data protection norms. It will specifically discuss and explain the recent evolution in Europe with the adoption of the European General Data Protection Regulation and its impact on other countries. It will clarify the main concepts and the differences among the various geographic areas.

Research paper thumbnail of Public Administration using algorithms: a landmark decision of the Italian Council of State

Research paper thumbnail of Economic Valorisation of Personal Data and Legal Bases: For a "Digital Privacy New Deal

CERN European Organization for Nuclear Research - Zenodo, Sep 28, 2022

This article considers the possibility of an economic valorisation of personal data without the c... more This article considers the possibility of an economic valorisation of personal data without the consent of data subjects but rather, alternative legal bases such as article 6(1)(b) of the GDPR (performance of a contract), or article 6(1)(f) GDPR (legitimate interest of the controller). For article 6(1)(b), the concept of exchange-commerce and RTM is contemplated, where consideration is paid by the data subject, allowing (like a license) the temporary use of some personal data for profiling and/or marketing purposes by the controller. While several remuneration models can exist, the main focus of jurists should be on making these models safe and balanced for data subjects, rather than prohibiting them. Moreover, when considering the legitimate interest of the controller, rather than it being recognized only as a 'quasi' right if harmless and indifferent to the rights of data subjects, this legal base can implement the "bridge of crossing and balancing" between privacy and fundamental rights and freedoms. Consequently, instead of anchoring to the idealization of consent as the only legal basis suitable for legitimizing the commercial exploitation of personal data, the focus should be on the accountability of the controllers of the processing as well as safeguarding data-driven fundamental rights and freedoms, without suffocating, but indeed encouraging economic initiative and innovation.

ECONOMIC VALORISATION OF PERSONAL DATA AND LEGAL BASES: FOR A “DIGITAL PRIVACY NEW DEAL”

Diritto, Economia e Tecnologie della Privacy - ISSN 2239-7671, 2022

This article considers the possibility of an economic valorisation of personal data without the consent of data subjects but rather, alternative legal bases such as article 6(1)(b) of the GDPR (performance of a contract), or article 6(1)(f) GDPR (legitimate interest of the controller). For article 6(1)(b), the concept of exchange-commerce and RTM is contemplated, where consideration is paid by the data subject, allowing (like a license) the temporary use of some personal data for profiling and/or marketing purposes by the controller. While several remuneration models can exist, the main focus of jurists should be on making these models safe and balanced for data subjects, rather than prohibiting them. Moreover, when considering the legitimate interest of the controller, rather than it being recognized only as a 'quasi' right if harmless and indifferent to the rights of data subjects, this legal base can implement the "bridge of crossing and balancing" between privacy and fundamental rights and freedoms. Consequently, instead of anchoring to the idealization of consent as the only legal basis suitable for legitimizing the commercial exploitation of personal data, the focus should be on the accountability of the controllers of the processing as well as safeguarding data-driven fundamental rights and freedoms, without suffocating, but indeed encouraging economic initiative and innovation.

TRASPARENZA DEI DATI E TUTELA DELLA PRIVACY [Data Transparency and Privacy Protection]

Giuffrè Francis Lefebvre, 2022

Essay included in the treatise "Responsabilità, rischio e danno in sanità" (Liability, Risk and Damage in Healthcare).

La responsabilità civile nel trattamento di dati personali e per atti di cybercrime [Civil liability in the processing of personal data and for acts of cybercrime]

Giuffrè, 2018

Essay included in the treatise "Responsabilità civile dei professionisti e degli altri imprenditori" (Civil Liability of Professionals and Other Entrepreneurs).

Il Futuro dei dati personali nel Metaverso [The Future of Personal Data in the Metaverse]

Diritto, Economia e Tecnologie della Privacy, 2022

The Metaverse will materialise around us a new world, enlivened by a continuous flow of information and images, including personal data such as human characteristics and inferred data. For our part, we will continue to reflect and to ask ourselves many questions about its implementation, its functioning and the role it will play in the future of our daily lives, in particular from the point of view of its possible impact on our rights and freedoms. Specifically, with regard to personal data protection, in the preceding pages we have already asked how the conceptual categories laid down in the GDPR will be able to apply and how all the principles and safeguards established therein can be put into effect.

It can now be observed that these questions will probably have to be framed and resolved, beyond and more than in terms of regulation and legal enforcement, also through recourse to so-called industry standardization, that is, by letting the market and its competitive dynamics bring out technological and conduct rules and standards suited to the novelties and peculiarities of the Metaverse's dynamics. After all, the Metaverse will not be a social platform belonging to a single brand, like those we are used to today, but will constitute a new, complex environment in which many platforms, small, medium and large, will be called upon to operate and interact. In this sense, the most adequate guarantees and forms of protection for the rights and freedoms of data subjects may also arise and develop within the market and as a result of competitive synergies which, even through inevitable trial and error, will shape policies and contractual regulations destined gradually to settle into general practice.

While many questions still remain unanswered, we can nonetheless confirm with enthusiasm that there are also very high expectations for a parallel increase in rights and opportunities for the benefit of us all. We must therefore look to the future of the Metaverse with positivity, as well as with rational lucidity.

The future of personal data in the Metaverse

Diritto, Economia e Tecnologie della Privacy - ISSN 2239-7671, 2022

On the occasion of the Privacy Symposium 2022 in Venice, an Italian Institute for Privacy and Data Valorisation’s new open access paper has just been published: “The future of personal data in the Metaverse“. It relates to the complex aspects of the protection of rights, freedoms and personal data in the Metaverse.

This thought-provoking legal study deals with intriguing questions of high interest for the future of digital regulation, such as: What is the nature of human characteristics’ data? How should we consider inferred data? How to legitimise personal data processing in the Metaverse? The study also analyses possible “augmented impacts” on individuals, aiming to frame, from a brand new juridical perspective, secondary uses and data sharing in the Metaverse. Finally, a reflection on the potential bright side, focusing on “augmented rights” which could be enabled by virtual and augmented reality, unlocking the value of the Metaverse.

Co-authors of this paper are Luca Bolognini, President of the Italian Institute for Privacy and Data Valorisation (Istituto Italiano per la Privacy e la Valorizzazione dei Dati – IIP – Rome – Italy) and Marco Emanuele Carpenelli, Fellow of the IIP.

Enabling Crowd-sourcing-based Privacy Risk Assessment in EU

Proceedings of the 21st Pan-Hellenic Conference on Informatics

Personal data have become a merchandisable asset, encouraging stakeholders to collect and trade them without end-users' awareness and acceptance. Although the EU is adapting the legal framework, the extent of applications, most of which are developed outside EU jurisdiction, strongly limits the possibility of effectively imposing a privacy-protection framework globally. The Privacy Flag project researches and combines the potential of crowdsourcing, ICT technologies and legal expertise to enable citizens to monitor and control their privacy.

IoT and Cloud Computing: Specific Security and Data Protection Issues

Internet of Things Security and Data Protection

9. Data Protection Compliance Requirements for the Internet of Things

Voluntary Compliance Commitment Tool for European General Data Protection Regulation

Internet of Things Security and Data Protection, 2019

This chapter will discuss and present a new model of voluntary compliance commitment tool to bridge legal gaps between European and non-European legislations, with a focus on data processing of IoT data. This tool was developed in the context of the H2020 Privacy Flag project (http://privacyflag.eu/) that intended to develop a collective privacy protection framework enabling citizens to better control and protect their personal data. In addition to a set of tools and solutions enabling the data subjects to collectively assess and control the level of risk for their privacy in the context of web, smartphone apps and Internet of Things deployments, Privacy Flag also researched and developed a voluntary legal binding mechanism for companies located outside of Europe to align with and abide by European standards in terms of personal data protection.

Do you feel like biting the apple? Privacy as the «right of human Self» in the age of Artificial Intelligence and Augmented Reality

Digital Services Act e Digital Markets Act [Digital Services Act and Digital Markets Act]

Giuffrè Francis Lefebvre, 2023

Generazione Selfie [Selfie Generation]

Corriere della Sera, 2014

The selfie generation, the protagonist of this pamphlet, is that of the young people born after 1975: very tech-savvy and little inclined to concrete risk (and much inclined to theoretical dreaming), a population of ambitious outsiders with neither numbers nor a voice in politics, whether out of wishful ambition or out of selfishness. The author, Luca Bolognini, is one of them, but his book is at once a confession and a pamphlet. It is a j'accuse against those who claim to change things while looking only to their own backyard, and an appeal to younger people to lift their eyes from their smartphones and get their hands dirty, including with politics, because fighting the monstrous tangle of privileges and public debt inherited from their fathers takes more than 140-character messages and opinions posted on blogs: it requires sharing different realities face to face and advancing concrete proposals, building around them the consensus, not merely virtual, of many other people. How? By starting precisely from a generational coalition of men and women who share not only their age and technological habits but also the interest and the need to assert themselves and to reverse the course of a society in decline.

CODICE DELLA DISCIPLINA PRIVACY [Code of Privacy Regulation]

Giuffrè Francis Lefebvre, 2019

The volume offers an organic reading of the current rules on privacy and personal data protection, today extremely fragmented and vast in the EU and in Italy, thus allowing an immediate interpretation of the subject through the combined analysis of European and national legislation, as well as of the measures of the Italian Data Protection Authority (Garante). The work, unique of its kind in scope and indispensable for guiding the jurist in understanding this complex discipline, consists of five parts: - the first part contains a combined reading of the European legislation on personal data protection (Regulation (EU) 2016/679) and the national legislation (Legislative Decree 196/2003 and Legislative Decree 101/2018); - the second part analyses the Italian rules on e-privacy, commenting on the relevant articles of Italian legislation and the measures of the Garante; - the third part provides an in-depth commentary on Legislative Decree 51/2018, implementing Directive 680/2016 (EU), concerning processing for the purposes of the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties; - the fourth part comments on the articles governing measures for the security of network and information systems (in particular, the so-called NIS legislation); - the fifth part contains an interpretative reading, in terms of compatibility with Regulation (EU) 2016/679, of the rules of professional conduct, authorisations, guidelines and general measures of the Garante per la Protezione dei Dati personali, both new and older.

PRIVACY E LIBERO MERCATO DIGITALE [Privacy and the Free Digital Market]

Giuffrè Francis Lefebvre, 2021

Convergence between regulations and individual protections in the data-driven economy. This is a book devoted to the convergence between regulations in the data-driven market and to the balance between the rights to privacy and personal data protection and other interests, rights and freedoms. We start from an observation: every process, in any public or private sector, is driven by information and travels along electronic routes; much of what drives civil, social and economic relations, between subjects and between objects, is by now transformed into immaterial data and translated back into material elements, and vice versa. Paraphrasing the Vulgate Bible, one could say: memento, homo, quia data es, et in data reverteris. The more everything has been datafied, the more the macro-discipline of privacy has become the legal basis and premise for the lawfulness and legitimacy of entrepreneurial, professional and institutional action, and of purely personal action too, and has proved relevant to other fields: think of the regulation of competition and the market, of pluralism of information and communications; but also of financial and insurance regulation, or of the world of cybersecurity, international standards and certification mechanisms in the most varied fields. No regulatory discipline can, at this point, do without considering respect for individuals' personal data and privacy in its own assessments on the merits. And the reverse is also true.
Among the protagonists of the 18 “legal stories” addressed here, you will meet analogue institutions chasing disruptive digital solutions; connected things that rely on distributed ledgers to track and give value to inter-object transactions; public-private partnerships for smart services to citizens; different European, US and Anglo-Saxon legislative approaches to defending users and consumers, as individuals or as a class, from spam and unfair data processing practices; hybrid prosumers, between private life and self-employed or subordinate work; new-generation certifications; free movement of data and strategic alliances between local SMEs and global Big Tech; digital billboards that observe, listen to, measure and profile those who look at them or physically pass by; virtual currencies or monetised data in exchange commerce; Artificial Intelligence systems regulated like medicines. In short, this is not meant to be a volume for privacy specialists alone: it is, rather, a book for innovators of law and explorers of unprecedented regulatory currents.

IL REGOLAMENTO PRIVACY EUROPEO [The European Privacy Regulation]

Giuffrè, 2016

Commentary on the new rules on personal data protection. This volume is a complete commentary on Regulation (EU) 2016/679, already in force but applicable from 25 May 2018. It is addressed not only to lawyers and judges but also to in-house counsel, managers, researchers and the institutional bodies affected by the legislation. The work, designed to be read at several levels and therefore not only as a tool for "insiders", explores all the novelties of the rules, such as the principles of accountability and data protection-by-design, the right to personal data portability, the figure of the sub-processor, that of the data protection officer, the privacy impact assessment (DPIA), the general obligation to notify and communicate data breaches, and the detailed sanctions framework, without thereby giving up analysing the conceptual foundations of the subject (information notice, consent, conditions of lawfulness, roles, rights) as reshaped by the European legislator. The book addresses topics of concrete interest to practitioners, such as the material and territorial scope of the Regulation, the transfer of data outside the EU/EEA, the applicable national law (special part), administrative and judicial remedies, and compensable damage. Many topics are close to the business world, such as certifications, binding corporate rules (BCR) and codes of conduct. The work is enriched by reflections on cutting-edge or otherwise topical issues: the relationship between privacy and mass surveillance, profiling, the Internet of Things, Big Data, 3D privacy and data protecy, cloud computing, social networks, the re-use of data, and freedom of expression and information.

CODICE PRIVACY: TUTTE LE NOVITÀ DEL D.LGS. 101/2018 [Privacy Code: All the Changes Introduced by Legislative Decree 101/2018]

Giuffrè Francis Lefebvre, 2019

The work is a first reading of the changes introduced by Legislative Decree 101/2018, which adapted national legislation (the so-called Privacy Code) to the changed framework of European rules on personal data protection. In the appendix, a table comparing the new and old text of Legislative Decree 196/2003 makes it possible to summarise and catalogue all the amendments introduced. The following are covered in particular: special categories of personal data; inspections, investigations and administrative sanctions; new criminal offences introduced by Legislative Decree 101/2018; national rules and rules of professional conduct for processing in the employment relationship; processing of data for substantial public interest; validity of a minor's consent in information society services.

Deontologia privacy per avvocati e investigatori privati [Privacy professional ethics for lawyers and private investigators]

Giuffrè, 2009

Commentary on the Code of ethics and good conduct for the processing of personal data for the purposes of defence in legal proceedings.

The Art of Privacy. Metaphors on (non-) compliance in the data-driven era

Rubbettino, 2022

What do Titian and Leonardo da Vinci have to do with privacy and (non-) compliance with rules in the era of digital data and algorithms? What do Canaletto’s and Guardi’s vedute have to do with due diligence, or Pietro Longhi’s rooms with smart working? What connects a 16th Century court artist and a 21st Century Data Protection Officer? Can a painter be entirely artificial and non-human, and can a still life be made up – instead of flowers, wildfowl, and bottles – of hardware, software, and obsolete documents? Is an electronic work of art just art or can it hide, or even constitute in and of itself, valid legal titles? Is a copy – of a painting or a legal document – always a forgery and an objectionable offence? In this engaging exploration, which spans centuries of art from its most ancient forms to today’s crypto art, the author – a data protection lawyer and collector – takes us on an extraordinary metaphorical journey, interweaving the sense of beauty and the common sense of regulations, compliance and creativity, the aesthetics of innovation and of penalties. 75 years after Carnelutti’s Art of Law, The Art of Privacy is a unique book that already promises to become a classic of legal literature in years to come. It succeeds in providing the “key of imagination” for scholars, legal consultants, and business managers to free themselves from their specialist cages, while also intriguing and challenging digital art enthusiasts.

A.I. Artificial Insanity, Reflections on the resilience of human intelligence

Book, Rubbettino, 2019

Extract from the pamphlet A.I. – Artificial Insanity. Human Intelligence vs. Artificial Intelligence. A slim book, but one that is brimming with the future, with a global reach, an enjoyable read that will appeal to a wider audience, not just tech or legal experts. It condenses the thoughts of the author – one of the leading European experts in privacy and data rights – and his reflections on the digital world and its rules. Easy to read in a few short hours, original and politically incorrect, for anyone interested in finding their way in the era of the Internet of Things and Big Data algorithms. This brief book offers a visionary but adept perspective on the scenarios that await us (and that, in part, we are already experiencing): an abridged yet unadulterated, open-minded and, at times, un-PC analysis of our “Destiny 4.0”. A destiny shaped by cold, robotic hyper-rationality, perhaps or… perhaps not. Hence the title: Artificial Insanity, a snipe at the relentless, all-pervading Artificial Intelligence. For a “rule of human law”.