Italy: Court of Cassation rules that algorithm must be transparent for consent to be valid
The Italian Court of Cassation issued, on 25 May 2021, its judgment in Garante per la Protezione dei Dati Personali v. Associazione Mevaluate Onlu, in relation to the Italian data protection authority's ('Garante') 2016 order to Mevaluate Italia s.r.l., which was originally quashed by the Court of Rome, to suspend the implementation of its online Artifical Intelligence system capable of analysing documents voluntarily uploaded by users to provide reputational ratings of said users.
In particular, the Court of Cassation quashed the ruling of the Court of Rome which had held that the system was lawful as data subjects had provided their consent, and accepted the appellant's arguments that the lack of transparency regarding Mevaluate's algorithms invalidates such consent, thus exposing violations of Article 8 of the EU Charter of Fundamental Rights and Articles 7, 11, 13, 23 and 26 of Legislative Decree No. 196 of 2003, and Articles 5 and 7 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). More specifically, the Court of Cassation held that consent can only be valid if the data subject is appropriately informed about the purposes of processing and freely and specifically expresses their consent to the same. Further to this, the Court of Cassation held that consent cannot be considered to be informed if the logic involved in the algorithm remains unknown to the data subjects, as was the case in Mevaluate reputational ranking system.
Therefore, the Court of Cassation quashed the Court of Rome's ruling and ordered that the case be referred back to the Court of Rome, in a different composition, for a new examination, and that the aforementioned principles (i.e. that algorithmic transparency is required for informed consent) be applied in such examination.