PRIVACY AUTHORITY V. BOCCONI: THE SUPREME COURT DECIDES.

With ruling no. 12967, published on 13 May 2024, the First Civil Section of the Court of Cassation ruled on the use of artificial intelligence systems: the use of technology for the supervision of exams must be accompanied by a rigorous assessment of the impact on data protection and by documented and accessible security measures.

In 2021, Bocconi University had used the “Respondus” software during remote exams, through which it collected and analyzed biometric data such as videos and photos of students.

By order no. 317 of 16 September 2021, the Data Protection Authority had held that the University violated Arts. 5(1)(a), (c) and (e), 6, 9, 13, 25, 35, 44 and 46 of the GDPR, as well as Art. 2-sexies of the Privacy Code. It had issued prescriptions requiring the University to comply with the GDPR and imposed on it an administrative fine of € 200,000, together with the ancillary sanction of publication of the measure itself on the website of the Data Protection Authority.

The measure was then appealed before the Court of Milan, which had substantially accepted Bocconi’s reasons and reduced the fine to € 10,000, considering that the collection of these images did not constitute the processing of biometric data, but of common data, and that the biometric model comparison was not performed by the software. The Court of Milan had also held that the agreement in place with the supplier company, Respondus Inc., prevented the international transfer of personal data and that compliance with the provisions (which provided for the pseudonymization of data) was suitable to guarantee data subjects protection adequate to European standards.

The decision of the Court of Milan was appealed by the Italian Data Protection Authority before the Supreme Court. With ruling no. 12967/2024, the Supreme Court, recognizing the validity of the concerns of the Data Protection Authority regarding the processing of biometric data and the protection of students’ personal data, overturned the decision of the Court of Milan, establishing that:

–   the processing of biometric data includes any automated processing of physical, physiological, or behavioral characteristics to uniquely identify a person;

–   security measures must be specific and accessible to interested parties; and

–   the international transfer of data must comply with the standard contractual clauses, ensuring protection adequate to European standards.

The Supreme Court ordered the Court of Milan to re-examine the case.

This case highlights the importance of personal data protection and European regulations, especially in educational and remote monitoring contexts. Educational institutions must ensure that any technology used complies with GDPR standards, protecting students’ rights and ensuring transparency and trust in the educational system. The use of technology for exam supervision must be accompanied by a rigorous assessment of its impact on data protection and by documented and accessible security measures. This case underlines the importance of careful and aware management of biometric data, with significant legal and ethical implications for all institutions handling sensitive personal information.

DISCLAIMER: This newsletter merely provides general information and does not constitute legal advice of any kind from Macchi di Cellere Gangemi. The newsletter does not replace individual legal consultation. Macchi di Cellere Gangemi assumes no liability whatsoever for the content and correctness of the newsletter.