Contribution by Nicola Fabiano and Filippo Bianchini

Identity theft is not a new issue: the phenomenon is ancient.

In Italy, a definition of the phenomenon was provided by Article 30-bis of Legislative Decree no. 141 of 13/8/2010, concerning “Implementation of Directive 2008/48/EC on credit agreements for consumers, as well as amendments to Title VI of the Consolidated Banking Act (Legislative Decree no. 385 of 1993) regarding the regulation of operators in the financial sector, agents in financial activities and credit brokers”. The aforementioned Article 30-bis (entitled “Definitions”) states:

“1. For the purposes of this legislative decree, identity theft means: a) total impersonation: total concealment of one’s identity through the improper use of data relating to the identity and income of another person. Impersonation may concern the improper use of data referable both to a living person and to a deceased person; b) partial impersonation: partial concealment of one’s identity through the combined use of data relating to one’s own person and the improper use of data relating to another person, within those referred to in letter a)”.

These definitions, however, are confined to identity theft in the context of financial activities. This is understandable given that credit fraud committed through identity theft in Italy is growing steadily: cases rose from 25,300 in 2015 to 26,100 in 2016 and to over 26,600 in 2017, for an economic loss exceeding 153 million euros (source: CRIF Observatory - Mister Credit on identity theft and credit fraud in Italy).

Law 71/2017, containing “Provisions for the protection of minors for the prevention and contrast of the phenomenon of cyberbullying”, also mentions identity theft: Article 1 includes “any form of […] identity theft” within the term «cyberbullying».

There is, however, no general definition of this phenomenon, especially if we consider digital identity, which Legislative Decree 82/2005 (Digital Administration Code - CAD) defines as “the computerized representation of the correspondence between a user and their identifying attributes, verified through the set of data collected and recorded in digital form according to the methods established in the implementing decree of Article 64”.

In jurisprudence, rulings on the matter variously identify identity theft in the use of another person’s document (Civil Court of Cassation, section III, judgment no. 3350 of 11/02/2009; Civil Court of Cassation, section II, judgment no. 7464 of 26/03/2018), in opening a fake Facebook profile (Criminal Court of Cassation, section V, judgment no. 5352 of 22/11/2017), in the improper use of other people’s credit cards (Criminal Court of Cassation, section II, judgment no. 41777 of 30/09/2015), in “mobile phone infection” (Criminal Court of Cassation, vacation section, judgment no. 46385 of 10/09/2013), as well as in the conduct of those who have unduly exploited a wireless network to post a defamatory text (Criminal Court of Cassation, section V, judgment no. 8275 of 29/10/2015).

In this context, we intend to highlight the “identity theft” phenomenon in its correlation with personal data protection. From that perspective, identity theft emerges as a consequence of a data breach and, therefore, as a risk hypothesis. EU Regulation 2016/679 (GDPR) explicitly refers to identity theft only in its recitals, specifically:

(75) The risks to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or immaterial damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage;
(85) A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or immaterial damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned;
(88) When establishing detailed arrangements for the format and procedures applicable to the notification of personal data breaches, due consideration should be given to the circumstances of that breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively to limit the likelihood of identity theft or other forms of misuse. Moreover, such arrangements and procedures should take into account the legitimate interests of law enforcement authorities where early disclosure could unnecessarily hamper the investigation of the circumstances of a personal data breach.

The GDPR thus mentions identity theft essentially in three contexts:

  1. risks to the rights and freedoms of natural persons
  2. personal data breach
  3. notification of personal data breaches

In the first case (recital 75) the GDPR indicates identity theft (alongside identity fraud) as a source of risk to the rights and freedoms of natural persons in the context of processing. This qualification, preliminary to the other two cases, reinforces the importance of risk analysis, during which the likelihood and impact of such situations and the countermeasures to be adopted must be assessed.

If there is then a high risk to the rights and freedoms of natural persons, a data protection impact assessment is required pursuant to Article 35 et seq. of the GDPR. Recital 85, on the other hand, concerns the consequences of a personal data breach (Article 33 GDPR) and, in particular, identity theft: breached data can be used for criminal activities such as identity theft. Finally, the GDPR refers to identity theft in recital 88, which concerns the notification of the personal data breach (Article 33) and expressly calls for an analysis of the circumstances of the breach to assess which appropriate technical protection measures had been adopted to effectively limit the phenomenon. This specification indicates that the controller or processor must evaluate the identity theft risk in advance by adopting appropriate technical protection measures.

Therefore, from reading the aforementioned recitals there emerges, on the one hand, the specific attention of the European legislator to the identity theft phenomenon and, on the other, the need to consider the related risk in the assessment phase and in the subsequent monitoring of personal data processing. The identity theft phenomenon can take on different forms, as shown in the following non-exhaustive scheme.

As noted, identity theft is a consequence of a personal data breach, whose causes can be multiple. By way of example only, a non-exhaustive scheme of the main causes that can lead to identity theft is reported below.