We are approaching the summer period, an optimal time to draw some conclusions related to this first part of 2025, with a critical and never trivial look.
Personal Data
We have a cultural deficit regarding personal data that can be considered ‘serious’, to say the least. A recent example is the case of Chiara Poggi, in which newspapers, television stations, and YouTube channels began to divulge images of all kinds, to the point of prompting the Data Protection Authority to issue an urgent measure (number 10149350), followed by a press release containing the sentence:
also in view of the violence inflicted on the victim – would seriously harm her dignity and that of her family members.
That phrase, ‘would seriously harm her dignity and that of her family members’, is the subject of discussion. A well-known morning TV programme, during an episode in which it tried to give itself a journalistic and investigative tone, showed the interior of the house, zooming in on every single trace of blood. Blood on the floor, blood on the walls, blood on the telephone, and the camera zoomed in to magnify each of those stains, projecting them into the homes of Italian viewers. This phenomenon has many names, one of the most common being ‘television of pain’; in the opinion of the writer it is simply called ‘squalor’, and the Guarantor is right: the dignity of the Poggi family has already been damaged, and greatly so.

We have shown – once again – that we have not understood the management of personal data at all, not in the legal sense but in the social sense. Those who have complained about the GDPR from the outset have failed to understand that the issue of personal data management lies precisely on the latter level; by betraying the ‘dignity’ factor, one does far more extensive damage than mere non-compliance with the rule. But the preservation of dignity interests few, and the results are now projected daily on social networks.

Cybersecurity
The subject of NIS2, its merits and demerits, its successes and failures, has already been dealt with extensively on this site, but perhaps it is worth clarifying the picture. To date, many public and private organisations impacted by NIS2 have been the target of hacker attacks and, in most cases, these attacks were not very different from those of the past. As a result, companies, even months after the Directive came into force, have continued to prefer capital accumulation to investment in cybersecurity. Among them, for instance, are companies involved in the production of weapon systems, the chemical industry, and the human and animal food chain; industrial production has been attacked several times. In many cases, the logos of international standards stand out on the websites of the affected companies, and one reads acronyms such as ISO 9001, ISO 27001, ISO 27005, much vaunted and apparently guarantors of quality and security.
The certifications extolled by the companies, among other things, proved to be completely unobserved when analysing the findings of the attacks. In many cases, the files were handled in such a crude and boorish manner that the most common rules of computer hygiene were flouted. What was perhaps most surprising, however, was the sense of disinterest shown by some targets: there were cases in which public administrations, in full violation of the GDPR, even months later, refused to publish data breach notices, advertising sports events instead. Journalists themselves, when they asked specific questions, received no answers. The reality of the facts is therefore this: for many companies cybersecurity is a picklock to generate profit and nothing more.

This does not work.
We always point the finger at the legislation, but the problem is us: it is our relationship with this data, because we fail to feel its importance, its value. Speaking metaphorically, imagine putting a transparent liquid in a test tube and telling a person to carry it from one room to another: he will do it quickly and without problems. Try saying instead that it is nitroglycerine, and the person is unlikely to carry the test tube with the same calmness; when one is aware of the value of what is to be handled, one’s perception and attitude change profoundly. This change, however, is not easy and must be sought after and desired.
Institutions also have their responsibility. 2025 was the year in which the National Cybersecurity Agency provided inappropriate answers to a citizen who reported a data breach against politicians and other public figures. On that occasion it demonstrated a strong inadequacy to represent such an important sector, one that deserves proper attention, and above all it betrayed an institutional relationship with the citizen. A serious episode that, until then, had never occurred.
Recently, there has been an in-depth look at the work of the Observatory on the Law of New Technologies, which, for example, develops projects to make the youngest segment of the population (e.g. ITIS students) literate and aware, in order to bring them into contact with the social and entrepreneurial problems arising from the betrayal of those norms (but above all those values) mentioned above.
Conclusions
What people fail – or don’t want – to understand is that the GDPR is a complex and profound regulation because it runs on different planes and not on a simple ‘if this happens, do this’. It is a matter of planes of application, where each case is different and must be analysed before it can be adopted. This reflection requires time and willpower, two aspects that are very little considered in a society that races to grab records of dubious value.
As long as computer security, personal data and everything revolving around these worlds are understood as ‘obligations to be fulfilled’, an adequate protection response will never be achieved.