Privacy Guarantor V. Bocconi

THE SUPREME COURT DECIDES.

By Macchi di Cellere Gangemi.

With judgment no. 12967, published on 13 May 2024, the first civil section of the Court of Cassation ruled on the use of artificial intelligence systems: the use of technology for proctoring exams must be accompanied by a rigorous assessment of the impact on data protection and by documented and accessible security measures.

In 2021, Bocconi University had used the “Respondus” software during remote exams, through which it collected and analyzed biometric data such as videos and photos of students. By provision no. 317 of 16 September 2021, the Guarantor had held that the University violated Articles 5(1)(a), (c) and (e), 6, 9, 13, 25, 35, 44 and 46 of the GDPR and Art. 2-sexies of the Privacy Code. It had ordered the University to bring the processing into conformity with the GDPR and had imposed an administrative fine of € 200,000, together with the ancillary sanction of publication of the measure itself on the Guarantor's website.

The measure was then challenged before the Court of Milan, which had substantially accepted Bocconi’s reasons and reduced the fine to € 10,000, considering that the collection of these images did not constitute the processing of biometric data, but of common data, and that the comparison of the biometric model was not implemented by the software.

From another point of view, the Court of Milan had held that the agreement in place with the supplier company, Respondus Inc., prevented the international transfer of personal data and that compliance with the provisions (which provided for the pseudonymization of data) was suitable to guarantee data subjects adequate protection with respect to European standards. The decision of the Court of Milan was appealed by the Guarantor Authority before the Court of Cassation. With judgment 12967/2024, the Court, recognizing the validity of the Authority’s concerns regarding the processing of biometric data and the protection of students’ personal data, overturned the decision of the Court of Milan, establishing that:

– the processing of biometric data includes any automated processing of physical, physiological or behavioural characteristics to uniquely identify a person;

– security measures must be specific and accessible to stakeholders; and

– the international transfer of data must comply with the standard contractual clauses, ensuring adequate protection to European standards.

The Court ordered the Court of Milan to re-examine the matter.

This decision highlights the importance of personal data protection and European regulations, especially in educational and remote monitoring contexts. Educational institutions must ensure that any technology used complies with GDPR standards, protecting students’ rights and ensuring transparency and trust in the education system. It is irrelevant whether the final outcome of the processing is subsequently subjected to final verification by a natural person.

The use of technology for exam proctoring must be accompanied by a rigorous data protection impact assessment and documented and accessible security measures. This case highlights the importance of careful and conscious handling of biometric data, with significant legal and ethical implications for all institutions that process sensitive personal information.
