While the final term to align with the General Data Privacy Regulation1 (“GDPR”) is fast approaching (only a handful of months remain until the deadline of 25th May 2018) and companies and business undertakings are engaged in a significant effort to satisfy the several new requirements, new local legislation on data protection is being published on the Italian Official Gazette and new guidelines are expected for early March from the Italian data protection authority (“DPA”)2.
However, as you may read below, some of the new Italian provisions may raise some concern and have been subject to criticism.
Only a few days ago, on the 24th January 2018, the EU Commission in its Communication to the EU Parliament and the Council reiterated and underlined that the GDPR must be the “one single set of rules for citizens and business” subject to “uniform and consistent application in all Member States”. In fact, “the GDPR is the opportunity to simplify the legal environment, and so have fewer national rules and greater clarity for operations”. Also, “it is important to give operators enough time to prepare for all the provisions they have to comply with”. It is questionable whether the recent enactment of several new Italian data privacy provisions, just a few months before 25th May, is consistent with such indications.
It should be considered that back in 2012, by means of Law no. 234/2012, Italy reformed the internal procedures to ensure the State’s participation to the European Union decision making processes, and to satisfy the obligations originating from the membership to the EU. Since then, every year the Italian legislator is called to discuss and approve two distinct laws:
• the European Delegation Law, and
• the European Law.
With regard to the first, the Parliament delegates the Government to transpose into Italian law and implement EU Directives, Framework Decisions, and other EU provisions which are not directly applicable.
On the other side, with regard to the second, the Parliament directly coordinates Italian and EU legislation, by repealing and amending national laws in accordance with EU law.
Significant provisions that have a strong impact on data protection are contained in both the Italian European Delegation Law and European Law 2017.
The annual European Delegation Law (Law no. 163/2017) conferred a mandate on the Government (Article 13) to issue – by the 21st May 2018 - one or more legislative decrees which shall:
a) Repeal or amend the rules of Legislative Decree 196/2003 (the so called Italian “Privacy Code”) which are non-compatible with the GDPR;
b) Coordinate the system of administrative fines set forth by the Privacy Code with the one in the GDPR, and exercise the delegation contained therein (article 84 GDPR) by introducing other (criminal) penalties, which shall be “effective, proportionate and dissuasive”;
c) Coordinate any other national law regulating data protection issues with the GDPR;
d) Provide for the necessary conferral of powers to the Italian DPA in order to integrate and complement the data protection legal framework through its administrative provisions, authorizations and decisions of general application.
The effect will be that on the 21st May (only few days prior to the term of definitive entry in force of the GDPR, set for the 25th May 2018) fundamental Italian decrees are expected to be issued by the Government. Those decrees may significantly alter the legal framework and force Italian businesses to catch up with the new provisions very quickly.
A few weeks before the delegation of authority to the Government described in the previous paragraph, the Parliament approved the European Law 2017 (Law no. 167/2017), whose Article 28 amends Article 29 of the Privacy Code and introduces a new Article 110-bis.
a) A new paragraph 4-bis of Art. 29 of the Privacy Code now stipulates that the data processor shall be engaged by the controller by contract or appointment letter, which must : (i) the subject matter of the processing, (ii) the relevant purposes pursued, (iii) the duration of the processing, (iv) the categories of data, as well as (v) the rights and obligations of the data processor.
As a consequence, it is necessary that data controllers review and control all the engagements of internal and external data processors (e.g., agencies in charge of payroll, IT services, prize contests, etc.) to check that the content of the engagements comply with the list above3.
b) The new Article 110-bis in the Privacy Code concerns, regards the “Reuse of data for scientific research and statistic purposes” and provides that the Italian DPA may authorize the secondary use of personal data, including health data (but with the exclusion of genetic data), for scientific research or statistic purposes, on condition that the data undergoes minimization and anonymization processes which are able to protect data subjects’ interests. The DPA’s authorization, due within 45 days from the day the request is lodged, shall set forth the conditions and necessary measures that the controller has to implement to protect the data subjects’ rights and freedoms.
The provision is difficult to coordinate with the GDPR4. The Italian provisions, in fact, on one hand seem to disregard the presumption of compatibility of the re-use of health data for research purposes provided for by the GDPR, and on the other hand require the authorization of the DPA, which appears in contradiction with the principle of self-accountability of data controllers (i.e., no ex ante authorisations but ex post responsibility in case of breach).
On the 29th December 2017, a few days prior to the end of the year, the Italian Parliament came back again on data protection and introduced a series of provisions which seem neither coordinated with the GDPR nor with the Privacy Code. In particular, the Parliament entrusted the Italian DPA to issue one or more decisions by the end of March 2018, which shall:
a) Set out rules on how the same DPA will enforce the GDPR;
b) Regulate the adoption of interoperable formats by the data controller with a view to consenting the data portability from a controller to another upon request of the data subject;
c) approve a disclosure model for the processing of personal data through new technologies and automated tools based on the legitimate interest of the data controller (i.e. without obtaining the consent of the data subject);
d) Set-out guidelines and good-practices on personal data processing based on the legitimate interest of the data controller.
The law has raised some criticism. However, it seems to impose additional requirements not provided by the GDPR that will need to be applied within Italy.
Once again, the fact that such important rules will only appear in March 2018 cause some concern as data controllers must fully comply with the GDPR by end of May 2018.
The Budget Law 2018 also seems to impose additional obligations on companies, not envisaged by the GDPR.
Moreover, the law seems to go beyond the GDPR in as much as it seems to set an obligation to adopt interoperable formats for data portability while the GDPR never imposed an obligation to ensure the interoperability on the data controllers5.
In addition, the subsequent paragraphs (1022 and 1023) of the Budget Law introduce a special prior notification mechanism to the DPA in case of personal data processing carried out through new technologies and automated means which are based on the legitimate interest of the data controller; but these rules are at odds with the general framework devised by the GDPR for “critical” data processing6. Indeed, the GDPR in certain cases require the data controller to carry out a self-assessment7 and to consult the DPA, but only when the residual risk of such processing is high and upon initiative of the controller and not, in general, with prior notification to the DPA that triggers and ex ante supervision by said authority not aligned with the GDPR.
While of course everyone expects that the Italian DPA will introduce rules that are fully consistent with the European framework and do not create overlaps or frictions with the GDPR (a principle emphasized by the European Commission in its recent Communication), companies processing personal data in the EU should be vigilant with respect to the new rules that will come into force in the forthcoming months.
1 Regulation (EU) 2016/679 of the European Parliament and of the Council.
2 Garante per la protezione dei dati personali.
3 The same new paragraph 4-bis adds that such engagements may be drawn from standardized models adopted by the supervisory authority.
4 Article 9, paragraph 2 let. J) and Recital 50 of the GDPR allows the processing of health data when the “processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”, whereas Recital (50) explains that “The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required. (…) Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations. The legal basis provided by Union or Member State law for the processing of personal data may also provide a legal basis for further processing (…)”.
5 Recital 68 construes the right to data portability in accordance with Article 20 GDPR by pointing out that «(…) Data controllers should be encouraged to develop interoperable formats that enable data portability. (…) The data subject's right to transmit or receive personal data concerning him or her should not create an obligation for the controllers to adopt or maintain processing systems which are technically compatible».
6 i.e. those that imply the use of potentially invasive technological solutions which may result in the monitoring or profiling of data subjects, or those entailing the processing of special categories of data on a large scale.
7 Data Protection Impact Assessment.
The only purpose of this Newsletter is to provide general information. It is not a legal opinion nor should it be relied upon as a substitute for legal advice.