On Aug. 8, 2018, the Italian Council of Ministers approved Legislative Decree n. 101/2018, which harmonizes the Italian Privacy Code (D.Lgs. n. 196/2003) and other national laws with the European General Data Protection Regulation. The decree enters into force Sept. 19, 2018.
As is generally known, the GDPR was adopted and entered into force in 2016, but its application was deferred until May 25, 2018, the date from which the European regulation has applied in full.
Why did the government decide to adopt a harmonization decree? As a regulation, the GDPR does not need to be transposed into national law. However, in 2016 the European lawmakers decided to leave each member state some room for maneuver: at certain crucial points the GDPR contains optional opening clauses that member states may fill in. The aim is to adapt the regulation to different kinds of societies and legal systems, while also preserving the peculiarities consolidated over the years by the national data protection authorities, in Italy's case the Garante.
Accordingly, last November the Italian Parliament approved an enabling act, and the resulting decree has now, definitively and finally, reached the government's desk for final approval. This comes after much pressure and difficulty, after the former government had approved several drafts at first reading, and after the notable work of the Ministerial Commission chaired by Professor Giusella Finocchiaro.
As I have said before, the freshly approved decree does not modify the GDPR in any way: the European law remains exactly as it is and as we have come to know it over the past months. The enabling law does, however, address many crucial areas, from the processing of particular categories of personal data (sensitive, judicial, genetic and biometric) to the rights of children and of deceased persons, passing through the codes of conduct provided for by the Privacy Code and a redefinition of the criminal provisions that support the correct fulfillment of the obligations arising in this field.
What are the main effects and most relevant consequences of this law? In a few lines, I will try to summarize the most salient passages for expert and non-expert readers alike.
- First of all, Article 2 seems to introduce an important reference to the law and to regulations as a legal basis, together with a presumption of lawfulness of processing "for the performance of a task carried out in the public interest or in the exercise of official authority" and of the communication of data from one entity to another in that context.
- The deontological rules promoted by the Garante pursuant to the GDPR will be subject to a public consultation of at least 60 days.
- Children who have turned 14 may consent to the processing of their own data in relation to information society services offered directly to them. For children under 14, consent to the processing of their data remains a matter of parental responsibility. Data controllers must draft a clear, simple, concise and exhaustive privacy notice, easily accessible and understandable by the child, "in order to make his consent given meaningful."
- In the field of particular categories of data, with reference to genetic, biometric and health data, the Garante will issue every two years provisions on safeguard measures, aimed at identifying "the security measures, like cryptography and pseudonymization procedures, minimization measures, specific methods of selective data access and to provide information to data subjects, as well as other necessary measures to guarantee the data subjects' rights." In some cases (see Article 5), the principle of equal rank is maintained to justify the processing of particular categories of personal data such as sex life, sexual orientation and health.
- The general authorizations for the processing of sensitive data issued under the Privacy Code will, in line with Article 21 of the decree, be updated by the Garante through a provision adopted only after a public consultation.
- The data subjects' rights under Articles 15-22 of the GDPR will be limited or excluded in specific cases where they conflict with other requirements imposed by national law, as in the application of anti-money-laundering rules, the prerogatives of parliamentary commissions of inquiry, processing carried out for defensive investigations or for the exercise of a right in court, or even whistleblowing. The same rights, with certain limitations, may be exercised on behalf of deceased persons by those who have an interest of their own, act to protect the person concerned as a proxy, or act "for family reasons deserving protection."
- It is clarified that controllers and processors may specify the tasks and functions, related to the processing of personal data, carried out by individuals working under their authority. Such individuals must therefore be duly appointed and instructed accordingly.
- The lawmaker tends to consolidate the role of Accredia as the sole national accreditation body, leaving the Garante the power to take over that role in case of serious breaches.
- Regarding CVs received spontaneously, the privacy notice may be provided at the time of the first useful contact following the sending of the curriculum, and consent will not be required.
- It is left to the Garante, together with Italy's communications regulator, AGCOM, to define the rules for including contracting parties' personal data in telephone directories and for their subsequent use. Here the legislator carries out a courageous operation by rewriting the articles of Title X of the Privacy Code, including those on telemarketing, despite the pending approval of the ePrivacy Regulation, which will replace the ePrivacy Directive. This section of the decree will need to be analyzed in depth because of its complexity, its delicacy and its impact on the market.
- To protect their rights, besides lodging a complaint with the Garante, data subjects may appeal to the ordinary judicial authority. A complaint is processed within a maximum of nine months from its submission. In addition, the data subject may submit reports to the Garante.
- As for the internal structure of the Garante, before the new board is appointed prospective candidates may submit a spontaneous application, ensuring a transparent evaluation process. For two years after leaving office as a board member, official or manager, a person may not initiate proceedings before the Garante on behalf of a third party, including submitting complaints, requests for opinions and consultations.
- The Garante's powers appear to be enhanced, also by introducing a simplification mechanism for micro, small and medium-sized enterprises.
- The criminal sanctions already introduced by the Privacy Code have been reorganized and reformulated. The new offenses cover: unlawful data processing; unlawful communication and disclosure of data processed on a large scale; false statements to the Garante and interruption of the Italian DPA's activities; noncompliance with provisions of the Garante; and violations of the provisions on remote monitoring of workers and on investigations into workers' opinions.
- Facilitated settlement procedures are provided for previous violations as well as for proceedings already pending before the Garante.
- The codes of conduct in Annexes A5 and A7 of the Privacy Code will continue to produce their effects on a transitional basis, through a one-year path from the entry into force of the decree. For the other codes (Annexes A1, A2, A3, A4 and A6 of the Privacy Code), the Garante will carry out a compatibility check against the GDPR.
- It is very important to recall the measures adopted by the Garante over twenty years of activity: "the provisions of the Garante continue to be applied, as long as they are compatible with the GDPR and with other dispositions of the decree."
- Finally, it is important to underline that during the first eight months from the decree's entry into force the Garante will apply administrative sanctions with care. Consistent with the GDPR, the Garante will grant neither a moratorium nor a grace period. As the president of the Garante, Antonello Soro, has repeatedly stated: immediate full application, but with caution and a measured judgement in applying administrative sanctions, which, as noted, have an unprecedented scope and can reach a maximum of 20 million euros or 4 percent of worldwide annual group turnover, whichever is higher.
The harmonization law is an important and significant measure that preserves much of the Privacy Code and will help to interpret the GDPR better, to comply with its obligations and to take advantage of its opportunities, while protecting the rights of data subjects and the prerogatives of data controllers and processors.