In his 1961 masterpiece "The Agony and the Ecstasy," Irving Stone narrates the life of Michelangelo Buonarroti, absorbed by the endeavor of creating some of the greatest artworks of mankind. Between the folds of the novel, a sculpture is conceived as a Socratic process of letting the block of marble reach its true nature through the work of the artist. In this sense, the figures are freed from the embryonic state by successive (and painful) approximations.

Likewise, the EU and Italy are waiting for the Italian Parliament to appoint the new board of the Italian data protection authority, whose four members ceased their mandate on 19 June. Since then, the authority has been operating under a prorogatio regime. At the same time, the Garante, like other supervisory authorities, is working to shape the GDPR out of its marble cage.

This process is particularly noticeable in the recent approval, pursuant to Articles 40 and 41 of the GDPR, of the “Code of conduct for the processing of personal data relating to commercial information” — for which I have had the honor of assisting the applicant, ANCIC, as the relevant association of business information players — and the “Code of conduct for information systems managed by private parties regarding consumer credit, reliability and punctuality in payments.” These codes of conduct jointly represent the DPA's answer to the questions raised by complex processing activities and huge market sectors that rely on the sensitive and expansive legal basis of legitimate interest. But it is not an Italian exception; these days, the Dutch Autoriteit Persoonsgegevens is also working on the approval of a code of conduct for the ICT sector.

In weighing the importance of such initiatives, we should always take into consideration that this legal basis, together with the performance of contractual obligations, covers the vast majority of processing activities in the private sector. In particular market sectors, such as commercial information (but also journalism, defensive investigations and so on), the legal regime of a vast array of processing activities cannot be left outside the scope of a regulatory framework. In fact, even the two most accountable data controllers (and probably for a reason) could reach different conclusions when dealing with legitimate interest assessments and data protection impact assessments. In short, the regulatory intervention of the DPAs (or member states) is extremely necessary — although it should be limited — in all the cases in which the exercise of accountability by data controllers may pose a threat to legal and market certainty.

The Italian experience of the so-called “deontological rules” under Directive 95/46 is the noble father of this wave of sub-regulation and should be regarded as an asset to be shared among the members of the EDPB, given the fundamental role of cooperation among DPAs.

What has emerged in this year and a half of application of the GDPR is that the behavior of virtuous economic actors must continue to be guided and directed by the work of the DPAs.

The lesson we should learn from these initiatives is twofold: on the one hand, the uniformity to be brought by the GDPR has likely been hyped; on the other hand, the margin of appreciation left to member states is necessary to invest resources in a proportionate manner. In addition, for all passionate supporters of legitimate interest as a legal basis for processing, these codes of conduct contain plenty of explanations of how it works in practice.

In any case, the codes approved by the Garante may generate interesting positive effects when shared at the EDPB level. In fact, the data protection sculptor has to operate in a choral effort, underlining the remarkable results achieved by professionals, companies and DPAs, while chiseling away possible malpractice and nationally based bias.