Italy's data protection authority, the Garante, should be acknowledged for its willingness to bring privacy out of the confines of conferences and the façade of privacy policies.
The DPA is touring the country to introduce privacy to the general public and is to be praised for its start from the south of Italy and the Italian islands — places we remember for holidays, but which sometimes struggle to have important institutional speakers from the public and private sectors.
The initiative follows a commitment from last year's so-called Pietrarsa Manifesto, when the Garante brought together professionals, including myself, Italian and multinational companies and stakeholders, to commit to promoting privacy, explaining it wanted to take digital awareness and knowledge of personal data use rights beyond conferences.
This is a laudable initiative in which everyone can participate, and that confirms the Garante's vision for concrete user transparency and awareness. This is behind its reasoning for asking companies working with vulnerable users to design a media campaign to increase public awareness, with a view toward compliance with accountability obligations. It is a demonstration that even DPOs need to go beyond checklists and think of their role as a bigger mission.
In the telemarketing sector, the Garante recently approved a Code of Conduct regulating teleselling and telemarketing activities — on which I personally worked — which aims to protect users from unwanted calls. The companies adhering to the code will adopt specific measures to guarantee the correctness and legitimacy of data processing carried out throughout the telemarketing "chain." This is the fourth code of conduct passed by the Garante after the approval of the EU General Data Protection Regulation.
Meanwhile, it is also focusing on facial recognition — a hot topic especially in view of the EU Artificial Intelligence Act, formally approved by the Council of the European Union earlier this month with the full text yet to be published in the Official Journal of the European Union. According to newspaper articles, in view of the forthcoming Jubilee in 2025, Rome's administration wants to install facial recognition cameras that could identify unseemly activity and its perpetrators.
There is already a moratorium in place in Italy until 2025 against the use of facial recognition in public places, and additionally, the practices prohibited under Article 5 of the AI Act will come into force as early as 2025. A request for clarification to the administration of Rome follows a measure against the municipality of Trento that collected personal data using microphones, cameras and social networks for research purposes for a European smart city project without providing appropriate visibility of the data processing.
In the context of AI, the Garante will host the G7 Roundtable of data protection and privacy authorities in Rome 9-11 Oct.
Finally, while the European Commission is setting up the European AI Office, the Garante has formally requested that the AI supervisory authority be an independent one. The AI Act calls for the authority to act independently, but not to be so in its composition.
EU member states are also choosing who will supervise the application of the AI Act, some opting for their data protection authority and others for an ad hoc agency. Italy has decided on a shared approach between the Agency for Digital Italy and the national cybersecurity agency, the Agenzia per la Cybersicurezza Nazionale.
According to a recent bill on AI, the AgID will be responsible for promoting the innovation and development of AI and defining the procedures, exercising functions and tasks involving notification, evaluation, accreditation and monitoring of entities in charge of verifying the conformity of AI systems. The ACN, on the other hand, will be responsible for the supervision — including inspection and sanctioning activities — of AI systems.
The AgID and the ACN will jointly establish and manage sandboxes "aimed at the implementation of artificial intelligence systems that comply with national and European Union regulations, after consulting the Ministry of Defence for aspects relating to artificial intelligence systems that can be used in a dual way."
The competences, tasks and powers of the Garante remain unaffected and the authority continues working hard on its generative AI case that attracted attention worldwide.
It will be interesting to see how member states will organize to enforce the AI Act and how relationships between authorities at the national and European level will be facilitated.
Privacy professionals and data protection officers will certainly play a key role in supporting businesses in this important preparatory phase. Let's start the game.