Saluti da Roma!

The sun is bright, gold and hot, as usual during the long Italian summer as we waited with bated breath for the election of the new members of the Italian Data Protection Authority, the Garante.

On 14 July 2020, in the midst of the long-lasting "Schrems II" debate, the Italian Parliament finally elected the four new members of the Board of the Garante. We were waiting for this vote to materialize since 19 June 2019, when the board chaired by Antonello Soro, elected seven years prior, was technically due to expire. However, since the expiration date, the Italian Parliament had repeatedly postponed this important vote. Finally, the new members of the Garante’s board, Pasquale Stanzione (chair), Ginevra Cerrina Feroni (deputy chair), Agostino Ghiglia, and Guido Scorza were appointed.

The history of the Italian DPA has its origin in 1997. Stefano Rodotà, one of the fathers of European privacy thought, chaired the founding board, which ushered in some of the pioneering initiatives in the field of privacy: the role of notice, consent and other legal basis of processing; principles and governance of data flows between data controller and processor; and the crucial interdependence with security.

These provisions, and more, were crystalized during those early years. In due course, Rodotà took the baton from Peter Hustinx as Chair of the Article 29 Working Party (now the European Data Protection Board). With this dual responsibility, Rodotà was instrumental in spearheading some of the building blocks to establish a robust data protection culture in Italy and abroad. Safe Harbor, standard contractual clauses and binding corporate rules were all crafted during that time — a time when he and Secretary General Giovanni Buttarelli worked closely together. I was witness to these incredibly productive developments while working at the Garante.

The DPA was next led by Franco Pizzetti and then by Antonello Soro, who had the task of steering the Garante to full maturity. In recent years, the Garante successfully dealt with the shift from Data Protection Directive to the EU General Data Protection Regulation. This was reinforced by strong enforcement policies and activity, particularly involving the telemarketing and telecommunications sectors. Notably, in the last six months alone, the Garante imposed fines respectively of 11.5, 27.8, and 18 million euros to three different companies.

Finally, I would like to mention the incredible commitment of the Garante during the COVID-19 pandemic, in which important documents and guidelines with national and international importance have been adopted (including FAQs on data protection, also available in English).

With this is mind, we can imagine a list of expectations for this new board’s term of office.

First, the effort of enhancing both the human and professional capital within the Garante should carry on, and where possible, human resources should be increased. The Garante should also start to diversify its human resources to rely on the experience of computer scientists, philosophers, economists, sociologists and anthropologists. Moreover, a greater synergy with other parallel Authorities - both national and international - is desirable, not only in the field of data protection, but with the antitrust and competition authorities, as well.

Following the first evaluation report of the European Commission on the GDPR, it is now necessary to make progress in adapting the national legislation to the EU regulation. The building of an increasingly close dialogue with DPOs remains paramount. I believe that this should be a priority for improved respect of privacy rules by every private and public sector player.

Finally, I hope that the new board will, once again, gain a wider visibility inside and outside Italy and to better contribute to the pan-European and international data protection communities.