The Italian privacy law integrating the GDPR has been finalized by the Board of Ministers, unveiling unexpected surprises a few days before the 25th of May 2018.
The Italian Board of Ministers issued the final text of the legislative decree integrating the EU General Data Protection Regulation. Unlike the initial draft of the decree, the new version does not completely repeal the current Italian Privacy Code, but only substantially amends some of its contents, removing sections that are already covered by the GDPR. Unfortunately, the result is very confusing, unless “Tetris” was your favorite game when you were a kid and you now want to re-test your skills!
The decree still has to be reviewed by the Parliament, but – given the limited timeframe left before the 25th of May – no substantial changes are expected. Below are my top 5 derogations to the GDPR provided by the Italian privacy law:
1. Criminal sanctions for privacy breaches confirmed
Unlike what was provided by the initial draft of the Italian privacy law, the criminal sanctions for privacy breaches provided by the Italian Privacy Code are confirmed. However, they only apply when the privacy-related breach has been committed to gain profit. This seems a strong limitation, but among the conducts whose breach can lead to criminal penalties are also those provided by the ePrivacy Directive in relation to marketing communications, which makes the potential risk quite high.
2. Privacy-related compliance organization supplemented
There has been a long debate in Italy on whether the GDPR requires keeping the roles of the so-called “internal data processors” (responsabili interni del trattamento), the company officers in charge of monitoring privacy compliance provided for by the Italian Privacy Code. The uncertainty is due to the fact that the provisions of the GDPR referring to data processors are clearly drafted with entities and individuals outside the data controller’s organization in mind.
The decree does not expressly mention “internal data processors”, but refers to internal privacy compliance roles that can be delegated to individuals within the company, and the explanatory note to the decree expressly mentions internal data processors and the so-called “persons in charge of the data processing” (incaricati del trattamento). There is no express obligation to appoint such roles, but under the GDPR companies need to set up adequate organizational measures, which cannot result in making the DPO the sole “guardian” of the company’s privacy compliance.
3. Health data and judicial data might gain more flexibility
The new Italian privacy law confirms the exemptions from the need for prior consent to the processing of health data when necessary for the provision of health or social care or treatment by health professionals. But it also provides that the Italian Data Protection Authority can require the implementation of additional guarantees with reference to the processing of such data and, in general, of special categories of personal data. These additional guarantees can result in further obligations in the processing of such data, which at the moment are still unclear since the Italian DPA has not yet issued the relevant decisions.
Moreover, within 90 days, the Italian Data Protection Authority will reassess the general authorizations issued with reference, among others, to health data and might declare which of those are compliant with the GDPR. This is good news as, for instance, it might introduce an exemption from the need for prior consent for the processing of health data by insurance companies as part of the data processing activities functional to the insurance policies, which is currently provided by the above mentioned general authorization issued under the current Italian Privacy Code.
A lower level of flexibility has been obtained with reference to the processing of data relating to criminal sanctions, for which the data processing is allowed when expressly provided not only by the law (e.g. for KYC checks on directors or AML investigations), but also if provided by workers’ collective bargaining agreements, which often provide, for instance, for the possibility to collect criminal record checks (the “certificato dei carichi pendenti”) from employees.
4. Previous orders of the Italian DPA might remain applicable
Previous orders of the Italian data protection authority will remain in place provided that they are compatible with the GDPR. No further clarification is given on the scope of applicability of this provision.
This means that we will have to either adopt a conservative approach and consider most of the orders still in place, or start a quite hard “guesswork”. Also, this approach is not in line with the objective of consistency across the European Union that the GDPR aimed to achieve.
The scope of the potentially applicable previous orders is quite broad, as it goes from the role of the so-called system administrator, to the stringent security measures provided for specific data processing activities (e.g. those performed by banks), to even the decision on simplified consent provided for the acceptance of cookies.
5. Italian legitimate interest puzzle repealed
The Italian budget law of 2017 had introduced a system of notification/authorization for data processing activities performed by automated means and based on legitimate interest. This provision was quite confusing and its compatibility with the GDPR was challenged in several instances. Thankfully, the new Italian privacy law repeals these provisions, limiting the applicability of some of them only to data processing activities relating to data of minors and performed on the basis of legitimate interest.
What to do under the new Italian privacy law?
The above changes are not expected to have a major impact on the GDPR projects of companies operating in Italy. Additional work could be required in order to set up a privacy compliance organization providing for the roles of internal data processors and persons in charge of the data processing, as well as system administrators. Likewise, changes will be necessary to comply with the previous orders of the Italian data protection authority, which differ depending on the area of operation and the data processing activities performed.