The board of the Ministries approved the final text of Italian privacy law integrating the GDPR raising major concerns on the scope of the law.

On the 8th of August 2018, the Italian Board of Ministries announced to have approved the Italian privacy law integrating the GDPR. The law has not been published yet on the Official Gazette and you may remember that there was a similar announcement 3 months ago, a few days before the 25th of May 2018. Up until I don’t see the law on the Official Gazette, I will not believe it! So stay calm before celebrating

We don’t have much details of the approved text of the new Italian privacy law since the last version circulated is the same of 3 months ago, but according to the Government the decree provides the following:

1. The Italian Privacy Code is not repealed

Rather than removing the existing Italian Privacy Code, apparently the government decided to test our “Tetris” skills, just amending the existing Italian Privacy Code to align it to the GDPR and replacing whole sections by means of a cross-reference to the GDPR.

The result will be a very confusing text which inevitably cannot be 100% aligned to the GDPR and might contain mistakes.

2. Existing decisions and authorizations of the Italian Data Protection Authority saved

According to the Government, the decisions and the authorizations issued by the Italian DPA, the Garante per il trattamento dei dati personali, under the regime prior to the GDPR as well as the existing Ethical Codes will remain in place “to ensure continuity“, up until they are updated by the Italian DPA.

This is an interesting position, but if the provision is still like in the previous draft where it was made reference to their applicability “provided that they are compatible” with the GDPR, this is going to create a major uncertainty on which decisions/authorizations are actually compatible with the GDPR and companies shall start a sort of “guess work” with the result on taking on additional obligations in order to play safe.

3. Simplified modalities of compliance with the GDPR for medium/small companies

The Italian DPA will promote, under the new Italian privacy law, simplified modalities to comply with the GDPR for small and medium enterprises.

This is great, but unfortunately it might come too late when companies are likely to have already done most of the work. Also, this semplification will operate in any case within the perimeter of the GDPR that cannot be derogated, save for the aspects left to the discretionality of EU Member States. Therefore, such semplification cannot be too simple!