In line with the provisions of art. 9 of EU Reg. 2016/679, it seems that the patient’s consent for the processing of their data for purposes of diagnosis and medical treatment will no longer be necessary.

This is what emerges from the draft of the legislative decree implementing the delegated law 163/2017 for the harmonizing of the Italian legal system with the EU Reg. 2016/679 (GDPR).

It must be acknowledged that the legislative procedure is still ongoing (the decree has yet to be approved by the parliamentary committees and by the Data Protection Authority). However, the approach of the decree seems to be quite brave, faithfully reflecting the line of thinking of the new European Regulation.

The first element that should be highlighted is the fundamental choice to repeal in full the Legislative Decree 196/2006, the so-called Privacy Code (Article 102 of the draft decree).

That is to say that after the approval of the aforementioned decree, the matter will be regulated by only two measures: the GDPR and the decree itself. Therefore, just as the EU Reg. 2016/679 will repeal the Directive 95/46/EEC on 25 May 2018, the new decree will repeal (if the choice is confirmed) the Legislative Decree 196/2006 (Privacy Code). This will ensure greater clarity and ease of implementation of the GDPR, which will have a revolutionary impact on culture as well.

The choices regarding the processing of health data are also moving in this direction.

With regard to the processing of special categories of data (including genetic, biometric and data concerning health), Article 9 of the GDPR provides that consent is not required for “the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional”. In paragraph 4, however, it allows Member States to “maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health”.

Before the draft decree, it was unclear whether the Italian legislator intended to keep written consent mandatory for sensitive data, as is currently envisaged in the Privacy Code.

However, the legislator’s choice appears to be different.

Article 8 of the draft decree, entitled "Guarantee measures for the processing of genetic, biometric and data concerning health", provides that the processing of these special categories of data must be compliant with guarantee measures. These are established by the Italian Data Protection Authority with a provision adopted at least every two years, following a public consultation.

In adopting the provision, the Data Protection Authority must take into particular account the technological and scientific evolution of the sector to which these measures are addressed, as well as the free circulation of data in the European territory. In addition, it should take into consideration the guidelines, recommendations and best practices published by the European Data Protection Committee.

The guarantee measures governed by Article 8 must be adopted taking into account the specific purposes of processing (e.g. diagnosis and treatment). These should have technical and organizational content, and lay down security measures.

With regard to the processing of genetic data, however, it is possible for the Data Protection Authority to identify consent as an additional measure to protect the rights of the data subject.

The "general authorizations" referred to in Article 40 of the Privacy Code are not among the institutions governed by the Regulation and are therefore maintained only for a transitional period.

The writer agrees with the choices made in the draft decree.

Consent does not seem to be the most appropriate basis for the lawfulness of the processing for the purposes of diagnosis and treatment. This is because it cannot be a "free" consent: Italian law provides for the freedom of choosing the location of healthcare provision (Article 32 of the Constitution and Legislative Decree 502/92) and the freedom to choose whether to undergo treatment or not, based on the free consent of the patient (Article 1 of Law 2019/2017). But once the patient has decided to receive treatment, how can they be allowed to deny consent to the processing of that data?

Moreover, this approach of the decree, in addition to being in line with the GDPR, dismantles an incorrect way of thinking. It is a common perception that once consent is obtained, everything is in order, which oversimplifies data protection by basing it solely on information and consent.

This is not how the Regulation works.

The new regulatory framework calls for a very different interpretation, which is based on new key concepts. It states that the data subject owns and must have control over their data (Recital 7 of the GDPR and Articles 12-22 on data subjects’ rights), and it establishes the principle of accountability for controllers and processors (Article 5 - 24 GDPR) and, in general, the principle of data protection throughout the entire system (Article 32 on security of processing and Article 33 on data breach of the GDPR).

We should therefore welcome a choice that forces us to change the way we think about data protection, since this is the new framework.