The Italian Board of the Ministries has approved the final text of Italian privacy law integrating the GDPR. This has raised major concerns on the scope of the law.

On the 8th of August 2018, the Italian Board of Ministries announced that they have approved the Italian privacy law integrating the GDPR. The law has not yet been published on the Official Gazette (and you may remember that there was a similar announcement three months ago, a few days before 25 May 2018). Until I see the law on the Official Gazette, I will not believe it! So stay calm before celebrating!

We don’t have many details of the approved text of the new Italian privacy law or any amends since the last version was circulated three months ago, but according to the Government the decree provides the following:

1. The Italian Privacy Code is not repealed

Rather than removing the existing Italian Privacy Code, apparently the government decided to test our “Tetris” skills, just amending the existing Italian Privacy Code to align it to the GDPR and replacing whole sections by means of a cross-reference to the GDPR.

The result will likely be a very confusing text which inevitably cannot be 100% aligned to the GDPR and might contain errors.

2. Existing decisions and authorizations of the Italian Data Protection Authority saved

According to the Government, the decisions and the authorizations issued by the Italian DPA, the Garante per il trattamento dei dati personali, under the regime prior to the GDPR, as well as the existing Ethical Codes, will remain in place “to ensure continuity“ until they are updated by the Italian DPA.

This is an interesting position, but if the provision is similar to the previous draft, where it was made reference to their applicability “provided that they are compatible” with the GDPR, this will likely create a major uncertainty on which decisions/authorizations are actually compatible with the GDPR and companies shall start a sort of “guess work”, with the result being to take on additional obligations in order to play it safe.

3. Simplified modalities of compliance with the GDPR for medium/small companies

The Italian DPA will promote, under the new Italian privacy law, simplified modalities to comply with the GDPR for small and medium enterprises.

This is great, but unfortunately it might come too late when companies are likely to have already done most of the work. Also, this simplification will operate in any case within the perimeter of the GDPR that cannot be derogated, save for the aspects left to the discretion of EU Member States. Therefore, such simplification cannot be too simple!