With Legislative Decree no. 69/2012, Italy implemented Directive no. 2009/136/EC, the so-called “e-Privacy” Directive, amending some of the provisions of the so-called “Privacy Code” to comply with the new rules. The main changes include the introduction into the Code of the concept of “personal data breach”, understood as a breach of security that leads, even accidentally, to the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of an electronic communications service to the public.
This inclusion gives rise to new obligations under the Privacy Code for providers of communications services to the public, together with other parties entrusted with the material provision of such services (e.g. possible outsourcers), to adopt appropriate technical and organizational measures to safeguard the security of the services and to ensure the protection of stored data. The new legislation requires these service providers to notify the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) of possible personal data breaches without delay, and to make a similar notification to the parties concerned where the violation threatens to damage the data or their privacy. In this respect, the Data Protection Authority has issued its own guidelines, stating that at present the legislation concerns suppliers of telephone services and Internet access; it does not concern corporate networks, Internet points (which only make their terminals available to customers for internet navigation), search engines or websites that disseminate content. However, a future extension of the obligations to such “private” persons is expected and is already under discussion in the EU.
Also relevant to operators in the industry are the regulatory changes regarding cookies, whose use is now legitimate only with the prior, free and informed consent of the user (so-called “opt-in”). This abandons the previous system, which was based on the possibility of a cancellation request by the user (so-called “opt-out”). The storage of information in a user's client, or access to information already stored there, is permitted only on condition that the user concerned has given his or her consent after being fully informed in the manner provided by law. Technical storage or access to stored data by the provider, to the extent necessary to provide the services explicitly requested by the user, is excluded from the application of these regulatory changes.