The current draft of the Italian privacy law repeals the Privacy Code and integrates the GDPR, bringing some interesting news but also some concerns.
It is at least surprising that, (almost) 2 years after the approval of the European privacy regulation and with the deadline of the 25th of May 2018 so close, a number of EU Member States still need to adopt their local law integrating the EU General Data Protection Regulation (GDPR). The GDPR will apply directly, but it leaves scope for some flexibility to EU Member States.
Italy is among the latecomers in the adoption of its local law, which is still in a draft version, and the current political instability of the country does not set reliable expectations of a quick approval.
Below are the main changes provided by the current draft law.
1. The Italian Privacy Code will be fully repealed
Rather than just removing some provisions from the Italian Privacy Code, the Parliament decided to fully repeal the current Italian privacy law and replace it (with effect from the 25th of May 2018) with a new piece of legislation that refers to the GDPR and only includes local integrations to the GDPR.
2. Old authorizations and decisions/orders remain effective if “compatible” with the GDPR
This is the result of a frequent Italian approach. We don’t like “changes” and are tied to the past… Indeed, the current draft law provides that general authorizations as well as previous decisions/orders issued by the Italian Data Protection Authority (DPA) will remain effective provided that they are “compatible” with the GDPR. This is quite a concerning provision, since
- the Italian DPA will have to identify the general authorizations (e.g. on the processing of health related and judicial data) that remain effective within 90 days and therefore after the 25th of May 2018, while
- no such clarification will be issued on their decisions/orders that will be considered compatible with the GDPR.
This means that we will have to either adopt a conservative approach and consider most of the decisions/orders still in place, or start some quite hard “guesswork”. Also, this approach is not in line with the objective of consistency across the European Union that the GDPR was meant to achieve.
3. Internal organization privacy models confirmed
There has been a long debate in Italy on whether the GDPR requires keeping the roles of the so-called “internal data processors” (responsabili interni del trattamento), i.e. officers of the company in charge of monitoring privacy compliance, provided by the Italian Privacy Code. The uncertainty is due to the fact that the provision of the GDPR referring to data processors is clearly drafted with entities and individuals outside the data controller’s organization in mind.
The draft law does not expressly mention “internal data processors”, but refers to the fact that internal privacy compliance roles can be delegated to individuals within the company. Under the GDPR, companies need to set up adequate organizational measures that cannot result in making the DPO the sole “guardian” of the privacy compliance of the company.
The precaution that we adopted in some instances was to call them “privacy stewards”, “privacy champions” or other similar names, in order to avoid confusion with the role of the data processors provided by the GDPR.
4. Italian legitimate interest puzzle repealed
The Italian budget law of 2017 had introduced a system of notification/authorization for data processing activities performed by automated means and based on legitimate interest. This provision was quite confusing and its compatibility with the GDPR was challenged in several instances. Thankfully, the Italian draft law repeals these provisions, limiting the applicability of some of them only to data processing activities relating to data of minors and performed on the basis of legitimate interest.
5. No more criminal sanctions for privacy breaches
The Italian Government has considered the large fines provided by the GDPR a sufficient deterrent against breaching privacy laws. Therefore, the criminal sanctions provided by the Italian Privacy Code are not confirmed by the draft law.
The above changes are not expected to have a major impact on the GDPR projects of companies operating in Italy, but this situation of uncertainty is definitely not helping them.