Background

On 20 November 2017, the Italian Parliament definitively approved the Law n. 167/2017, published in the Official Journal no. 277/2017, (hereinafter, the “European Law 2017” or the “Law”) which entered into force on 12 December 2017.

Leaving aside any comment on the opportunity of the choice of the legislator to amend the Italian Data Protection Code less than six months before the entry into force of the Regulation EU 2016/679, the Law:

  • increases the retention period of telephone traffic data, electronic communications traffic data and data related to unsuccessful calls (“traffic data”) to six years with the view of detecting and suppressing serious criminal offences and fighting terrorism (Article 24 of the Law);
  • introduces a new provision which specifies the mandatory requirements of the agreement between Data Controller and Data Processor;
  • dedicates a new disposition to the reuse of personal data for scientific purposes.

Main issue

Article 24 of the Law introduces a derogation from the ordinary rules established in Article 132 of the Italian Personal Data Protection Code, which sets a data retention period of twenty-four months for telephone traffic data, twelve months for electronic communications traffic data and thirty days for data related to unsuccessful calls. In fact, in the new provision no distinction is made between such traffic data and their retention period is extended for a period up to six years.

In order to transpose Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism, which does not explicitly refer to traffic data retention, the task of the Italian legislator was to transpose appropriate measures into national law. The new rules provided by European Law 2017 may be considered inconsistent with European legislation, especially with the EU General Data Protection Regulation 2016/679 (“GDPR”) and its jurisprudence. The latter is very sensitive to the respect for private life and the protection of personal data, having stated in several occasions that Member States should avoid adopting measures which can be considered not limited to what is strictly necessary. This caution is witnessed by the evaluations of the Court of Justice of the European Union (“CJEU”) in the Watson case and in the Digital Rights Ireland and Seitlinger and Others case of 2014, following with the invalidation of Directive 2006/24/EC(“Data Retention Directive”).

Furthermore, it is worth mentioning the clarification provided by Article 28 of the Law concerning the mandatory requirements of the agreement between Data Controller and Data Processor, which must include the obligations and the rights of the processor, the purpose, the type of personal data involved and the method of the processing. The provision appears to be a questionable attempt of the Italian legislator to harmonise Article 29 of the Italian Personal Data Protection Code with the Article 28 of GDPR in order to regulate the role of the external processor. In fact, the usefulness of the amendment is doubtful, since less than a month before the Italian Legislator had delegated, by means of the enabling Law n. 163/2017 (see Article 13), the Italian government to adapt the national law to the provision of the GDPR; which means that the provision at stake is likely to be soon modified again.

Last but not least, the Law also introduced a provision concerning the reuse of personal data for scientific purposes, which specifies that it shall be subject to the authorization of the Italian Data Protection Authority on condition that data are not only minimised but also anonymised. The amendment is debatable in consideration of the fact that Italian and European Data Protection Law are not applicable to anonymised data.

Practical Implications

Companies and providers will have to:

  • update their traffic data retention policies and procedures, as applicable;
  • expect an increase of costs in terms of long-lasting storage services and related security measures;
  • alignment efforts will have to take place quickly and may nevertheless prove useless in the long term should be the Law be brought before the CJEU and declared invalid;
  • verify the compliance of the current data processing agreement with the new mandatory requirements introduced by the Law and modify their documents, if necessary;
  • minimise and anonymise personal data and require the authorization of the Italian Data Protection Authority if they want to use them for scientific purposes.