Data Protection & Privacy 2020

Last Updated March 09, 2020

Italy

Law and Practice

Authors



Studio Prosperetti is a specialised boutique firm dedicated to IT and telecoms law, competition law and privacy. The firm was founded in 1956, focusing mostly on labour law, and Eugenio Prosperetti started the IT, competition law and privacy practice in 2001. The firm features a specialised team of four widely experienced IT lawyers, plus four other lawyers with commercial and labour law expertise and a trusted network of national/international partner firms. This enables the firm to accept a wide range of complex mandates, often acting as one-stop-shop advisory. Some examples of recent work include agreements for transferring the data of a major international bank onto a cloud infrastructure for artificial intelligence processing; an opinion regarding use of workers’ devices for multi-jurisdiction geolocation in ten countries for a multinational client; advice on the personal data aspects of the acquisition of a major Italian steel manufacturer; work on digital signatures through electronic identity; and guidance on privacy-compliance mechanisms for the peer-to-peer payment system of a major fintech service provider.

The Italian Constitution does not directly protect the right to privacy. However, the protection of such a right is clearly inferable from Articles 13 (on personal freedom), 14 (on freedom of domicile), 15 (on freedom and secrecy of correspondence) and 21 (on freedom of expression).

A specific form of protection is offered by Article 2 of the Italian Constitution ("The Republic recognises and guarantees the inviolable rights of the person ..."), which allows the introduction, into the Italian legal system, of other compatible rights acknowledged by the international community. The right to privacy is thus protected by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union and by Articles 8 and 10(2) of the European Charter of Human Rights, realising multiple levels of protection. The principles and laws that apply to the processing of personal data are considered part of these fundamental rights and are part of the Italian jurisdiction as per Article 16 of the Treaty on the Functioning of the European Union (TFEU).

Italy was one of the first member states to introduce a series of legislative measures implementing the 95/46/EC Privacy Directive, in the act which became known as the Italian Privacy Code (Codice per la protezione dei dati personali, Legislative Decree No 196 of 2003 – IPC). The choice of a Directive as the legal act for implementing the protection of personal data allowed member states to fulfil the EU's aim through the adoption of internal acts that pursued the provisions of the Privacy Directive, and led to a harmonisation of legislation.

A new major landmark in this path is represented by the adoption of EU Regulation 2016/679 (General Data Protection Regulation – GDPR) of the European Parliament and of the Council of 27 April 2016.

Further to the GDPR’s entry into force, Italy approved Legislative Decree No 101/2018 which adapted and co-ordinated the IPC and other relevant domestic legislation to the new framework, as the main provisions concerning privacy were now to be found in the GDPR.

Currently, Directives 2009/136/EC and 2002/58/EC (E-Privacy Directive), concerning the processing of personal data and the protection of privacy in the electronic communications sector, remain valid and implemented in the IPC, although advanced discussions are ongoing concerning the new e-Privacy Regulation which, if approved, will produce further innovation in the Italian and EU privacy framework.

In general, it can be said that the Italian system coheres perfectly with EU general principles in the field of data protection, which are well expressed by the GDPR.

The GDPR provides for administrative penalties in the case of infringements of its provisions, and it allows member states to introduce specific regulations about such matters. The Italian legislature has made use of this option by increasing the penalties which were provided in the IPC to the maximum levels provided by the GDPR.

In the Italian legal system, administrative penalties and criminal penalties can coexist following the introduction of the so-called "two-track system" (applicable except in the case of bis in idem). This procedure involves the co-operation of the Italian Data Protection Authority (Autorità Garante per la protezione dei dati personali – IDPA) and the Public Prosecutor (Pubblico Ministero).

The IDPA is an independent administrative authority. Its independence is due to its position of impartiality with respect to the public administration and the government (the IDPA is neither controlled nor appointed by the government and is also financially independent).

The IDPA has investigative, corrective, authorising and advisory powers. In the context of its investigative powers, the IDPA may request information and documents from data controllers and processors, from data subjects and from third parties. Moreover, it has the right of access to the premises of data controllers and processors in order to perform inspections and dawn raids, by means of a special privacy unit of the financial police (Guardia di Finanza), with the prior authorisation of a competent national court where needed, and without any prior warning.

Articles 77 to 81 of the GDPR provide a means of protection against, and forms and procedures to be followed in the case of, an infringement. These are, in short, filing a complaint to the IDPA or filing for a judicial remedy.

In fact, Article 140-bis of the IPC implements such forms of protection, in accordance with the "principle of alternativity". Thus, if a data subject lodges a complaint with the IDPA then he or she cannot also file for judicial remedy, and vice versa. It should be noted that even individuals who do not have the role of data subjects may issue an alert to the IDPA (but not a complaint). Once the intervention of the IDPA is sought, through complaint or alert, it is entitled to fully exercise the investigative powers conferred on it by Article 58 of the GDPR. The IDPA may, however, also decide to act on its own initiative if it acquires any information about potential violations (eg, through news, routine investigations, etc).

If, during its investigations, the IDPA finds infringements, the procedure for the adoption of administrative penalties begins. The IDPA will notify the alleged infringements to the potential offender. The latter may then file defences and/or documents and call for a hearing. At this point, the IDPA, depending on the outcome of the initial phase, may decide to close the case or, else, issue an injunction-order or, if necessary, further investigate. Claims against final measures adopted by the IDPA can be filed before the local court where the alleged violation of personal data has taken place (eg, the court where the infringer has its main office in Italy or its Italian servers). It should be noted that, unlike other orders or sanctions by Italian administrative authorities (eg, telecoms, antitrust, consumer, etc), data protection violations are not discussed in front of administrative courts but in front of the civil court (tribunale ordinario), which will use a special expedited procedure, substantially identical to the procedure used for treating labour law cases. Given the small number of cases which are normally subject to judicial claims and the absence of a specialised court, one potential issue is that many judges in local courts may not have sufficient experience in dealing with data protection cases.

As a member state of the EU, Italy must strive to enact the mechanisms of co-operation and consistency under the GDPR.

When co-operation among the data protection authorities (DPAs) of European member states is required, one must refer to the concept of the lead supervisory authority (LSA), which is the supervisory authority of the member state where the relevant data controller has its main establishment in the EU. DPAs shall exchange all relevant information with each other, and the LSA shall take due account of the views of other authorities before adopting binding decisions. Moreover, within the mutual assistance framework, the LSA could carry out joint operations.

Consistency is ensured by the involvement of the European Commission and the European Data Protection Board (EDPB) in the decision-making process of a DPA or an LSA in the cases referred to in the GDPR (Articles 63 to 67).

In order to fulfil the objectives of the GDPR, the EU Commission has the power to adopt non-legislative acts to supplement or amend certain non-essential elements of that regulation. The Commission, when preparing and drawing up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and to the Council (Recital 166 of the GDPR).

In the name of co-operation among member states, the representatives of the national data protection authorities and the European Data Protection Supervisor (EDPS) come together in the EDPB, which provides highly persuasive but not binding advice, recommendations and best practices on relevant aspects of data protection law. It replaces, under the GDPR, the Article 29 Working Party established by the Privacy Directive.

Lastly, the role of the Court of Justice of the European Union (CJEU) should be noted: in the field of data protection law, this body interprets the GDPR by means of its case law, to prevent fragmentation and legal uncertainty across the European Union. Given the above EU framework, which is directly valid and enforceable in national jurisdictions, no further national provisions have, to date, been deemed necessary on the topic of multilateral co-operation.

A key role is played by soft law tools. Indeed, the GDPR encourages – through the member states, the supervisory authorities, the EDPB and the Commission – the examination and approval of codes of conduct presented by organisations which have data processing requirements, in order to contribute to the proper and uniform application of the Regulation at national or European level. Such "codes", drawn up by associations or other bodies representing categories of data controllers or processors, may calibrate the obligations of controllers and processors, taking into account the specific characteristics of the processing carried out in certain sectors and the specific needs of micro, small and medium enterprises (cf Recital 98 and Article 40 of the GDPR).

The IPC, before the amendment of Legislative Decree No 101/2018, already provided for the possibility of adopting ethical codes with regard to particular data processing activities. After the GDPR, however, some existing codes were repealed.

The GDPR marks the final point of convergence of the national data protection laws of EU member states, even though it still leaves room for manoeuvre for national legislation. The Regulation inherits the effects of the Privacy Directive, which represented the starting point of data protection in the EU and is said to have been modelled on the very first data protection legislation enacted in Italy (Law 675/96). The GDPR is an evolution of the Privacy Directive model; the main differences are the very high level of self-awareness required of companies that have data protection requirements and the increasing difficulty for non-EU companies of enacting elusive schemes based on extra-EU data processing. Thus, the EU model now guarantees homogeneous enforcement of its principles, and a very high level of protection of personal data – perhaps too rigid in some applications – with the downside of increased compliance costs and complexity and with more time needed to negotiate agreements that entail personal data processing.

Vis-à-vis other data protection systems, it should be noted that the EU/Italian system views data protection as a subjective right of the individual: data protection does not stem from an agreement with the data controller, and any entity that processes personal data without consent, and does not fall within one of the exceptions of the GDPR, is therefore potentially subject to GDPR sanctions.

Moreover, the IDPA, given its long years of activity and the fact that it started operating on a national model with strong personalities forging its methods (the first President was Prof Stefano Rodotà, one of the "inventors" of data protection in Europe), inherited a conservative approach, and is not regarded as a very forgiving authority in its enforcement activity, which, until recently, however, was limited by sanction caps which were very much lower than those provided by the GDPR.

The year 2019 was the first one of effective GDPR enforcement in Italy. This is because a grace period for GDPR sanctions was conceded by the Italian implementation of the GDPR until 20 May 2019, to provide enterprises, institutions and individuals with the possibility of finishing compliance activities, given the late implementation of GDPR national co-ordination measures and the subsequent uncertainty on several compliance details.

Also, in 2019, much of the legal framework was completed with the secondary regulations which could only be issued by IDPA after the revision of the Privacy Code. These pieces of legislation were very important because they contained, in most cases, the sector-specific rules essential for full compliance. So, some enterprises had to wait until 2019 to complete their compliance activities or, in some cases, had to revise their compliance in light of the newly completed framework. This was because the Italian jurisdiction, due to elections and government change, had been late in adapting national laws to the Regulation and, consequently, compliance activities could not be fully carried out by companies and public entities because of residual uncertainty on some issues.

A major development, in late 2019 and early 2020, has been the first use of GDPR-levels of fines in IDPA investigations (see 5.3 Significant Privacy and Data Protection Regulatory Enforcement or Litigation) which has focused attention on the GDPR in several industry sectors.

Controversial topics and debates, which have attracted a certain degree of public attention, include:

  • the data transfer between Whatsapp and Facebook, where the IDPA issued an order to stop any transfer of Whatsapp-user personal data to Facebook because consent was not acquired pursuant to GDPR rules;
  • the use of personal data within the so-called "Rousseau" platform, the web platform used by the 5-Star movement to organise its members and consult them through member votes on key political actions, where the IDPA sanctioned the entity managing the platform for a series of GDPR violations which, reportedly, included the retention of vote-count results which could lead to member profiling on political opinions; and
  • the use of personal data to perform cross-check verifications in e-government systems such as the new e-invoicing system controlled by the Italian Tax Agency and the state subsidy called “Citizenship Income”, where the IDPA prohibited the application of the e-invoicing system to medical professionals, to avoid unnecessary exposure of sensitive data contained in invoices, whereas it allowed cross-checks on personal data within the Citizenship Income platform, which have recently led to the discovery of numerous fraudulent requests for the subsidy.

Also, one very important topic is the Italian legal regime which governs and allows the use of judicial data: the amended Privacy Code allows for the use of judicial data, subject to the rules established by a Decree to be issued by the Ministry of Justice. The Ministry of Justice has, however, to date, not issued any such Decree, and this has led to concerns about what seems to be a serious gap in the data protection legislation. The IPC specifically provides for termination of the preceding authorisation to use judicial data and transfers the relevant regulatory power to the Ministry of Justice; since the Ministry regulation is missing, the rules about how to use judicial data in Italy are rather unclear, and enterprises operating in business areas which require intensive use of judicial data (eg, financial diligence background checks, private investigations, banking, insurance, criminal law, etc) should dedicate specific attention to the matter.

In addition to this, one general policy issue has emerged over the last few months, perhaps due to the unexpected change of government majority, which happened in Summer 2019. Parliament has not succeeded in reaching an agreement that could command a sufficient majority to appoint the new members of the IDPA and this has resulted in the current, long expired, President and members having to stay in office with limited powers until Parliament succeeds in voting in new members.

A major development has occurred with the two aforementioned landmark cases (1.7 Key Developments) because of the very high fines levied which will undoubtedly have the effect of “scaring” large companies which acquire a significant amount of data on the market and induce them to question their GDPR approach vis-à-vis telemarketing and to further strengthen compliance and data-verification standards, especially when dealing with third-party data vendors. These cases, in particular, have demonstrated that the general opinion of many operators that the IDPA would not fully use its GDPR powers and instead remain in line with its pre-GDPR sanction regime (medium sanction: EUR100,000) was not based on any serious grounds. Enterprises relying on “soft” enforcement might be reconsidering their approach after these sanctions if their activity provides for significant data use.

As discussed above, most of the provisions contained in the IPC have been repealed, linking the relevant discipline directly to the provisions contained in the GDPR. Thus, many of the issues and conflicting provisions contained in previous omnibus laws and regulations have been absorbed by the GDPR's implementation into national law.

The IDPA also revised all its previous General Authorisations for specific data (save the one regarding judicial data, for the reasons described in 1.8 Significant Pending Changes, Hot Topics and Issues), organised a public consultation on them, and has consequently amended them to comply with the new regulatory framework.

The IPC does not provide additional rules for the appointment of data protection officers (DPOs): data controllers are, however, required to notify the contact details of their DPOs to the IDPA via a specific online procedure and confirm them through certified e-mail. The IDPA started a digital training programme for DPOs appointed by public administrations (the T4Data programme) and is also working on a self-assessment tool for small and medium-sized enterprises (the SMEdata project).

All criteria and principles provided by the GDPR as necessary to authorise the collection, use and other processing of data are now part of the Italian data protection legislative framework, so far without modifications or specifications. No specific regulation has been enacted on general principles such as privacy by design or privacy by default, or on the matter of data subjects' rights, anonymisation, de-identification, pseudonymisation, big data, algorithms and so forth, even if such topics are currently under scrutiny by the IDPA. This also applies to the concept of "injury" or "harm", for which standard GDPR definitions apply. The IDPA, however, is expected to clarify its position on many of these aspects of data protection during the next few years, by adopting general rules and specific decisions. These issues will probably be the object of the next IDPA commission mandate.

In fact, in July 2019, the IDPA performed a joint analysis with the Italian Telecommunications Authority (AGCOM) and the Italian Antitrust Authority (AGCM), and issued its guidelines and policy recommendations on big data, emphasising the need for dedicated regulation of the field, to increase transparency, accessibility and the right of access to public data, while keeping a European and international perspective on the matter. The results of the big data joint analysis were recently published by the three bodies. The Italian Ministry for Economic Development also set up, in December 2018, a task force of experts to study all phenomena related to artificial intelligence (AI) and blockchain algorithms. An official AI task force final document is expected to be issued in the next few months, to be discussed in Europe.

Note that the IDPA has so far also provided a list of types of data processing for which a data protection impact assessment is mandatory, with a specific decision (No 467/2018).

Although no specific regulation has been adopted by the IDPA, apart from those described above, many descriptive FAQs and infographics, as well as direct links to Article 29 WP documents, are available on its website, for both data controllers and data subjects to examine.

As described in 2.1 Omnibus Laws and General Requirements, save for the General Authorisations – which existed prior to the GDPR, have been reviewed as compliant with it and which were renewed in June 2019 – the IDPA has yet to adopt specific rules and regulations regarding sensitive and sectoral data, post-GDPR approval.

During the last two years, the IDPA has focused on solving specific issues, and has yet to implement general regulations regarding recurring topics and specific issues such as the right to be forgotten or children's data rights. GDPR general rules apply except where the IDPA has issued a General Authorisation laying down specific rules. This is an ongoing process.

The current General Authorisations cover:

  • sensitive data processed for employment purposes (No 1/2016);
  • sensitive data processed by associations, foundations, churches and religious communities (No 3/2016);
  • sensitive data processed by private detectives (No 6/2016);
  • processing of genetic data (No 8/2016); and
  • sensitive data processed for scientific research purposes (No 9/2016).

Some Authorisations only apply to specific data controller categories, while others, such as Nos 8 and 9, instead apply to any data processing carried out for the specific purposes detailed therein. In both cases, the Authorisations typically mandate data controllers to implement strict privacy by design and by default measures, as well as to ensure clear and full disclosure of all relevant information regarding the data processing which they intend to carry out, specifically detailing and limiting the scope and purpose of their activities.

Most of the other rules and regulations were issued pre-GDPR and still need to be adapted to the new framework. As mentioned elsewhere in this chapter, the IDPA has in the past issued specific policies pertaining to social media, fake news, disinformation and the right to be forgotten and it is likely that in the near future these decisions will be adapted to the new framework. The recent implementation in Italy of the EU Payment System Directive No 2 (so-called PSD2) is also likely to provoke some new policies and interventions by the IDPA regarding the use of personal data in financial services, as this topic has seen no recent review by the IDPA.

Regarding browsing data and cookies, the rules issued by the IDPA between 2014 and 2015, following the relevant EU Directives, are still valid and apply; these rules require a detailed privacy policy alongside specific instruments to limit and/or prevent the installation of specific types of cookies (profiling, analytics, tracking and third-party ones).

The IPC, as amended, still allows competent Authorities to wiretap audio and data traffic in telecommunications, where this is sanctioned by relevant laws and criminal regulations. In most cases, wiretapping has to be specifically requested and permitted by a judge, during a criminal investigation and for a limited period of time. It should, however, be noted that in December 2019, the Italian government issued a new reform on wiretapping, so the relevant regulation should, for the time being, be treated as a work in progress.

Geolocalisation of traffic data to provide phone premium services is allowed, according to the IPC, only when the relevant data has been anonymised or when the data subject has granted his or her consent to the processing of such data. It should be noted that this provision was already in force long before the adoption of the GDPR, therefore representing one of the first “privacy by design” standards in the EU.

As described in 1.7 Key Developments and 1.8 Significant Pending Changes, Hot Topics and Issues, the IDPA is currently investigating the levels of privacy provided by instant messaging mobile apps and social network websites, and has already sanctioned some international companies, following data breaches. Notwithstanding the current absence of specific general regulations on these topics, the IDPA has so far adopted a strong line of defence against services not considering the principles of privacy by design and by default.

Cyberbullying, hate speech, disinformation, terrorist propaganda, abusive material, political manipulation enacted with electronic means, social networks and websites have already been addressed by the Italian Government, in 2017, with a specific law (No 71/2017) providing for blacklisting of web pages containing abusive materials. A joint informative campaign between the IDPA and the Ministry of Education provided data subjects with all relevant information on the matter.

The rights of access, rectification and deletion of data are continuously protected by the IDPA by adopting decisions on specific matters submitted by the data subjects.

So far, the current regulations limit commercial and/or marketing communications on a strict principle of opt-in by the data subject, prohibiting and sanctioning unsolicited spam, either by telephone or mail.

Since the implementation of the GDPR, the IDPA, although issuing its landmark sanctions on this subject (see 1.7 Key Developments and 1.8 Significant Pending Changes, Hot Topics and Issues) has not yet revised its guidelines on unsolicited commercial or marketing communications, released in July 2013, so that they still apply as originally issued.

This on one hand demonstrates a certain degree of innovativeness of the original regulation, especially since it already dealt, well before GDPR, with modern principles such as fairness, privacy by default, privacy by design and the need for an explicit privacy policy, as well as for mandatory granular and unconditioned consent to the processing of personal data for marketing purposes; on the other hand, however, this also means that such a dated regulation does not take into account any of the most recent technological innovations in the field of spam. The provisions enacted by the IDPA only marginally dealt with the concepts of “social spam” and “viral marketing”, and it should also be noted that the current formulation thereof, when dealing with the relevant sanctions, still refers to specific articles of the IPC now repealed and not replaced by any others, after the implementation of the GDPR.

Behavioural advertising and profiling for spam and marketing has not been directly regulated by the IDPA, which prefers to directly refer to the Article 29 WP guidelines on the matter.

Marketing by e-mail and telephone was regulated in 2010, with a Presidential Decree issuing a Telephone and Postal Marketing Regulation; the regulation provides the possibility, for individuals whose landline telephone number is listed in a public telephone directory, to register their data in a special anti-spam directory, thus opting out from any unsolicited direct marketing calls and postal mail. It is mandatory for all postal and telemarketing operators to check their contact lists against such an anti-spam directory before each marketing campaign, and to refrain from contacting users listed therein. In 2018 the applicability of the register was extended to mobile telephone numbers, yet the government failed to issue the relevant implementing decrees within the terms established by law. It should be noted, however, that the IDPA recently issued an opinion regarding a proposed regulation on the extension of the anti-spam directory to mobile telephone numbers, so such regulation may be expected in the coming months. One of the critical points of the proposed regulation, which will probably not be easy to implement in practice, is the provision which automatically revokes all prior telemarketing consents for the fixed/mobile numbers and postal addresses upon their listing in the anti-spam directory. These consents remain valid only for entities which have a valid service contract with a data subject who requests to be listed in the anti-spam directory.

Privacy in the workplace was discussed by the IDPA in many of its pre-GDPR rulings. In Italy, however, this topic has also been subject to special labour laws, in particular the so-called Labour Law Statute, issued in 1970. Since its revision in 2015, all technical instruments that are not specifically needed to correctly perform specific working activities and that could monitor employees have to be pre-emptively authorised by labour organisations and/or the local offices of the Ministry of Labour. In any case, when such a pre-emptive authorisation is not required (such as, for example, for GPS trackers used by delivery services, when used to inform the recipient of the whereabouts of their delivery), the new regulation requires employers to pre-emptively inform all monitored employees, by means of dedicated notices, of the use of such technical instruments during their working activities; otherwise any information acquired using such instruments cannot be used in court. The same rules also apply to technical instruments used by employees at work. It is general practice, for businesses, to provide employees with written internal regulations concerning the use of technical instruments, the internet, e-mail, social media, etc. It should also be noted that before the GDPR, the use of biometric and genetic data to access working places had been discussed by both the IDPA and the Ministry of Labour, with different and conflicting opinions, still unconfirmed post-GDPR. There are no specific laws or regulations on whistle-blowing hotlines or anonymous reporting; however, this practice is generally allowed by the IDPA and/or by other authorities.

The IDPA established no additional legal standards further to the ones already in place to notify alleged violation of privacy laws. Alleged violations can be notified to the IDPA via registered mail by anyone involved therein, in free form or by using the pre-printed form provided by the IDPA itself. A prior notice to the data controller allegedly involved was a prerequisite to any notification of violation to the IDPA; however, after the regulatory implementation of the GDPR this is only “suggested”, so data subjects can directly notify the IDPA of any alleged violation of their rights by a controller. The IDPA has full investigative powers on privacy issues, yet data subjects may also alternatively file a case in court, requesting compensation for damages caused by the alleged violations. Filing a lawsuit in court, however, makes it impossible for the IDPA to proceed on the same matter.

All decisions adopted by the IDPA can be challenged in court with the special procedure discussed above (see 1.3 Administration and Enforcement Process). Decisions adopted by judges following this procedure cannot be appealed, except for in the case of procedural violations. This hinders efficient judicial investigation, usually persuading the judges involved therein to confirm the sanctions originally issued by the IDPA, or, in rare cases, to reduce their amount. Following the implementation of the GDPR, many commentators believe that a review of the system will be necessary, so as to bring the appeal of sanctions issued by the IDPA into the jurisdiction of administrative judges, where such issues could be subject to fuller analysis and review in case of any issues in the decision-making process.

Most of the penalties provided for in the IPC before the GDPR have been abolished; however, some criminal offences persist, such as "unlawful processing of personal data", "unlawful communication and dissemination of personal data processed on a large scale", "fraudulent acquisition of personal data" and "false statements to the IDPA", punishable with imprisonment from six months to six years depending on the severity of the offence. All criminal offences must be prosecuted and sanctioned by the criminal courts.

The vast majority of privacy cases in Italy have, so far, been pursued directly by the IDPA, and resulted in economic sanctions being issued against the offenders.

Class actions are not allowed in privacy matters, yet data subjects may lodge their complaints with the IDPA through associations active in the field of rights protection, and may also bring individual or joint lawsuits in court through the same associations, requesting financial compensation for the damage caused by the alleged (or established) offenders.

Since compensation for privacy violations is treated as a very delicate and personal matter, there is no public case history to report for the last 12 months. A few major consumer associations, however, ran advertising campaigns over the Facebook-Cambridge Analytica case, suggesting (on rather unclear grounds) that consumers bring a collective lawsuit claiming damages for illicit and/or unlawful data processing.

Just a few days after the GDPR became fully applicable, Italy also saw the entry into force of Legislative Decree No 51/2018 (the Criminal Privacy Code or CPC), which implemented Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.

The CPC regulates the processing of personal data for the purposes of the prevention and repression of crimes, the execution of criminal sanctions, and the safeguarding against and prevention of threats to public security, by both the judicial authority and the police forces.

In particular, the CPC provides that personal data be processed and stored only for the time necessary to achieve the purposes for which they are processed, subject to periodic review of the continuing need for retention, and be deleted or anonymised once that period has elapsed. The CPC also introduces a new set of rules distinguishing between categories of data (data based on facts and data based on personal assessments) and between categories of data subjects according to their procedural position (such as suspects, convicted persons, victims and witnesses).

The system introduced by the CPC therefore does not require a special authorisation for police forces to process personal data, but attaches a series of rights and guarantees to any such processing.

As regards the rights of the data subject (information, access, rectification, erasure and restriction of processing), the text provides that, with respect to personal data contained in a judicial decision, in documents or files processed during investigations or inquiries, in the criminal record or in a file processed in the course of criminal proceedings or of the enforcement of a criminal sentence, the exercise of these rights is governed by the procedural rules that govern those acts and proceedings.

In the judicial field, the protection of data subjects is therefore ensured by the guarantees attached to the rights of defence in criminal proceedings, which also cover the personal data that must necessarily be processed; this makes it possible to limit the exercise of the data subject's rights in accordance with the requirements of crime prevention, investigation and court proceedings. To protect legal rights, including those of third parties, a special procedure has been provided through which any interested party, during the criminal proceedings or after their conclusion, can request the rectification, erasure or restriction of their personal data.

As regards the security of processing, the appointment of a data protection officer is mandatory for the judicial authority as well: this figure can assist in the management of the sensitive data handled in court. As regards transfers of personal data to third countries or international organisations, these are allowed only when the recipient is a competent authority, for the public-security purposes covered by Directive (EU) 2016/680, and subject to specific conditions, including the adoption of an adequacy decision by the European Commission or, in its absence, the existence of appropriate safeguards.

The CPC identifies the IDPA as the national authority responsible for supervising compliance with the rules implementing the Directive, in relation to the protection of the fundamental rights and freedoms of the natural persons whose personal data is processed. The CPC also specifies that processing carried out by criminal judicial authorities within judicial proceedings, including processing by public prosecutors, is not subject to the IDPA's scrutiny.

Violations of the new rules are sanctioned with administrative fines ranging from EUR50,000 to EUR150,000 for breaches of the rules on the methods of processing, and with criminal penalties for processing carried out for illegitimate purposes.

In the case of intelligence and anti-terrorism issues, or for other national security purposes, the IPC provides that personal data required for intelligence, anti-terrorism or national security is processed under the supervision of a delegated member of the IDPA and under the applicable provisions of the CPC.

The CPC extends the basic safeguards of the GDPR to the processing of such data, but consent is not required for processing in this context and no prior information needs to be provided to the data subject.

One of the most interesting provisions requires a data protection impact assessment (DPIA) to be performed for new kinds of processing, and requires an opinion of the IDPA to be sought where the DPIA shows a potential impact on the fundamental rights of the data subject.

Italy is not party to any Cloud Act agreement with the USA and, in principle, under the GDPR framework, an organisation cannot simply invoke a foreign government access request as a legal basis for transferring personal data. If personal data is processed in the EU and/or transferred from the EU, GDPR principles apply, and any transfer must take place under the GDPR framework or its equivalent. Article 48 of the GDPR, in fact, provides that judgments of courts or tribunals and decisions of administrative authorities of a third country requiring a controller or processor to transfer or disclose personal data are recognised or enforceable only if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the EU or a member state. Article 49 provides specific derogations. In this regard, it must be remembered that the Regulation allows personal data to be transferred to a third country not covered by an adequacy decision "for important reasons of public interest" only by way of derogation from the general prohibition, and only where that public interest is recognised by EU law or by the law of the member state to which the controller is subject (Article 49(4)); the public interest of the receiving third country is therefore never a valid legal basis on its own.

However, there is much debate concerning the US Cloud Act which, even though it does not provide a GDPR-compliant framework (see GDPR Articles 48-49), should always be carefully considered in complex cloud services agreements, also in Italy, given that the main vendors are US-based and may have cloud storage infrastructure fully or partly outside the EU. Where an Italian multinational group enters into a cloud agreement with a US vendor, parts of the cloud service might in fact fall within the scope of the Cloud Act, which reaches data in the provider's possession, custody or control regardless of where it is stored, particularly where the group's subsidiaries that process personal data are located in the USA or in countries that have entered into Cloud Act agreements with the USA.

One of the main issues currently debated with regard to data privacy and protection in Italy is the relationship between government use of personal data and the public electronic identity issued under the framework of the so-called eIDAS Regulation. Between 2019 and 2020, the government first proposed and then withdrew the creation of a state-issued electronic identity replacing the current "SPID" identity, which is issued by accredited private providers and gives access to public and private online services. Some suggested that, in so doing, the government would have been in a position to control citizens' data even in private services. The proposal was withdrawn, probably because of potential conflicts with EU competition legislation.

Another much-debated issue concerns data from judicial investigations being leaked through unknown channels to the media and published, thereby exposing the personal data of individuals potentially involved in crimes (eg, the content of telephone conversations).

Italy does not have any special restrictions and follows the general rules established by GDPR on international data transfers.

Italy fully applies the conditions provided by Articles 45, 46 and 49 of the GDPR. Therefore, transfers that require no IDPA authorisation are those: (i) based on an adequacy decision of the Commission, which also binds Italy; (ii) based on appropriate safeguards, on condition that data subjects' rights are effectively protected; or (iii) based on standard data protection clauses adopted by the Commission or by a supervisory authority, or on binding corporate rules approved by an EU data protection authority.

More precisely, the appropriate safeguards listed in Article 46(2) of the GDPR do not require any specific authorisation from the IDPA: (i) legally binding and enforceable instruments between public authorities or bodies; (ii) binding corporate rules; (iii) standard data protection clauses; (iv) an approved code of conduct; and (v) an approved certification mechanism. The IDPA's authorisation is instead required, under Article 46(3), for safeguards provided by means of: (i) ad hoc contractual clauses between the controller or processor and the recipient in the third country; or (ii) administrative arrangements between public authorities or bodies.

International transfers may also be carried out without authorisation and without an adequacy decision, in the circumstances specified by Article 49 of the GDPR, in cases of: (i) explicit consent of the data subject; (ii) performance of a contract or implementation of pre-contractual measures; (iii) important reasons of public interest; (iv) the establishment, exercise or defence of legal claims; (v) protection of the vital interests of the data subject; (vi) transfer from a public register established under EU or member state law; or (vii) residually, the controller's compelling legitimate interests, under the strict conditions set out in that Article.

Adequacy decisions adopted by the Commission under Directive 95/46/EC (including the EU-US Privacy Shield) remain in force until amended, replaced or repealed (Article 45(9) of the GDPR), as do the IDPA's authorisations granted on the basis of that Directive (Article 46(5)) and the international agreements concluded by Italy before 24 May 2016 that comply with EU law as applicable at that date (Article 96).

With the entry into force of the GDPR and the consequent amendment of the IPC by Legislative Decree No 101/2018, the national authorisation requirement has been waived: the legislative decree repealed Article 44 of the IPC. The IDPA's authorisation nevertheless remains necessary for ad hoc contractual clauses (not adopted by the Commission or a supervisory authority) and for administrative arrangements between public authorities.

Whatever the legal basis of the processing, a controller that intends to transfer personal data outside the EEA, to a third country or an international organisation, must provide the data subject with this information at the time the personal data is obtained.

The privacy notice, where the controller intends to transfer personal data to a third country or international organisation, must mention the existence or absence of an adequacy decision by the Commission or, in its absence, refer to the appropriate safeguards adopted and to the means by which a copy of them can be obtained (see Articles 13 and 14 of the GDPR).

The data subject has the right to obtain information on the recipients or categories of recipients to whom his or her personal data have been, or will be, disclosed, in particular where such recipients are located in third countries or are international organisations, pursuant to Article 15(1)(c) of the GDPR.

The GDPR marked a change of course with regard to the accountability of the controller, which is solely responsible for the technical and organisational measures adopted to implement the principles of data protection by design and by default laid down in Article 25.

This accountability model, as envisaged by the Regulation, does not require the controller to share any technical details of those measures with the government.

Some recent administrative case law (although not related in any way to personal data legislation) has, however, granted trade unions access to the algorithms used by the government to decide on the transfer of public school teachers across the country. According to some views, this could lead to an obligation to disclose algorithms whenever software is used for public-interest purposes, but the debate is still open.

As mentioned above (see 4.2 Mechanisms That Apply to International Data Transfers), a specific limitation is set out in Article 48 of the GDPR. Under this provision, a judgment of a court or tribunal or a decision of an administrative authority of a third country requiring a transfer or disclosure of personal data may be recognised or enforced only if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the European Union or a member state.

In this field, note should be taken of the Agreement on extradition and mutual legal assistance in criminal matters between the European Union and the USA of 25 June 2003. Under Article 9 of the agreement, the requesting country may use the evidence or information received only for a defined set of purposes.

According to the explanatory note to the agreement, refusal of assistance, for instance by invoking data protection reasons arising from the differences between the two privacy systems, should occur only in exceptional cases. A broad application of data protection principles as a ground for refusal is thereby excluded.

The Commission Delegated Regulation (EU) 2018/1100 of 6 June 2018 – which entered into force on 7 August 2018 in reaction to the US announcement of the reimposition of sanctions on Iran, after its withdrawal from the Joint Comprehensive Plan of Action (JCPOA), agreed in 2015 between Iran, China, France, Russia, the UK, Germany, the US and the EU – is relevant in this context.

The Delegated Regulation amended the annex to the European Union's Blocking Statute of 1996 in order to protect EU operators engaged in lawful international trade. The update forms part of the EU's continued implementation of the JCPOA.

The original purpose of the Blocking Statute was to counter the effects of the measures adopted by the USA concerning Cuba, Iran and Libya.

The use of biometric data, which includes, inter alia, fingerprints, iris recognition, facial recognition, biometric handwritten signatures, voice recognition and biological samples, is addressed by the GDPR and controlled by the IDPA under the GDPR framework and the IPC, which treat biometric data used to uniquely identify a natural person as a special category of (sensitive) data. There is no specific domestic regulatory definition of "biometric data" beyond that of Article 4(14) of the GDPR; it is generally agreed that biometric data is any data derived from "biological properties, behavioural aspects, physiological characteristics, living traits or repeatable actions where those features and/or actions are both unique to that individual and measurable, even if the patterns used in practice to technically measure them involve a certain degree of probability". Nevertheless, in order to rely on harmonised wording in a highly technical context, the IDPA has decided to adopt the definitions found in ISO/IEC 2382-37 (Information technology – Vocabulary – Part 37: Biometrics) for the purposes of analysing and classifying biometric data.

Facial recognition therefore falls within biometric data, and developments on the topic are to be expected in light of the European Commission's White Paper on Artificial Intelligence presented in February 2020, which specifically addresses facial recognition systems.

As for geolocation, Italy has laid down specific provisions on the use of this technology to locate workers; in general, the GDPR is fully applicable to geolocation. The current wording of Article 4 of the Workers' Statute (Law No 300/1970), as amended by Legislative Decree No 151/2015 (implementing one of the delegations contained in the so-called Jobs Act, Law No 183/2014), allows remote monitoring only where compatible with the protection of workers' freedom and dignity and, to that end, provides that such tools may be used exclusively "for organisational and production needs, for work safety and for the protection of company assets and can be installed after collective agreement entered into by the unitary union representative or by company union representatives" (Article 4 of the Workers' Statute, as amended by Article 23 of Legislative Decree No 151/2015). The rules governing the processing are therefore defined in a union agreement or, failing such agreement, the installation of the devices is subject to authorisation by the local office of the National Labour Inspectorate. Geolocation devices installed on company fleets are generally not considered tools used by employees to perform their work; as a consequence, the exemption for work tools does not apply to them and the agreement or authorisation requirement described above remains applicable.

Regarding the use of drones, the IDPA issued recommendations to the public in November 2019, pointing out that their improper use may pose a risk to the privacy of individuals. Drone use is regulated by the civil aviation authority (ENAC) through a specific regulation that requires authorisation for drones over 2 kg and lays down general limitations for the flight of remotely piloted aircraft (APR) and remotely piloted aircraft systems (SAPR).

The IDPA has not devoted specific attention to the internet of things (IoT); this area has been followed closely by the Italian Communications Authority (AGCOM), which launched a public consultation and followed up with a study and specific regulation of IoT in the telecoms field (eg, data SIM cards used in vehicles and other systems).

For artificial intelligence, Italy has set up two expert groups: one on artificial intelligence in public administration, which produced a white paper, and a task force entrusted with drafting the general Italian AI strategy and assessing opportunities and risks. Their output consists of non-binding guidelines, and it is not yet possible to say whether the government will follow up on them.

Only in 2019 was the IDPA finally given full power to enforce the GDPR and able to issue its first sanctions, which were eagerly awaited by data protection practitioners because they are key to understanding how the IDPA will interpret the wide powers with which it has been entrusted. The first cases decided by the IDPA under the GDPR (case No 83 of 4 April 2019, regarding a data breach in the "Rousseau" web platform used by the political party known as the "5 Star Movement", and case No 130 of 12 June 2019, regarding lack of consent for the promotional use of customer data collected through loyalty schemes of a well-known brand of baby diapers) showed a very conservative approach, with sanctions in the region of EUR50,000 to EUR100,000 and blocking orders. Until the end of 2019, given the amounts of the sanctions imposed, it was clear that Italy had yet to see a landmark case under the GDPR, probably due to the delayed enforcement of the new regime.

The IDPA then demonstrated that it intended to use the full powers of the GDPR with two cases in December 2019 and January 2020. In the first (actually two proceedings against the same company), the IDPA fined an electricity and gas utility with two sanctions totalling EUR11.5 million for the use of telemarketing data without valid consent, which extended to unsolicited phone calls and contract activations (cases No 231 and 232 of 2019). In the second (case No 7 of 2020), the IDPA fined the Italian telecoms incumbent a record sum of approximately EUR27.8 million, also for telemarketing violations: in particular, the IDPA found, inter alia, that the operator was using marketing data (telephone numbers) in disregard of the specific requests of called parties not to be contacted again and/or without being able to demonstrate valid consent.

Apart from the IDPA's administrative sanctions, Italian courts are not known for intensive or specific data protection case law, for the reasons discussed above (see 1.3 Administration and Enforcement Process).

Class actions, forms of collective redress and representative actions are not permitted with regard to data protection matters in Italy.

In Italy, due diligence is performed in particular in the context of corporate acquisitions or disposals; when issuing financial instruments (placement of shares or bonds); in view of the purchase of units of closed-end alternative investment funds (AIFs) managed by asset management companies; or for the appraisal of properties subject to judicial proceedings or to sale and purchase and, more generally, as security for credit exposures.

This is usually done by a third party, not related to the offeror or those interested in purchasing.

Beyond this sector, due diligence also extends to the financial field, giving operators and financial institutions the possibility of collecting account information. In this case it forms part of the fight against tax evasion and is aimed at verifying the actual tax residence of customers.

Since 2014, provisions have been implemented at EU level by Council Directive 2014/107/EU and in Italy by Law No 95/2015. Since then, the automatic exchange of information has been possible, so that all financial operators know the rules in force for classifying their customers and can identify the holders of accounts who are not tax resident in Italy. Banks and other financial institutions are then required to report the information so obtained on these subjects to the Italian Revenue Agency.

The introduction of the GDPR has indeed raised several concerns about due diligence operations, leading to changes in procedures and to potential issues where data has been collected without proper attention to GDPR compliance, although no specific case has yet been pursued by the IDPA.

The need to demonstrate corporate compliance under Legislative Decree No 231/2001 (Liability of Legal Persons for Criminal Offences) has led companies to introduce a sort of privacy dossier, also known as the privacy organisational model, which in fact includes all the requirements necessary to ensure confidentiality and the highest degree of protection for the personal data processed within the company.

The model is similar to the one that must be prepared and kept up to date to comply with Legislative Decree No 231/2001. In fact, criminal data processing offences can trigger the liability of legal persons under that decree.

Thus, among the compliance documents to be disclosed, the GDPR compliance model has come to be associated with the general corporate compliance model.

There are no major issues of data protection and privacy in Italy not already discussed in this chapter.

Studio Prosperetti

Via Gerolamo Belloni, 88
00191 Roma

+39 06 363 04 109

+39 06 363 01 896

studio@studioprosperetti.it
www.studioprosperetti.it