The Decree provides that it enters into force the day after its adoption, however the Italian Parliament has 60 days to officially adopt it through a legislative act. Only then will the Decree produce its effects in the Italian legal system. In the absence of such a legislative act, the Decree will cease to have any effect, in other words, it would be as if it had never existed. Rocco Panetta, founder and managing partner of PANETTA Law Firm, discusses the Decree and changes to the Italian privacy framework in this article.

Considering the tight timeframe, Italian MPs are currently discussing the details of the Decree and interviewing experts in various fields, including data protection consultants and lawyers, to better understand the scope, and the potential consequences deriving from the adoption of the Decree in its current form.

Law no. 205/2021 (the 'Law'), published in the Italian Official Journal on 7 December 2021, has been adopted by the Parliament, introducing further amendments to the initial version of the Decree. Evaluating the impact of such novelties is not an easy task, as the outcomes of the legislative process have been quite surprising.

What’s new?

The Decree has included some potentially impactful novelties regarding the Italian data protection framework. Specifically, through the introduction of Article 2-ter, paragraph 1-bis, to the Legislative Decree no. 196/2003 ('the Privacy Code'), as already amended by Legislative Decree no. 101/2018, which is the national law which adapted the Italian legal system to comply with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Further, Article 9 of the Decree states that the processing of personal data by a public authority, or a state-controlled company (jointly, 'PA'), is always permitted if carried out in the public interest, or for the exercise of public powers. The main point of this new provision is that, even in the absence of a law or a regulation pointing to the legal basis for a specific processing, the PA could still proceed with the intended processing of personal data, by self-determining the purposes and the legal basis because it has not been specified under which legal mechanism, for example, a general administrative act, a ministerial decree, or other secondary legislation, which the processing would fall under.

Further to that, the Decree establishes that public authorities and companies may also share personal data among themselves, as well as with private entities, if doing so in the public interest, within the application of the new Article 2-ter, paragraph 1-bis, of the Privacy Code described above. In this regard, some further precaution would have been advisable, considering that a general green light to the data sharing among different entities and across contexts would require, instead, a case-by-case assessment in order to respect the essence of the proportionality principle.

Additionally, Article 2-quinquiesdecies of the Privacy Code which addresses processing which presents high risks for the performance of a task of public interest has been entirely repealed. In other words, the Italian Data Protection Authority ('Garante') has been deprived of the power to decide upon those processing activities, subject to a high risk, carried out in the public interest by PAs.

As such, the advisory powers of the Garante towards the PA seem to be unwisely diminished, especially if we consider these novelties in the context of the overall Italian public administration's landscape, characterised by a low culture of privacy, and newly appointed DPOs, who eagerly look to the Garante's latest provisions and guidelines to guide their actions.

By adopting Legislative Decree no. 101/2018, the former Italian Government amended the Privacy Code, by increasing the level of protection for data subjects, as well as facilitating the achievement of PA objectives. Indeed, Article 2-quinquiesdecies was harmoniously interlinked with Article 36(5) of GDPR which states, '[…] Member State law may require controllers to consult with, and obtain prior authorisation from, the supervisory authority in relation to processing by a controller for the performance of a task carried out by the controller in the public interest, including processing in relation to social protection and public health' and with Article 58(3)(c) of the GDPR which recites 'Each supervisory authority shall [...] authorise processing referred to in Article 36(5), if the law of the Member State requires such prior authorisation'.

The powers of the Garante

The Garante is consulted with regards to legislative reforms and projects realised in the context of the application of the Italian Recovery and Resilience Facility, according to Regulation (EU) no. 2021/241 ('PNRR') and to the National Investment Plan, issued with Law Decree no. 59/2021, adopted with amendments by Law no. 101/2021. The Garante is required to provide its opinion within 30 days from the day of the submission of the request, pursuant to the Decree. If such an opinion is not formulated, the reform or the project could be adopted irrespectively. Even though the reasoning behind such a provision can be easily guessed, intuitively, to ensure quick responses by the Garante, it still appears to be both unnecessary and excessive.

Considering the effort expended by the Garante during the COVID-19 pandemic, in almost every case the Garante has provided timely feedback to the national authorities, very often anticipating rather that delaying the governmental action. Examples of such promptness are, for example, the measure authorising the processing of personal data carried out through the COVID-19 Alert System - Immuni App – 1 June 2020¹, or the contributions with regard to the introduction of the Green Pass². Furthermore, the Italian Government should have allowed at least the possibility of extending the period allowed for providing feedback, particularly considering the sensitive matter which will be addressed and managed under the PNRR and its coordinated acts. Moreover, assuming that there will be some frequency to measures with a high risk which will be adopted, a scalable extension of the terms should have been envisaged so as to align with the standard ones defined under Article 36 of the GDPR (60 days plus a further two-week extension) and reiterated, at national level, in the Internal Regulation 1/2019 on the identification of time limits and organisational units responsible for administrative procedures within the Garante organisation³.

Debate in the privacy community and at an institutional level

As soon as the Decree had been published, the uproar in the Italian data protection and privacy community was massive, possibly for three main reasons:

• nobody was expecting such an incisive modification of the Privacy Code after the last major integration which was carried out in 2018;
• the extent of the changes appears wide-ranging and in conflict with the Italian legal system, as well as the GDPR; and
• the nature of the Decree, which should respond to the necessity and urgency of the matter regulated therein.

By contrasting public impressions with more institutional positions, however, this perception is being further discussed during hearings held by the Senate's constitutional affairs committee, where several improvements have been supported by the rapporteurs.

Professor Pasquale Stanzione, President of the Board of the Garante, has intervened in the discussion by representing the position of the Garante. The adjustments proposed by the Garante seem to point towards two things: on the one hand, they aim to go along with the Government's intention to simplify the action of the PA. On the other hand, they seem to confirm that the Italian data protection legal system is submerged in a wider European common framework, where substantial principles, such as the transparency, proportionality, and security principles shall always be taken into account first and foremost.

Parliamentary amendments: pros and cons of an unexpected privacy reform

The conversion Law has introduced further changes. Those changes are only partially the result of the Senate’s hearings and of the wider public debate among professionals in the field.

Undeniably, the Law has introduced some positive changes. Firstly, with regard to the resources of the Italian DPA, budgetary and staff increases have been decided, following the requests of the President of the Italian DPA on the matter. Secondly, with reference to revenge pornography, some further safeguards and details have been introduced for the victims of such abuses, especially if they are underage, for example, they can now immediately report a dangerous situation to the Garante, which can then immediately activate an internal procedure to follow-up the request within 48 hours.

Another unexpected, but welcome, amendment refers to Article 166(7) of the Privacy Code, introducing some elements of Corporate Social Responsibility ('CSR') into the data protection realm, as a mitigating or alternative factor to the issuing of a monetary sanction by the supervisory authority. Specifically, during the application and setting of an administrative fine against a data controller or processor, the Garante can evaluate the presence "of institutional communication campaigns aimed at promoting awareness of the right to the protection of personal data, on the basis of projects approved in advance by the Garante and taking into account the seriousness of the violation [or] made by the offender before the infringement was committed". Such innovation is likely to entail the widespread existence of a different mindset at a business level, by boosting a combined implementation of CSR and data protection awareness projects.

On the other hand, the scope of the modifications to the Italian data protection framework has been further extended to also encompass rules on AI-driven facial recognition systems in public spaces. In this respect, according to the new Article 9(9) of the Law, the installation and use of video-surveillance systems with facial recognition systems which operate using biometric data in public places, places open to the public, by public authorities, or private entities, are suspended until the entry into force of a legislative framework on the matter, and in any case, no later than 31 December 2023. However, despite the stance of the Italian government, Article 9(12) of the Law introduces a wide exemption by providing that the above paragraph does not apply to processing carried out for the prevention and prosecution of criminal offences or the execution of criminal penalties. Therefore, the ban on the use of facial recognition systems in public spaces failed to be an all-encompassing prohibition, given that the use of such technology by public authorities is likely to be allowed under this exemption.

Finally, with regard to the interplay between data protection rules and the pursuit of PA objectives, the Parliament chose to expressly indicate in the Law that PAs are allowed to define the purposes and means of the processing in the absence of a legal basis set forth by a law or regulation. In this sense, a general administrative law has been deemed appropriate to modify the scope of data protection rules. Furthermore, with regard to the timeframe by which the Garante must provide its opinion related to the PNRR draft provisions, 30 days have been confirmed as a sufficient time span to submit its advice. The repeal of article 2-quinquiesdecies of the Privacy Code has been also confirmed.

Notwithstanding such unexpected adoption of the Law, and despite its punctual amendments, my hope is that the national legislator has, and keeps having, a clear and solid perspective on how the Italian data protection framework should be further developed in harmony both with the European project and the Italian PA goals. To do so, it can only rely on the expertise of those, such as experts, professors, and professionals, who better know the matter at discussion, and especially the Garante itself, institutionally placed to continuously address privacy issues, guarding the, now more than ever, fragile balance between data controllers and data subjects.

Rocco Panetta CIPP/E, Founder and Managing Partner
[email protected]
PANETTA Law Firm, Rome

1. Available, only in Italian, at: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9356568
2. Available, only in Italian, at: https://www.garanteprivacy.it/temi/coronavirus/green-pass
3. Available, only in Italian, at: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9107640