The recent provisions of the Italian legislator on data protection
With Law n. 167/2017 and Law n. 205/2017 the Italian Legislator emitted new rules on data protection matter, taking into consideration the provisions of GDPR.
In particular, Law n. 167/2017 introduced a partial review of the role of data processor pursuant to art. 29 of the Italian Privacy Code, by adding a new Paragraph 4-bis and by replacing Paragraph 5, which regulate the data processor’s appointment procedures and requirements. On the basis of such reviews, the new Article 29 of the Italian Privacy Code establishes that “data controllers shall conclude written legal acts with the controllers, specifying the finality pursued, the typology of data, the duration of processing, the obligations and rights of the data controller, as well as the methods of processing” and that “these acts are adopted in compliance with the standard models prepared by the Italian Data Protection Authority”. Data processors shall also follow the data controller’s instructions, which may carry out periodic audits.
By this law, moreover, the Italian Lawmaker added the new Article 110-bis on the re-use of data for scientific research or statistical purposes, with the exception of genetic data, asking for the previous authorization of the Italian Data Protection Authority.
Law n. 205/2017, instead, establishes that the data controller, before carrying out a processing based on the legitimate interest which involves new technologies or automated tools, must promptly notify the Italian Data Protection Authority, by using a template that must be prepared by the said Authority within two months from the entry into force of the Law – and which has not yet been arranged -. Once 15 working days have elapsed from the sending of the information, in the absence of a reply from the Italian Data Protection Authority, the data controller may proceed to the processing; otherwise, if such Authority believes that the processing is likely to result in a high risk to the rights and freedoms of the subject concerned, he orders the prohibition to use the data. Such provision, indeed, would appear, according to the first observations in doctrine, in possible breach of the GDPR, which has actually removed the obligation to notify the supervisor authorities.
Despite the high expectations, such amendments have been felt by the majority of the scholars as unclear and ambiguous, since they did not provide the required clarifications, nor they treat the privacy matter in an organic manner. As a matter of fact, current Italian legal framework on data protection is extremely confusing.
Nonetheless, we acknowledge that the Committee, in force of the Law 163/2017 under which the Italian Lawmaker delegated the Government to harmonize the local laws to the GDPR, should shortly issue a much more comprehensive measure, with the view to wholly coordinating the national provisions with the European ones. We are confident that, on that occasion, the Italian Legislator will better define those issues and provide the necessary explanations with regard to the Laws 167/2017 and 205/2017.