by Vincenzo Tiani
The government’s latest decree-law, the so-called dl Capienze, which was long-awaited to regulate a number of pressing issues such as access to cultural, sporting and recreational activities, has also touched on aspects of personal data protection by amending the Privacy Code and the powers of the Garante.
Since the beginning of the pandemic, the government and the Garante have always had to engage in close dialogue in order to find the legal framework that would guarantee the right balance between all the interests and rights at stake: the right to health, the right to data protection, and the right to work, all in an attempt to facilitate management that is not excessively burdensome for the public and private sectors.
More powers for public administration
Perhaps as a result of the difficult management of this delicate balance, the government has launched a number of measures in its latest decree that give the public administration ample scope to process citizens’ personal data for reasons of public interest and the exercise of public powers. It should be noted, however, that these changes will not be limited to the time of the pandemic emergency but will be definitive.
In fact, Article 9 of the decree establishes that “the processing of personal data by a public administration […], including independent authorities and administrations […], as well as by a publicly controlled company […] or by a body governed by public law*, is always permitted if necessary for the performance of a task carried out in the public interest or for the exercise of public powers attributed to it. The purpose of the processing, unless expressly provided for by a legislative provision or, in cases provided for by law, by regulation, shall be indicated by the administration, the publicly controlled company or the body governed by public law in line with the task carried out or the power exercised.”
The Gdpr, the European Data Protection Regulation, prescribes that personal data can only be processed under six possible legal bases (art. 6), including the performance of a task carried out in the public interest or in connection with the exercise of public authority. The decree prescribes that this is no longer possible only by law (with all the guarantees provided for by the Italian constitution), as provided for in the European regulation, but in its absence also on the very indication of the administration or publicly controlled company.
Following the changes introduced any public administration could also decide to communicate or disseminate citizens’ data if it deemed, on its own, inherent to the public interests pursued (given the amendments to Article 2-ter of the Privacy Code).
Privacy Guarantor depowered
The other major change introduced is that precisely with regard to the performance of a task of public interest, in cases where high risks for fundamental rights and freedoms may be identified, the decree repeals the power of the Italian DPA to prescribe measures and precautions to guarantee citizens, which the public administration would have had to adopt until now (provided for in Article 2-quinquiesdecies of the Privacy Code, now being repealed).
Moreover, the power of the Garante to establish minimum security and protection requirements for traffic data and their destruction, once the time allowed for their use for the purpose of investigation and prosecution of criminal offences has elapsed, is lost.
Moreover, the Garante will have only 30 days from the request to provide its opinion on reforms, measures and projects for the implementation of the National Recovery and Resilience Plan, reforms that by their nature and given the strong interest in the digitisation of the country, could be very complex and difficult to comment on in such a short period of time.
The only positive note concerns Article 10, which recognises the role of the Garante as an interlocutor for victims of revenge porn, being able to intervene urgently, after a report, to limit the dissemination of material considered private.
*Update Monday 11 October 2021, 17:30
The text published in the Official Gazette presents changes compared to the draft circulating when the article was written.
Compared to the first version, the decree excludes from the public administrations concerned non-state controlled companies and, for public companies, the processing of personal data “related to activities carried out in a free market regime“.
It was then specified that the purpose of the processing is indicated by the administration “ensuring adequate publicity to the identity of the data controller, the purposes of the processing and providing any other information necessary to ensure fair and transparent processing with regard to the data subjects and their rights to obtain confirmation and communication of the processing of personal data concerning them.” Actually, this clarification was not necessary as it was already provided for in the GDPR.
Originally published on Wired Italia
Creative Commons Attribution, Non Commercial, Non Derivs 3.0