By Rocco Panetta – IAPP Country Leader for Italy
As we bid farewell to an eventful year and anticipate the future, the data economy landscape in Italy is marked by significant developments in both the regulatory and enforcement realms.
On 6 July, Pasquale Stanzione, chairman of the Italy’s data protection authority, the Garante, presented the annual report of the authority to the Parliament. The report outlines how the Garante, which celebrated its 25th anniversary last year, continued to assert its influence on data protection policies and played a multifaceted and essential role in Europe.
The Garante’s opinions on legislation emphasized the principles of proportionality and data minimization. It scrutinized electronic health records, the health data ecosystems, and artificial intelligence-based processing, advocating checks on analytical models to prevent biases. In internet-based profiling and revenge porn, it proposed strict provisions with direct influences on Italian criminal law.
The authority has actively engaged with EU bodies and the judiciary, promoting the culture of data protection. With a multifaceted approach, the Garante remains a vital player in safeguarding data privacy, ensuring the balance between evolving technology and citizens’ fundamental rights.
As far as its sanctions regime is concerned, the Garante ranks fourth among EU supervisory authorities for total sanctions issued since 2018 with fines equal to 150 million euros. It is worth mentioning that in if one waives the appeal of a Garante fine and pays within 30 days, the penalty is reduced by 50%. This significantly reduces the amount of sanctions collected per year, but remains an important incentive of the forum on the choice of leading authority.
The Court of Cassation has played a significant role as well. Notably, a case emerged where the court quashed the judgment rendered by the first-instance court, affirming the Garante’s legitimacy to order a search engine to delist search results obtained from a data subject’s name globally. This decision emphasized the global scope of data protection rights and the need to protect individuals’ privacy across borders.
In the dynamic field of AI, data issues have become increasingly more complex, and Italy played a primary role in early attempts at regulation.
Almost everyone remembers when the Garante acted early this year against ChatGPT due to concerns about the handling of personal data of Italian users. The DPA found issues with inadequate user information, lack of a clear legal basis for data processing, and potential exposure of minors to inappropriate content without proper age verification. In response to the DPA’s order, OpenAI made improvements, including providing clearer information notices, updating privacy notices and allowing users to opt-out of certain data processing. The Garante acknowledged these efforts but called for further measures, such as implementing an age verification system and conducting an information campaign.
On the one hand, the Italian authority took immediate action on the matter to get ahead of the technology. On the other hand, it proved not only that it wanted to secure concrete commitments to the protection of user data, but that the Garante did not intend to hinder technological development in the field of AI.
To ensure transparency and accountability, the Garante has called for comprehensive data protection impact assessments for AI-driven projects and underscored the importance of human intervention to prevent automatic reliance on algorithmic outputs. The authority has also addressed AI’s impact on individuals’ rights, specifically in cases involving large-scale processing activities based on AI tools.
In the broader EU data protection picture, predictions on privacy in the EU and Italy for the coming year are uncertain due to unexpected events such as the war in Ukraine, rising geopolitical tensions, and unprecedented technological and social complexity. However, key trends have emerged in the EU and Italy.
The relationship between data and citizens’ freedom remains a central concern. The pressing issue of the cookie wall in online publishing demands attention. Maybe even as much attention as the recent monumental EU fine of 1.2 billion euros against Meta. Both are signals of a potential transformation in the internet landscape.
Notably, new regulations on data processing for commercial profiling, including the Digital Services Act and Digital Markets Act, are on the horizon. Newspaper publishers face a critical challenge in balancing user consent for profiling cookies while upholding press freedom and individual privacy.
Among the Italy’s regulatory changes are transparency obligations as well as requirements that emerged with the implementation of the NIS directives. This regulatory-geopolitical landscape brings out the centrality of cybersecurity, a growing field that will require increasing specialization.
The Garante’s vision of using data for societal growth aligns with the goals of the EU’s data policy. Turning data into a common good, while safeguarding individual identity rights, has become a primary task for the Italian authority. It equates to raising users’ awareness of the value of personal data and the consequences of their consent.
In such a context, European and Italian democracies aim to avoid letting one fundamental right prevail over others. The goal of national authorities is to achieve a delicate balance, ensuring that privacy rights do not undermine other fundamental rights. Striking this balance will be demanding, but it remains essential as we navigate the ever-evolving data landscape.
The role of privacy professionals has become more pivotal than ever. Privacy professionals are going to become more and more crucial for organizations to navigate the complex data protection landscape, ensure compliance with new regulations and safeguard individuals’ rights.
Originally published on IAPP