Our colleague Giulio Coraggio explains how privacy legitimate interest might become difficult to manage in Italy following provisions introduced by means of the Budget Law:
The Italian legislator seems not to like legitimate interest as legal basis of data processing. Indeed, under the current Italian Privacy Code, it required a previous approval from the Italian Data Protection Authority, while a new provision of the Italian Budget Law introduces a regime (to be applicable under the GDPR) which seems a sort of “hidden prior approval“, despite of the fact that the GDPR is based on the accountability principle and requires to adopt a risk based approach.
What provides the Italian law on legitimate interest?
The Budget Law provides that data controllers which process personal data through automated means or “new technologies” on the basis of legitimate interest shall:
- send a prior notification to the Italian data protection authority (DPA), attaching an information notice (a privacy information notice or just a template to provide details on the data processing activity not to be incorporated in the privacy information notice, it is not clear!) to be drafted according to a template and guidelines that the Italian DPA shall issue; and
- wait for the approval from the Italian DPA, but
- will be able to start the data processing activity 15 days after the delivery of the material referred above
- which will not trigger a silent approval since the Italian DPA shall start in any case an investigation on the matter and might require to suspend and in most relevant cases terminate the data processing activity.
What issues I can see?
We will have to see how the matter will be regulated in the procedure and guidelines to be issued by the Italian DPA, but my first comments are:
- since the provision applies to data processing activities based on legitimate interest and performed through automated means and new technologies (which are not clarified) and we are in 2018 when any type of data processing activity is performed in a digital format, this means that any data processing activity based on legitimate interest risks to be caught by the requirements above;
- the most diligent companies that have been working for months on their GDPR compliance program, also already adopting a privacy information notice compliant with both the current privacy regime and the GDPR in order to avoid the notification of a new privacy information notice on the 25th of May 2018 and to collect GDPR compliant privacy consents, could lose part of the work already done since they might need to notify again a new version of the privacy information notice (if the information notice referred in the law is meant as a privacy information notice) because
- the template of privacy information notice and the approval procedure provided to be issued by the Italian DPA is not yet in place; and
- the template to be issued by the Italian DPA might be, even merely formally, differ from the GDPR compliant privacy information notice already adopted; and
- it is not clear what happens to data processing activities based on legitimate interested that have been started 15 days after the notification to the Italian DPA and are subsequently challenged by the Italian DPA. Indeed, this scenario risks to put companies in a difficult position of uncertainty.
Is the provision compliant with the GDPR?
The last issue that came to my mind is whether this provision falls within the scope of discretionality granted to EU Member States by the GDPR. Indeed,
- the GDPR does not provide that Member States can introduce conditions to the exercise of the legitimate interest whose terms have already been subject of the guidelines of the Article 29 Working Party;
- the procedure above and even the template of privacy information notice introduce a sort of “prior check” which is in contrast with the GDPR principle of accountability; and
- the Italian guidelines on legitimate interest cannot be inconsistent with those adopted by the Article 29 Working Party and
- if a similar procedure was introduced by Italy and, following the Italian approach, by other EU Member States the risk is to create a much higher level of uncertainty on privacy laws across the EU, which was meant to be avoided through the GDPR. This is true also because the GDPR does not provide for the so called “principle of establishment“. Therefore multinatinational companies operating from their headquarter in an EU country across the whole EU risk to comply with 27 slightly different privacy laws.
Our hope is that the Italian DPA will not issue any template of privacy information notice, but just require a notification according to a template to be issued by them or better convince the Government that such provision is not compliant with the GDPR.