Recent amendments to data protection laws in Italy

In December 2021, some substantial changes to data protection laws were introduced in Italy.

The first important change concerns the relationship between the processing of citizens’ personal data and the wider public interest. Implementing a provision contained in Article 6 of the GDPR, the Italian Personal Data Protection Code now clarifies that the processing of personal data by a public administration is permitted if “necessary for the performance of a task carried out in the public interest or for the exercise of public powers vested in it.” Furthermore, under the new rules the legitimate basis for the processing of personal data by a public administration may be a general administrative act and not only on a rule of law or regulation.

The second important change is aimed at strengthening legal protections against the so-called “revenge porn”. A new Article 144-bis has been added to the Personal Data Protection Code, allowing anyone, including minors over fourteen years old, to report to the Italian Data Protection Authority (the Garante) when he has reason to believe that computer documents of any kind (photos, audio or video recordings, etc.) with sexually explicit content concerning him, intended to remain private, can be disseminated through digital platforms without his consent. On receipt of a report, the DPA will be able to take injunctive measures against the owners of the digital platform used, and/or orders to disclose information and, more generally, all the measures provided for by Article 58 of the GDPR. The digital platform owners, on receipt of such an injunction, will have a duty to preserve evidence whilst adopting the necessary measures to prevent the identification of those concerned.

Furthermore, the DPA, when imposing any administrative penalty, may also order offenders to carry out “institutional communication campaigns aimed at promoting awareness of the right to the protection of personal data, based on projects previously approved by the Garante which take into account the seriousness of the breach”. Conversely, for the purposes of determining the sanction, the Garante can also take into account any similar awareness-raising campaigns on the subject of personal data “carried out by the offender before the breach was committed”.

Also worthy of mention is the reduction to 30 days, starting from the request (after which it will be possible to proceed independently from the submission of the opinion), of the deadline within which the Garante must submit an opinion with regard to reforms, measures and projects concerning the National Recovery and Resilience Plan.