With Legislative Decree n. 101/2018, which came into force on 19 September 2018, the Italian Legislator has finally brought the local privacy legislation, Legislative Decree 196/2003 (the so-called "Privacy Code"), into line with the provisions of the GDPR, by:
- repealing those rules which were incompatible with the European Regulation or which represented an unnecessary duplication thereof;
- regulating some subjects on which the GDPR has left margins of discretion to the Member States (e.g. PA, health data, scientific research, criminal sanctions).
Among the provisions recently introduced by this legislative intervention, in particular, worthy of note is Article 2-quinquies of the new Privacy Code, according to which “In implementation of Article 8, paragraph 1, of the GDPR, the child aged 14 years may give consent to the processing of his/her personal data, in relation to the offer of information society services. With regard to these services, the processing of personal data of children below the age of 14 years, based on Article 6(1)(a) of the Regulation, is lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the children”.
As is well known, art. 8.1 of the GDPR had identified 16 years as the minimum age at which a child may lawfully give consent in relation to the offer of information society services, leaving it to the Member States to establish a lower age, within the limit of 13 years, as the Italian legislator then did. In any case, Legislative Decree n. 196/2003 emphasises the need for data controllers to draw up their privacy notices in clear and simple language, which shall be concise and exhaustive, as well as easily accessible and understandable by the child, as recommended in recital n. 58 of the GDPR.
Also worthy of mention are the provisions adopted in the matter of scientific research, referred to in Articles 99 – 110-bis of the Privacy Code, according to which the Italian Legislator has: (i) identified some hypotheses in which the processing carried out for purposes of scientific research shall be carried out without the prior consent of the data subjects; (ii) confirmed the possibility, already provided for in Law n. 167/2017, of re-using personal data for purposes of scientific research, extending this hypothesis to genetic data; (iii) established certain rules for the re-use of data for purposes of scientific research.
Finally, the intervention carried out in the area of criminal offences should be noted. On the one hand, it led to the repeal of the crime provided for in Article 169 - "Security measures" of Legislative Decree n. 196/2003, by reason of the simultaneous repeal of the corresponding provisions (Annex B of the Privacy Code); on the other hand, it confirmed the remaining offences and introduced two new types, concerning respectively the unlawful communication and dissemination of personal data subject to large-scale processing and the fraudulent acquisition of personal data subject to large-scale processing.
As expected since the latest interventions on local privacy legislation made by the Italian Legislator through the enactment of Law n. 167/2017 and Law n. 205/2017, which had indeed contributed to making the Italian regulatory framework extremely confused, with Legislative Decree 101/2018 Italy has finally implemented the changes necessary to make such provisions wholly compliant with the GDPR.
Article provided by Avv. Chiara Rossana Agostin / R&P Legal Law Firm / Italy