Home
| Databases
| WorldLII
| Search
| Feedback
Privacy Laws and Business International Report |
NOW THAT ITALY’S DATA PROTECTION LAW has been in force for more than a year, results are beginning to show. The authority has handled more than a hundred enquiries a day, and registered 250,000 businesses in the first three months of 1998. Most effort, however, has been put into interpreting the law and providing advice.
Italy was the first Member State to implement the EU Data Protection Directive. The law is the first compre- hensive data protection law in Italy. It was adopted in December 1996 and entered fully into force on 8th May
1997. While there had been initiatives for a data law since the 80’s, it was not until 1995 that a bill was approved by the Government (PL&B, June ’96, p.2).
Italy’s law, the Act on the Protec- tion of Individuals and Legal Persons Regarding the Processing of Personal Data, 675/96 of December 1996, applies both to the private and public sectors. In addition to personal data of natural persons, it also offers pro- tection to legal persons.
The law defines personal data as any data which relates to an identifi- able natural or legal person. The processing definition, which refers to any manual or automated operation on personal data, makes the scope of the law extremely wide.
The new law was accompanied by another law, 676/96, which gives power to the Government to pass further legislation in the form of decrees supplementing and amending the new act. This power has recently been extended until July 1999, and is likely to be used for a variety of issues to give effect to all of the provisions of the directive, and to deal with new issues. For example, regulations are expected about privacy protection on the Internet, and the processing of sensitive data by public bodies. Two decrees were passed in May and July 1997 on transitional provisions regard- ing the duty of general notification. The deadline for notification was extended until 31st March 1998.
MUCH EMPHASIS ON CONSENT The Italian law places much impor- tance on an individual’s consent. In fact, all processing, apart from exemptions, needs an individual’s written consent. One of the cases where non-sensitive data may be processed without consent, is in rela- tion to an employment contract. Sensitive data, however, requires written consent.
UNWORKABLE PROVISIONS FOR TRANSBORDER DATA FLOWS?
The new law has an interpretation of transborder data flows to countries outside of the European Economic Area that is tighter than that required by the Directive. The law requires that the Data Protection Authority must be notified about any transbor- der data flows before they can take place. Furthermore, apart from requiring adequate level of protection for non-sensitive data, sensitive data needs equivalent protection to that guaranteed by the Italian law.
Even though these provisions have many exemptions, the numbers of notifications likely to be received may well have a paralysing effect on the day-to-day work of the authority.
A welcome feature in the law is that an authorisation for transborder data flows may be based on the existence of a contract.
HEAVY SANCTIONS FOR BREACHING THE LAW
The heavy-handed criminal sanctions in the Italian law should act as an effective deterrent for breaching the law. It is a criminal offence not to notify, to process data unlawfully or not to comply with the authority’s orders. These offences are sanctioned with one to three years imprisonment.
LAW CREATED AN INDEPENDENT AUTHORITY
The Data Protection Authority
(Garante per la protezione dei dati personali) was established under the new law in March 1997. It has four members; Professor Stefano Rodotà , the President of the Authority, Professor Giuseppe Santaniello, Vice President, Professor Ugo De Siervo and Claudio Manganelli. Dr Giovanni Buttarelli, who can be regarded as the father of the Italian law as he was the principal author of the data protec- tion bill, is the Secretary General of the organisation. The authority employs 45 people, the highest number it is allowed to recruit under the provisions of the data protection law. According to the President of the authority, the number of staff is already too small.
The authority’s main tasks are supervising compliance with the law, holding a register of notifications, solving disputes, providing advice and granting authorisations.
The authority co-operates with the Authority for IT in the Public Administration (AIPA). AIPA pro- vides support for the public administration in its use of informa- tion systems, and sets standards for the designing, developing and manag- ing of those systems.
PRIMARY TASK:
PROVIDING INFORMATION
The Data Protection Authority’s most important function during its first year of office has been to advise the public and organisations of their new rights and duties. The law has generated a lively debate which reflects the fact that all of the provi- sions are new. Data controllers in Italy have been faced with many more changes than those in countries with previous data laws. It is, there- fore, not surprising that the office had, by the end of March, dealt with
25,000 enquiries. In addition to this, the office has met with a number of organisations and businesses for informal talks.
Written information materials that have been produced include more than sixty press releases and booklets informing the general public about the authority’s work. The authority’s first annual report, published in April, provides a detailed account of the application of the new law, the powers of the authority, develop- ments in sectoral data protection issues such as telecommunications, and international developments.
WorldLII:
Copyright Policy
|
Disclaimers
|
Privacy Policy
|
Feedback
URL: http://www.worldlii.org/int/journals/PLBIRp/1998/3.html