Long story short: GDPR in Italy is a complete mess and a shining example of legal Spaghetti Code.
Explanation: the GDPR was passed in 2016, so the Italian Parliament had plenty of time to pass the laws needed to harmonize the national legislation with the new European directions, and the Italian Data Protection Authority had plenty of time to revise its general authorization and other regulatory issues so as to properly meet the May 25, 2018 deadline.
Neither of them lifted a pinky, and both arrived dead late: in December 2017 the Parliament, short on time and resources, decided to take a shortcut and give the Government the task of producing, by May 21, 2018 (yes, May 21), a legislative decree aimed at harmonizing the national legislation with the GDPR.
The Government didn’t meet this deadline, mainly because the very first draft of this legislative decree, while pompously announced as approved by the Presidency of the Council, was withdrawn because of the serious doubts raised about the compatibility of this text with the GDPR, and replaced by a new (deeply secret) draft finally signed by the President of the Republic on August 10, 2018 but not yet published in the Official Journal.
So, as the Bard said, All’s well that ends well?
To be passed, a legislative decree needs a “delegation law” issued by the Parliament that empowers the Government to do so, while setting the boundaries of this activity and a deadline. If either the limits set forth by the delegation law or the deadline (or both) aren’t met, the legislative decree cannot be passed and the ball comes back into the Parliament’s field.
The first draft of the legislative decree was plagued by a blatant mistake: while the Parliament asked to “amend” the Italian Data Protection Code, the Government just repealed it, thus exceeding the boundaries of the “delegation law”.
Furthermore, because of this mistake, there was no way to meet the May 21 deadline. Therefore, the Government was given a new deadline, set to August 21, 2018. But, as has been noted (Italian only, sorry), this extension was not legal.
There are several consequences arising from this state of affairs:
- The legislative decree that is going to become effective once published in the Italian Official Journal must be complied with, but it will likely be challenged in court when the Data Protection Authority tries to fine a Data Controller, or somebody sues a Data Controller.
- Data Controllers need to comply with this legislative decree even if there is the chance of a judicial overruling. This means a potential waste of money on compliance activities that might no longer be mandatory in the future.
- Furthermore, as soon as the legislative decree enters into force (and we still don’t know when), Data Controllers will need to re-assess their compliance model.
- Data Controllers would not have been given the possibility to comply with the GDPR in time even if the first deadline (May 21) had been met. Nevertheless, they face the actual possibility of being fined right now. And nobody – neither the Parliament, nor the Government, let alone the Data Protection Authority – has the right to delay the enforcement of the GDPR.
- Although there are “unofficial” versions of this legislative decree, the definitive one is still kept more secret than the Coca-Cola recipe. There is no actual reason for this secrecy, which is damaging Data Controllers, Processors and Data Subjects. With a narrow timeframe to comply, making the approved text available in advance would have given Data Controllers & C. the chance to save weeks, at least to run a preliminary assessment. Oddly enough, neither the Government nor the Italian Data Protection Authority went public with the final text.
Conclusion: foreign and other EU members’ companies will have a very hard time coping with the GDPR in Italy.