(by Michele Gorga, lawyer and Aidr observatory component for the coordination of DPO, RTD and Reputation Manager) Three changes to the Legislative Decree 30 June 2003 n. 196, in the updated version with the Legislative Decree 101 of 2018, made with the newborn Law Decree of 8 October 2021, which came into force on Saturday 9 October 2021.
The first change, which has already caused a scandal to be screamed at, but the alarm is exaggerated, concerns the necessary suppression, in view of the commitment undertaken at the European level to improve the efficiency of PNRR resources, of the preventive opinion of the Privacy Guarantor for the general acts of the PA
In order to maintain the commitment to de-bureaucratize the decision-making process of the implementing decree of the government action, the Government has repealed art. 2-quinquiesdecies of the Privacy Code. This rule provided for the treatments that presented high risks for the execution of a task of public interest, that is for those carried out by the Public Administration in the exercise of its duties, the need for the prior opinion of the Guarantor, who could prescribe measures and precautions that the data controller was then required to adopt in advance. Practically a superordinate control over the government action that was badly reconciled with the timing and streamlining of the PNR expenditure streamlining procedure.
The contextual reform that provides for the repeal of art. 22 of Legislative Decree 101 of 2018 and co. 3 of art. 9 of the aforementioned Legislative Decree 139/2021 also providing that the opinions of the Guarantor for the protection of personal data requested with regard to reforms, measures and projects of the National Recovery and Resilience Plan referred to in Regulation (EU) 2021/241 of the European Parliament and of the Council of February 12, 2021, of the National Plan for complementary investments referred to in the decree-law of May 6, 2021, n. 59, as well as the Integrated National Plan for Energy and Climate 2030 referred to in Regulation (EU) 2018/1999 of the European Parliament and of the Council of 11 December 2018, are rendered within the non-extendable term of thirty days from the request, which can proceed independently from the acquisition of the opinion of the guarantor.
A reform, therefore, necessary for Italy that does not affect the privacy rights of citizens, but only the extent of the sphere of the preventive control power of the Guarantor, and respect for the limits of the subsequent one, which does not at all suppress the right the protection of the data of the persons who may be interested in the individual procedures who will always be able to assert their rights in the competent judicial and administrative offices. It is a question, therefore, of reforms that aim at the efficiency of the administrative process and that de-bureaucratise a little Byzantine procedures, entangled in opinions halfway between unexpressed certainties and permanent uncertainties. A good start, therefore, given that if we talk about simplifications in the Public Administration, we must start somewhere.
Speculating the abrogation of art. 2-quinquiesdecies, in the matter of the preventive opinion of the guarantor, is the provision made again with the law decree 136/2021 integrating art. 2-ter of Legislative Decree 196/2003 on the legal basis for the processing of personal data carried out by public administrations for the execution of a task of public interest or connected to the exercise of public authority, providing the legislator that the processing of personal data by a 'public administration, including independent authorities, as well as by a publicly controlled company or a body governed by public law, is now always permitted if necessary for the fulfillment of a task carried out in the public interest or for the exercise of public powers attributed to it and this regardless of the purpose of the processing, whether or not it is expressly provided for by a law or regulation. The aforementioned treatments, therefore, can now be traced back to the task performed or to the power exercised and thus the possibility of maneuvering the administrative action is extended so as not to remain always chained to the existence of a law of legitimation of the treatment.
Finally, another significant modification of the Privacy Code was imposed due to the too casual use that too many subjects make of their image or data. With the introduction of a new article 144-bis of Revenge porn it is expected that anyone, including minors over the age of fourteen, has reasonable grounds to believe that images or videos with sexually explicit content concerning them, intended to remain private, may be subject to dispatch, delivery, transfer, publication or dissemination without your consent in violation of art. 612-ter of the Criminal Code, can contact the Guarantor, by means of a report or complaint, who, within forty-eight hours of receiving the request, proceeds pursuant to article 58 of Regulation (EU) 2016/679, thus expanding the urgent and precautionary powers of the Guarantor to ensure immediate and urgent protection to probable victims of the network. Finally, it is envisaged that when the images or videos concern minors, the request to the Guarantor can also be made by the parents or by those exercising parental responsibility or guardianship.