Personal data processing in the medical research sector: What's new in the italian artificial intelligence law

On October 10, 2025 the new Italian law on artificial intelligence will enter into force. This is the first national regulatory framework in Europe addressing the development, use, and governance of AI systems in accordance with the European regulatory framework (as provided by the AI Act).

Sections 7-9 lay down rules on the use of AI in the healthcare sector: in the field of healthcare and scientific research, the use of AI is allowed for the improvement of the healthcare system, providing support in prevention, diagnosis, and treatment processes.

1. SCIENTIFIC RESEARCH AND DATA PROCESSING

Section 8 introduces significant changes to facilitate scientific research and trials in the development of AI systems in the healthcare sector.

In particular, this article declares the processing of personal data to be of significant public interest according to Section 9, paragraph 2, letter g) of GDPR when carried out

• in the context of scientific research and trials for the development of AI systems for prevention, diagnosis and cure purposes as well as development of pharmaceutical products or medical devices, and
• by publicor private non-profit entities, IRCCS, or private entities working on research projects with non-profit entities,
• insofar as it is necessary for the creation and use of databases and AI models.

According to Section 9, paragraph 2 letter g) of the GDPR the processing of special categories of personal data, including health data,  is allowed when it is necessary “for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”. Consequently, given the significant public interest, the processing of health data may be carried out by the above-mentioned entities even in the absence of consent.

The regulation then provides a list of situations of significant public interest, including:

• the prevention, diagnosis, and treatment of diseases;
• the development of drugs, therapies and rehabilitation technologies;
• the creation of medical devices and human-machine interfaces, as well as areas of public health and health safety;
• the study of physiology, biomechanics, and human biology, even in contexts not strictly related to healthcare.

2. THE SECONDARY USE OF DATA

Section 8(2) of the new AI law allows – for the same purposes indicated above and by the same entities – the secondary use of personal data  already collected for for other purposes, “without direct identifying elements” and without further consent from the data subject. : In such cases, it is still necessary to provide information to the data subjects, obligation that may also be fulfilled by means of general information made available on the data controller’s website.

3. ANONYMIZATION, PSEUDONYMIZATION, AND SYNTHETIC DATA

Section 8(3) states that “processing for the purposes of anonymization, pseudonymization, or synthetization of personal data, including data belonging to special categories under Section 9, paragraph 1, of the same Regulation (EU) 2016/679, is always permitted, subject to notification to the data subject“, in the areas mentioned above and for Section 2-sexies, paragraph 2, letter v) of the Data Protection Code (planning, management, control, and evaluation of healthcare, including the establishment, management, planning, and control of relations between the administration and entities accredited or affiliated with the national health service). A legal basis is therefore established for the anonymization, pseudonymization and synthetization of data, providing clarity in the broad debate on whether or not an ad hoc legal basis is necessary for such purposes.

4. OBLIGATION TO NOTIFY THE ITALIAN DATA PROTECTION AUTHORITY

Section 8(5) states that data processing based on significant public interest and secondary use (as described above) must be notified to the Italian Data Protection Authority, providing all the information required under Sections 24, 25, 32, and 35 GDPR (details of the data controller, privacy by design and by default , security measures , the Data Protection Impact Assessment (DPIA) ), and the list of data processors pursuant to Section 28 GDPR.  The processing may only begin 30 days after the information has been sent to the Data Protection Authority, unless the latter blocks the processing.

5. CRITICAL ISSUES IN THE WORDING OF THE REGULATION

The new AI law presents some criticalities, primarily due to the lack of coordination with other existing legislation governing data management in scientific research:

• With regard to the processing of personal data for research purposes classified as being of ‘significant public interest’, the AI law makes no reference to Section 2-sexies of the Privacy Code, which implements Section 9(g) of the GDPR at national level, according to which the processing of special categories of personal data may take place when it is provided for ‘by European Union law or, in national law, by legal or regulatory provisions  or by general administrative acts specifying the types of data that may be processed, the operations that may be performed and the reason of substantial public interest, as well as the appropriate and specific measures to protect the fundamental rights and interests of the data subject.” Consequently, although Section 8 confirms the nature of the significant public interest of the research that justifies the processing, the other specific requirements of Section 2-sexies, including appropriate and specific measures to protect the fundamental rights and interests of the data subject, are not met. Secondly, the question arises as to whether the provisions of Section 8 will suffice or whether other regulations will be required. The Italian Data Protection Authority, in its “Opinion on a bill of law containing provisions and delegated powers on artificial intelligence – August 2, 2024 [10043532]’, suggested that Section 8 does not meet the requirements of certainty laid down in Section 6, paragraph 3, letter b) and 9, paragraph 2, letter g) of the Regulation, as well as 2-sexies of the Code.
• With regard to the entities authorized to process personal data for scientific research purposes based on public interest, the law chooses to derogate from the consent requirement provided for in the Data Protection Code only for public and non-profit research activities, while most medical research in Italy is privately funded.
• With regard to the secondary use of data, the law also presents problems of harmonization with the GDPR: the secondary use of data (always within the limits of the presumption of non-incompatibility of the purpose referred to in Section 5, paragraph 1, letter b) of the Regulation) requires the provision of the safeguards laid down in Section 89 of the Regulation. Section 89 of the Regulation requires that processing for scientific research purposes be subject to appropriate safeguards for the rights and freedoms of the data subject, safeguards that ensure that technical and organizational measures have been put in place, in compliance with the principle of data minimization. Section 8 does not mention  obligations on the data controller, giving rise to uncertainties in its application. The choice of the AI law to rely (for medical research) on Section 9, paragraph 2 letter g) GDPR, instead of letterj) of the same article in combination with article 89 GDPR, seems at least arguable.

Despite some uncertainties on  its provisions, the Italian AI law  marks an important step forward in the healthcare sector, opening up an era in which personal data are a valuable resource for medical and scientific research. The provisions of the law shall be implemented by delegated Government decrees over the next months, so it is probably too early to see big changes around AI development due to this law, however, it is necessary to pay attention to its future progresses.