On October 10, 2024, Italy adopted the Data Governance Decree,[1] which amends national legislation under the Data Governance Act (“DGA”).[2] The Data Governance Decree entered into force on October 25.
The DGA, which took effect on September 24, 2023, has covered data governance in the EU, including making data more available within the EU and facilitating data sharing across different sectors. The DGA impacts public and private entities and allows them to benefit from using personal and non-personal data to provide new services and products (for example, customized healthcare services).
National competent authority
The Data Governance Decree identifies the Agency for Digital Italy (Agenzia per l’Italia Digitale, or “AgID”) as the Italian authority competent on this issue. AgID is in charge of registering and monitoring data intermediation services and data altruism organizations and applying sanctions in case of infringement.
Under the DGA, data intermediation services providers act as intermediaries between data holders and data users to ensure secure data sharing. Data altruism organizations are nonprofit entities that manage data provided by individuals or companies for the public good.
AgID powers
As the national authority competent in this area, AgID must (i) monitor and verify that data intermediation services providers and data altruism organizations comply with the requirements set forth in the DGA (e.g., the obligation for data intermediation service providers to notify the competent authority when starting or stopping their activity and the prohibition against using data for purposes other than those of the service), (ii) receive notifications from data intermediation services providers, and (iii) register data altruism organizations.
AgID shall also assist public institutions in granting or refusing access to reuse the types of data classified as protected under the DGA (e.g., personal data and confidential data).
AgID works with other institutions, including the national cybersecurity agency (Agenzia per la Cybersicurezza Nazionale), the competition authority (Autorità Garante della concorrenza e del mercato), and the data protection authority (Garante per la protezione dei dati personali).
Sanctions
AgID can impose administrative fines if the DGA is infringed. Fines should be proportional to the seriousness of the infringement. They can be set anywhere from a minimum of EUR 10,000 to a maximum of EUR 100,000, or for a company up to a maximum of 6% of its total annual worldwide turnover of the previous year.
Next steps
To date, 11 organizations across the EU have been identified as intermediation service providers (under Article 37 of the DGA, such organizations must meet their obligations by September 24, 2025) and one organization has registered as a data altruism organization.
In a few months, we will be able to assess the impact of the DGA in Italy more clearly. AgID is poised to issue a decision that provides technical and organizational details for data altruism and outlines information to be provided to data subjects to reuse their data. Obviously, that decision and the requirements it lists will have bearing on the impact of the DGA and the Data Governance Decree.
[1] Legislative Decree No. 144/2024, published in the Official Journal on October 10, 2024.
[2] Regulation (EU) 2022/868.