The Decree, which entered into force on June 1, 2012, amended the Italian Data Protection Code (Legislative Decree of June 30, 2003, no. 196) introducing new requirements for providers of publicly available electronic communications services to deal with personal data breaches and new provisions on the use of cookies by website operators.
Please find below a brief summary of the main measures taken by the Italian government.
* * *
Definition of personal data breach
The Decree amends Section 4 of the Italian Data Protection Code introducing the definition of “personal data breach”, meant, in accordance with Section 2(2)(c) of the e-Privacy Directive, as a breach of security leading to the accidental destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service (new Section 4(3)(g-bis) of the Italian Data protection Code).
Procedures to deal with a personal data breach
The Decree implements in Italy the data breach notification requirements as set forth under the e-Privacy Directive (new Section 32-bis of the Italian Data Protection Code). According to the new provisions:
If the provision of an electronic communications service has been outsourced to third parties, the latter shall cooperate with the provider for purposes of compliance with the above notification requirements.
The DPA may issue guidelines and instructions concerning the circumstances under which providers are required to notify personal data breaches, the format of such notification and the modalities in which the notification is to be made.
Failure or delay to notify a personal data breach to the DPA is sanctioned with a fine ranging between EUR25,000 to EUR150,000.
Failure or delay to notify a personal data breach to the contractor or other individual is sanctioned with a fine ranging between EUR150 and EUR1,000.
Providers’ failure to keep an inventory of the personal data breaches is sanctioned with a fine ranging between EUR20,000 to EUR120,000.
The above-mentioned notification requirements currently apply only to “providers of publicly available electronic communications services”, in accordance with the e-privacy Directive.
However the same e-privacy Directive, in consideration of the fact that interest of users in being notified is not limited to the electronic communications sector, provided that mandatory notification requirements applicable to all sectors and type of data should be introduced at EU level as a matter of priority (recital 59).
The opportunity to apply the data breach notifications requirements to all data controllers has been stressed also by the Article 29 Data Protection Working Party (Opinion no. 1/2011 of April 5, 2011) and by the EU Commission in a public consultation on circumstances, procedures and formats for personal data breach notifications launched on July 14, 2011.
In this regard, the proposal for an EU data protection regulation issued by the EU Commission on January 25, 2012 provides for data breach requirements in relation to any data controllers.
“Opt-in” principle to use cookies
The Decree amends Section 122 of the Italian Data Protection Code clearly providing for an “opt-in” principle to use cookies, i.e. small files that store information on users’ hard drive or browser.
In particular, as a result of the implementation of the e-Privacy Directive:
This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service at issue.
The DPA has not clarified yet how providers can technically obtain users’ prior consent to use cookies. It is expected that it will do so in the next few months.