Cookies and surroundings: some notes on the Italian Legislative Decree 69/12, transposition of the EU directive on privacy in the sector of publicly accessible electronic communications services

With the Legislative Decrees no. 69¹ and no. 70² published in O.J. no. 126 of 31 May 2012 and both in force since June 1st, Italy has finally transposed the European Directives 2009/136/EC³ and 2009/140/EC⁴ with regard to telecommunications, introduced by EU to increase the competitiveness of industry and provide better services to customers. The new rules determine, among other things, the right for citizens to change operator in a single day without having to change phone number, to have clearer information about the services offered and to receive better protection on their data processed on line

In this way for Italy it has been finally avoided the ultimate infringement procedure provided for those Member States which have not implemented within the time allowed the transposition of these European directives (it was May 25, 2011). Currently for 5 Member States (Belgium, Netherlands, Poland, Portugal and Slovenia) it was established to refer to the EU Court of Justice because they have not still transposed the rules in question.

The Legislative Decree no.70/12 amends the Legislative Decree no. 259/2003 – Electronic Communications Code and the Legislative Decree no.69/12 modifies the Legislative Decree no.196/03 – Code for the Protection of Personal Data (Privacy Code): the notes and comments of this article concern this latter.

The changes made in the Privacy Code are many and all significant, specifically impacting on the provisions concerning the processing of personal data and protection of privacy in the electronic communications sector (Directive 2009/136/EC amending Directive 2002 / 58/CE transposed in the Code especially with the current Title X “Electronic Communications”, sections.121-133, besides the section 4 regarding the definitions of terms).

These amendments have significant implications in terms of obligations, liabilities and specific sanctions that will affect the providers of electronic communications services accessible to the public [operators in the following] and also, specifically mentioned for the first time very clearly in the Privacy Code, the other entities (their providers) to whom they entrust the provision of those services (in whole, in part). It then significantly enlarges the target audience for the new requirements, bearing in mind that the execution and delivery of a service almost necessarily requires the involvement of different companies each for their area of specialization in addition to those that effectively integrate and make available, on the market, the services to end users (for example: operation and maintenance services, provision of specific value-added services such as m-payment services, services based on geo-location in real time of the users’ terminal equipment, …). Not least in terms of impact, there are the changes that permanently constrain to the preventive, free and informed consent given by users and subscribers for the use of cookies⁵ , together with the modifications on the discipline of marketing / advertising practices of sending information by automated means without operator intervention (fax, sms, email, ..).

As a whole, the changes to the Privacy Code concern:

• new obligations concerning measures for personal data protection and

• the prior consent in relation to cookies and, in general for the use of personal data of the subscribers/users, subject to the technical needs and those closely related to fulfillment of contractual obligations.

Measures for personal data protection

The introduction of the new figure of offence “breach of personal data” entails new requirements in terms of technical / organizational / procedural security measures, in order to minimize related risks and ensuring the implementation of a security policy (changes to section 32) and in terms of mandatory notices to the Italian Authority for the protection of Personal Data (IDPA in the following) and in some cases to individual users / subscribers, in case of specific conditions for the violation of their personal data (new section 32 -bis).

Regarding the security measures it is worth highlighting that the new requirement emphasizes the need to minimize the risks even accidental of data destruction-loss-modification, enlarging the scope of measures, both technical and organizational / procedural (and thus affecting the instructions and training for the persons in charge of processing and their responsibilities …) necessary to satisfy the request. With a view to outsourcing services, these changes to the requirements for security measures and related liabilities could result also in the revision / update of the corresponding privacy agreements in place (typically the data processor designation under section 29 of the Privacy Code and related instructions, made by operators to their suppliers involved in services provisions).

The new requirements concerning the notice to IDPA and, when “the violation of personal data is likely to damage personal data or the confidentiality of the subscriber or any other person“, directly to the subscribers / users, require non-trivial efforts by operators (and their providers) if they operate through organizations complex, distribuited and dynamic in response to market trends, and to technological upgrades applicable to their business. In particular the measures to ensure “undue delay” in the notices in question require specific attention as well as the creation and updating of the “inventory of breaches occurred”, a new measure which will require close coordination between all actors involved in the service. It is also explicitly reported in the new rules that IDPA may determine detailed measures in order to provide limits and operational practices required by the new requirements of notices in case of breaches of personal data (such as to provide the practical criterion to determine when it is necessary to notice the subscribers / users, information to be included in the description of the violation, …).

It should then to take into account also the provisions required by the new section132-bis: operators are required to establish internal procedures for answering the requests made ​​in accordance with the existing legal provisions concerning access to personal data and provide to IDPA, if requested, information on these procedures and data concerning their use (number of requests received, the legal justification invoked and answers given).

The new section 162-ter introduces substantial administrative penalties in case of violation of the provisions on mandatory notice when “personal data breaches” occur (new section 32-bis): these sanctions will be applied against the providers of the operator , if they have not fulfilled the requirement of communicating without “undue delay” to the operator the information necessary for the purposes of compliance to the new notice obligations.

In addition, the amended section 168 now provides for a criminal offense, if false declaration or incorrect information is given to IDPA, concerning the “breach of personal data”: the offences are punished with imprisonment from six months to three years..

The (ultimate?) victory of the Opt In approach for collecting and handling the consent

The requirement of preventive, informed, free (and, non-trivial operatively: documented) consent is affirmed by the Legislative Decree no.69/12: in general for the processing of traffic data for purposes of marketing electronic communications services or for provision of value added services (amendment to section 123), for the use of cookies (sections 121 and 122) and for sending via automated means (without the intervention of an operator) advertising materials or direct selling or for carrying out market surveys or commercial communications (amendments to section 130) also with a view of services for the Information Society, where applicable (introduced references to regulations of Legislative Decree 70/03, Italian transposition of the European Directive 2000/31/EC, well-known as e-commerce Directive).

All what concerns in particular the issue of prior consent for the use of cookies is set to stay for a long time in the spotlight due to the variety of their implications as enablers or less to commercial activities performed via the Internet and related aspects of On Line Behaviour, such as in the case of advertising (OBA On line Behavioural Advertising).

Collection and handling of the consent for those activities involving on line monitoring of the users will give rise to unavoidable impacts on the aspects most closely linked to the respect of the privacy of individuals and it is expected a debate neither simple nor destined to find in short time the due balance between distant and conflicting interests. In this sense also is read, in amended section 122, the involvement of the most representative national associations of consumers and economic groups concerned, for the decisions which IDPA will be required to take in order to determine simplified procedures for the provision of the Information to data subjects, pursuant to section 13 of the Code.

It is hardly necessary to emphasize how the issue concerning cookies and the approach to consent “Opt In versus Opt Out” deals with interests and involves scenarios that cannot be simply faced only at national level or even at the EU level:

• last February the president of the United States B. Obama has signed an important report for the future aspects of privacy in on line commercial activities ⁶

• in March the U.S. Federal Trade Commission issued the report “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers”⁷ which outline the specific privacy best practices that American companies should follow

• thanks to the active participation of leading international players involved in online business, is well in progress the definition of standards and mechanisms for implementing “Do Not Track” for navigation tool on the Internet (see the recent work on the subject conducted by the W3C, World Wide Web Consortium), with the appreciation publicly expressed by Neelie Kroes Vice-President of the European Commission, and with the attention shown to them by the WP 29 on the occasion of the exchange of “opinions” about the approach for Online Behavioral Advertising proposed by major global organizations representing the sector (EASA, IAB)⁸

The extent and complexity of the regulatory changes introduced by Legislative Decree 69/12 are therefore substantial and there is a risk of underestimating the effort that must be spent by companies concerned, in order to achieve a robust level of compliance. As just one example: in the United Kingdom where the Directive 2009/136/EC has been transposed by 25 May 2011, the ICO (the English privacy authority) has provided a so-called grace period of one year, during which no inspections / sanctions have been activated and the companies concerned were given time to take the necessary actions required to activate the new measures in particular as regards the prior consent for the use of cookies.