Cookies and surroundings: some notes on the Italian Legislative Decree 69/12, transposition of the EU directive on privacy in the sector of publicly accessible electronic communications services
With Legislative Decrees no. 69 [1] and no. 70 [2], published in O.J. no. 126 of 31 May 2012 and both in force since 1 June, Italy has finally transposed European Directives 2009/136/EC [3] and 2009/140/EC [4] on telecommunications, introduced by the EU to increase the competitiveness of the industry and to provide better services to customers. Among other things, the new rules give citizens the right to change operator in a single day without changing phone number, to receive clearer information about the services offered, and to obtain better protection for their data processed on line.
Italy has thus finally avoided the infringement procedure provided for those Member States that did not transpose these European directives within the time allowed (the deadline was 25 May 2011). At present, it has been decided to refer 5 Member States (Belgium, Netherlands, Poland, Portugal and Slovenia) to the EU Court of Justice because they have still not transposed the rules in question.
Legislative Decree no. 70/12 amends Legislative Decree no. 259/2003 (Electronic Communications Code), while Legislative Decree no. 69/12 amends Legislative Decree no. 196/03 (Code for the Protection of Personal Data, the Privacy Code): the notes and comments in this article concern the latter.
The changes made to the Privacy Code are many and all significant, and they specifically affect the provisions on the processing of personal data and the protection of privacy in the electronic communications sector (Directive 2009/136/EC amends Directive 2002/58/EC, which is transposed in the Code mainly by the current Title X “Electronic Communications”, sections 121-133, besides section 4 on the definitions of terms).
As a whole, the changes to the Privacy Code concern:
new obligations concerning measures for personal data protection, and
prior consent in relation to cookies and, more generally, to the use of subscribers'/users' personal data, subject to technical needs and to those strictly related to the fulfilment of contractual obligations.
Measures for personal data protection
The introduction of the new category of offence, “breach of personal data”, entails new requirements in terms of technical, organizational and procedural security measures, aimed at minimizing the related risks and ensuring the implementation of a security policy (changes to section 32), and in terms of mandatory notifications to the Italian Authority for the Protection of Personal Data (IDPA in the following) and, under specific conditions, to the individual users/subscribers whose personal data have been breached (new section 32-bis).
Regarding the security measures, it is worth highlighting that the new requirement emphasizes the need to minimize the risks, including accidental ones, of destruction, loss or modification of data, enlarging the scope of the technical and organizational/procedural measures needed to satisfy the requirement (and thus affecting the instructions and training given to the persons in charge of processing, and their responsibilities). Where services are outsourced, these changes to the requirements on security measures and related liabilities could also result in the revision/update of the privacy agreements in place (typically the data processor designation under section 29 of the Privacy Code, with the related instructions, made by operators to the suppliers involved in service provision).
The new requirements on notification to IDPA and, when “the violation of personal data is likely to damage personal data or the confidentiality of the subscriber or any other person”, directly to the subscribers/users, demand non-trivial efforts from operators (and their providers) that operate through complex, distributed organizations which change dynamically in response to market trends and to the technological upgrades applicable to their business. In particular, the measures needed to ensure notification without “undue delay” require specific attention, as does the creation and updating of the “inventory of breaches occurred”, a new measure which will require close coordination between all the actors involved in the service. The new rules also state explicitly that IDPA may lay down detailed measures defining the limits and operational practices required by the new notification requirements for personal data breaches (for example, the practical criterion for determining when subscribers/users must be notified, the information to be included in the description of the breach, and so on).
The provisions of the new section 132-bis should also be taken into account: operators are required to establish internal procedures for answering requests made under the existing legal provisions on access to personal data, and to provide IDPA, on request, with information on these procedures and data on their use (number of requests received, the legal justification invoked and the answers given).
The new section 162-ter introduces substantial administrative penalties for violation of the provisions on mandatory notification when “personal data breaches” occur (new section 32-bis): these sanctions will be applied to the operator's providers if they have not fulfilled the requirement of communicating to the operator, without “undue delay”, the information necessary for compliance with the new notification obligations.
In addition, the amended section 168 now provides for a criminal offence where false declarations or incorrect information concerning a “breach of personal data” are given to IDPA: the offence is punished with imprisonment from six months to three years.
The (ultimate?) victory of the Opt In approach for collecting and handling the consent
Collecting and handling consent for activities that involve on-line monitoring of users will inevitably affect the aspects most closely linked to respect for the privacy of individuals, and a debate is expected that will be neither simple nor likely to find, in a short time, the right balance between distant and conflicting interests. The involvement, under the amended section 122, of the most representative national consumer associations and of the economic groups concerned in the decisions which IDPA will have to take in order to define simplified procedures for providing information to data subjects, pursuant to section 13 of the Code, should be read in the same light.
It is hardly necessary to emphasize that the issue of cookies and the “Opt In versus Opt Out” approach to consent involves interests and scenarios that cannot be addressed only at the national level, or even at the EU level:
last February, the President of the United States, B. Obama, signed an important report on the future of privacy in on-line commercial activities [6];
in March, the U.S. Federal Trade Commission issued the report “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers” [7], which outlines the specific privacy best practices that American companies should follow;
thanks to the active participation of leading international players in online business, the definition of standards and mechanisms for implementing “Do Not Track” in Internet browsing tools is well under way (see the recent work on the subject by the W3C, World Wide Web Consortium), with the appreciation publicly expressed by Neelie Kroes, Vice-President of the European Commission, and with the attention paid to it by the WP 29 in its exchange of “opinions” on the approach to Online Behavioral Advertising proposed by the major global organizations representing the sector (EASA, IAB) [8].
[1] Legislative Decree of 28 May 2012, no. 69: Amendments to Legislative Decree of 30 June 2003, no. 196, Code for the protection of personal data, implementing Directives 2009/136/EC, with regard to the processing of personal data and the protection of privacy in the electronic communications sector, and 2009/140/EC, relating to electronic communications services, and Regulation (EC) no. 2006/2004 on cooperation between the authorities responsible for the enforcement of consumer protection
[2] Legislative Decree of 28 May 2012, no. 70: Amendments to Legislative Decree of 1 August 2003, no. 259, Electronic Communications Code, implementing Directives 2009/140/EC, with regard to electronic communications networks and services, and 2009/136/EC, with regard to the processing of personal data and privacy
[3] Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:en:PDF
[4] Directive 2009/140/EC of the European Parliament and of the Council of 25 November 2009:
[5] Software agents that, once installed in the user's terminal equipment (computer, mobile phone, …), are able to insert/retrieve information, including personal information, and that can be used to monitor the on-line behaviour of users
[6] Please note the sub-title: “A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy”, http://www.whitehouse.gov/sites/default/files/email-files/privacy_white_paper.pdf
[8] Some references can be found in “On line behavioural advertising: surfing between EU – not EU regulations”,