The new EU Regulation concerning the protection of personal data (Regulation 2016/679), approved on 14 April 2016 by the European Parliament and published in the Official Journal of the European Union on 4 May 2016, marks the beginning of a new era for the privacy of European citizens in their relationships with public administrations and businesses.

The regulation is, in fact, very important not only because it attempts to harmonize the privacy rules in force in the various member States of the European Union, but also because it introduces the principle of accountability into the delicate subject matter of confidentiality of personal data.

What does «accountability» mean exactly? It means that the controller must be able to prove that it has adopted a procedure composed of juridical, organizational and technical measures for the protection of personal data.

This change marks a real “Copernican revolution” with regard to privacy protection.

In fact, the privacy code in force in Italy (Legislative Decree 196/2003) does not directly provide for the principle of accountability, but rather for a system of civil, criminal and administrative liabilities established ex post in case of failure to fulfil a series of formal rules (information, consent, notification to the Data Protection Supervisor, etc.).

Under the new regulation, the data processor is instead liable “in advance”, so to speak.

Therefore, the principle of accountability for businesses (and for anyone who, by reason of their activity, has to process personal data) translates into a principle of actual guarantee towards the data subject, which implies even greater transparency than under the present regime.

The controller will actually be able to prove that the data processing complies with the European regulation on the protection of personal data through the adoption of security measures, adherence to codes of conduct or to a certification mechanism, and also through the drafting of specific organizational models, analogous to those used in the implementation of Italian Legislative Decree 231/2001.

The publication of Regulation 2016/679 in the Official Journal of the European Union marks the beginning of the two-year period (which will expire on 25 May 2018) fixed by the European lawmakers to allow the individual member states to adjust their national legislation to the Regulation and to supplement it in those aspects which are left to the discretionary assessment of the national legislators.

Therefore, Italian businesses will have to quickly start an important organizational re-examination process to bring their business organization into compliance with the rigorous provisions of the Regulation and to avoid incurring breaches which might imply not only criminal liability for controllers and processors, but also very substantial fines.

With reference to the latter, one need only consider that art. 83 of the Regulation provides that, in case of infringement of some of its main provisions, an «administrative fine up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher» shall be imposed.

(Bologna Office – Stefano Campogrande – 0039 (0)51 2750020)
