THE IMPLEMENTATION OF DIRECTIVE 95/46/EC IN ITALY
Directive 95/46/EC, was initially transposed into Italian law by Act no. 675 of 31 December 1996 on the protection of individuals and other subjects with regard to the processing of personal data. This law was enacted to fully implement the Directive. However, following the application of the law especially in relation to the rules of the Directive, it was described as unsatisfactory and more cumbersome than any other national law transposing the Directive. The 1996 Act contained elements which were either inconsistent with or contradictory to the Directive. Of particular interest are the requirements for consent and the adoption of security measures. While unambiguous consent is all that is required by the Directive, in the 1996 law effective consent could only be; freely given, in a specific fashion, and documented in writing. Moreover, the rules on notification set in the Act ignored the Directive’s rules on the simplification or exemption of the notification process. The Act created more security requirements than provided for in the Directive rendering its application complex and difficult. Nonetheless the 1996 law adopted most of the Directive’s rules and ensured a considerable level of protection for Italian citizens.
The 1996 Italian data protection Act was replaced in 2004 by the Italian personal data protection code. This code is a combination of all regulations and laws on data protection existing since 1996 including, EC Directive 2002/58. This new code offers more protection for data subjects while simplifying most of the existing complex procedures and rules. And it is moreover a better adaptation of Directive 95/46/EC. The new rules on notification laid out in the code are in line with the Directive’s requirement for the simplification or exemption of the notification process unless the data subject’s rights could be adversely affected. Furthermore, according to the new code written consent would only be necessary for the processing of sensitive data and not for all forms of personal data as previously required, and the Directive’s rules on the processing of sensitive data have been fully adopted. The 2003 code also introduces a new principle of data minimisation which requires, less and when possible no use of personal data at all especially if anonymous data could be just as effective except in cases of necessity.
Act no. 675 of 31 December 1996 on the protection of individuals and other subjects with regard to the processing of personal data http://www.privacy.it/legge675encoord.html
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data http://www.cdt.org/privacy/eurdirective/EU_Directive_.html#HD_NM_22
Italian personal data protection code: legislative decree no.196 of 30 June 2003
CONFINDUSTRIA: Implementation of Directive 95/46/EC in Italy I http://ec.europa.eu/justice_home/fsj/privacy/docs/lawreport/paper/confindustria_en.pdf
Garante per la protezione dei dati personali: An overview of Italy’s new data protection code http://www.garanteprivacy.it/garante/doc.jsp?ID=311113