09 October 2018

GDPR. Legislative Decree no. 101/2018 and its immediate and full application: considerations

Legislative Decree no. 101/2018, recently issued, has regulated the adaptation of national legislation concerning protection of personal data to the EU Regulation no. 679/2016, reforming the Privacy Code (Legislative Decree no. 196/2003).

Legislative Decree no. 101/2018, infact, aims to harmonize laws contained in the Privacy Code with the provisions of the European regulations, directly applicable and binding from 25 May 2018.

At present, therefore, concerning protection and personal data safeguarding, an extremely complex regulatory framework is outlined, which includes the GDPR as its primary source, directly applicable even at the expense of national laws and the Privacy Code, as amended by Legislative Decree 101/2018.

"This Decree and the provisions of national law shall be interpreted and applied in the light of the European Union rules concerning protection of personal data, and shall ensure the free transfer of personal data among Member States, in accordance with Article 1(3) of Regulation (EU) No 2016/679" [Legislative Decree No 101/2018, Article 22(1)].

The Italian Antitrust Authority has not conceived any "soft" trial period of the new rules application, no transition time, despite the recommendations made by the Chamber of Deputies and the Senate (Explanatory Report of Article 22 of the Decree[1]), going in the opposite direction, suggesting a transitional period of eight months for the full application concerning protection of personal data new regulation, in order to ensure the absorption of the resulting regulatory framework.

The provision contained in the Legislative Decree 101/2018, on the other hand, limits itself to recommend a period of eight months of classification, but only in relation to the application of any penalties. A period of time only for the purpose of defining the criteria that the Guarantor Authority must take into account in defining the financial penalties to be imposed.

The Guarantor (as well as the Judicial Authority and any public administration, service company or research and study structure) is required to give full and complete application to all the new regulations.

An ordinary regulatory gap, therefore, despite that our country has clearly shown to be in a dangerous delay in the process of adjustment to the discipline provided by the GDPR. Precisely in the Italian context, it would certainly have been appropriate to follow the recommendations of the Chamber and Senate and establish a period of longer regulatory gap, to give more time to citizens, employers and managers to align themselves with a discipline that, if addressed without planning and forecasting, is likely to heavily affect companies and users, as has already happened.

The intention is certainly to avoid any possible controversy or antinomy in the application, ensuring the rules of the legal system consistency and conformity with the European regulatory framework.

Such a reversing decision seems to be little indicated, considerating the current situation of gradual adaptation to European discipline within the Italian landscape.

In the final analysis, and by the interpretative method resulting from the system of sources, the GDPR becomes to all intents and purposes a parameter of legitimacy of the national legislation: any interpretation and application of this legislation that is contrary to the provisions contained in the GDPR constitutes a flaw of illegality.

From now onward, we must bear in our mind that the entire Italian data protection legislation is based on the competence of the Italian legislator deriving from the GDPR and, consequently, must be interpreted and applied in the light of the new European Regulation.

A principle that is certainly right and acceptable, but which, in our opinion, would have required a longer period of "gestation".


[1] Illustrative Report to Legislative Decree 101/2018, cit. "Paragraph 1 contains, first of all, an interpretation clause of general application, which requires to interpret and apply, in fact, this decree and the other national rules in the light of the European rules on the protection of personal data. At the same time, paragraph 6 provides, with a general safeguard clause, that references contained in laws or regulations to the provisions of Legislative Decree no. 196 of 2003 are to be understood as referring to the corresponding provisions of the Regulation or of this decree, insofar as they are compatible".