Jump to ContentJump to Main Navigation
Bulk CollectionSystematic Government Access to Private-Sector Data$

Fred H. Cate and James X. Dempsey

Print publication date: 2017

Print ISBN-13: 9780190685515

Published to Oxford Scholarship Online: October 2017

DOI: 10.1093/oso/9780190685515.001.0001

Show Summary Details
Page of

PRINTED FROM OXFORD SCHOLARSHIP ONLINE (oxford.universitypressscholarship.com). (c) Copyright Oxford University Press, 2021. All Rights Reserved. An individual user may print out a PDF of a single chapter of a monograph in OSO for personal use. date: 24 January 2021

Systematic Government Access to Private-Sector Data in Italy

Systematic Government Access to Private-Sector Data in Italy

(p.111) 5 Systematic Government Access to Private-Sector Data in Italy
Bulk Collection

Giorgio Resta

Oxford University Press

Abstract and Keywords

This chapter focuses on Italian law as it pertains to the variety of legal provisions relevant to data protection and the access to private-sector data by law enforcement. The relevant sources of law can include interpretations of constitutional provisions by the Italian courts, implementation of EU law in Italian law, and statutory provisions, in particular the Italian “Data Protection Code.” Special rules apply to data processing in specific sectors, in particular the judicial sector, law enforcement, and national security. Several statutes make a broad reporting of private-sector data mandatory. Legislation provides individuals with the opportunity to assert their rights either by filing a private lawsuit or by filing a complaint with the Italian Data Protection Authority.

Keywords:   data protection, law enforcement, private-sector data access, Italian courts, Data Protection Authority

I. Abstract

Italian law contains a variety of different legal provisions relevant to data protection and access to private data by law enforcement.

The relevant sources of law can include interpretations of constitutional provisions by the Italian courts, implementation of EU law into Italian law, and statutory provisions, in particular the Italian “Data Protection Code”; general civil law is also relevant.

Special rules apply to data processing in specific sectors, in particular the judicial sector, law enforcement, and national security.

Several statutes make a broad reporting of private-sector data mandatory. This can include, for example, tax data, data relevant to anti-money-laundering obligations, data relating to mobile phone usage, data of hotel clients, and insurance data.

Legislation provides individuals with the opportunity to assert their rights either by filing a private lawsuit or by filing a complaint with the Italian Data Protection Authority.

II. National Legal Context and Fundamental Principles

The Italian Constitution does not explicitly protect the right to data privacy. This Constitution was adopted in 1947, when computers and electronic databanks were still unknown. It is not surprising, therefore, that no provision comparable to Article 13 of the Federal Constitution of the Swiss Confederation—according to which “[e]‌veryone has the right to be protected against the misuse of their personal data”—is to be found in Italy. However, Italy is committed to the rule (p.112) of law and the safeguarding of fundamental rights,1 and several articles of the Constitution provide for the protection of a range of interests that are strictly related to information privacy. One might mention, for instance, Article 14 (inviolability of the home) and Article 15 (privacy of communications). Such provisions have been frequently referred to—together with the general clauses on personal liberty and dignity2—as a constitutional basis for the right to privacy.3

More importantly, Articles 11 and 117 of the Constitution, recognizing the limitations of sovereignty necessary to achieve international cooperation, have opened the Italian legal system to the influence of European Law.4 As a result, the right to data protection has acquired—although indirectly—constitutional status. Indeed, it should be recalled that, according to Article 8 of the European Charter of Fundamental Rights, “everyone has the right to the protection of personal data concerning him or her” (following the entry into force of the Lisbon Treaty, the Charter has the same legal status as the European Union Treaties). In a similar vein, the European Court of Justice and the European Court of Human Rights have repeatedly asserted that the right to data protection ranks among the fundamental rights guaranteed by European law.5 One can conclude, therefore, that information privacy has constitutional (or at least para-constitutional) status in Italy, not through explicit guarantees, but as a result of the interaction between internal and European law.6

The influence of European law has proven extremely significant on a statutory level as well. Indeed, until 1996, Italy had no general regulation on data privacy. The only relevant sources were sparse and fragmentary provisions dealing, for instance, with the protection of workers’ privacy, or privacy of communications. Italy signed the 1981 Strasbourg Convention for the protection of individuals with regard to automatic processing of personal data; however, this covenant has (p.113) not been transposed into Italian law until recently. Only in 1996 did Italy pass a bill on the protection of individuals with regard to the processing of personal data, implementing the Directive 95/46/EC.7

In 2003 this act had been repealed and substituted by a “Data Protection Code” (hereinafter Data Protection Code) (d.lgs. 196/2003). This statute is conceived as a general law on information: it applies to the processing of personal data (defined as “any information relating to natural persons that are or can be identified, even indirectly, by reference to any other information including a personal identification number”) with or without electronic means. Article 2, paragraph 1 states the purposes of the Data Protection Code as follows: “[t]‌his consolidated statute […] shall ensure that personal data are processed by respecting data subjects’ rights, fundamental freedoms and dignity, particularly with regard to confidentiality, personal identity and the right to personal data protection.”

The linkage between the information privacy and the category of fundamental rights cannot be overlooked.8 On a statutory level, this provision confirms the primary status of the right to data protection, conceived as an expression of dignity. Consistent with this approach, the second paragraph of Article 2 lays down the principle that “[t]‌he processing of personal data shall be regulated by affording a high level of protection for the rights and freedoms referred to in paragraph 1 […]”. The Italian Constitutional Court has indirectly confirmed the particular relevance of the right to data protection. In a 2005 ruling, for instance, the Court decided that, in the event of a conflict between the Data Protection Code and a regional law (Italy is not a federal state, but regions have the power to legislate in several fields), the former shall prevail, as information privacy is part of the general civil law framework (ordinamento civile) mentioned by Article 117 Const.9 The institutional safeguards established by state law cannot therefore be infringed by contrasting provisions adopted by the regions.

III. Statutory and Regulatory Overview

The rules on information processing set out in the Data Protection Code are applicable both to the private and the public sector. Given the wide scope of application of the statute, the right to data protection must be constantly balanced against conflicting interests. Many of them have constitutional status as well. To name a few: freedom of expression (Article. 10 Const.), proper and fair operation of public affairs (Article 97 Const.), fair administration of justice (Article 111 Const.), and protection of health (Article 32 Const.). Striking a balance between (p.114) such values is never an easy task, and this is even more so in the public sector. Two factors play a major role. On the one hand, the greater expansion of the welfare state has enhanced the need for a capillary system of information retrieval and processing, not only with the purpose of making social services available, but also of preventing fraudulent behaviors. Several databanks have been established with this purpose in mind. Suffice it to mention, as a single example, the social security benefits database (Casellario dell’assistenza).10

On the other hand, the development of information and communication technologies and the increasing computerization of the public administration have made the setup and interconnection of data sets much easier, giving rise to more comprehensive and intrusive collections. It should also be added that the financial crisis has strengthened the pressure toward the adoption of measures aimed at curtailing tax evasion (Italy is among the top three ranking countries of the world for tax evasion)11 and fraudulent behaviors in the field of social security benefits. As a result, “systematic” access to private data,12 despite its strong impact on fundamental freedoms, is increasingly resorted to by the government.13 However, the Data Protection Code laid down a detailed set of rules and principles aimed at striking an acceptable balance between private and public interests involved in the processing of personal data by public bodies.14 I will stress here only three points.

  1. (a) First, the whole regime is based on the principle of use limitation. The processing of personal data is not allowed for all purposes; public bodies are only permitted to process personal data “in order to discharge their institutional tasks” (Article 18, paragraph 2). Such a requirement is consistent with Article 7 of the Data Protection Directive, according to which personal data may be processed—among other conditions—if the “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed.”

  2. (p.115) (b) Second, different standards have been laid down in the Code, depending on the features of the data. (i) If the processing concerns sensitive data15 and judicial data, it is allowed only if authorized by a law “specifying the categories of data that may be processed and the categories of operation that may be performed as well as the substantial public interest pursued” (Article 20). Lacking such a statutory basis, public bodies may request the Data Protection Authority (Garante per la protezione dei dati personali, hereinafter Garante) to determine the activities that pursue a substantial public interest among those they are required to discharge under the law. However, the Code makes clear that the processing of sensitive and judicial data by public bodies should be carried out only in exceptional situations; that is, it should be considered as extrema ratio. According to Article 22, paragraph 3, public bodies may process such sensitive and judicial data as are “indispensable for them to discharge institutional tasks that cannot be performed, on a case by case basis, by processing anonymous data or else personal data of a different nature” (this is frequently referred to as the principle of necessity, or data minimisation).16 Also, particular technical measures should be adopted, in order to enhance the security of processing operations.17 (ii) Data other than sensitive and judicial can be processed even in the absence of laws or regulations expressly providing for such processing. Particular rules apply to the communication18 of such data to third parties, including public bodies. In this case, the communication is permitted only if it is envisaged by laws or regulations. Lacking such laws or regulations, the communication is allowed if two conditions are met: a) it is necessary in order to discharge institutional tasks; and b) the Garante has been notified of the intention to communicate the data and has not withheld its approval within 45 days.

  3. (c) Last, one should note that, according to Article 18 of the Data Protection Code, public bodies must abide by the rules, requirements, and limitations set out in the Code. This means, in particular, that (p.116) personal data undergoing processing must be “relevant, complete and not excessive in relation to the purposes for which they are collected or subsequently processed”;19 and that “[i]‌nformation systems and software shall be configured by minimizing the use of personal data and identification data.”20 Such principles are particularly relevant because they work as an indirect limitation of the government’s power to indefinitely expand the size and number of databases containing personal data. Indeed, when called upon to issue recommendations on proposed bills and regulations pursuant to Article 154 Data Protection Code, the Garante has frequently referred to these principles.21 In several cases, the government has been required by the Garante to adopt changes on proposed bills, on the ground that they did not conform to the principles of “necessity and data minimisation.”22 These principles can be regarded, therefore, as important parameters to assess the proportionality of statutes and regulations providing for the collection and systematic access to personal data.

IV. Rules Applying to Special Sectors

Different rules apply to the sectors of the administration of justice, law enforcement, and national security. They are generally characterized by a policy of weaker protections for data subjects and stronger support for the interests of data controllers. The relevant sources are to be found both in the Data Protection Code and in special statutes.

(p.117) A. Processing of Personal Data in the Judicial Sector

The processing of personal data in the judicial sector is regulated by Articles 46–49. If personal data are collected, stored, or processed for “purposes of justice”—that is, if the processing “is directly related to the judicial handling of matters and litigations, […] or if it is related to auditing activities carried out in respect of judicial offices”23—a series of rules set out in the Code will not apply.24 Among them are the provisions concerning a data subject’s right to access (Articles 9–10), the duty to inform (Article 13), termination of processing (Article 16), general principles concerning processing by public bodies (Articles 18–22), duty of notification to the Garante (Articles 37–38), trans-border data flows (Articles 42–45), and nonjudicial remedies before the Garante (Articles 145–151).

By contrast, the principles enshrined in Article 11 are applicable also to the judicial sector. Therefore, personal data undergoing processing shall be processed lawfully and fairly; collected and recorded for specific, explicit, and legitimate purposes, and used in further processing operations in a way that is not inconsistent with said purposes; accurate and, when necessary, kept up to date; relevant, complete, and not excessive in relation to the purposes for which they are collected or subsequently processed; and kept in a form that permits identification of the data subject for no longer than is necessary for the purposes for which the data were collected or subsequently processed.

These safeguards are particularly relevant in the judicial sector, as court databases—which may have a significant impact on an individual’s rights and freedoms—need to be extremely accurate and always kept up to date. As regards the access by judicial authorities to data, information, and records from other public bodies,25 Article 48 provides that such acquisition “may also take place electronically. To that end, judicial offices may avail themselves of the standard agreements made by the Minister of Justice with public bodies in order to facilitate interrogation by said offices of public registers, lists, filing systems and data banks via electronic communication networks, whereby compliance with the relevant provisions as well as with the principles laid down in Sections 3 and 11 of this Code shall have to be ensured.”26

(p.118) B. Law Enforcement

The processing of personal data by police forces for purposes of law enforcement and public security is also subject to a special regime.27 It does not differ too much from the one relating to the judicial sector. Indeed, according to Article 53, several provisions of the Code shall not apply “to the processing of personal data that is carried out either by the Data Processing Centre at the Public Security Department or by the police with regard to the data that are intended to be transferred to said centre under the law, or by other public bodies or public security entities for the purpose of protecting public order and security, or the prevention, detection or suppression of offences as expressly provided for by laws that specifically refer to such processing.” As explained above in more detail, among the provisions exempted are Articles 9, 10, 12, 13, and 16; 18 to 22; 37, 38(1) to (5), and 39 to 45; and Articles. 145–151. As regards the conditions that have to be satisfied in order to gain the exemptions mentioned by Article 53, the processing has to be carried out: (1) by police authorities or equivalent public bodies; (2) for the purpose of protecting public order and security, or the prevention, detection, or suppression of crimes; and (3) pursuant to a statute (not simply a regulation) that specifically provides for such processing.

Particularly relevant for the issue of systematic access is Article 54. It provides that, in order to acquire data, records, and documents from other subjects (in accordance with the laws and regulations in force), public bodies “may avail themselves of agreements aimed at facilitating interrogation by said bodies or offices, via electronic communication networks, of public registers, lists, filing systems and data banks in pursuance of the relevant provisions as well as of the principles laid down in Sections 3 and 11.”28 It has to be emphasized that, upon a favorable opinion given by the Garante, the Minister for Home Affairs shall adopt such standard agreements.29 This is an important institutional safeguard, aimed at ensuring that information privacy is adequately protected, and that access is limited only to the personal data necessary to the purposes mentioned by paragraph 1. The Garante has made use of its powers of advice and oversight on several occasions.30 Also, prior communication shall be given to the Garante as regards the technical measures taken to safeguard data subjects, whenever they face higher risks of harm, “having regard, in particular, to genetic or biometric (p.119) data banks, technology based on location data, data banks based on particular data processing techniques and the implementation of special technology.”31

Furthermore, it is provided that the Data Processing Centre at the Public Security Department—which is one of the biggest and most important databanks in this sector, and probably one of the biggest of all Italian databanks—“shall be responsible for ensuring that the personal data undergoing processing are regularly updated, relevant and not excessive, also by interrogating—as authorised—the register held by the Criminal Records Office and the register of pending criminal proceedings at the Ministry of Justice pursuant to Presidential Decree no. 313 of 14 November 2002 as well as other police data banks that are required for the purposes referred to in Section 53” (Article 54, paragraph 3).32 Finally, according to Article 57, “a Presidential Decree issued following a resolution by the Council of Ministers, acting on a proposal put forward by the Minister for Home Affairs in agreement with the Minister of Justice, shall set out the provisions implementing the principles referred to in this Code with regard to data processing operations performed by the Data Processing Centre as well as by police bodies, offices and headquarters for the purposes mentioned in Section 53.”

We should also mention the much-debated issue of a central DNA database.33 Italy ratified in 2009 the Treaty of Prüm,34 providing for the establishment of a national DNA database containing human biological materials and genetic profiles of persons convicted of serious crimes or under arrest. Judicial authorities and police forces shall only access such data for purposes of personal identification, or in order to accomplish tasks required by the cross-border collaboration between police forces.35 Given the particular risks involved, the DNA database has been put under the oversight of the Garante, which has already issued several recommendations concerning safety measures and access to the database.36 After a long discussion, the DNA database has been set up and made operative on the basis of the Decree 7-4-2016, n. 87.

(p.120) Particularly relevant are the rules concerning the privacy aspects of the operations aimed at searching evidence of crimes: telephone and electronic traffic data retention, wiretapping, and interception of Internet communications.

1. Data Retention

The retention of telephonic traffic data for the purposes of detecting and countering criminal offenses is regulated by Article 132 Data Protection Code, as amended first by law n. 48/2008, implementing the Budapest Convention on cybercrime (2001), and then by legislative decree 48/2008, implementing the Directive 2006/24/EC.37

Article 132, in its original version, adopted different periods of data retention, depending on the seriousness of the offenses and the purposes of the investigation. The amended version has laid down a unitary regime. Traffic data shall be retained by the provider for 24 months; electronic communications traffic data shall be retained for 12. As regards the data relating to unsuccessful calls, they shall be stored for 30 days.38 Within the 24 months, the public prosecutor (also at the request of private parties involved in the proceedings) may issue a motivated order, acquiring the data from the provider.39

It is worth noting that European Court of Justice annulled the EU Data Retention Directive in 2014;40 nonetheless the Italian regulatory framework as of today remains unchanged.

2. Freezing

An important tool for investigations is represented by so-called “freezing” orders, that is, a nonjudicial proceeding consisting of the access by the police to electronic traffic data (and namely Internet communications data) held by IT and Internet service providers (also known as “preservation orders”). Article 132, paragraph 4-ter Data Protection Data, grants the Minister for Home Affairs or the heads of the central offices specializing in computer and/or IT matters from the police forces (Polizia di Stato, Carabinieri and Guardia di Finanza) the power to order IT and/or Internet service providers to retain and protect Internet traffic data (“traffico telematico”) for no longer than 90 days, in order to carry out the pretrial investigations referred to by Article 226 Norme di attuazione, coordinamento e transitorie del codice di procedura penale, or else with a view to the detection and suppression of specific offenses. The term of 90 days may be (p.121) extended, on legitimate grounds, up to six months, while specific arrangements may be made for keeping the data under control as well as for ensuring that such data cannot be disposed of by the IT and/or Internet service providers and operators and/or third parties.

According to Article 132, paragraph 4-quater, any provider who receives such an order shall comply without delay and is required to keep the request confidential. The measures taken under paragraph 4-ter shall be notified in writing to the public prosecutor, who shall endorse them if the relevant preconditions are fulfilled. If the public prosecutor withholds its consent, the measures cease to be enforceable.41

3. Interceptions

Whereas Article 132 Data Protection Code deals with the traffic data, the main legal source relating to wiretapping and interception of private communications is the Criminal Procedure Code.42 Telephone, electronic, and live (“environmental”) interceptions are among the most important tools for investigations. Indeed, they are massively employed in Italy: according to the Minister of Justice, the total number of telephonic interceptions carried out in the year 2011 is 135,533. Out of them, 121,072 were wiretappings, 11,888 live (“environmental”) interceptions, and 2,573 were interceptions of a different kind (in particular electronic interceptions).43 However, they are also among the most intrusive tools, as they strongly interfere with the liberty and confidentiality of communications, protected by art. 15 Const., and with the inviolability of the home, protected by art. 14 Const. Personal communications may be intercepted only under the conditions set by Articles 266–269 Criminal Procedure Code. Interceptions have to be authorized by judicial authorities and can be carried out exclusively in investigations of serious offenses.44

C. National Security

A special regime also applies to the processing operations carried out by the Italian intelligence agencies (AISI: Internal Information and Security Agency; AISE: External Information and Security Agency), as well as for classified information.45 In accomplishing their tasks, intelligence agencies have to abide (p.122) by the principles laid down by Articles 3 and 11 (data minimization, necessity, lawfulness, fairness, use limitation, accuracy) and by a series of further provisions, such as the ones concerning the prohibition of profiling (Article 14), the liability for damages (Article 15), the security measures (Articles 31 and 33), and the relationship with the Garante (Articles 154, 160, and 169). The solutions adopted by the Data Protection Code seem to be quite innovative and courageous, at least from a comparative law perspective.46 Indeed, a sector traditionally characterized by the priority of public interests over individual rights and by the almost complete absence of external checks, consistently with the idea that salus rei publicae suprema lex esto, has now been subject to some of the most important rules and principles of the Data Protection Code.

V. Laws Requiring Broad Reporting of Personal Data

Several statutes make a broad reporting of private-sector data mandatory. What follows is an overview of some of the most important examples.

A. Tax Laws

A significant expansion of the hypotheses of systematic access to private-sector data can be observed in the fiscal sector. The need to fight against the extremely high level of tax fraud and tax evasion—magnified by the economic and financial crisis—is clearly the most important factor behind such policy. An emblematic example is represented by the new legal regime concerning personal information that can be accessed and obtained by the tax registry office. The so-called “Save-Italy” Decree, adopted by the emergency government led by Professor Monti in December 2011,47 imposed on financial operators the obligation to periodically notify the tax registry office of activity in all the accounts held with them and any other information concerning such accounts needed to carry out tax controls.48 Transactions of less than €1,500 carried out using a postal current account in-payment form are exempted from such notification duties.49

It should be stressed that the duty to communicate is automatic and independent from any charge or suspicion of tax evasion. Also, the General Manager of the Italian Revenue Agency can issue specific regulations, expanding the typology (p.123) and the amount of information that has to be communicated. Furthermore, the Italian Revenue Agency and the Guardia di Finanza are to be notified by the National Institute of Social Security (Istituto nazionale di previdenza sociale) of the records of all beneficiaries of social benefits; such data shall then be matched with tax returns in order to prevent tax evasion.50

The Garante has played an important role in the regulatory process; following a communication by the General Manager of the Revenue Agency, it required a series of changes to the draft decrees relating to access to financial records, with the aim of increasing the safety of the system and reducing the risk of leaks in the information flow or abusive access to the data.51

Another example of mandatory communication of personal data is offered by the Decree-Law n. 78/2010, which makes it compulsory for financial operators to notify the Italian Revenue Agency of the purchases made by private individuals using credit cards and e-money for an amount of more than €3,600.52

B. Anti-money Laundering Legislation

Money laundering legislation also places obligations on a wide range of subjects (financial operators, non-financial enterprises, and various professionals, such as accountants, public notaries, lawyers, etc.) to make reports on suspicious transactions to the Financial Intelligence Unit.53 Such a Unit was established at the Bank of Italy, pursuant to Art. 6 Legislative Decree 231/2007. It is charged with the task of carrying out financial analysis of the suspicious transactions and of examining any other fact that could be related to money laundering or terrorist financing. Once completed, the results of the analyses have to be transmitted to judicial and police authorities—also foreign authorities—for subsequent investigation.54 The Garante has issued several recommendations concerning the data privacy aspects of such information exchanges.55

C. Hotel Clients

Italy differs from many Western countries in that it has long had an intrusive system of automatic reporting of the identity of hotel clients to police authorities. (p.124) Originally provided for by Article 109 TULPS (Testo unico leggi di pubblica sicurezza), enacted in 1931 under the fascist dictatorship, the duty of hotelkeepers and similar subjects to identify their clients (Italians and foreigners), register their personal particulars, and notify the police without delay of such information was never eliminated during the Republican era and is still effective today. January 2013 the Minister of Internal Affairs, following a formal consultation with the Garante,56 has issued a new decree, regulating the whole matter. It provides that the hotelkeepers shall report the personal particulars of their clients within 24 hours to police authorities.57 Such data may be transmitted by electronic means and will be recorded in a central database established at the Ministry for Internal Affairs. The data shall be accessed only by judicial and police authorities for the purpose of protecting public order and security, or the prevention, detection, or suppression of offenses.58 After five years, the data have to be erased.

D. Cell Phones

Another example of compulsory reporting of private-sector data, particularly relevant in practice, is offered by the Electronic Communications Code. According to Article 55, paragraph 7, telecommunications companies are required to identify at the time of the activation of the service all subscribers and buyers of prepaid cell phone cards, and notify (also by electronic means) the Ministry of the Internal Affairs of the list of these names. Judicial authorities may access these data “for justice purposes,”59 that is for purposes “related to the judicial handling of matters and litigations.”60

E. Insurance Frauds

Fraudulent behaviors with regard to compulsory insurance are unfortunately quite common. Therefore, art. 135 Private Insurance Code establishes a database on car accidents, with the aim of enhancing “prevention and combating of fraudulent behaviours in compulsory insurance for motor vehicles registered in Italy.”61 Pursuant to this provision, insurance companies are required to notify (p.125) the Institution for the supervision of private insurance (ISVAP, now IVASS) of the data about the accidents in which their policyholders are involved, on the basis of the procedures established by regulation adopted by the same Institution. This regulation was issued in 2009, following a consultation procedure with the Garante.62 It is provided that such data shall be accessed by judicial authorities, public bodies in charge of detecting fraudulent behaviors in the sectors of compulsory insurance, insurance companies, and a series of other subjects, for the purpose of preventing and combating frauds. The nominative records will be stored for no longer than five years. Most of the principles laid down by the Data Protection Code shall apply to the processing operations.

VI. Courts

According to Article 145 Data Protection Code, the data subject’s rights may be enforced either by filing a lawsuit or by lodging a complaint with the Garante. Given the shorter time and the lesser costs involved in an action before the Garante, nonjudicial remedies have frequently been preferred over judicial ones. Therefore, the case law of the Garante—easily accessible on the Internet—is extremely important to grasp the state of the art in the field of information privacy.63 However, the Italian courts have been called upon to decide important cases as well. The Italian Court of Cassation ruled that the debits and credits records of condo tenants and owners—although “personal data” according to the Data Protection Code—may be lawfully communicated by the condo manager to other members of the condominium.64 In 2013 the Court of Naples reviewed the so-called Redditometro regulation (enabling the Revenue Agency to analyze household spending patterns and compare these with the household’s earnings, with the aim of curtailing tax evasion),65 and declared it void (p.126) as against the right to information privacy, protected by arts. 2 and 13 Const., and by arts. 1, 7 and 8 European Charter of Fundamental Rights.66 This decision has been much debated and occasionally criticized,67 but is a good example of the delicate problems arising from the systematic access by the public bodies to private-sector data.


(1.) Art. 2 Italian Constitution.

(2.) Arts. 2, 3, and 13 Italian Constitution.

(3.) See, for instance, the decisions of the Italian Constitutional Court 34/1973; 38/1973; 81/1993; 372/2006. On the protection of privacy under Italian constitutional law see G.M. Salerno, “La protezione della riservatezza e l’inviolabilità della corrispondenza,” in R. Nania & P. Ridola, eds., I diritti costituzionali, vol. I (Torino: Giappichelli, 2001), 417.

(4.) See, in particular, art. 117, par. 1: “Legislative power belongs to the state and the regions in accordance with the constitution and within the limits set by European Union law and international obligations.”

(5.) See, for example, ECJ, Case C-293/12, Digital Rights Ireland Ltd. v. Minister for Communic’s, Marine and Natural Res., 2014 E.C.R (2014); ECJ, Case C-362/14, Maximilian Schrems v. Data Protection Commissioner [Ireland], 2015; EuCtHR, Roman Zacharov v. Russia, App. No. 47143/06 (2015).

(6.) G. Resta, “Il diritto alla protezione dei dati personali,” in F. Cardarelli, S. Sica & V. Zeno Zencovich, eds., Il Codice dei dati personali: Temi e problemi (Milano: Giuffre, 2004), 31–39; S. Niger, Le nuove dimensioni della privacy: dal diritto alla riservatezza alla protezione dei dati personali (Padova: CEDAM, 2006).

(7.) Law 675/1996, Tutela delle persone e di altri soggetti rispetto al trattamento dei dati personali.

(8.) S. Rodotà, “Tra diritti fondamentali ed elasticità della normativa: il nuovo Codice sulla privacy,” in Eur. Dir. Priv. (2004), 2.

(9.) See Corte cost., 271/2005, in Giur. cost., 2005, 2519, with a comment by A. Celotto, “Una additiva di principio ‘inutile’ o ‘ridondante?’ ”.

(10.) This database has been set up on the basis of Art. 13, Decree-Law 78/2010 and Decree 206/2014.

(11.) See http://www.repubblica.it/economia/2012/10/03/news/corte_conti_evasione_italia_primissimi_posti-43782971/ (quoting the declaration of the head of the Italian Court of Auditors) (last visited April 30, 2017).

(12.) On this notion see Fred H. Cate, James X. Dempsey & Ira S. Rubinstein, “Systematic Government Access to Private-Sector Data,” 2 Int. Data Privacy L. 195 (2012).

(13.) See infra, par. 4.

(14.) See A. de Tura, “Le regole ulteriori per i soggetti pubblici,” in V. Cuffaro, R. D’Orazio & V. Ricciuto, eds., Il codice del trattamento dei dati personali (Torino: Giappichelli, 2007), 163–91.

(15.) Sensitive data are defined by the Code as “personal data allowing the disclosure of racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade-unionist character, as well as personal data disclosing health and sex life.”

(16.) R. D’Orazio, “Il principio di necessità nel trattamento dei dati personali,” in V. Cuffaro, R. D’Orazio & V. Ricciuto, eds., Il codice del trattamento dei dati personali, above note 14, at 163–91.

(17.) Art. 22, par. 6 and 7, Data Protection Code.

(18.) As regards the distinction between the “communication” and the “dissemination” of personal data, see art. 4, Data Protection Code.

(19.) Art. 11 Data Protection Code.

(20.) Art. 3 Data Protection Code.

(21.) According to Art. 154, one of the main tasks of the Garante consists in “drawing the attention of Parliament and Government to the advisability of legislation as required by the need to protect the rights referred to in Section 2, also in the light of sectoral developments.” Paragraph 3 of the same Article 154 provides also that “The Prime Minister and each Minister shall consult the Garante when drawing up regulations and administrative measures that are liable to produce effects on the matters regulated by this Code.”

(22.) See, for instance, Garante prot. Dati, 7-7-2011, Sistema informativo nazionale per la prevenzione nei luoghi di lavoro (SINP) e regole per il trattamento dei dati, web doc. n. 1829704; Garante prot. dati, 21-3-2012, Parere del Garante al Ministro della salute in ordine a uno schema di decreto recante “Modifiche al decreto del Ministro del lavoro, della salute e delle politiche sociali del 17 dicembre 2008, pubblicato nella Gazzetta Ufficiale n. 9 del 13 gennaio 2009, recante “Istituzione del sistema informativo per il monitoraggio delle prestazioni erogate nell’ambito dell’assistenza sanitaria in emergenza-urgenza”, web doc. n. 1892560; Garante prot. dati, 17-4-2012, Parere del Garante su uno schema di decreto del Ministro della salute concernente “Modifiche al decreto del Ministro del lavoro, della salute e delle politiche sociali recante “Istituzione della banca dati finalizzata alla rilevazione delle prestazioni residenziali e semiresidenziali”, web doc. n. 1907937.

(23.) Art. 47, par. 2, Data Protection Code.

(24.) For a detailed analysis see G. Buonomo, “Il trattamento dei dati personali in ambito giudiziario,” in V. Cuffaro, R. D’Orazio & V. Ricciuto, eds., Il codice del trattamento dei dati personali, above note 14, at 277.

(25.) See G. Buonomo, “Il trattamento dei dati personali in ambito giudiziario,” above note 24, at 293.

(26.) The database relating to children suitable for adoption set up in February 2013 by the Ministry of Justice (and specifically provided for by Art. 40, law 149/2001) is just one example of the many databases established for “justice reasons” (see http://www.giustizia.it/giustizia/it/mg_2_5_8.wp).

(27.) I. Iai, “Il trattamento dei dati personali da parte delle forze di polizia e per la difesa e sicurezza dello Stato,” in V. Cuffaro, R. D’Orazio & V. Ricciuto, eds., Il codice del trattamento dei dati personali, above note 14, at 303.

(28.) On this see ibid., at 313–16.

(29.) Art. 54, par. 1, Data Protection Code.

(30.) See, for instance, Garante prot. dati, 26-5-2011, Convenzione fra il Ministero dell’interno-Dipartimento della pubblica sicurezza e l’Agenzia delle entrate per l’accesso da parte delle forze di polizia alla banca dati dell’Anagrafe tributaria attraverso l’applicativo denominato Puntofisco, web doc. n. 1822278.

(31.) Art. 55 Data Protection Code.

(32.) See Iai, “Il trattamento dei dati personali da parte delle forze di polizia e per la difesa e sicurezza dello Stato,” above note 27, at 318–19.

(33.) See L. Scaffardi, “Le banche dati genetiche per fini giudiziari e i diritti della persona,” in C. Casonato, C. Piciocchi & P. Veronesi, eds., Forum BioDiritto 2008: Percorsi a confronto (Padova: CEDAM, 2009), 453.

(34.) Law n. 85/2009, Adesione della Repubblica italiana al Trattato concluso il 27 maggio 2005 tra il Regno del Belgio, la Repubblica federale di Germania, il Regno di Spagna, la Repubblica francese, il Granducato di Lussemburgo, il Regno dei Paesi Bassi e la Repubblica d’Austria, relativo all’approfondimento della cooperazione transfrontaliera, in particolare allo scopo di contrastare il terrorismo, la criminalità transfrontaliera e la migrazione illegale (Trattato di Prum).

(35.) Art. 12 Law n. 85/2009.

(36.) Garante prot. dati, 15-10-2007, Banca dati DNA, web doc. n. 1448799.

(37.) On this see A. Cappuccio, “Privacy e comunicazioni elettroniche,” in G.F. Ferrari, ed., La legge sulla privacy dieci anni dopo (Milano: EGEA, 2008), 237–46; Garante prot. dati, 17-1-2008, Sicurezza dei dati di traffico telefonico e telematico, web doc. n. 1482111.

(38.) Art. 132, par. 1-bis, Data Protection Code.

(39.) Art. 132, par. 3, Data Protection Code.

(40.) See e.g. ECJ, Case C-293/12, Digital Rights Ireland Ltd. v. Minister for Communic’s, Marine and Natural Res., 2014 E.C.R (2014).

(41.) Art. 132, par. 4-quinquies, Data Protection Code.

(42.) For an overview see Intercettazioni di conversazioni e comunicazioni: Un problema cruciale per la civiltà e l’efficienza del processo e per le garanzie dei diritti. Atti del Convegno: Milano, 5–7 ottobre 2007 (Milano: Giuffrè, 2009).

(43.) See Relazione del Ministero sull’Amministrazione della Giustizia. Anno 2012 (Roma, 2012), 249, http://www.giustizia.it/giustizia/protected/812055/0/def/ref/NOL811573/.

(44.) Offenses with a maximum sentence of up to five years’ imprisonment and other offenses specifically mentioned in Article 266.

(45.) See I. Iai, “Il trattamento dei dati personali da parte delle forze di polizia e per la difesa e sicurezza dello Stato,” above note 27, at 320.

(46.) See generally, G. Romeo, “Il diritto alla privacy e la lotta al terrorismo,” in G.F. Ferrari, ed., La legge sulla privacy dieci anni dopo, above note 37, at 181–201; one of the best comparative analyses on this issue is F. Bignami, “European versus American Liberty: A Comparative Privacy Analysis of Anti-terrorism Data-Mining,” 48 Boston College Law Review 609 (2007).

(47.) Decree-law n. 201/2011, Disposizioni urgenti per la crescita, l’equità e il consolidamento dei conti pubblici, converted into law by law n. 214/2011.

(48.) Art. 11, par. 2, Decree-law n. 201/2011.

(49.) Art. 7, par. 6, Presidential Decree n. 605/1973.

(50.) Art. 11, par. 6, Decree-law n. 201/2011.

(51.) Garante prot. dati, 17-4-2012, Comunicazione dei dati contabili all’anagrafe tributaria da parte di banche e operatori finanziari: parere all’Agenzia delle entrate sulle modalità di trasmissione e di conservazione dei dati, web doc. n. 1886775; Garante prot. dati, 18-9-2008, Anagrafe tributaria: sicurezza e accessi, web doc. n. 1549548.

(52.) Art. 21, Decree-Law n. 78/2010, Misure urgenti in materia di stabilizzazione finanziaria e di competitività economica, converted into law by law n. 122/2010.

(53.) Arts. 10-35 Legislative Decree n. 231/2007, implementing Directive 2005/60/EC.

(54.) Art. 9 Legislative Decree n. 231/2007.

(55.) Garante prot. dati, 25-7-2007, Nuova disciplina antiriciclaggio, web doc. n. 1431012.

(56.) Garante prot. dati, 18-10-2012, Schema di decreto ministeriale sulla comunicazione alle autorità di P.S. dell’arrivo di persone alloggiate in strutture ricettive, web doc. n. 2099252.

(57.) Art. 1 Minister of Internal Affairs Decree 7-1-2013, Disposizioni concernenti la comunicazione alle autorita’ di pubblica sicurezza dell’arrivo di persone alloggiate in strutture ricettive.

(58.) Art. 4 Decree 7-1-2013.

(59.) Art. 55, par. 7, Leg. Decree n. 259/2003, Codice delle comunicazioni elettroniche.

(60.) Art. 47, par. 2, Data Protection Code.

(61.) Art. 135, Leg. Decree n. 209/2005, Codice delle assicurazioni private. For a detailed analysis see A. Longo, “Privacy e assicurazioni,” in V. Cuffaro, R. D’Orazio & V. Ricciuto, eds., Il codice del trattamento dei dati personali, above note 14, 570–74.

(62.) ISVAP Regulation 1-6-2009, n. 31, Regolamento recante la disciplina della banca dati sinistri di cui all’articolo 135 del decreto legislativo 7 settembre 2005, n. 209—Codice delle assicurazioni private; Garante, 30-11-2005, Parere sullo schema di regolamento per il trattamento dei dati sensibili e giudiziari dell’Istituto per la vigilanza sulle assicurazioni private e di interesse collettivo (Isvap), web doc. n. 1212464.

(63.) For an overview see G.F. Ferrari, ed., “La legge sulla privacy dieci anni dopo,” above note 37.

(64.) Court of Cassation, n. 1593/2013. On this issue see also Garante prot. dati, Data Protection and Management of Condos, Provision of 18 May 2006, web doc. n. 1332463.

(65.) Minister of Finance Decree 24-12-2012, Contenuto induttivo degli elementi indicativi di capacità contributiva sulla base dei quali può essere fondata la determinazione sintetica del reddito. On this regulation see H. Burggraf, “Italians Protest as Redditometro Unveiled to Pursue Tax Cheats,” International Adviser (January 21, 2013), http://www.international-adviser.com/news/tax-regulation/italians-protest-as-redditometro-unveiled. A. Johnston, “Italian Tax Dodgers Uncovered by the Redditometro,” BBC News (January 21, 2013), http://www.bbc.co.uk/news/business-21064030.

(67.) V. Onida, “Sbagliato giustificare l’evasione in nome del diritto alla privacy,” Corriere della sera (February 26, 2013) 60; but see also, from a different perspective, P. Ostellino, “Il redditometro del Dottor Stranamore,” Corriere della sera (January 6, 2013) 32.