The opinion no. 477 issued on 2 August 2024 by the Italian Data Protection Authority (DPA) expresses its opinion on the Italian AI Bill “Schema di disegno di legge recante disposizione e deleghe in materiale di intelligenza artificiale” (Bill outline stating orders and authorizations on AI).
Having examined the individual rules proposed in the bill in light of the principles introduced by the GDPR, the Italian DPA delivered its favorable opinion on the text, but asked for the adoption of some adjustments.
The Italian AI Bill
In conjunction with the adoption of the AI ACT by the European Parliament (EU Regulation 20214/1689) on 23 April 2024, the Italian Council of Ministers proposed the adoption of a bill on artificial intelligence.
The Bill (in Italian DDL), which was presented to the Senate on 20 May 2024, aims at adapting the internal regulation to the AI ACT, by regulating the use of artificial intelligence systems in particularly sensitive fields referred to the discretion of each member states.
The text, drafted with the goal of promoting “a correct, transparent and responsible use of artificial intelligence, in an anthropocentric dimension, aimed at seizing the opportunities it offers” (Art. 1 of DDL), is composed by 26 articles, with the purpose to regulate the use of AI in the healthcare sector (Artt. 7, 8 and 9), in the workplace (art. 10 and 11), in the exercise of intellectual professions (art. 12), in the public and court administration (art. 14 and 15), in the field of copyright (art. 23 and 24) and, lastly, in the criminal law field (Art. 25).
With particular attention to the use of AI in the healthcare field, art. 8 of the DDL regulates the use of personal data – also particular data (previously known as sensitive data) – for AI systems development purposes. According to this rule, the processing of personal data for research and testing purposes is of particular public interest in the development of AI systems in the healthcare field and, by doing so, it legitimizes the secondary use of data for such purposes.
This rule, however, imposes to respect the obligation to inform the data subjects – to be fulfilled also through the publication of a general information notice on the controller’s website and without any other consent from the data subject – and the obligation to notify the DPA, arranging a tacit consent mechanism allowing the continuation of the processing activities, if no injunction is received within 30 days from the communication.
Given the close correlation between the use of AI systems and the protection of personal data, the Presidency of the Council of Ministers asked the Italian DPA to express its opinion on the text of the bill.
The opinion of the Italian DPA
The Italian DPA analyzed in detail the formulation of each article contained in the bill and gave its positive opinion on the text. Nevertheless, it highlighted the need to amend the text of the DDL in order to make it compliant to the GDPR and the AI ACT.
First of all, it suggested to introduce a specific article with a transversal application, containing a general conformity obligation of the personal data processing to the provisions of the GDPR.
Particular attention was reserved to the rules on the use of AI in the healthcare field. Here the DPA requested the most significant adjustments suggesting, in particular, that the legislator rephrase artt. 7, 8 and 9 of the DDL integrating the stricter limits that art. 10 of the AI ACT requires for particular data processing.
Moreover, with respect to art. 8 of the DDL, the DPA highlighted the need to adapt the rule to the requirements of determination, indicated in art. 6 to art. 9 of the GDPR, and to the guarantees of art. 89 of the GDPR. In addition, the DPA asked to delete the reference to the possibility to fulfill the obligation to inform through the publication of a general information notice on the processing controller’s website, considering such hypothesis not compatible with a secondary use of the data.
Finally, with respect to the tacit consent mechanism expressed in art. 8 of the DDL, the Italian DPA highlighted that the 30-days period does not deplete the typical powers of the Authority which, even at a later date, can ascertain and sanction possible wrongdoings.
Ilaria Feriti