The evaluation of the legitimate interest of personal data processing in light of the 2018 Italian Budget Law

A few months before the direct applicability of the EU Regulation 2016/679 on personal data protection, scheduled on May 25, 2018,  the Italian Parliament adopted a number of interesting provisions on privacy, included in the paragraphs from 1020 to 1025 of article 1, 2018 Italian Budget Law (law no. 205/2017), which entered into force on January 1, 2018.

Paragraphs from 1022 to 1023 foresee that the controller of the processing “if performing a processing grounded on the legitimate interest foreseeing the use of new technologies or of automatized instruments” shall communicate it immediately to the Italian supervisory authority before beginning the processing through a circular on the object, the end and the context of the processing itself. If the authority fails to give an answer within 15 days from the sending of the circular, the controller can start the processing.

On the base of the circular, the supervisory authority starts a trial to evaluate the possible existence of a risk of damage for the rights and the freedom of the data subjects, in that case he will settle the restraining order for the usage of the data.

The Parliament has also stated that the supervisory authority will define with its own measure the best practices on personal data processing based on the legitimate interest of the controller.

However, the deadline for the adoption of the measure, of two months from the entrance in force of the Italian Budget Law, lapsed without any intervention of the controlling Authority.

Some observations on the discipline described are imperative.

First of all, it is to underline that if on the one hand the Italian Privacy Code fixed consent as main condition of the lawfulness of data processing, thinking to a series of “exemption conditions”, on the other under the effect of the EU Regulation the legitimate interest of the controller becomes a legal base for the processing at the same level of the consent and as its alternative, at the condition that the interest of the data subject or his rights don’t prevail, as per the so-called “Balance of interests”.

And there’s more. The legitimate interest of the controller shall be preferred to the consent as legal base of the processing anytime the data subject cannot give his “free” consent, as happens in occasion of an employment relation.

Nevertheless, the Regulation does not provide information on the content of the legitimate interest of the controller, at the exception of some specific examples at points from 47 to 49.

The Regulation refers the evaluation of the balance of interests entirely to the controller, in accordance with the principle of accountability, heart of the new European privacy discipline. With the risk of running into high sanctions if the ground chosen for the processing turns out to be unfair.

The recent Italian Budget Law intervened on this background to furnish an interpretative to undertakings, foreseeing the intervention of the controlling Authority by the elaboration of guidelines to be followed in this evaluation.

It is to judge if the prevision of this new process of preventive communication to the supervising authority really complies to the EU Regulation which had already erased the body of notification and of preliminary analysis replacing them with the introduction of the Data Protection Impact Assessment (DPIA) by the controller of the processing and subordinating the intervention of the Authority to the evaluation of the existence of a high residual risk by the controller itself.

We wait for the results of the new Italian Government’s next lawmaking on this point on the base of the European Law of Delegation no. 163/2017.

Till then, each controller willing to base a processing on its own legitimate interest shall communicate it in advance to the Authority and, unless in case of negative response, notify the data subject informing him of his right to oppose this processing.