2023-12-29
Interview With the President of the Italian Data Protection Authority (GPDP) Prof. Dr. Pasquale Stanzione
- Can you please share your experience with the implementation of the GDPR in the Italian legal framework? How would you assess this process?
The General Data Protection Regulation (GDPR), which protects fundamental rights and freedoms of natural persons while laying down rules relating to the free movement of personal data, as it is known, is directly applicable within the EU and is aimed at strengthening citizens' rights uniformly. Although it is considered an evolution rather than a revolution with regard to its predecessor Directive 46/95/EC, the GDPR required significant changes in the European and national legal frameworks, in order to ensure its full and effective implementation and considering that it contains also some not-directly applicable provisions. Not only have new data protection ‘rights’ been codified (e.g. the right to erasure (or ‘right to be forgotten’), previously acknowledged only by the jurisprudence of the European Court of Justice or by national courts), but also new requirements for data controllers and new redress mechanisms for data subjects have been established, resulting inevitably in the need to adapt existing procedural rules or to introduce new ones.
Key changes included: the enhanced cooperation with the other EU supervisory authorities to handle complaints and breaches related to cross-border data processing activities, accompanied by new tasks for the single authorities. The European Data Protection Board, which replaced the ‘Article 29’ Working Party, went on working to provide guidance on the implementation of the new legal framework grounded in the GDPR.
The Italian legislative decree n. 101/2018, aimed at adapting the national regulatory framework to the provisions of the GDPR and which made substantial amendments to the 1996 national data protection law, i.e., legislative decree No. 196/2003 (‘Code’), was adopted based on the following criteria: repeal expressly the provisions of the existing DP Code incompatible with the provisions contained in the GDPR (e.g. prior checking); change the Code to implement the not-directly applicable provisions of the GDPR; coordinate the provisions in force with the provisions contained in the GDPR; where appropriate, provide for the use of specific supplementary measures to be adopted by the Garante; adapt the criminal and administrative sanctioning system in force with provisions for criminal and administrative penalties to be effective, dissuasive and proportionate to the seriousness of the violation of the provisions themselves; amend the rules applying to processing activities in the law enforcement sector, which have been taken out of the data protection Code (they are now regulated separately by legislative decree No. 51/2018).
In particular, following the entry into force of the legislative decree 101/2018 further to the GDPR, the work done at the Garante in the second part of 2018 was focused on the new legal framework, including initiatives of an administrative nature. The legislative process intended to adapt the national legal system to the GDPR was monitored closely by the Garante.
In particular, the GDPR has confirmed the need for a formalised, legally stringent approach as regards all inspection/enforcement activities (e.g.: full compliance with the right to be heard principle; key role of the minutes drafted to report on-site inspection activities; etc.). This was already part of the experience developed by the Garante and is actually mostly grounded in basic principles of (administrative) law. The changes brought about by the GDPR mainly concern internal organizational and procedural issues. The separation between the preparatory/fact-finding phase (falling within the remit of the Office of the Italian SA) and the decision-making phase (falling within the remit of the Commissioners’ panel) was enhanced further (see, in particular, Garante’s Regulation n. 1/2019). The GDPR also provided new impetus for a balanced approach to enforcement, focusing both on deterrence (through ‘exemplary’ fines, in particular) and on fostering compliance (through fewer fines and more guidance/corrective measures). Several domestic factors come into play in this respect, which are related at times to different enforcement priorities and national specificities.
Relevant for the transition was also the work done regarding the Codes of conduct. The Garante had to assess to what extent the provisions set out in some of the existing ‘Codes of practice’ attached to the DP Code were compatible with the GDPR: the compatible provisions were grouped into ‘Rules of conduct’ attached to the amended Code, including ‘Rules of conduct applying to the processing of personal data in connection with journalistic activities’.
Another innovation brought about by the GDPR (Article 36(4)) is the obligation to consult the supervisory authority during the preparation of a proposal for a legislative measure to be adopted by a national parliament which relates to data processing (although this practice has already been carried out successfully at domestic level in the past): the underlying rationale is to consider the Garante a fundamental institutional partner in order to make sure that the modernization of the Nation, as based on an enhanced digital infrastructure, can take place in full compliance with personal rights and fundamental freedoms.
Finally, the transition brought about by the GDPR was also accompanied at the Garante by an increase of personnel, required to fully and efficiently enforce the new legal framework.
- In your opinion, what role do you see data protection authorities playing in shaping the future of data protection policies and regulations?
As a supervisory authority we have a special role to play and a great responsibility, in ensuring that individuals can exercise in every context, without distinction, their right to the protection of personal data, which is instrumental to the protection and exercise of other fundamental rights and freedoms. Data protection is a prerequisite of freedom and democracy, as it can ensure, on the one hand, the conditions for the free construction of one’s self and, on the other hand, it should afford society the right balance between private and public, between rights and solidarity. The greatest strength of this right, never despotic, in fact, is its “meekness”, its capacity to realize unexpected synergies with the various interests involved, providing anthropocentric governance to innovation, so that technology is at the service of mankind and not vice-versa.
With this background, the different data protection supervisory authorities (DPAs) give enormous support in shaping the future of European and non-European regulations. European DPAs, and the Italian SA as one of them, have already contributed (and are still contributing) widely to the current debate on the new European digital framework, shaping related policies and law and defining, among others, the European approach to Artificial Intelligence (AI): both as part of the EDPB and autonomously, DPAs regularly attend policy meetings, issuing opinions and recommendations both on draft legislation and on the initiatives implementing it (e.g. on the DMA, on the AI Act and more recently on the proposal for a Regulation on some procedural rules for GDPR enforcement).
Furthermore, given the technological and economic convergence that we are witnessing, there is also an increasing need for interplay and convergence of different fields of law (the data protection framework and competition law, for instance), which in turn begs the question of the convergence of regulatory approaches by different regulatory authorities: a multidisciplinary approach to rights protection is of paramount importance for a harmonized and comprehensive protection of fundamental rights and freedoms, so that lawyers, economics experts, computer and data scientists can talk and learn from one another.
Challenges are also raised by divergences in national law and procedures as well as economic and political choices.
A merely national approach would not have much sense. A broad, shared vision is rather necessary for an increased policy and regulatory convergence at the supranational level, also in order to avoid the risks of detrimental different approaches and fragmentations.
As the Italian DPA, we have experienced cooperation with other national regulatory authorities (competition and consumer protection Authorities), as requested by the national DP Code (art. 154: “Garante cooperates with other national independent administrative authorities in carrying out their respective tasks”), and we are an active player also at the international level, i.e. within the Council of Europe’s ad-hoc Committee (“T-PD”) and within the OECD’s Information, Computer and Communications Policy Committee, as well as a member of the GPA, the Global Privacy Assembly, and of the G7 of the DP and privacy authorities, which next year we have the honor to host in Italy.
Finally, as Garante, an example of our role in shaping the future of data protection policies might be given, among others, by our intervention regarding age verification by big platforms such as TikTok or the use of ChatGPT (see more details on www.gpdp.it).
- How do you ensure that your authority stays current with emerging technologies and their impact on data privacy?
Regarding the third question, it must be stressed, first of all, that the GDPR should not be considered as an obstacle to innovation and technological development (e.g. A.I.), but rather as an opportunity: compliance with its basic principles and rules can play an important role and provide competitive advantages and opportunities for companies in a data-driven economy: actually, Art. 1 of the GDPR states that it aims at ensuring the free flow of data, while protecting fundamental rights.
At Garante, we closely follow the development of new technologies and their impact on privacy. Besides a research service, we have a specific Technological Department, with computer scientists and engineers who deal daily with technological issues and our personnel regularly contribute to research studies, participate in international conferences and publish papers devoted to these issues.
- Can you describe your vision for the future of data protection and what steps your authority is taking to realize that vision?
Among the tasks of supervisory authorities, provided for by GDPR, there is that of promoting the awareness of data controllers, according to a collaborative approach: we need (and we are working for) a fruitful dialogue with stakeholders to develop really common and shared rules, capable of ensuring greater effectiveness of the actions undertaken to protect personal data and with them, people. In other words, dialogue and cooperation should be prioritized in privacy and data protection, without relying only and necessarily on monetary fines.
DP authorities will also need to play a supporting role towards (public and private) actors that are required to comply with the rules, thus fostering a paradigm shift with the ultimate goal of protecting and respecting rights (mere compliance is not the goal!). Still, DPAs also need to retain their role of oversight regarding activities that impact on personal data, driving data processing and correcting those activities which might undermine the freedoms and rights of individuals.
While the recent pandemic has proven how crucial the services provided by Big Tech and platforms may be, it has also stressed the need for a defensive strategy with respect to their pervasive ‘digital stalking’, to their contractual supremacy, to the “cultural and informative hegemony” created e.g. via targeted advertising and micro-targeting. This is compounded by the concentration, in the hands of few platforms, of a power that is not only economic, but also cultural, social, even decision-making (which has been termed ‘digital capitalism’). There is the need for cooperation with platforms, preventing them from becoming an “anomic”, lawless space, where rights can be infringed with impunity, without, however, entrusting them with an arbitration role regarding fundamental freedoms and their balance, as such a role is to be reserved always for the public authority.
This is the direction in which also the new legislative instruments of the European digital strategy are going (e.g. DSA, DMA, Data Governance Act), which have introduced new accountability requirements.
Accountability is, actually, one of the GDPR main principles, and we can say that it has been taken as a model, in some ways, also for the elaboration of those other European Regulations in the digital sector, in an attempt to reconcile economic development, innovation and human dignity and to balance rights and freedoms as is typical of European constitutional traditions.
The GDPR already recognizes more discretion for data controllers (in decisions related to data processing), but also more “accountability”, since the burden of proving compliance with the GDPR rests with the controller. Accountability means reporting, giving an account of the assigned responsibilities, so it is not a new principle, but a new approach to ensure effectiveness and compliance with existing principles: a new way of thinking, a paradigm shift, and the data protection authorities are also called upon to help in bringing about this change. ‘Accountability’ is not equivalent to ‘compliance’ with the rules, but it has an impact on the degree of responsibility of the data controller when the Authority is called to evaluate its conduct: more autonomy means more responsibility and requires additional commitment by the data controller, who must make assessments, analyses and precise choices relating to the data processing operations undertaken and the measures adopted in order to protect individual rights.
In this regard, we need to stress the importance of ensuring an ‘effective’ personal data protection (enforcement), i.e. rooted in real experience, which responds to the needs of the data subjects and is ensured also through safeguards put in place by data controllers themselves (like the Codes of conduct, encouraged and promoted by the GDPR, which entail a fruitful dialogue between the DPA and data controllers or categories thereof).
Cooperation among DP authorities is also crucial for the near future: the current cooperation system and its procedural rules, established by the GDPR, are currently being improved to precisely enhance enforcement of the main principles and of safeguards mechanisms provided for by the GDPR.
The GDPR inevitably makes the protection of the individual its focus of attention compared to market-driven requirements; however, it also promotes the social function of personal data protection.
Given the predatory attitude of some platforms vis-à-vis personal data, freely exploited as if they were res nullius, it is imperative to emphasize, once more, the importance of the individual self-determination: the latter requires proper information including on the logic behind algorithm functioning in order to ensure a really free consent. Informational self-determination is, in fact, the necessary prerequisite for free choices - especially in a context in which seemingly free services are instead provided against the high price of our personal data and, therefore, of our freedom.
Finally, we would like to stress another point. In a context faced with highly structured and complex processing activities (think about the increasing use of A.I. and the related algorithmic decision-making), where the individual might not always be capable of understanding and taking a decision regarding his/her data and therefore his/her rights, the exercise of effective oversight by the DPA on respect for the rights of individuals and the societal model that is taking shape is of paramount importance, in order to avoid or at least limit the possible related risks, such as discrimination, social exclusion, manipulation, mass surveillance and authoritarian drifts.
We need to adequately ponder what future and what kind of society we want to live in and whether we are ready to fight for preserving fundamental freedoms and rights or can accept relinquishing those freedoms and rights in the name of technological determinism and market predominance. Data protection could (and should) have a pivotal role in this regard, as an instrument for the reallocation of information power as well as for an inclusive and human-centric technological development.
The right to data protection and, more generally, individual protection in respect to the power of technique, needs universal safeguards, which overcome regulatory asymmetries that are inadequate to a reality, such as the digital one, which prescinds from territorial borders.