Almost twenty years after the entry into force of the first Italian law on the subject of privacy, the European regulation was published last May which substantially integrates the legislation on the subject. The aim is to recognize a higher and more uniform level of protection of personal data and to guarantee citizens greater control over the use of information concerning them.
Although the regulation does not need to be transposed, the Member States have two years to adapt their national legislation, and the companies concerned – mostly public administration bodies, large private companies providing services as well as banks and financial intermediaries – have equal availability of time to adapt to the new regulatory framework, which however is rather demanding and not without problematic aspects.
The wide sphere of rights recognized to citizens in fact provides for a strong responsibility of companies and the need to proceed with organizational interventions that involve a large part of the company structure. In strictly operational terms, what has been said translates into a substantial increase in costs, made necessary by the restructuring of internal processes and the implementation of IT procedures designed to meet the new needs for handling customer information.
A burdensome commitment in this sense concerns, for example, the introduction of the obligation for each interested company to maintain over time a timely and exhaustive record of the activities carried out under its responsibility regarding the processing of customer data. With reference to lending, this provision carries the risk of introducing particularly complex and unjustified operating methods, in a context of activity which over the years has not presented specific occasions for conflict in the relationship between individuals and banks.
A further commitment for companies concerns the need to acquire new and specific internal professional skills, such as the one referred to the figure of the "Data Protection Officer" who must necessarily be present within the companies where the processing of information involves specific risks .
The regulation, moreover, recognizes citizens the right to be represented by a non-profit body, whose activity is recognized as being in the public interest, which will be able to lodge a complaint and exercise compensation for damages on behalf of customers in the event of violations of the provisions of the regulation itself. This regulatory provision presents the risk of "encouraging" litigation brought by private individuals against companies, in the hope of pursuing "easy" compensation made possible by provisions conceived with the specific aim of protecting the rights of one of the parties in dispute.
Finally, a considerable increase in the pecuniary and administrative sanctions envisaged by the new system must be underlined, which may reach a maximum of 20 million euros or up to 4% of the total annual turnover of the entity responsible for data processing; moreover, each Member State is left free to adopt further and more incisive sanctions.
We will therefore see in the near future how the national legislator will concretely proceed in transposing the new regulatory system, trusting that the right requirements related to the protection of citizens' privacy are adequately reconciled by the equally important needs of businesses and banks to operate without excessive burdens, in a correct perspective of proportionality and balance, especially in the current context of crisis marked by the continuous proliferation of prudential rules, which are gradually becoming more binding and pervasive.
