Opinion of the Italian DPA on the DDL AI: essential amendments for compliance with the GDPR and the AI Act

Within the framework of the adoption of the draft law (“disegno di legge”) concerning provisions and delegations on artificial intelligence (“DDL AI”), adopted by the Council of Ministers on April 23, 2024, the Italian Data Protection Authority (the “Garante Privacy”) expressed its opinion through provision no. 477 of August 2, 2024 (the “Opinion”), in accordance with Article 36, paragraph 4 of Regulation (EU) 2016/679 (“GDPR”).

The DDL AI establishes rules and principles of a programmatic, sectoral, and promotional nature, aimed at regulating the research, experimentation, development, adoption, and application of AI systems and models (for a more detailed examination of the DDL AI’s content, please refer to our previous contribution, available here). The provisions encompass five key areas: national strategy, national authorities, promotional actions, copyright protection, and criminal sanctions. Furthermore, the draft law includes a delegation to the government to align national legislation with Regulation (EU) 1689/2024 (“AI Act”).

The Garante Privacy issued a favorable opinion regarding the DDL AI, contingent upon the incorporation of specific modifications and enhancements, as well as a recommendation to acknowledge a more active role for the Garante Privacy within the newly established regulatory framework.

But what are the recommendations of the Garante Privacy?

Below is a summary of the primary concerns raised by the Garante Privacy regarding the various sectors addressed by the DDL AI.

1.    Protection of personal data

  • Regulatory coordination. The programmatic nature of many provisions within the DDL AI may create a potential risk of overlap with certain provisions of the AI Act. Consequently, with respect to the protection of personal data, the Garante Privacy recommends the inclusion of a specific and cross-cutting article in Chapter I (“Principles and Purposes”) of the DDL AI, which would impose a general obligation to comply with the GDPR and the Italian Privacy Code (Legislative Decree 196/2003, as amended by Legislative Decree 101/2018).
  • Privacy as a fundamental right. The Garante Privacy suggests amending Article 3, paragraph 1 of the DDL AI by replacing the reference to the “principle of personal data protection” with a more precise reference to fundamental rights (Article 8 of the Charter of Nice).
  • Minors’ rights. The Garante Privacy points out that Article 4, paragraph 4 of the DDL AI should be reformulated so that it references not the current age threshold for minors’ access to AI technologies (currently set at fourteen years) but rather Article 2-quinquies of the Privacy Code. This flexible reference would enable the DDL AI to remain consistently aligned with existing regulations. Furthermore, the Garante Privacy suggests the integration of provisions establishing appropriate measures to ensure the effectiveness of age verification systems, thereby preventing easy circumvention of the established age threshold for consent.

2.    Healthcare sector

  • Greater guarantees. The Garante Privacy finds the generic reference to data protection in Article 7 of the DDL AI to be inadequate and calls for a direct reference to Article 10 of the AI Act. The latter establishes essential guarantees not addressed by Article 7 of the DDL AI, including the preference for using synthetic or anonymized data, specific restrictions on the use of health data (such as prohibitions on transmission, transfer, or communication), and limitations on data retention. Additionally, the reference to Article 10 of the AI Act should also be incorporated into Article 9 of the DDL AI (Provisions regarding electronic health records, surveillance systems in the healthcare sector, and digital health governance).
  • Regulatory coordination. The Garante Privacy asserts that Article 8 of the DDL AI, pertaining to the legitimization of the processing of personal data for research purposes in the field of AI, requires amendments to ensure compliance with the requirements laid down in Articles 6, paragraph 3, letter b) and 9, paragraph 2, letter g) of the GDPR, as well as Article 2-sexies of the Privacy Code. These provisions emphasize the need for a clear and specific legal basis for the processing of personal data. Additionally, with regard to the secondary use of data, Article 8 of the DDL AI should align with the guarantees provided for in Article 89 of the GDPR, including the implementation of technical and organizational measures to ensure compliance with the principle of data minimization. The Garante Privacy has also highlighted the need to remove the reference to the option of fulfilling the obligation to inform in a general manner by publishing such information on the data controller’s website, deeming it incompatible with the secondary use of data. Lastly, the requirement for prior notification to the Garante Privacy concerning processing, using a silence-consent mechanism, should be clarified to specify that the thirty-day timeframe does not limit the Garante Privacy’s power of oversight and, potentially, enforcement.

3.    Labor sector

  • Protection and non-discrimination needs. The Garante Privacy suggests the integration of Article 10 of the DDL AI by referencing Articles 22, paragraph 3, and 88 of the GDPR, as well as Articles 113 and 114 of the Privacy Code. This integration is essential to ensure compliance with the necessary safeguards for the use of AI in the labor sector, where the demands for protection and non-discrimination are particularly pertinent. These considerations not only apply after the establishment of the employment relationship but also during the pre-hiring phase, specifically concerning personnel selection processes.

4.    Role of the Garante Privacy within the framework of the DDL AI

  • The Garante Privacy recommends a more proactive role in shaping the national strategy for AI (Article 17 of the DDL AI) to ensure that the measures and policies proposed do not conflict with data protection regulations. Furthermore, it emphasizes the necessity of active participation in the work of the Coordination Committee (Article 18 of the DDL AI), with an obligation for other authorities to consult the Garante Privacy when addressing issues related to the protection of personal data.

5.    Legislative delegation for aligning internal legislation with the AI Act

  • Alignment of the DDL AI with the AI Act. The Garante Privacy asserts that paragraph 2 of Article 22 of the DDL AI should be supplemented with specific directives concerning the regulation of the authorization of “real-time” remote biometric identification systems in publicly accessible spaces for law enforcement purposes (Article 5, paragraphs 3 and 5 of the AI Act). It suggests the designation of the Garante Privacy as the competent authority for conducting such authorization assessments, drawing upon its established expertise in overseeing algorithmic decision-making processes that involve personal data. Furthermore, the Garante Privacy highlights the importance of designating itself as the competent authority for high-risk AI systems operating within the biometrics sector, particularly when employed for law enforcement, border management, justice, and democratic processes, or when utilized by law enforcement agencies (Article 74, paragraph 8 of the AI Act, referring to Annex III, points 1 and 6 of the AI Act).
  • Adequate involvement of the Garante Privacy. The Garante Privacy emphasizes the necessity of its adequate participation in the establishment of the regulatory sandbox spaces referred to in Article 57 of the AI Act. It also seeks to be included among the competent authorities responsible for the protection of fundamental rights, as provided for in Article 77 of the AI Act.

***

The Opinion of the Garante Privacy regarding the DDL AI highlights the critical need for systematic coordination between the provisions governing AI and the existing data protection regulations. Key recommendations include the incorporation of a cross-cutting article on personal data protection, the revision of provisions related to AI in healthcare and labor contexts, and enhanced participation of the Garante Privacy in both decision-making and strategic processes.

The execution of these modifications is essential to prevent regulatory overlaps, ensure the safeguarding of fundamental rights, and confirm that the adoption of AI in Italy is conducted ethically and responsibly, in accordance with the rights of data subjects.