The new data retention provisions in Italy: from bad to worse

On November 27th last, Law no. 167 of 20 November 2017 was published in the Official Journal of the Italian Republic (“law 167“). Law 167 contains a heterogeneous array of law provisions, of which Article 24 is certainly of paramount importance for those interested in data protection, as it denotes a populist approach to the issue of data retention for the purposes of serious crimes investigation and prosecution. Namely, Article 24 contains new data retention provisions which appear to defy the boundaries of legality that since 2014 have been designed by the EU Court of Justice.

A little bit of jusidicial history is necessary in order to put the Italian data retention legal framework in context.

As is known, that data retention EU legislation has attracted the scrutiny of the EU Court of Justice since the seminal Digital Rights Ireland judgement of 8 April 2014 (case C-293/12 – link below).

In Digital Rights the EUCJ declared the invalidity of Directive 2006/24 on the retention of data processed in connection with the provision of public electronic communication services. The Directive was considered invalid because at odds with Articles 7 and 8 of the EU Charter of fundamental rights (the “Charter”). The flaw identified by the EUCJ  was firstly that Directive 2006/24 would cover, in a generalised and indiscriminate manner, all persons and all means of electronic communication as well as all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime. As such, Directive 2006/24 applied even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime and no exception was provided. The Directive would therefore seriously interfere with the fundamental rights to respect for one’s own private life and to protection of personal data, without any attention being given to the issues of proportionality and strict necessity.

The Digital Rights Ireland case was one of the few in which the role of the EUCJ as a Constitutional Court of Europe made itself apparent, in that the Court not only slashed a piece of EU legislation, but did so on grounds of protection of the defining values of a democratic and liberal society. This transpires from the reasons that the Court used to give substance to the interference with the fundamental rights enshrined in the Charter and particularly where the Court held that, even though the Directive did not permit the retention of the content of the communication, it would not be inconceivable that the retention of the data in question might have an effect on the use, by subscribers or registered users, of the means of communication covered by that directive and, consequently, on their exercise of the freedom of expression guaranteed by Article 11 of the Charter. In this vein, the Court also embraced the suggestion that  the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance. The EUCJ in Digital Rights took a commendable approach that was not willing to trade the values of liberal democracies for the battle against serious crimes such as international terrorism.

Italy implemented Directive 2006/24 by way of Legislative Decree no. 109 of 30 May 2008, which inter alia amended article 132 of the Italian Data Protection Code. These provisions have almost verbatim transposed into Italian law those of Directive 2006/24 and mandate the generalised and indiscriminate retention of telephone and internet related traffic data by communication service providers for 24 and 12 months respectively. The Italian legislature has not considered necessary to repeal or amend the law after the Digital Rights judgement. As a matter of fact, Article 132 of the Data Protection Code continues to apply and is a much used source of information by public prosecutors in criminal investigations, as a gateway to the data retained which enable to reconstruct with precision the web of communications of the individuals under investigation and through them of virtually any other individual the suspect has been in contact with. Independent judicial review for enabling access to this wealth of data retained by communication service providers is practically non existent.

On 21 December 2016, the EUCJ delivered a second judgement on the data retention issue (case C-203/15 – hereinafter Watson), this time to rule on the compatibility with the EU Charter of national legislation adopted on the basis of the invalidated Directive 2006/24 (link below).

It came as no surprise that in Watson the Court, taking stock of Digital Rights, held that the principles set out in Articles 7, 8, 11 and 52(1) of the Charter preclude national legislation which for the purposes of fighting crime provides for the general and indiscriminate retention of all traffic and location data of all users relating to all means of communication. A second answer provided to the referring courts in Watson further found for the incompatibility of national data retention legislation, in connection with access to the retained data, where access is not restricted to serious crime, is not subject to prior review by a court and it is not provided that the data holder reside in the EU. This judgement was rendered in connection with Swedish and UK data retention legislation but, given the features of Article 132 of the Italian Data Protection Code, read in conjunction with Legislative Decree no. 109/2008 and with the procedural rules governing access to data, the same conclusion should be expected also with respect to the Italian data retention regime.

However, as mentioned at the beginning of this article, very recently Italy appears to have taken a further step in a direction opposite to the one that the EUCJ has pointed to in Digital Rights and in Watson. As a matter of fact, Article 24 of Law 167, starting from 12 December 2017, will oblige providers of communication services to retain telephone and internet related traffic data for as long as 72 months (6 years). To be sure, Article 24 is presented as a derogation from the general data retention provisions set out in Article 132 of the Data Protection Code, in that the obligation to retain traffic data for 72 months is in Article 24 is required by the law solely for the prosecution of certain specifically identified criminal offences mentioned in it, amongst which those concerning international terrorism. However, the devil is in the detail, because as drafted Article 24 may well result in an obligation for all communications service providers to extend the data retention period from the 24 or 12 month period set forth in Article 132 of the Data Protection Code to 72 months for all traffic data and for all subscribers. As a matter of fact, although Article 24 of Law 167 as drafted, prescribes the 72-month retention period only with respect to certain serious crimes, identified by way of cross reference to the provisions of the code of criminal procedure, yet it does not appear possible for communication service providers to know, at the time traffic data is generated and retention starts, whether the individuals concerned may be implicated in the relevant serious crimes. Therefore, in my opinion, as a matter of practice, the provider will be forced – in order to avoid breaching the law – to retain all data of all subscribers/registered users for 72 months. As in fact Law 167 does not provide for a mechanism to target specific individuals, whose data should be retained on the basis of objective evidence revealing links with the planning or commission of the relevant serious crimes, then it appears inevitable that those individuals may be singled out only retrospectively, i.e. by the public prosecutor, when she will start an investigation on the relevant serious crimes as contemplated by the law.

I may be missing something and would welcome comments that may allay my concern, but it seems to me that the new data retention regime set forth under Article 24 of Law 167 is not compatible with the findings of the EUCJ in Digital Rights and in Watson. In the latter case the EUCJ has identified certain positive features that a data retention framework should possess, in order for it to be found compliant with the principles of the Charter. In particular, the EUCJ has called for the provision of adequate safeguards, which should prospectively clearly circumscribe the data retention to a specific public that, based on objective evidence, may be reasonably held to reveal a link, even an indirect one, with serious offences. Such safeguards are not visible in either Article 132 of the Data Protection Code or Article 24 of Law 167. This not to mention the very long retention period (6 years) which signals yet another self-standing clash with the principles of proportionality and necessity in a democratic society.