Expert's opinion

Recovery and Resilience Plan and Data Protection

The National Recovery and Resilience Plan (PNRR) Next Generation Italia is not just a project to help economic recovery, but primarily a unique occasion to overcome the dramatic effects of the pandemic period. The main target is to make Italy a greener, more digital and more resilient country, thanks to the availability of considerable financial resources and focusing on values related to the quality of individual life and on increased cohesion, inclusion and equity in the communities.

It is worth reminding that the Plan fits into a wider reform framework, aimed at regulating the European Union’s technological innovation process. In fact, with the presentation of the Digital Service Act and of the Data Governance Act, the European Commission showed its willingness to define new paradigms to strengthen the internal digital service market.

“Mission 1: Digitalisation, innovation, competitiveness, culture and tourism” of PNRR aims at building momentum for the relaunch of Italian competitiveness and productivity. Such a huge challenge requires a far-reaching intervention, leveraging on various key elements of the Italian economic system to attain innovation, sustainability and a promotion of Italy’s image and brand.

Next Generation EU’s boost to the digital revolution will nonetheless lead to an inevitable and exponential increase in personal data processing, which will have to comply with the key GDPR principles. Therefore, all private and public entities intending to benefit from the advantages available under the PNRR will necessarily need to have completed, or at least have started, the adjustment process to reach full compliance with the personal data protection regulation, which is essential for digital innovation.

The Italian Data Protection Authority intervened on this point, drawing attention on the dual purpose of the protection provided by the GDPR within the scope of the reform project under the National Recovery and Resilience Plan: on the one hand, instilling confidence in citizens with reference to the activity of public entities when performing their functions and, on the other hand, guaranteeing the innovation process’ security and thus increasing competitiveness without limiting individual rights and freedoms.

On the occasion of the presentation of the Council’s annual report, the Italian Data Protection Authority emphasised that the only possible way to complete the Missions under the PNRR is the implementation of an effective synergy between Data Protection and Cybersecurity, since only the combination of these two factors can guarantee not only the attainment of an effective digitalisation and innovation process without threatening the security of the Country - currently safeguarded by the National Cybersecurity Framework - but also the safeguard of individual citizens’ dignity.

The Authority also underlined the key importance of a dialogue between institutions and the Authority itself within the scope of the planning and implementation of the reforms. Thanks to its independence, the Authority can provide precious advice and meaningful ideas to help balance contrasting interests, such as technological progress and the safeguard of individual rights and freedom.

In addition, besides complying with GDPR principles, it will be necessary to exercise care and pay particular attention to the guarantees offered by providers and sub-providers, specifically Over The Top (OTT) players providing cloud technologies and artificial intelligence services.

On this point, the Recovery and Resilience Plan expressly mentions the so-called cloud first strategy: Public Administrations will have the possibility to choose whether to migrate to a new cutting-edge national cloud infrastructure (National Strategic Hub, in Italian Polo Strategico Nazionale or PSN) or to a secure public solution, taking into due consideration the type and volume of personal data processed and the type of services offered.

The digitalisation of the Public Administration (PA) is one of the top priorities of the Recovery and Resilience Plan. To achieve this objective, various measures have been devised, aimed at guaranteeing citizens and businesses higher quality, more efficient and innovative public services.

The digital infrastructures, both in the private and public sector, actually play a key role for most daily activities of the citizens and represent the backbone of the digital service system the Public Administrations use and offer to citizens and businesses. Guaranteeing Italy’s technological autonomy, in a moment in history when most national interests are digital, is mandatory as well as instrumental to guarantee the control over the security of citizens’ data, increasing meanwhile the resilience of digital services.

In the light of the above, the correct identification of all providers involved in the supply chain is essential, also when considering the transfer of personal data towards Extra EU Countries. Judgement no. C-311/18 by the Court of Justice of the European Union[1], also known as “Schrems II”, required all public and private organisations to reflect upon their compliance strategies, thus altering the balance of the global digital ecosystem. The abovementioned judgement will inevitably also affect the enforcement of the PNRR, cloud computing being a vital technology for Italy’s effective digitalisation process and for guaranteeing the actual provision of a homogeneous level of services to citizens nationwide.

The European Data Protection Supervisor (EDPS) recently undertook analyses[2] aimed at assessing the compliance of the contracts entered into by European Institutions with two of the main US Cloud Services OTTs - i.e. Amazon Web Services (AWS) and Microsoft - with the principles of the Schrems II judgement. According to the EDPS opinion, transfers of personal data to the US are particularly critical. In the light of the above and upon due consideration of the importance cloud computing will have in the future for the development of State infrastructure, the EDPS deemed it advisable to devise a European strategy for the transfer of personal data by public entities, focused on a risk-based approach and on accountability - a great novelty for the GDPR - as well as on the collaboration between national Authorities and Public Administrations.

In this context, GDPR certifications will acquire specific importance, as they will allow holders to prove the attainment of a level of compliance able to increase the trust of users, clients and providers, giving a clear indication of the positive outcome of their adjustment process visible to third parties.

Finally, the Public Administration’s digitalisation strategy, advocated in the Recovery and Resilience Plan, provides a major investment for the interoperability of databases. The aim is to improve the quality of the services offered, leveraging on the PA’s wealth of information, whose use has often been characterised by serious inefficiencies due to a lack of coordination among the various public administrations. This scenario, as you may guess, always translated into further costs and red tape for both citizens and businesses.

In order to find a solution to this issue, the investment contained in the PNRR involves the creation of a National Digital Data Platform (Piattaforma Digitale Nazionale Dati or “PDND”) on which each public entity may share and make information available through a list of digital interfaces (Application Programming Interface or “API”). The interoperability of databases will lead to a significant reduction in management costs and time necessary for data sharing, often rather significant due to the over-bureaucratisation characterising Public Administration processes. Citizens and businesses will be able to access public services based on the “once-only” e-government principle, according to which users have to provide their information to authorities and administrations “once-only”, thus sharing on a single occasion all information necessary to the various interested administrations. To this end, the Agency for Digital Italy (Agenzia per l’Italia Digitale or “AGID”) will adopt Guidelines and define technical criteria and technological standards for the management of the National Digital Data Platform, as well as the process for authentication and use of API resources.

As far as the impact of this system on personal data is concerned, the Italian Data Protection Authority already expressed its favourable opinion on 8 July 2021[3], acknowledging that AGID has defined a framework of guarantees and measures aimed at ensuring the integrity and confidentiality of personal data, often particularly sensitive, exchanged between databases, complying with the privacy by design and privacy by default needs, as set forth by the GDPR obligations.

In conclusion, the Digitalisation mission within the National Recovery and Resilience Plan (PNRR) guarantees incentives and tax credits to businesses for IT products and for programming, consultancy and related services. This boost will encourage businesses in the private sector to undertake their path towards digitalisation. The trends recorded so far actually reveal, also in the private sector, the adoption of cloud computing, the introduction of artificial intelligence algorithms, the Internet of Things (IoT) and Robotic Process Automation (RPA), as a driver to perform low-value added routine activities, thus requalifying personnel for higher-value added activities.

Also in this case, it will be crucial to define suitable privacy by design and privacy by default processes, identifying the need to process personal data, specifying the relevant aims and identifying the correct legal bases legitimising the processing, in compliance with the fundamental GDPR principles.

Subjects processing data will need to be identified and authorised with specific instructions or, if external, by reviewing the necessary appointments as data controller. Particularly important will be the identification of the entire supply chain, so as to have control over the data processing.

Particularly important for cloud services, but not just for them, is the identification of the places where data are processed, in order to apply the correct guarantees for possible transfers outside the European Economic Area.

The evolution of digitalisation needs to be supported by a concurrent evolution of cybersecurity measures, which, in any case, may introduce some issues related to the potential control of remote workers. A careful analysis of the balance of interests should lead to adequate management procedures, to be agreed upon with the authorised subjects, in compliance with the provisions of the Workers’ Statute.

Moreover, as concerns the evolution of digitalisation, specific attention will have to be paid to algorithms which may affect the data subjects’ fundamental rights, such as those able to make autonomous decisions on data subjects or those performing profiling aimed at identifying attitudes or behavioural habits. In such cases, the impact on the data subjects’ rights needs to be carefully evaluated, without prejudice to the compliance with GDPR principles, assessing the various methodologies and defining the correct protection measures. Nor should it be forgotten that data subjects have the right not to be subject to decisions based only on automated processing: to this end, it will be extremely important to inform them about their right to require human intervention and to adopt the necessary procedural provisions to guarantee them the right to object to the decision.


[1] Court of Justice of the European Union (CGUE), Judgement no. C-311/18, Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems, 16 July 2020, https://eur-lex.europa.eu/legal-content/it/ALL/?uri=CELEX:62018CJ0311.

[2] https://edps.europa.eu/press-publications/press-news/press-releases/2021/edps-opens-two-investigations-following-schrems_en.

[3] https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9682994.