The Supreme Court set the limits within which a privacy breach can amount to a crime in Italy, narrowing down the scope in a regime with considerably high GDPR fines.
With decision No. 2243 of January 20, 2022, the Italian Supreme Court ruled on a proceeding where the manager of an investigation agency was sentenced to six months' imprisonment for the crime referred to in Article 167 of the Italian Privacy Code.
In particular, the manager was guilty of the above crime because, in collaboration with the instructing party, he had collected and stored data relating to his wife without the consent of the individual and outside the cases provided for by the Italian Privacy Code, as well as beyond the terms established by the mandate given by the instructing party.
In the case in question, the Supreme Court provided some significant clarifications regarding the crime of unlawful data processing referred to in article 167, paragraphs 1 and 2, of the Italian Privacy Code, according to which:
- “Unless the act constitutes a more serious offence, anyone who, to gain profit for himself or others or to cause damage to the interested party, operating in violation of the provisions of Articles 123, 126 and 130 or the measure referred to in Article 129 causes damage to the interested party, shall be punished by imprisonment from six months to one year and six months”; and
- “Unless the act constitutes a more serious offence, whoever, to gain profit for himself or others or to cause damage to the interested party, by processing personal data as per articles 9 and 10 of the Regulations in violation of the provisions of articles 2-sexies and 2-octies, or of the guarantee measures as per article 2-septies causes damage to the interested party, is punished with imprisonment from one to three years”.
In the first place, the Supreme Court pointed out that the offences in question are not specific to the data controller or processor, since they are common crimes that can be committed by “anyone”. It also pointed out that the term “harm” referred to in the provisions mentioned above is to be understood as a legally relevant prejudice of any kind, whether financial or non-financial, suffered by the person to whom the protected personal data refer as “damage-consequence”, indemnifiable according to article 185 of the Italian criminal code and articles 2034 and 2059 of the Italian civil code.
Moreover, this “harm” represents a constitutive element of the offences under discussion, not an objective condition of punishability, with the difference that, for the offence referred to in the second paragraph of article 167, the material object of the illicit conduct is only the data referred to in articles 9 and 10 of the GDPR. Therefore, these are crimes of concrete danger, rather than presumed danger, with respect to which the harm “performs the function of giving effect to the protection of the confidentiality of personal data”.
However, the most relevant statement in the judgment in question is that, according to the Supreme Court, for the purposes of the crime referred to in article 167, paragraph 2, the pure and simple violation of the prohibition of data processing is not sufficient; it is also necessary that the processing takes place in violation of articles 2-sexies and 2-octies, or of the safeguards under article 2-septies of the Privacy Code.
Therefore, in order for the privacy crime referred to in article 167, paragraph 2, to be committed in Italy, it is necessary that the illicit conduct either (i) causes damage to the individual; or (ii) is carried out with the specific intent to gain profit, for oneself or others, or cause damage to the individual; or (iii) constitutes a violation of the provisions referred to in articles 2-sexies and 2-octies, or of the guarantee measures referred to in article 2-septies of the Italian Privacy Code. In the absence of these elements, the mere violation of the ethical rules of conduct constitutes an administrative offence under article 166, paragraph 2, of the Privacy Code.
This decision is relevant since it takes into account how the new provisions of the Italian Privacy Code, introduced as a consequence of the applicability of the GDPR, have narrowed down the scope of a crime for privacy breaches in Italy, perhaps also because of the considerably higher administrative sanctions introduced by the EU Data Protection Regulation.
On a similar topic, it is possible to read the article “Italy among the countries with the highest GDPR fines in 2021 for DLA Piper report”.