ITALY: Personal data “CAN” be transferred under the Privacy Shield

Following the Schrems Judgment, there was some uncertainty as to the legal basis to transfer personal data from Italy to the US.

Consistently with other European Data Protection Authorities, also the Italian Data Protection Authority (Garante per la protezione dei dati personali, “the Italian DPA”) authorized the transfer of personal data to the US under the so-called Privacy Shield, i.e. the new agreement signed between the EU and the US which served as the alternative for the old Safe Harbour that was invalidated by the European Court of Justice (for further information see here).

In light of the above, it can now be confirmed that also the Italian jurisdiction formally conforms to the latest European Commission Adequacy Decision that declared that an adequate level of protection is granted for the data of EU residents that are transferred to US organizations certified under the Privacy Shield mechanism.

The Italian DPA has nevertheless reserved the right to further verify the compliance of the data transfer, adopting, where necessary, all restrictive measures provided by the Italian Privacy Code. In this respect the Italian DPA made a specific reference to the Article 29 Working Party statement which emphasized the role of the DPAs joint review of the Privacy Shield mechanism, including a right to directly access all necessary information, including elements allowing a full evaluation of the necessity and proportionality of the collection and access to the personal data transferred. Certain commercial aspects, as well as the access to the personal data by the US public authorities, will no doubt be under a closer scrutiny during the so called Privacy Shield First Annual Joint Review as referred in the European Commission Decision.

Is this the end of the EU-US data transfer saga? Probably not, as some commentators do not exclude that the Privacy Shield validity will still be challenged in the future. Under such circumstances, it may well be assessed other data transfer solutions, including, for instance, the EU Standard Contractual Clauses which also allow transfers involving other jurisdictions than the US.