Scope and framework

In response to the pandemic and economic crisis, the EU adopted, in December 2020, Council Regulation (EU) 2020/2094 of 14 December 2020 establishing a European Union Recovery Instrument to support the recovery in the aftermath of the COVID-19 crisis², known as the Next Generation EU ('NGEU'), a programme of unprecedented scope consisting of two main instruments: the Recovery and Resilience Facility³ ('RRF') and the Recovery Assistance for Cohesion and the Territories of Europe⁴ ('REACT-EU').

From an economic standpoint, Italy was the first beneficiary of the economic aids provided for by these two programmes. In particular, the RRF alone provided for over €190 billion, for the period between 2021 and 2026, to be used for various objectives, including bolstering the digital transition of the country.

In order to use these economic aids efficiently, Italy adopted, in May 2021, the PNRR, a vast programme of reforms and investments articulated in the following six 'missions':

• digitalisation, innovation, competitiveness, culture, and tourism;
• green revolution and ecological transition;
• infrastructure for sustainable mobility;
• education and research;
• inclusion and cohesion; and
• health.

Some commentators argued that the PNRR should be construed as a fundamental part of a broader framework of European regulations which includes, among others, the Regulation (EU) 2022/2065 of 19 October 2022 on a Single Market For Digital Services and Amending Directive 2000/31/EC (Digital Services Act)⁵ ('DSA'), Regulation (EU) 2022/1925 of 14 September 2022 on Contestable and Fair Markets in the Digital Sector and Amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act)⁶ ('DMA'), the Proposal for a Regulation on Harmonised Rules on Fair Access to and Use of Data (Data Act)⁷ ('the Draft Data Act'), and Regulation (EU) 2022/868 of 30 May 2022 on European Data Governance and Amending Regulation (EU) 2018/1724 (Data Governance Act)⁸ ('DGA'). This framework aims at stimulating a competitive data-driven market, establishing a level playing field for businesses, and creating a safer digital space where the fundamental rights of users are protected.

Comments from the Ministry for Economic Development and the Garante

In May 2022, for the 25^th anniversary of the Italian data protection authority ('Garante'), the Italian Minister for Economic Development, Giancarlo Giorgetti, commented on the intersections between the PNRR and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The Minister declared that the PNRR represents "a unique opportunity for the country to undertake a digital transformation; also it is important that large companies continue to look at Italy to install data centres and cloud services, thus helping the country bolstering its progress". According to the Minister, it is necessary "that the investments provided for by the PNRR aim at fostering the transition of companies to reliable and modern IT systems, capable of performing thousands of operations in a short time and leveraging the full potential of artificial intelligence". Therefore, in line with other global trends, the PNNR will lead to increased (local) data processing.

This will require an increased effort in terms of cybersecurity and resilience. The Garante emphasised that the only way to fulfil the six missions envisaged by the PNRR is working on the combination of data protection and cybersecurity. Indeed, only by merging these two aspects, the digitalisation and innovation process could be developed effectively without jeopardising security. This is particularly relevant, taking into account the fact that, as stated in its 2021 annual report⁹, the Garante warned that the number of data breaches notified in 2021, by both public and private entities, increased by 50% compared to 2020.

In this regard, the Garante stressed that 'the safeguards provided for by the GDPR have a twofold objective in the context of the reforms and projects envisaged by the PNRR'. On the one hand, they aim at building trust in citizens relating to the activities carried out by public entities in the performance of their functions; on the other hand, they aim at ensuring a secure innovation process, with a competitive market that also allows for the protection of the fundamental rights and freedoms.

Digitisation and cloud

Among the missions set forth by the PNRR, mission No. 1 'digitalisation, innovation, competitiveness, culture, and tourism' is considered as the most relevant for the realm of data protection. Besides the compliance with the fundamental GDPR principles (e.g. minimisation, security, transparency, accountability, etc.), this necessitates particular scrutiny in order to adequately monitor the sub-contractors and technology suppliers (including the large players offering cloud services and artificial intelligence ('AI') systems).

In this regard, the PNRR introduced the so-called 'cloud first strategy' whereby public administrations shall decide whether to opt for cutting-edge national cloud (i.e. the National Strategic Hub¹⁰) or purchase a commercial cloud solution available on the market. While making this choice, public administrations shall take due consideration of the categories of personal data being processed (common or special categories of personal data), the volume of such data, and the characteristics of the services provided. Cloud services clearly offer public administrations a great opportunity to modernise their internal and external procedures.

However, the infrastructure and functionalities of these services often leverage upon other 'sub-cloud service providers'. Therefore, data controllers - whether public or private - shall pay due attention to all the sub-providers involved in the supply chain. This will no doubt confirm a trend of strict data mapping and further scrutiny for data transfers, as already initiated following the well-known Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('Schrems II').

Interoperability

The PNRR addresses another historical inefficiency of the Italian public administrations, i.e. the absence of interoperability between the respective databases. In this regard, the PNRR sets forth substantial investments to upgrade the architecture and the means of interconnection of public databases in order to reach full interoperability and access services more efficiently. More in detail, the so-called 'once only principle' will grant citizens and businesses the possibility to provide their data only once to the relevant public entity, without having to provide further data to other requesting public entities. All public entities potentially interested in the data concerned will in fact be able to obtain such data from the previous public entity which first received the data from the data subject/business, without any further communication being required from the same data subject/business.

To this end, the PNRR established the National Digital Data Platform ('PDND'), which is a central digital catalogue through which public administrations will be able to exchange data mutually. The PNRR also mandated the Agency for Digital Italy ('AGID') to adopt specific guidelines to define the criteria and technical standards for the management and use of the PDND. In July 2021, the Garante welcomed such reforms¹¹, specifically stating the that AGID defined a framework of safeguards that ensure the integrity and confidentiality of citizens' personal data, in compliance with the GDPR obligations, including the Privacy by Design and by Default principles.

Conclusion

The NGEU represents a unique occasion for economic growth and welfare of the EU as a whole. Within this framework, the PNRR specifically addresses some historical weaknesses of Italy. The strong incentives for the digitalisation and innovation of public administrations and companies will certainly lead to a substantial increase of personal data being processed. A careful analysis of data protection implications will be necessary at each step of the implementation process. To this end, it will prove crucial to establish a constant and efficient dialogue between the Garante and all involved public entities.

Giangiacomo Olivi Partner
[email protected]
Dentons Group B.V., Milan

1. Available at: https://www.mise.gov.it/index.php/it/pnrr/documenti (only available in Italian)
2. Available at: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=uriserv:OJ.LI.2020.433.01.0023.01.ENG
3. See at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021R0241
4. See at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32020R2221#PP2Contents
5. Available at: https://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/COMMITTEES/IMCO/DV/2022/06-15/DSA_2020_0361COD_EN.pdf
6. Available at: https://data.consilium.europa.eu/doc/document/PE-17-2022-INIT/en/pdf
7. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52022PC0068&from=EN
8. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022R0868&from=ENhttps://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022R0868&from=EN
9. Available for download at: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9787195 (only available in Italian)
10. See at: https://docs.italia.it/italia/cloud-italia/italian-cloud-strategy-docs/it/stabile/4_cloud_strategy_for_the_public_administration.html
11. See at: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9682994 (only available in Italian)