With the second draft of the legislative decree of harmonization to the GDPR, the legislator significantly altered the provisions of the previous version, abandoning the idea of a total repeal of the Privacy Code.


A few days before the entry into force of the GDPR, scheduled for 25 May 2018, the legislative decree of harmonization has not yet taken a definitive form, despite its approval must take place before 21 May. A second draft of the text of the decree has recently been received by the general accountant of the State. The content of the text considerably differs from that of the previous one, dating back to March. If the latter provided for a total repeal of the current Legislative Decree 196/2003, better known as the Privacy Code, the new version, which consists of 28 articles, opts instead for a more delicate work of only selective abrogation, enriched by some reformulations as well as by additions to the current text.

Among the most significant aspects that differentiate the second draft from the first, is, to begin with, that concerning art. 167 of the Privacy Code, which imposes criminal sanctions for the unlawful processing of personal data. The full decriminalization initially conceived by the legislator, which would have also led to the repeal of the provision under examination in order to replace the criminal sanctions with administrative sanctions, has failed in the new text. According to the new version, not only the art. 167 would remain untouched, but two additional cases would be added to it, namely the “Illegal disclosure and dissemination of personal data referable to a large number of people” (Article 167bis), as well as the “Fraudulent acquisition of personal data” (Article 167ter), punished respectively with imprisonment from one to six years and with imprisonment from one to four years.

The profiles related to the protection of the under-sixteen year old’s are also of interest, since the art. 2-quinquies of the new draft, according to the provisions of Article 8 of the GDPR, provides that the processing of personal data of the under-sixteen year old’s is lawful on condition that consent is given or authorized by the holder of parental responsibility.

This is the other way in which the new draft moves away from the previous one, where it was suggested to lower this limit to the age of fourteen.

It remains to be seen what measures will actually be adopted by the main social networks to verify the actual age of their users.

The messaging service Whatsapp, owned by Facebook, has for now required a sort of self-certification. In fact, following the last update of the application, before the access to your chats you must confirm you are sixteen years old or above. It is clearly useless measure, since it will be enough for the under sixteen years to lie about their age, without being subjected to any further control over the veracity of what was declared, in order to continue using the app exactly as before. Moreover, even crossing the data of Whatsapp with those of Facebook, the problem would not be solved, because the users could falsify their date of birth on the social network. It, therefore, appears complicated to predict which type of verification could possibly be introduced so that the adjustment to the GDPR can acquire a real meaning.

In the hypothesis in which the under sixteen years instead declare their real age, Facebook (as well as Instagram, always owned by him) has planned to request the insertion of the email address of a parent, so that the latter can give consent to the use of the social by the child.