On Wednesday 13 March 2024, the European Parliament approved the draft text of the so-called “AI Act”, the first Regulation on artificial intelligence. The Regulation establishes obligations in relation to the use of AI on the basis of possible risks and level of impact, with the aim of protecting individuals’ fundamental rights, democracy and environmental sustainability from “high-risk” systems.

“High risk” means AI systems intended to be used:

  1. for the recruitment or selection of natural persons, to place targeted job advertisements, to analyse and filter applications, and to evaluate candidates;
  2. to make decisions affecting terms of work-related relationships, the promotion or termination of work-related contractual relationships, to allocate tasks based on individual behaviour or personal traits or characteristics or to monitor and evaluate the performance and behaviour of persons in such relationships.  

For more information on this topic, please contact us at info@delucapartners.it

With order no. 642 of 21 December 2023 entitled “Computer programs and services for the management of e-mail in the workplace and metadata processing”, the Italian Data Protection Authority (‘DPA’) has provided guidelines for public and private employers on the use of computer programs and services for corporate e-mail management.


The document was issued following investigations carried out by the Italian DPA during which it emerged that there was a risk that computer programmes and services for e-mail management, marketed by providers in cloud or as-a-service mode, could collect by default, in a pre-determined and generalised manner, metadata relating to the use of e-mail accounts in use by employees, retaining them for an extended period of time. “Metadata” means information such as, for example, the day, time, sender, recipient, subject and size of the e-mail.

To ensure compliance with data protection legislation as well as the sector regulations on remote control (governed, as is well known, by Article 4 of Italian Law no. 300/1970, the “Workers’ Charter”), employers must:

  • verify that the computer programs and services for e-mail management allow the basic settings to be changed, preventing the collection of metadata or limiting the retention period to a maximum of seven days, which can be extended by a further 48 hours under specific conditions;
  • alternatively, carry out the guarantee procedures provided for in Article 4 of the Workers’ Charter, i.e. sign a trade union agreement or obtain an authorisation from the National or Area Labour Inspectorate. This is because extending the retention period beyond the seven/nine day time frame may lead to indirect remote control of the worker’s activity;
  • in any event, ensure the necessary transparency towards workers by providing them in advance with specific information on the processing of personal data.

In other words, if, to meet organisational and production needs, the protection of company assets and occupational safety, the retention of data cannot be limited to the periods indicated by the DPA, employers will have to sign a trade union agreement or obtain an authorisation from the Labour Inspectorate.

In the absence of this, there is considered to be remote control of workers’ activities, which may also have criminal consequences, in addition to breach of the personal data protection legislation with the following consequences: (i) the unlawfulness of the processing of personal data, (ii) the breach of the principle of limitation of retention, and (iii) breach of the principles of data protection by design and by default as well as the principle of accountability.
In any event, it should be noted that, pending the completion of the guarantee procedures, the metadata must not be used.


Italian Legislative Decree no. 24/2023, which implements Directive (EU) 1937/2019 and introduces the new legal framework on whistleblowing, has come into effect. Laws on whistleblowing have already been in force for some years in companies required to implement the 231 Models, and detailed and specific provisions on procedure and sanctions now apply to all companies.

The term “whistleblowing” refers to the activity of reporting breaches of national or EU regulatory provisions of which workers have become aware in the context of work. For companies with more than 250 employees, the obligation to adopt adequate reporting systems has been in force since 15 July 2023, while for small and medium-sized enterprises the obligation came into force on 17 December.

Conduct, acts or omissions that harm the public interest or the integrity of the public administration or private entity and that consist of breaches attributable to the specific cases listed in the decree must be reported.

A person who believes that the conditions for a report are met may use the following channels: (i) internal reporting; (ii) external reporting, if there is no mandatory activation of the internal reporting channel, or if this has already been done without follow-up, if the whistleblower has reasonable grounds to believe that the internal report would not be followed up or there would be a risk of retaliation or if the whistleblower has reasonable grounds to believe that the breach constitutes a danger to the public interest; (iii) public disclosure, if the whistleblower has already made an internal and/or external report without feedback, if there is reasonable ground to believe that the breach may constitute a danger to the public interest, or if there is reasonable ground to believe that the external report may involve the risk of retaliation or may be ineffective; (iv) complaint to the judicial authority, at any stage.

Internal channels must ensure the confidentiality of the reporting person, the content of the report, the facilitator and the person concerned. When establishing internal reporting channels, it is necessary to use suitable tools to receive reports both orally and in writing, as the whistleblower is guaranteed both methods.

In this regard, the Italian National Anti-Corruption Authority (Autorità Nazionale Anticorruzione, ‘ANAC’) with resolution 311 of 12 July 2023 considered that ordinary e-mail and certified e-mail (PEC) did not guarantee confidentiality, and thus required the use of online platforms. As far as the paper report is concerned, the ANAC has requested that it be placed in two sealed envelopes (one with the identification data and the second with the actual report), then both envelopes should be inserted in a third sealed envelope with the external wording “confidential” for the manager of the report.

To implement the new regulatory obligation, companies must identify the channel in an organisation-specific document; inform trade union representatives; make clear information available to the reporting person about the channel, procedures and conditions for making internal or external reports (e.g. via the website or platform page); guarantee the training of those who are entrusted with the management of the reporting channel and of all internal staff; adapt the 231 organisational model (if adopted); and put in place all the measures required under the regulations on the protection of personal data and the processing carried out to comply with it. Finally, companies will have to adopt a sanctioning system in the event of breach of the decree provisions.

In conclusion, under the regulatory framework that arises from Italian Legislative Decree no. 24/2023, companies and operators must pay great attention to the preparation of policies and organisational and management tools necessary for the implementation of legal obligations to ensure the protection and enhancement of each organisation’s ethical principles.

By judgment of 26 September 2023, no. 46188, the Italian Court of Cassation, Third Chamber, ruled on the components necessary for the offence referred to in Article 4 of Italian Law no. 300 of 1970 (the “Workers’ Charter”) stating that the installation of a video surveillance system without the authorisation required by law does not constitute an offence if there are no employees within the company premises and if the system does not imply effective monitoring of work activities.

The facts of the case

The Court of Messina held the owner of a commercial establishment to be criminally liable for the offence referred to in Article 4 of Italian Law no. 300 of 1970, ordering it to pay a fine of EUR 3,000 for having installed a video surveillance system inside its business premises in the absence, in this case, of authorisation from the Territorial Labour Inspectorate (Ispettorato Territoriale del Lavoro, “ITL”).

The owner appealed against this decision to the Italian Court of Cassation on the ground, among others, of the breach of Article 4 of the Workers’ Charter, arguing that the Court of first instance had not provided information on two central aspects of the offence, namely (i) whether the system was used to record images and (ii) whether employees were employed at the owner’s company.

The applicant stated that the system installed was closed-circuit, did not involve any image recording, and that its company had no staff.

The Italian Court of Cassation’s decision

In ruling on the case, the Italian Court of Cassation took the opportunity to briefly summarise the rules and principles in force regarding video surveillance and remote monitoring of workers.

First, it pointed out that the presence of employees in the place filmed by the video surveillance systems is “an essential requirement for the offence in dispute”, since the provision referred to in Article 4, paragraph 1, of the Workers’ Charter is specifically aimed at regulating the employer’s use of audio-visual systems – and other tools which may also enable remote monitoring – “of workers’ activities”.

Secondly, the Italian Court of Cassation noted that there is no breach of the legislation if a system, although installed in the absence of an agreement with the legitimate trade union representatives or an authorisation from the ITL, “is strictly for the purpose of protection of the company’s assets”, provided that (i) “its use does not imply significant monitoring of the ordinary performance of employees’ work activities” or (ii) “necessarily remains ‘confidential’ to enable the investigation of serious unlawful conduct”.

However, the decision of the court of first instance did not clarify whether the conditions referred to in paragraphs (i) and (ii) above were fulfilled in the present case. Consequently, since those conditions required an assessment on the merits, the Court set aside the judgment under appeal and referred the case back to the same Court sitting in a different composition.


Vittorio De Luca took part in the conference promoted by RSM Studio tributario e societario entitled: “The new whistleblowing law: small step forward or breakthrough?”.

Focus

In the course of his speech, Vittorio addressed the employment law aspects of the whistleblowing regulations: in particular, he examined the measures put in place to protect those who report unlawful acts that have come to their knowledge in the work context (so-called whistleblowers) by Italian Legislative Decree no. 24/2023, as well as the burdens and obligations imposed on companies to comply with the regulations in force and to be able to handle any reports received in the best possible way.

In particular, the following topics were addressed:

  • The purpose and method;
  • The work context;
  • Whistleblowers;
  • The personal interest of the whistleblower;
  • The definition of retaliation;
  • The prohibition of retaliation;
  • Breach of the prohibition of retaliation;
  • The employer perspective;
  • Disciplinary sanctions.