Italian Legislative Decree no. 24/2023, which implements Directive (EU) 1937/2019 and introduces the new legal framework on whistleblowing, has come into effect. Laws on whistleblowing have already been in force for some years in companies required to implement the 231 Models, and detailed and specific provisions on procedure and sanctions now apply to all companies.

The term “whistleblowing” refers to the activity of reporting breaches of national or EU regulatory provisions of which workers have become aware in the context of work. For companies with more than 250 employees, the obligation to adopt adequate reporting systems has been in force since 15 July 2023, while for small and medium-sized enterprises the obligation came into force on 17 December.

Conduct, acts or omissions that harm the public interest or the integrity of the public administration or private entity and that consist of breaches attributable to the specific cases listed in the decree must be reported.

A person who believes that the conditions for a report are met may use the following channels: (i) internal reporting; (ii) external reporting, if there is no mandatory activation of the internal reporting channel, or if this has already been done without follow-up, if the whistleblower has reasonable grounds to believe that the internal report would not be followed up or there would be a risk of retaliation or if the whistleblower has reasonable grounds to believe that the breach constitutes a danger to the public interest; (iii) public disclosure, if the whistleblower has already made an internal and/or external report without feedback, if there is reasonable ground to believe that the breach may constitute a danger to the public interest, or if there is reasonable ground to believe that the external report may involve the risk of retaliation or may be ineffective; (iv) complaint to the judicial authority, at any stage.

Internal channels must ensure the confidentiality of the reporting person, the content of the report, the facilitator and the person concerned. When establishing internal reporting channels, it is necessary to use suitable tools to receive reports both orally and in writing, as the whistleblower is guaranteed both methods.

In this regard, the Italian National Anti-Corruption Authority (Autorità Nazionale Anticorruzione, ‘ANAC’) with resolution 311 of 12 July 2023 considered that ordinary e-mail and certified e-mail (PEC) did not guarantee confidentiality, and thus required the use of online platforms. As far as the paper report is concerned, the ANAC has requested that it be placed in two sealed envelopes (one with the identification data and the second with the actual report), then both envelopes should be inserted in a third sealed envelope with the external wording “confidential” for the manager of the report.

To implement the new regulatory obligation, companies must identify the channel in an organisation-specific document; inform trade union representatives; make clear information available to the reporting person about the channel, procedures and conditions for making internal or external reports (e.g. via the website or platform page); guarantee the training of those who are entrusted with the management of the reporting channel and of all internal staff; adapt the 231 organisational model (if adopted) and put in place all the measures required under the regulations on the protection of personal data and the processing carried out to comply with it. Finally, companies will have to adopt a sanctioning system in the event of breach of the decree provisions.

In conclusion, under the regulatory framework that arises from Italian Legislative Decree no. 24/2023, companies and operators must pay great attention to the preparation of policies and organisational and management tools necessary for the implementation of legal obligations to ensure the protection and enhancement of each organisation’s ethical principles.

By judgment of 26 September 2023, no. 46188, the Italian Court of Cassation, Third Chamber, ruled on the components necessary for the offence referred to in Article 4 of Italian Law no. 300 of 1970 (the “Workers’ Charter”) stating that the installation of a video surveillance system without the authorisation required by law does not constitute an offence if there are no employees within the company premises and if the system does not imply effective monitoring of work activities.

The facts of the case

The Court of Messina held the owner of a commercial establishment to be criminally liable for the offence referred to in Article 4 of Italian Law no. 300 of 1970, ordering it to pay a fine of EUR 3,000 for having installed a video surveillance system inside its business premises in the absence, in this case, of authorisation from the Territorial Labour Inspectorate (Ispettorato Territoriale del Lavoro, “ITL”).

The owner appealed against this decision to the Italian Court of Cassation, on the ground, among others, of the breach of Article 4 of the Workers’ Charter, arguing that the Court of first instance had not provided information on two central aspects of the offence, namely (i) whether the system was used to record images and (ii) whether employees were employed at the owner’s company.

The applicant stated that the system installed was closed-circuit, did not involve any image recording, and that its company had no staff.

The Italian Court of Cassation’s decision

In ruling on the case, the Italian Court of Cassation took the opportunity to briefly summarise the rules and principles in force regarding video surveillance and remote monitoring of workers.

First, it pointed out that the presence of employees in the place filmed by the video surveillance systems is “an essential requirement for the offence in dispute”, since the provision referred to in Article 4, paragraph 1, of the Workers’ Charter is specifically aimed at regulating the employer’s use of audio-visual systems – and other tools which may also enable remote monitoring – “of workers’ activities”.

Secondly, the Italian Court of Cassation noted that there is no breach of the legislation if a system, although installed in the absence of an agreement with the legitimate trade union representatives or an authorisation from the ITL, “is strictly for the purpose of protection of the company’s assets”, provided that (i) “its use does not imply significant monitoring of the ordinary performance of employees’ work activities” or (ii) “necessarily remains ‘confidential’ to enable the investigation of serious unlawful conduct”.

However, the decision of the court of first instance did not clarify whether the conditions referred to in paragraphs (i) and (ii) above were fulfilled in the present case. Consequently, an assessment of the merits of those conditions required the Court to set aside the judgment and refer the judgment under appeal back to the same Court sitting in a different composition.


Vittorio De Luca took part in the conference promoted by RSM Studio tributario e societario entitled: “The new whistleblowing law: small step forward or breakthrough?”.

Focus

In the course of his speech, Vittorio addressed the employment law aspects of the whistleblowing regulations: in particular, he examined the measures put in place to protect those who report unlawful acts that have come to their knowledge in the work context (so-called whistleblowers) by Italian Legislative Decree no. 24/2023, as well as the burdens and obligations imposed on companies to comply with the regulations in force and to be able to handle any reports received in the best possible way.

In particular, the following topics were addressed:

  • The purpose and method;
  • The work context;
  • Whistleblowers;
  • The personal interest of the whistleblower;
  • The definition of retaliation;
  • The prohibition of retaliation;
  • Breach of the prohibition of retaliation;
  • The employer perspective;
  • Disciplinary sanctions.

On 10 July 2023, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework ensuring that the United States of America guarantees an adequate level of protection of personal data comparable to that of the European Union.

The adequacy decision is one of the tools provided for by Regulation (EU) 2016/679 (the ‘Regulation’) to transfer personal data from the European Union to third countries that, upon prior assessment by the European Commission, offer ‘an adequate level of protection’, i.e. a level of protection of personal data equivalent to that guaranteed within the EU.

The consequence is that personal data can be transferred securely and can be managed in the same way as data transmissions that take place within Europe.

What does the new EU-US Data Privacy Framework entail?

The EU-US Data Privacy Framework is structured around a self-certification mechanism whereby US companies undertake to comply with a number of personal data protection obligations, including, but not limited to, compliance with the principles of purpose limitation, data minimisation and retention, as well as specific obligations regarding data security and data sharing with third parties.

The organisations’ undertakings will be renewed on an annual basis and are subject to checks and monitoring by the U.S. Department of Commerce, which will process certification applications and periodically verify compliance with the requirements by participating companies.

European citizens will benefit from several independent and impartial remedies in the event that their data is processed in a non-compliant manner, including the newly established Data Protection Review Court (DPRC).

US law will provide a number of safeguards, including limiting access to personal data by public authorities to what is necessary and proportionate to protect national security or to enforce criminal law.

In any case, the Data Privacy Framework will be subject to periodic revisions by the European Commission together with representatives of the European data protection authorities and the competent US authorities. The first review will take place within one year of the entry into force of the adequacy decision.

The other instruments provided for by the Regulation

It is worth remembering that in addition to the adequacy decision, the Regulation also provides for other tools to ensure the correct transfer of data outside the European Union, including:

  • the adoption of Standard Contractual Clauses;
  • the adoption of Binding Corporate Rules (BCR) by large international groups following negotiations with the supervisory authorities of the countries involved;
  • adherence to specific Codes of Conduct or, in any case, to certification mechanisms which must be simultaneously applied by the entity to whom the data are transferred;
  • the consent of the data subject who must be adequately informed as required by the Regulation itself.

◊◊◊◊

As most recently pointed out in the information note of the European Data Protection Board (EDPB) of 18 July 2023, all the protections provided by the US government in the field of national security apply to all transfers of personal data made to companies in the United States, regardless of the transfer mechanisms used. Therefore, these guarantees also serve to facilitate the use of the other instruments provided for by the Regulation.


Workers must be informed of the use of fully automated decision-making or monitoring systems. In particular, they must be informed of the aspects of the relationship involved, the purposes of the systems, and how they operate.

The emergence of technologies using artificial intelligence systems and their increasing use has ushered in a new round of debate on the key ethical, social and legal issues surrounding the use of such technologies and their consequences.
At EU level, the need has emerged to ensure that new technologies develop while respecting the fundamental rights and dignity of individuals, to achieve goals that do not conflict with the interests of the community. To this end, the European Commission put forward a Proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence launched in Brussels on 21 April 2021 and approved on 14 June 2023 (Artificial Intelligence (AI) Act).
The work environment is not immune to such changes, if we think, for example, of the systems used for logistics management in warehouses as well as the platforms employed by riders.

The Artificial Intelligence Act and the Transparency Directive

The AI Act classifies as ‘high-risk systems’ those used ‘in employment, workers management and access to self-employment, [intended to be used] for recruitment and selection of natural persons […] for making decisions on promotion and termination […] for task allocation, and for monitoring and evaluating performance […] of persons in such relationships’. This classification stems from the fact that ‘those systems may appreciably impact future career prospects and livelihoods of these persons’.

In relation to the rapid development in the work environment of automated systems and the associated risks, the European Union has also stressed the importance of workers being fully and promptly informed of the fundamental terms and conditions of their employment. To this end, the national legislature implemented Directive (EU) 2019/1152 on transparent and predictable working conditions. This has resulted in employers being required to provide workers and employment organisations with information regarding the use of automated decision-making or monitoring systems (Article 1-bis of Italian Legislative Decree No. 152/1997, introduced by the Transparency Decree, Italian Legislative Decree No. 104/2022). The purpose, as outlined in the introduction and Article 1 of the EU Directive, is to improve working conditions by promoting more transparent and predictable employment, while ensuring labour market adaptability to new technologies. Specific disclosure is required when the manner in which workers’ services are performed is organised through the use of automated decision-making and/or monitoring systems, which provide relevant information regarding the recruitment, assignment, management or termination of employment, assignment of tasks or duties, and supervision, evaluation, performance, and fulfilment of workers’ contractual obligations.

The full version can be accessed at Norme e Tributi Plus Lavoro of Il Sole 24 Ore.