The new seat the our Law Firm in Rome

Our Clients could meet Mr. Di Resta and his team in the new seat of the Di Resta Lawyers Law Firm in Viale Mazzini, 123, our new seat is very close to the Appeal Court�of Rome and also to Civil Tribunal of Rome.




Intervista radiofonica dell’Avvocato Di Resta in ordine alla conservazione dei dati di traffico

Approvata la legge che estende ulteriormente i termine di conservazione dei dati di traffico telefonici e telematici portanto i termini di conservazione a 72 mesi in deroga all’art. 132 del Codice della Privacy. Per finalit� di lotta al terrorismo si ripercorre la strada della conservazione massiva dei dati di traffico degli italiani, come se la disponibilit� di immensi database sui cittadini consentisse anche l’immediata disponibilit� di dati utili per le indagini, equazione evidentemente non vera. La storia recente sul tema ha mostrato come la conservazione massiva sia inutile, si veda la storia relativa al decreto Pisanu. Questi i temi affrontati durante l’intervesta dell’avvocato Di Resta. Per maggiori dettaglio �

possibile ascolare l’intera intervista

nel link sottostante:

EU regulation on data protection: One continent, one law and the impact of the new requirements by Fabio De Resta

The article of Fabio Di Resta, Lecturer at Sapienza University of Rome and member of the Editorial Board of the Journal of Data Protection and Privacy, has been recently published. To read the abstract see the link underneath:

Di Resta provides his contribution on the public consultation on Data Protection Officer

Here you can find the contribution of the European Privacy Centre (EPCE) to the public consultation on the Data Protection Officer published by the Article 29 Working Group. Di Resta participated as the President of EPCE, click underneath to read more in detail:

Released The Draft Adequacy Decision on Transatlantic Data Flows: Privacy Schield

The 2013 Communication by the

European Commission is confirmed as the action plan to draft the Privacy Shield and the�Umbrella Agreement.

Here you can read all the

legal texts�released by the European Commission today:

To read our previous comments on Privacy

Shield, click here:


E.U.-U.S. Privacy Shield: Still Self-Certification but Stronger Transparency Is a Real Improvement in respect of Safe Harbour Agreement

Fabio Di Resta – Attorney, LL.M., Founding partner at Di Resta Lawyers, Member of the Board of Directors at the Master Privacy at the �Roma Tre� University in Rome, Law Department

As is well-known, on October 6 2015, the European Court of Justice with the judgment C-362/14 declared the decision n. 520/2000/EC of the European Commission invalid, this approved the scheme of personal data transfer under the old Safe Harbour framework. The judgment confirmed the Commission’s approach since November 2013 to review the Safe Harbour arrangement, to ensure a sufficient level of data protection as required by EU law.

In its preliminary ruling, the Court recognized to Data Protection Authorities the power to evaluate and monitor the data flows protection of the state of destination (U.S.), and in particular, this power consists of analyzing all the relevant legal aspects to consider this “essentially equivalent” with the European Directive 95/46/EC.

Under the Data Protection law approach, the Court considered the actual U.S. legislation not compliant with the �essentially equivalent � test and that �of

three fundamental rights: the right on personal data protection, on reserved personal and family communications and the right on effective juridical assistance ( articles 7, 8 and 47 of the Charter of Fundamental Rights of the EU).

The impact of the judgment would have been enormous and bursting on the world digital economy, it should also be noted that it has influenced more than about 4,500 American businesses operating on Safe Harbour, including Internet giants such as Apple, Google, Microsoft, Facebook, Yahoo; in particular, until 2013� the adherent companies were around 3,246, of these 51% used to transfer personal data from the E.U. to U.S. on the human resources purpose, meanwhile, 60% of these ones were businesses with less than 250 employees.

On 2 February the U.S. and EU Authorities, after having disputed on subject for months, have finally announced the new signed agreement which replaced the old Safe Harbour.

Under the new agreement called E.U.-U.S. Privacy Shield, according to the official communication by the European Commission, the new international deal is based on three pillars:

  • enforcement of strong obligations on adherent companies handling Europeans� personal data and implementing measures: although the self-certification system is maintained from the old Safe Harbour, the new agreement is reinforced with �robust obligations� on data processings including publicity of these obligations, as well as the guarantees for the rights protection of European citizens under monitoring and supervision by the U.S. Department of Commerce. In line with the judgment of the Court of Justice, it is stated that any company handling human resources data from Europe has to be compliant with the decisions by European DPAs.
  • clear safeguards and transparency obligations on U.S. government access for the Public Authorities: the US has given the E.U. assurances on the access for the public authorities and for the NSA, the exceptions for limited access must be only to the extent necessary and must be proportionate, any discriminate mass surveillance on the personal data transferred to the U.S. is to be rolled out. To regularly monitor the functioning of the arrangement there will be an annual joint review by the European Commission and the U.S. Department of Commerce, which will also include the issue of national security access, besides, national intelligence experts from the U.S. and European Data Protection Authorities are invited to it;
  • effective protection of E.U. citizens’ rights with several redress possibilities: this is very much alike to the European data subjects� rights, in fact, any European citizens can complain on companies (included the so-called subject access request); moreover, companies have deadlines to replay to complaints, European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute Resolution will be free of charge. Moreover, a new Ombudsman will be created for complaints on possible access by national intelligence authorities.

Although a new deal has been announced and achieved with great difficulty, actually we should wait for the full text of the agreement to analyze preconditions and effective measures, but it is already clear that this agreement is compromise solution of the problem with little room for a rigorous approach of the application of the European law standards .

More in detail, the draft �adequacy decision� still to be drawn up by European Commission, also through the involvement of WP29, this will happen within the next weeks, after this period we will see if the specific transparency requirements, safeguards and available redresses will be sufficient to the protection of Europeans� fundamental rights.

It appears clear that one requirement come first in order of priority, transparency requirement is a critical element in this agreement, without effective transparency no protection is possible, when European Commission says �strong obligation� this should be meant, firstly, as the obligation relating to adherent companies to the Privacy Shield to publish adequate privacy policies which should include privacy conditions of �any contracts adherent companies concluded with subcontractors, e.g. cloud computing services�. Situations in which there were onward transfers from Safe Harbour self-certified companies to third parties acting as �agents� needed notifications to Department of Commerce of privacy safeguards to minimize risks, according to European Commission�s statements (COM 847 final, 27.11.2013, page 18).

According to the European Commission the above-mentioned situation was one of the strong weaknesses of the Safe Harbour Agreement. The European Commission also stressed that privacy policy should indicate clearly when exceptions for national security, public interest and law enforcement requirements are applied.

This position is fully coherent with the recent communication of Working Party Article 29 (WP29)which stated last 3 February that: �Processing should be based on clear, precise and accessible rules: this means that anyone who is reasonably informed should be able to foresee what might happen with her/his data where they are transferred�.

The WP29 requires that the Privacy Shield guarantees that individuals be �reasonably informed�, exactly in line with the European Commission�s approach since November 2013, publicity of extensive privacy policy with specific reference to exceptions is the precondition to any possible protection of fundamental rights.

Also the US Department of Commerce has recently published a briefing in which it has stressed that the importance of transparency obligations and has stated more in detail that the agreement brings �new contractual privacy protections and oversight for data transferred by participating companies to third parties or processed by those companies� agents to improve accountability and ensure a continuity of protection�.

In general terms, on one hand, the “essentially equivalent” test should not be meant as a direct application of the European legislation on the U.S., but common legal requirements to guarantee European fundamental rights should be.

On the other hand, in respect of the Safe Harbour Agreement the solution adopted is a further step towards the alignment between the European and American legislation systems on data protection law, and last but not least this is the reply which provides legal certainty to the numerous enterprises operating in world digital economy.

In conclusion, it is to be considered that this political agreement will give an effective protection to any European citizens to the extent that Europeans will be timely and adequate informed from the companies which will be obliged to timely reply on the request to access their personal data, to fulfill this robust obligation could be not as easy as it could appear, taking also into account the involvement of the European DPAs whose decisions will be binding for the companies.


Privacy Shield Replaced the Old Safe Harbour Agreement

As is well-known, on October 6 2015, the European Court

of Justice with the judgment C-362/14 declared the decision n. 520/2000/EC of the European Commission invalid, this approved the scheme of personal data transfer under the old Safe Harbour framework. The judgment confirmed the Commission’s approach since November 2013 to review the Safe Harbour arrangement, to ensure a sufficient level of data protection as required by EU law.

Here you can

find the communication by European Commission:

Here you can find the communication by WP29:

Conference “A quality education for the new challenges of privacy” – 24th November 2015

The conference on the new privacy challenges�at the University of Rome next 24th November 2015 at 14.30, during the conference it was introduced the new Master on Data Protection Officer, a Master held

under the patronage of �the Italian Data Protection Authority .

The event is divided into several sessions referred to privacy critical issues:�the role of the Data Protection Officer; privacy and transparency; privacy and health issues of electronic communications and big data.

The program requires the involvement of many institutional speakers including Prof. Licia Califano component of the Italiana Data Protection Authority�and the Consultant�of the the Prime Minister Office Dr. Alberto Stincarelli, Prof. Carlo Colapietro, Professor of Public Law in addition to the Attorney Fabio di Resta, President of the European Privacy Centre (EPCE).

Free admission to the event, for info:


Authors: Fabio Di Resta and Nicola Fabiano (published in 2012 by IAPP)


In the new proposed regulation on EU data protection law there are many important provisions, most of them are necessary to address the future challenges of data protection in the Internet environment.  The principles of effectiveness (i.e. stronger powers to DPAs, PIAs, mandatory appointment of DPO, the principles ofprivacy by design and by default, etc.), accountability and transparency are the founding stones on which the new proposed regulation was built.

The main objectives of the regulation draft is to fulfill the ambitious harmonisation of the data protection laws of EU Member States and the enhance to consumers’ trust on the Internet through stronger data protection rules at the EU level.

In this article different legal aspects of the proposed framework will be analysed.


Extra-territorial criterion: more specific exemptions

In respect of external scope, it should be considered that the main reason of the broad scope of the existing 95/46/EC Directive is to ensure that individuals are in any case not deprived of EU data protection law  and to prevent actions from circumventing the EU law.

The choice of the European Commission to enhance the threshold – as recently amended in the published draft – to trigger the application of EU law outside the EU/EEA seems appropriate to address the future challenges of Internet but still could use some amendment, such as more structured exemptions to not discriminate complex organizations. In respect of this point different situations are exempted from the EU law application (article 3 par. 2 and article 25): any controller established in third countries which ensures an adequate level of data protection; any public body; any controller only occasionally offering goods and services to data subjects residing in the EU and all enterprises employing fewer than 250 persons.

This last exemption – which referred particularly to SMEs – could use some amendment. Also to be considered is the complexity of organizations which operate through the Internet and offers of specific products or services often come from single departments or business units which belong to an organization as a single controller, these departments and units – also with limited staff – have their own budget connected to specific activities (products and services). Thus the quantitative or dimension criterion of 250 persons with regard to the overall activity of big organizations should probably be rethought and the relevance (ancillary or otherwise) in the specific organization of the products or services offered in EU (recitals 20, 63 and 64 of the EC regulation draft) should be taken into account.

The mandatory appointment of a representative established in the EU/EEA could impact negatively on the activity of these departments and business unit – in case they are considered data processor and not a controller – and this provision could be considered too dissuasive by big organizations which only have ancillary activity in Europe, especially owing to the fact that these rules already apply to SMEs

Consequently, without an enlargement of the exemption there could be several negative effects, for example, the representative appointment could be an economic barrier which restrict the choice of EU/EEA consumers who will not be able to purchase on-line products and services coming from organizations located outside of the EU.


Cloud computing scenario: comparative analysis under the existing 46/95/CE Directive and under the Regulation draft (one-stop-shop and the main establishment criteria)

In the following paragraphs one scenario will be analysed, both under the existing EU/EEA directive and the new regulation draft.

In this IT model personal data are usually processed and stored on servers in several places around the world. The exact place where the data are stored is not always known and it can change over the time. In order to trigger the applicability of EU Law the relevant information is the context of activity of the establishment within the EU (principle of establishment) and the location of the equipment.

In order to deeply understand the applicable law issues, the first step is to identify the data controller and its activities. In this context, the buyer of the cloud service could be a data controller. A company uses an agenda service on-line: if the company uses the agenda in the context of activity of its establishment in the EU, the EU law will be applicable. However, the cloud provider could also be, under some circumstances, a data controller. This is the case when it provides for an agenda on-line and document sharing where private parties can upload all their personal appointments and contacts,  theirsynchronization and they can upload documents storing them and sharing with them selected persons. Different key factors should be taken into account: the context of activity of the establishment; its degree of involvement and its nature of activity. Where the cloud provider is a data collector located in the UK, Germany and Italy and all of them are establishments,  server and technical staff for the agenda on-line are located in UK, meanwhile the servers, software and technical staff for the document sharingactivity are located in Germany. On the contrary, the establishment in Italy is not involved in this activity. According to art. 4 of the existing Directive, English law is applicable to the establishment located in UK, likewise German law applies to the establishment located in Germany with the further consequence to obliged to deal with German and English DPAs, lastly, Italian law is not applied the this data processing not being the Italian establishment involved.

One of the implications of the approachmentioned above is the risk of the overlap of national laws applicable to the same data processing with the further consequence to deal with several jurisdictions and Data Protection Authorities. In order to overcome this problem and to give more legal certainty, in the EU regulation draft the main establishment principle was worded, this principle – also called one-stop shop criterion-  will apply when a data controller or processor is established in more Member States (Recitals 13 and 98 – article 51 paragraph 2).

This is a good principle because it gives legal certainty to companies who do business in Europe with the possibility to comply with one law for the whole of the EU territory and to deal with a single data protection authority (lead authority).  Analysing the mentioned cloud computing scenario – in light of the EU regulation draft –once  the context of activity of establishments has been identified, also the purpose, means and conditions should be taken into account. Thus, it could be considered that all the services offered by the cloud provider to users – which upload data for the agenda and documents for storing and/or sharing them- has the same purpose, so it should be regarded that only one process is operated. Furthermore, considering that the English establishment manages the main activity, being the place of central administration which decides in order of the processing of the users, then only the English law will be applicable and the English Information Commissioner will be the Lead Authority to address all complaints from data subjects resident in the EU territory.


The principles of privacy by design and by default and the Commission’s controls

The new legal framework about data protection proposed by the EU Commission introduces, with respect to the Directive 95/46/EC, the reference to “data protection by design and by default” (article 23 of the Proposal for a Regulation and article 19 of the Proposal for a Directive). Also, even though these articles do not describe the data protection by design and by default, they compel the controller to “implement appropriate technical and organisational measures and procedures…” and also to “implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing…”. The EU Commission preferred to describe the controller duties instead of setting legal status of the data protection by design and by default. It is very important to clarify the meaning of “data protection by design and by default”, focusing on the true sense of these terms. On the other hand, it is as interesting to distinguish the expression “data protection by design” from “data protection by default” and to find the actual meaning of each term because the phrase used by the EU Commission seems to highlight a difference between the two terms. According to the text of the article it is clear that the EU Commission shall consider “by design” and “by default” as different concepts even if they are used in the same sentence.

This approach seems quite different from the one officially used by the International Conference of Data Protection and Privacy Commissioners, that last year adopted a resolution on Privacy by Design proposed by Dr. Ann Cavoukian (Information and Privacy Commissioner of Ontario – Canada).

In this context the expression Privacy by Design is used to describe a method to deal with privacy issues in this new era, where the most valuable aspect is a correct approach to privacy. In this respect, it should be said that in the approach “by design” or “by default” of the new EU legal framework the term “data protection” is used instead of “privacy”. Furthermore, the Commission’s proposal seems to paya lot of attention to the technical and security aspects instead of the legal concerns.The specific reference to “measures and procedures”  seems oriented towards the PETs (Privacy Enhancing Technologies) that are certainly important but the future of privacy is Privacy by Design. In conclusion, the hope is that the expression “by design and by default” will not represent a cutting-edge movement or a system founded on the technological and security support, but a real methodological approach to handle the future of our privacy according to the International statements and to become a worldwide privacy standard in the near future.

The right to judicial remedy against data controller

The article art. 75, paragraph 2 provides that in case of infringements of data protection rights: “proceedings maybe be brought before the courts of the Member States where the data subjects has its habitual residence” . This article also entails that jurisdictional and international issues will be also brought beforethe national courts- which will decide in order to the compensation of damages ofdata subjects – requiring judges highly specialized both in EU data protection law and in international issues and even to decide in  order of  the appeal the decision of other countries’ DPA.

On the other hand, the new consistency mechanism increases the power of the European Commission a lot, which becomesalso the ultimate supervisory authority on protection of data subjects, including the power to suspend the draft measures adopted by national DPA through both the presence of serious doubts on the their consistency with the EU regulation and a reasoned decision. Furthermore, with regard to the cloud computing above analysed, more and more data subjects resident in the EU will be able both to access one national lead Authority and to take action against national courts of that country (in which the main establishment is located). Lastly, as stated in the paragraph 4 of the article 75: “all the Member States shall enforce final decisions by the courts”.  This paragraph underlines further consequences of the regulation draft adoption, both a stronger  free movements of judgments on data protection and the need to assure the recognition of the judgments on data protection from other countries’ courts.


Data protection officer requirement and its impact on the national laws

The EU legal framework introduces the data protection officer and, according to the article 35 of the proposal for a Regulation, this rule is mandatory if:

  1. a) processingis carried out by a public authority or body;
  2. b) processing is carried out by an enterprise employing 250 persons or more;
  3. c) core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects.

There is no doubt about the relevance of the choice to set up the data protection officer; this solution, strongly hoped by some Italian privacy professionals, shows how the EU Commission has taken the data protection officer into account, demonstrating that there is a great need to pay attention to privacy matters. It is necessary for people dealing with privacy to have specific expertise and proficiency. This will obviously have consequences on the national law that needs to be implemented to set up the data protection officer, according to the EU legal framework; in this way public bodies and enterprises will have a specific department for the competence on privacy matters. Although not mandatory, data protection officer rule considerationsshould be regardedas very important also for the other organizations with less than 250 employees because privacy is a fundamental right that is not related to the size of a company. Furthermore, this measure goes in the direction of making the EU data protection law more user-centred.

Data protection impact assessment requirement

A valuable concept introduced by the EU proposal is the assessment of the data protection impact.   The main reference is article 33 of the proposal for a Regulation: “where processing operations present specific risks to the rights and freedoms of data subjects” the controller “shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data”. Recently, the EU public bodies started talking about impact assessments and particularly about the PIA (Privacy Impact Assessment). The privacy legal framework in force (Directive 95/46/EC) does not contain reference to the impact assessment and there are only a few recent European official documents about this topic. Therefore, the choice of the EU Commission to include the data protection impact assessment in the proposal for a Regulation and for a Directive is very key but certainly the PIA (Privacy Impact Assessment) is well-known in the international context. The aforementioned article 33 describes when and how it is necessary to set up a data protection impact assessment (DPIA).

Explicit consent requirement and navigation over the Internet

According to the aforementioned EU legal framework (article 7) the controller shall acquire the data subject’s consent for specified purposes and “The data subject shall have the right to withdraw his or her consent at any time”. In this respect, article 4states that consent “means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed”. In case of minors, “child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child’s parent or custodian”. Last but not least, the provision about rights to be forgottenis very relevant in the Internet environment,this also guarantees to users the right to withdraw their consent when “there are no other legitimate grounds for retaining the data”.


The European Data Protection Board

The EU regulation shall establish a European Data Protection Board that, according to article 66 of the proposal for a Regulation; “shall ensure the consistent application of this Regulation. To this effect, the European Data Protection Board shall, on its own initiative or at the request of the Commission”. This article describes different actions that the DPB can realise, and that it shall regularly and frequently inform the Commission about the outcome of its activities. Finally it should be pointed out that the Supervisory Authority will supersede Art. 29 Working Party and it will play a relevant role in the consistency mechanism to guarantee the unity of EU law application.



The European Commission’s proposal deserves to be appreciated especially because it addresses the main crucial challenges for data protection law in a globalised world. However, a detailed analysis shows that this proposal could use some amendments. Particularly, more attention should be paid to widespread involvement of all stakeholders, especially multinationals and oversee Authorities, such as Federal Trade Commission. Furthermore, in respect of the exterritorial jurisdiction of the EU Law, the worry is that all the provisions will be considered a mere theoric principles by Extra EU/EAA Countries without further international legal agreements and a worldwide cooperation which will probably require to amend the text in favor of the enforceability of EU law.

On the other hand, the implications of the DPA jurisdiction among the member States where the processor has the registered office in a Country while the data subject lives in another one should be also considered; Likewise, it is needed to deepen the rule of the EDPB (European Data Protection Board) in order to avoid an European privacy body depending only on the politicians’ choices  – far from the real privacy issues – and living in a ivory tower. Lastly, the recent updating of the privacy policy by Google inc. seems to underline a relevant weakness in the worldwide context of a the new proposed regulation.