18 Dec The Italian Data Protection Authority issues a warning to the Revenue Agency: the electronic invoicing must be revised due to a “disproportionate collection of information and risks of misuse”
On November 15, the Italian Supervisory Authority (hereinafter referred to as the “Garante”) issued decision no. 9059949 (hereinafter: the “Decision”), in which it notes that electronic invoicing, or so-called ‘e-invoicing’, as regulated by the Tax Agency (“Agenzia delle Entrate” or the “Agency”), “presents major critical issues regarding its compatibility with the legislation on the protection of personal data”.
As provided for by the Budget Law 2018 (Law no. 205 of 27 December 2017, art. 1, in particular para. 909), from 1 January 2019 the new electronic invoicing obligation, which already applies to the public administration, will also be extended to relationships between suppliers (B2B) and between suppliers and their consumers (B2C). On April 30, 2018, the Tax Agency adopted measure no. 89757 in order to define the rules on the issuing, transmission, receipt and storage of electronic invoices, but without any prior consultation with the Garante, as required by Article 36(4) of EU Regulation 2016/679 (“GDPR”). The Decision was issued as a result of complaints received by the Garante and in the exercise of the corrective power of warning recognised by Article 58(2)(a) GDPR.
The new obligation of electronic invoicing, according to the Garante, presents “a high risk for the rights and freedoms of data subjects, as it entails a systematic, generalised and detailed processing of personal data on a large scale, potentially relating to every aspect of the daily life of the entire population, which is disproportionate to the public interest objective[…] pursued”.
In particular, the aforementioned critical issues emerge from the following aspects of the new e-invoicing system:
- the ability to archive and use the system for monitoring purposes, which may cover data that is not compulsory for tax purposes: the invoice itself contains further detailed information on the goods and services purchased, on consumption habits and patterns, and even on medical or legal services received, so that in this context the system would entail a mandatory, generalised and detailed processing of personal data;
- the need to upload all invoices in digital format to the Agency’s portal, even when no such request has been made by the consumers, including the cases where the customer opted to receive the printed or digital invoice directly from the supplier, appears to conflict with the principle of data protection by design and by default and with the principle of data minimisation (Articles 25 and 5(1)(c) GDPR respectively);
- the role assumed by the intermediaries, who are entrusted by the taxpayer to transmit, collect and store the e-invoices and who often work with a variety of other companies, entails the concentration of enormous amounts of personal data (big data), resulting in increased security risks as well as risks of further and unlawful processing of the personal data;
- the modalities of transmission through the exchange system (“Sistema di Interscambio”, or “SDI”), as well as other related services (such as data storage), may violate the GDPR with respect to the security, lawfulness and transparency of the processing. This is shown, for example, by the fact that e-invoices are not encrypted and that the use of PEC (i.e., certified e-mail) addresses for the exchange of invoices is not ruled out, which means that invoice data may end up stored on e-mail servers.
The Garante also points out that the Agency failed to comply with the prior consultation obligation provided for by Article 36(4) GDPR. According to the Garante, this step could have ensured the new e-invoicing system’s compliance with current personal data protection rules from the initial stages of planning and design.
In the meantime, a joint round-table meeting has been set up between the two parties on the subject of electronic invoicing, with a view to addressing the shortcomings of the new system with regard to the protection of personal data.
The practical implications of the Garante’s Decision are not yet foreseeable. The legal obligation for citizens to adopt electronic invoicing from January 1, 2019, remains; however, the Decision shows the currently envisaged system to be problematic, as it does not comply with the basic principles on the protection of personal data (see the GDPR and the Privacy Code as amended by Legislative Decree 101/2018). It is hoped that the appropriate adjustments will soon emerge from the round-table meeting, given the imminent and fast-approaching application of the obligation. However, given the massive investments already made by companies, this seems not to be feasible. In fact, an adjustment seems to have been excluded by the Garante itself in a recent radio interview, during which it suggested the imposition of penalties on the Tax Agency if it remains non-compliant on January 1st 2018.
Antonello Soro, President of the Italian Data Protection Authority for the Protection of Personal Data, stated during the interview: “the controller of the processing is the Tax Agency and under the new legal framework it is the controller of the processing who is responsible for everything that occurs under his/her responsibility and therefore it is their issue. We do not intend to slow down or put a brake on the launch of the system on January 1st. Nevertheless, we would like to point out that, as the data controller is responsible, we also have the responsibility, after the event, to verify compliance with the law and to draw the necessary conclusions”. In addition, the President commented that “the provision that we have issued is of a fairly new kind, that of the warning, which follows from the new European legal framework and which allows the recipient of the warning – in this case the Tax Agency – to take note of our considerations and to adapt their measures to the norm, reserving of course a posteriori judgment on the processing, once it was initiated, but giving the data controller of the processing of these data, the Revenue Agency, the possibility to not trigger a violation of the laws and the related penalties”.