Diritto & Internet

The Data Protection Authority versus the Tax Office: yes to electronic invoicing, but in compliance with “privacy”

Paper invoicing would seem to have had its day for everyone, or almost everyone. Electronic invoicing, which is already obligatory for public administrations and has so far been extended to business-to-business transactions only as an optional alternative to “paper”, will become obligatory from 1 January 2019 for all supplies of goods and services between parties resident or established in Italy. This is provided for by Art. 1, Para. 916 of Law No. 205 of 27 December 2017 (the 2018 Budget Law). The effect of this provision is to introduce a general obligation of electronic invoicing, the only exceptions being operators who lawfully fall under the reduced-rate or flat-rate regimes, for whom it remains optional, and, clearly, those agricultural producers who are already wholly exempt from the obligation to issue invoices.

In practice this means invoices in a predefined XML format, transmitted through the Sistema di Interscambio (SdI, the Exchange System) set up by the Ministry of Economy and Finance and managed by the Agenzia delle Entrate (the Tax Office). As designed, the new electronic invoicing system also entails the Tax Office processing all of the data contained in the invoices issued.

From regulatory measures 89757 and 291241, adopted by the Director of the Tax Office on 30 April and 5 November 2018 respectively, it can be deduced that the Tax Office will carry out obligatory, generalised and detailed processing of the personal data contained in the invoices. In particular, the processing will cover data identifying the goods and services supplied, with a description of the services and of the relationships between the supplier, the purchaser and other parties. The data may concern discounts applied, loyalty programmes and consumer habits, as well as data whose inclusion is mandated by sector-specific regulations, especially in transport and in the supply of energy or telecommunication services (type of consumption, regularity of payment, membership of a given user category). To these must be added the special categories of personal data that may appear on an electronic invoice, such as the data contained in invoices issued by operators in the health sector.

The Italian Data Protection Authority (Garante) has issued a regulatory measure (No. 481 of 15 November 2018) addressed to the Tax Office, in which it identifies a series of significant critical issues raised by the new rules with regard to the protection of personal data.

First of all, the Authority notes that the Tax Office failed to consult it before the measures were adopted, in breach of Art. 36, Para. 4 of Regulation (EU) 2016/679, which requires the supervisory authority to be consulted “during the preparation of a proposal for a legislative measure to be adopted by a national parliament, or of a regulatory measure based on such a legislative measure, which relates to processing”.

Secondly, it considers that the new rules provide for large-scale processing of the personal data contained in invoices, and that this presents a high risk to the rights and freedoms of the data subjects. In the Authority’s view, the Tax Office, as data controller, should therefore have carried out a data protection impact assessment under Art. 35 of the Regulation.

Measures 89757 and 291241 also provide that, after delivering the invoice in its role as “postman”, the Tax Office stores not only the personal data needed to fulfil tax obligations, but the invoice itself in XML format, which also contains information not needed for tax purposes. On this point the Authority argues that this amounts to generalised processing that is disproportionate to the public interest pursued and conflicts with the principles of purpose limitation, data minimisation and confidentiality laid down in Art. 5, Para. 1, letters b), c) and f) of the GDPR.

The Authority also identified a further critical issue in the decision to make all electronic invoices in XML format available to consumers on the Tax Office’s web portal, even where the consumer has made no specific request for this, and without taking into account that consumers are already entitled to obtain a digital or paper copy directly from the operator. According to the Authority, processing of this kind is clearly at odds with the principles of data protection “by design” and “by default” under Art. 25 of the Regulation.

Following this intervention by the Data Protection Authority, a technical working group was set up between the Tax Office and the Authority to try to find suitable solutions to the “privacy problem”.

To date, a good many uncertainties remain. In particular, it is unclear how the Tax Office will respond and whether it will manage to bring the system into line with the Regulation before the obligation of electronic invoicing comes into force.

Dott. Carla Cerasa