A decision by the Italian Garante issued on 20 December 2018 set out the conditions for the Italian Revenue Agency to start processing activities under the new e-invoicing legislation that came into force on 1 January 2019 – whereby e-invoices will have to be issued for all payment transactions between suppliers of goods and services as well as between suppliers and consumers of those goods and services.
The December 20 Decision followed a previous decision by the Garante of 16 November 2018 where several criticalities had been highlighted in terms of data protection compatibility of the implementing mechanisms envisaged by the Agency. The November decision had led the Garante actually to issuing its first-ever ‘warning’, by relying on the new powers set out in Article 58 of the EU GDPR. The warning was addressed to the Revenue Agency to point out the ‘major criticalities related to the systematic, generalised, detailed processing of personal data on a large scale’ envisaged by the Agency, which was requested by the Garante to clarify how they planned to bring the relevant processing operations into line with the Italian and European legal framework.
An ad-hoc working party was set up by the Agency with the Garante and the Ministry of economics and finance to tackle and do away with those criticalities, involving additional stakeholders such as the National Council of Chartered Accountants and Accounting Experts, the National Council of Occupational Consultants, and the Association of Producers of Management and Accounting Software (AssoSoftware).
The working party dealt with the shortcomings pointed out by the Garante in its November decision, which were multifarious in nature. Indeed, the Revenue Agency had planned to store and make available, on its web portal, all e-invoicing files in full (about 2.1 billion in 2017), but those files include detailed information on the purchased goods and services that is per se irrelevant for taxation purposes. On the other hand, that information can disclose consumption patterns in the most diverse areas ranging from utilities and telecoms to transportation (highway tolls, flight tickets, hotel bookings) up to legal and health care services (where the e-invoice includes references to criminal or other proceedings or the medical diagnosis performed on a given patient undergoing treatment). This was found to be disproportionate compared to the public interest purpose the new legislation was intended to achieve.
The revised e-invoicing system envisages storage by the Agency of only the data required for the automated checks the Agency is called upon to perform for taxation purposes – e.g., in terms of consistency between e-invoicing data and the information held by the Agency on a given taxpayer; no information describing the purchased goods or services will be stored. Additionally, no e-invoices will have to be issued for health care services or goods. Storage of and access to the full contents of e-invoices will only be possible (after the initial implementing period) on the taxpayer’s specific request and based on agreements for which the Garante’s green light will be necessary.
Two additional major criticalities had been detected by the Garante, who had warned the Agency of the need to remedy them prior to the final roll-out of the system. One had to do with the role played by the intermediaries taxpayers may rely on for transmitting, receiving and storing their e-invoices; since those intermediaries may happen to provide their services to several companies and entities at the same time, there is an increased risk of data leaks or misuse due to cross-referencing and combination of huge amounts of information. Secondly, there were several IT security risks in the system, starting from the lack of data encryption mechanisms especially for the e-invoices transmitted via ‘certified’ emailing systems, which the Garante had urged the Agency to address.
Those additional criticalities were remedied in part by the working group and the Garante called upon the Agency in December to make further efforts in that direction. In particular, the Agency will have to carry out an additional data protection impact assessment exercise by the 15th of April this year, pursuant to Article 35 of the GDPR. The Garante had already emphasized that the Agency should have taken care to carry out a DPIA prior to submitting the e-invoicing project to the Garante’s scrutiny, in line with the requirements for a data protection by design approach that is set forth in the GDPR; indeed, the Garante had pointed out that such a requirement was already envisaged in the pre-GDPR legislation under the ‘prior checking’ umbrella.
For Further information, please contact the Italian SA directly: garante@garanteprivacy.it