The Italian
Constitution, adopted in 1948, has several limited provisions relating to
privacy. Article 14 states, "(1) Personal domicile
is inviolable. (2) Inspection and search may not be carried out save in cases
and in the manner laid down by law in conformity with guarantees prescribed for
safeguarding personal freedom. (3) Special laws regulate verifications and
inspections for reasons of public health and safety, or for economic and fiscal
purposes." Article 15 states, "(1) The liberty and secrecy of
correspondence and of every form of communication are inviolable. (2)
Limitations upon them may only be enforced by decision, for which motives must
be given, of the judicial authorities with the guarantees laid down by
law."
A new Privacy
Code relating to the protection of personal data was
enacted by a Legislative Decree of June 30, 2003 no. 196. The Code replaced both the Data Protection Act
(which was enacted on December 31, 1996, after twenty years of debate, to fully implement the European Union (EU) Data
Protection Directive) and the various decrees enacted after 1996 to regulate
data protection in specific sectors, such as security requirements, the processing of medical information, the processing of information for journalistic, scientific or research purposes, and personal data held by public bodies. The new Privacy Code (the Code) therefore
covers all the requirements from previous data protection decrees, as well as
from the EU Directive on Privacy and Electronic Communications (2002/58/EC) and
some codes of conduct already approved by the Italian Data Protection
Authority. The Code creates more protections for data subjects while
simplifying the applicable rules. The Code is arranged in three sections with
the first containing provisions dealing with the rules applicable to the
processing of personal information in the public and private sector, the second
dealing with "special requirements" which would apply in those
specific sectors, such as debtors or the health sector, and the third
concerning administrative and judicial issues. Violators of the Code may also face harsh
administrative or criminal penalties. Although the Code has been in effect
since January 1, 2004, individuals or organizations processing data had until
June 30, 2004 to implement the required measures in order to comply with the
new standards.
The Italian
Data Protection Code is enforced by the Supervisory Authority for Personal Data
Protection (Garante per la Protezione dei Dati
Personali, or
Garante). The Garante
maintains a register of databases, conducts audits and enforces the laws. The Garante can also audit databanks not
under its jurisdiction, such as those relating to intelligence activities. The
decree on the internal organization of the Garante establishes the procedures for keeping the
Register of Data Processes and regulates access to the register by citizens, or
for investigations, registrations and inspections. As of June 2004, the Garante had 93 staff persons.
The Garante is responsible for carrying out
many activities. In particular, the Garante
deals with many complaints from the public and requests for information. During
the period between January 1, 2003 and March 31, 2004, queries were broken down in the
following manner:
· 38,180 requests for information and
clarification could be dealt with via the telephone help desk;
· 4,080 claims and reports were dealt
with in writing;
· 834 answers were provided to
specific questions/requests for clarification;
· 775 complaints were dealt with in
connection with the failure by data subjects to exercise their rights (this is
a strictly regulated type of proceeding, which is to be finalised within 50
days from its start);
· 464 requests for access to and/or
verification of the information contained in the Schengen Information System
were complied with;
· 9,791 notifications of data
processing operations were entered into the relevant register;
· 69 on-the-spot audits were carried
out;
· 5,754 answers were provided to citizens by the Garante's
front office via e-mails, faxes and/or letters.
When
looking at some of the figures in greater detail from the calls which were
dealt with via the help desk, about 40 percent had to do with clarification on
the provisions set out in the new Data Protection Code, 10 percent related to
the activities of credit reporting agencies, five percent dealt with spamming
and unsolicited communications and about 30 percent concerned miscellaneous
issues.
The Garante dictates the direction for the
implementation of data protection in Italy. In October 1998, the Garante decided that phone companies
need not mask the phone numbers on bills and that phone companies should allow
for anonymous phone cards to protect privacy. Between December 2000 and
February 2001, the Garante made
several declarations on privacy issues. It addressed whether employees are
entitled to access information about them included in evaluation reports
drafted by their employers; provided that political associations cannot
collect e-mail addresses from the Internet to send unsolicited political
messages; regulated the processing operations of the
Italian armed forces corps; found that the Carabinieri failed to comply with the Data Protection Law; ruled that the personal information on
identification badges worn by employees who are in regular contact with the
public should be relevant and not excessive to the purpose; ruled that banks cannot take fingerprint scans of
those entering the premises since doing so would be disproportionate to their
security needs; and provided that in insurance liability cases,
the personal data in medical expert opinions must be accessible to the data
subject, but access may be temporarily deferred in order not to affect the outcome of
the investigation.
The Garante carries out several different
functions with regard to data protection. For example, in 2001 the Garante issued a Code of Conduct and
Ethics Regarding the Processing of Personal Data for Historical Purposes,
including guidelines on the protection of personal data in electoral activities
such as campaign literature and elections. In 2002, the Garante released a report on the treatment of personal data
obtained through general video surveillance. The report sets forth concerns related to such
surveillance, and addresses the obligations of a data collector to protect
information and the rights of those who are observed. In 2003, the Garante launched a public information television campaign to inform
the public of their rights with regard to the collection of personal data. In the same year, the Garante began work on a do-not-call scheme to deter unwanted
marketing calls. In addition, nearly every year the Garante hosts a conference in Rome.
Topics have ranged from human genetics to the future of privacy.
Wiretapping
is regulated by Articles 266-271 of the Penal Procedure Code and may only be
authorized in the case of legal proceedings. Government interceptions of telephone and all
other forms of communications must be approved by a court order. Court orders
are generally granted for investigations of crimes punishable by life
imprisonment or imprisonment for more than five years; for crimes against the
administration punishable by no less than five years' imprisonment; for crimes
involving the trafficking of drugs, arms, explosives, and contraband; and for
insults, threats, abusive activity and harassment carried out over the
telephone. The law on computer crime includes penalties on interception of
electronic communications. Interception orders are granted for 15 days at
a time and can be extended for the same length of time by a judge. The judge
also monitors procedures for storing recordings and transcripts. Any recordings
or transcripts that are not used must be destroyed. The conversations of
religious ministers, lawyers, doctors or others subject to professional
confidentiality rules cannot be intercepted. There are more lenient procedures
for anti-Mafia cases. Some 44,000 orders were approved in 1996, up from 15,000
in 1992. A June 2002 report indicated that Rome, by
itself, had nearly 13,000 wiretaps over the period of a year.
In October
2001, the Italian Parliament passed a decree in which the offense of criminal association for
purposes of terrorism was re-defined; however, the blanket surveillance of communications
by law enforcement bodies was expressly ruled out. Telephone tapping and
electronic surveillance were facilitated but only with authorization and under
the supervision of judicial authorities, and only with regard to very serious
offences. Additional safeguards apply to the use of investigational findings
and the prohibition to disclose such findings.
Italy also
has several laws relating to workplace surveillance, statistical information, electronic files, and
digital signatures. For example, the Workers Charter prohibits
employers from investigating the political, religious or trade union opinions
of their workers, and in general, on any matter which is irrelevant for the
purposes of assessing their professional skills and aptitudes. The 1993 computer crime law prohibits
unlawfully using a computer system and intercepting computer communications.
In October
2000, medical researchers from the International Institute of Genetics and
Biophysics opened a "genetic park" in Southern Italy. The inhabitants
of ten remote villages will be part of an elaborate experiment to identify the
causes of diseases such as Alzheimer's, asthma, cancer and hypertension. Over
the next two years the researchers plan to build a database combining the
church records, medical histories, blood and DNA samples of the inhabitants.
The Italian
authorities quieted arousing speech on various occasions in 2002. Prompted by
the Catholic Church, Italian officials seized local Web sites that portrayed
religious figures alongside sexual imagery and harsh language. Officials asserted justification based on the
illegality of blasphemy in Italy and because such depictions "offended the
'dignity of the people.'" Later in the year, a group of activists were
arrested for forming a "subversive association." According to a report, the protestors were
"accused of political conspiracy by association aimed at disrupting the
exercise of government . . . by '[organizing] and provoking clashes between
numerous demonstrators and the police to make public order unmanageable,' and
of continuous distribution of subversive propaganda, sometimes using Internet,
to 'violently subvert the economic order of the State.'" The activists were ultimately released, but
remained under investigation.
Recently,
some Italian fashion retailers have begun, or expressed intentions to begin,
attaching radio frequency identification (RFID) tags to clothing in order to
keep tabs on store inventory. Another benefit, according to the proponents of
RFID, is that "[t]he technology creates a seamless shopping experience
designed to enhance customer relationships." According to opponents, "the transmitter
would let the retailer identify and track customers," and "sensors
hidden in the retailer's clothing could be used to create a global surveillance
network." Against a backlash of negative publicity to the
United Colors of Benetton's announcement that it would begin to implement RFID,
the clothing retailer quickly issued a reassurance to customers that no RFID
technology was currently incorporated into their clothing line, though they
reserved the right to implement it at any time.
Also in
2003, Italy's market for counterfeit products was shaken when the state enacted stronger
regulations on anti-piracy. The new anti-piracy act applies to music and
film, offering wider protection for copyrighted works and subjecting offenders
to greater punishments for violation of the act. While the act was still in its
proposal stage, the Italian Associazione
Software Libero started an on-line petition against the legislation. The Italian police, authorized by the
legislation, have begun "combing through the e-mail accounts of thousands
of Italians they suspect of having downloaded music and films to swap on the
Internet."
A decree-law
issued in March 2004 increased the responsibilities of Internet Service
Providers (ISPs) and now makes them report their users who engage in peer to
peer file-sharing. If the ISPs fail to monitor and control their
users, they will be automatically liable for their subscribers' activities. At
the end of May 2004, Italy passed one of the world's toughest laws geared at
fighting piracy and file-sharing. Penalties include a prison term of up to three
years, and fines can exceed USD 300,000. The Culture Ministry said that the
law was necessary in order to protect the intellectual property rights of
artists in light of the growing popularity of peer-to-peer networks.
The
compulsory limit for the data retention of telephone traffic was increased from 30
months to four years in February 2004 as a result of an Act (No. 45/2004) issued further to a decree proposed by the
Italian government. The latter decree (No. 354/2003) had been
approved by the government cabinet "as a result of 'the extraordinary need
and urgency for the regulation of the modes of storage of traffic data relating
to telephone and Internet communications, so as to prevent its loss in case its
acquisition should prove necessary for the scope of the repression of
particularly serious crimes.'" Also following the advice provided by the
Italian Data Protection Authority, the Act passed in February 2004 applied the
expanded retention period to telephone traffic data only. The relevant
requirements will unfold in the following manner: during the first 24 months
service providers must retain telephone traffic data in case it will be
required for the investigation of criminal offences, and during the final 24
months, stricter access guidelines will be attached whereby it can be requested
for more serious crimes only, including terrorism.
The newly
approved Privacy Code of Italy considers the sending of unsolicited emails to
be a very serious offence. If an individual is found guilty of sending
spam and trying to profit from such emails, he could face up to three years in
prison. Since many companies are losing a large amount of bandwidth as a result
of dealing with spam, the Italian government has now equated spam with an act of
theft. Italy is one of the first countries to implement legislation which
actively deals with combating spam. Critics remain skeptical of Italy's law
since many of the sources of spam are from outside the country and therefore
outside the Italian court's jurisdiction. Italy is currently one of few
European countries to be fully compliant with EU Directive 2002/58/EC which
prohibits the sending of unsolicited email.
Throughout
2003, Italy enacted several laws containing provisions that effectively
compromise the privacy rights of its citizens. For example, Act No. 140 from June 20, 2003, contains provisions on
interceptions and acquisition of reports concerning conversations and/or
communications of MPs as intercepted within the framework of judicial
proceedings concerning third parties. This Act provides, in particular, for the
need to destroy reports and recordings concerning irrelevant interception
activities. The latter provision is related to
general data protection principles, in that its violation may also entail the
impossibility of using the personal data being processed – as per Section 11 of
the Data Protection Code.
Legislative
Decree No. 269 of September 30, 2003, converted with amendments into Act
No. 326 of November 24, 2003, sets out the requirements to
monitor health care expenditure. During the process leading to the conversion
of the legislative decree, the Garante
drew Parliament's attention to the sensitive issues raised by Section 50 in the
decree, providing, inter alia, for the establishment of a database containing
the fiscal identification codes of all health care beneficiaries in order to
monitor health care expenditure. The Garante
pointed out that the purpose sought by the decree was undoubtedly in line with
streamlining supervision over the State's expenditure; however, the tools envisaged
to that end might jeopardize citizens' rights to the protection of their
personal data – in particular the data concerning health, which are covered by
special safeguards.
In
addition to legislative action, there have been a number of decisions on the
judicial front which have dealt with the right to privacy. A decision by the
Council of State (Consiglio di stato) addressed the relationship between the
right of access and the right to privacy, ruling that the laws in force do not
provide general guidance on how to balance these two rights. The decision
allows an administrative body holding sensitive data to assess each specific
situation in order to determine whether access is necessary or not to establish
or defend a claim that is at least equal to the data subject's claim to
privacy. In another decision concerning
this issue, the Council of State ruled that the right of access, albeit in its
"softened" version, i.e.,
as the right to inspect records, should override the right to privacy if
knowledge of the information is required to exercise the right of defense with
regard to circumstances amounting to a criminal offence. Furthermore, in two decisions
issued in 2003, the Court of Cassation (Corte
di cassazione), which is the highest court in Italy, ruled that
non-pecuniary damage should be construed as a wide-ranging category including
all cases in which there is violation of a value pertaining to human beings.
Among the cases the Court considered to warrant protection against the
damage caused by the violation of individual-related interests devoid of
pecuniary value, the use of unlawful means in collecting personal data was
expressly mentioned.
The Garante has also made several decisions
concerning important issues over the past year regarding video surveillance,
biometrics and access to personal data contained in clinical records. A
decision adopted by the Garante on
April 29, 2004 referred to the basic principles applying to video surveillance
and described the general requirements to be fulfilled by any video
surveillance system. Guidance was also provided in respect of specific data
processing operations concerning the use of video surveillance in schools,
hospitals, on board transportation means, and at the workplace. The Garante reserved the right to take ad hoc measures in particular situations
on a case-by-case basis. It was determined that the basic criterion should be
respect for citizens' fundamental rights and freedoms and personal dignity,
with particular regard to privacy, identity and personal data protection. Accordingly, the Garante pointed out that individuals may not be deprived of the
right to move without interferences that are incompatible with a free
democratic society such as those resulting from invasive and
oppressive data acquisitions in respect of an individual's whereabouts and
movements. The Garante also drew
inspiration from the guidelines issued by several international and Community
fora such as, in particular, the Council of Europe's guidelines on video
surveillance of May 20-23, 2003 and the documents drafted by the European data
protection authorities within the framework of the Article 29 Working Party.
The
use and appropriateness of biometrics was considered by the Garante in relation to a project called
S-Travel, which envisaged initial tests at the Athens and Milan Malpensa
airports. Biometric authentication technologies, using fingerprints and/or iris
scans, with particular regard to check-in and boarding operations, were the
main issue. The Garante pointed out
that it was necessary to comply with data minimization and proportionality
principles, as well as with data relevance and non-excessiveness requirements.
In the case at stake, the technologies to be implemented were only partly
suitable for achieving enhanced security of airport controls. Furthermore, the
collection of biometric data related to both fingerprints and iris scans of
both eyes was found to be excessive and disproportionate compared with the
purposes of the processing.
Finally, in
a decision from July 2003, the Garante
specified the conditions in which the right to privacy and the right of access
to clinical records held by health care institutions could be balanced. This is
an issue arising mostly in connection with the requests made by defense counsel
carrying out their own investigations in order to access records containing data
relating to health and/or sex life. In particular, the so-called "equal
importance" principle entails that the processing of personal data in
order to enable access is only allowed if the right to be defended through the
request for accessing administrative records is at least as important as the
data subject's rights, or else consists in a personal right or another
fundamental, inviolable right or freedom. In other words, the defendant's
rights must be equal to, or outweigh, the other individual's fundamental right
to privacy.
The Italian
Government has also been in the process of developing a National Services Card,
an identification card which may include biometric data in the future and will
give the user access to e-government services. According to current plans, the ID card
contains personal data including the holder's blood type and fiscal code
coupled with a digital signature. The personal data and digital signature are
stored on the card's microchip and can only be released if the holder gives
permission by inserting a PIN code. As of yet, the information is not stored on
any central database. The cards were first launched in 2001 but have not yet
been widely distributed. The goal is to replace older identification cards with
these new cards over the next five years.
Italy is a member of several
organizations that influence the country's treatment of privacy and personal
data. Most notably, Italy is part of the Council of Europe (CoE). Italy signed
and ratified the CoE's Convention for the Protection of Individuals with Regard
to Automatic Processing of Personal Data. In addition, Italy ratified the European Convention for the
Protection of Human Rights and Fundamental Freedoms and signed the CoE's Convention for Cyber-crime, but has not
ratified it yet. Italy is a member of the Organization for Economic Cooperation and
Development (OECD) and has adopted the OECD Guidelines on the Protection of
Privacy and Transborder Flows of Personal Data.