I. Legal framework
The Data Protection Code1 relating to the protection of personal data was enacted by a Legislative Decree of 30 June 2003.2 The Code replaced the Data Protection Act (enacted on 31 December 1996, after 20 years of debate,3 to fully implement the European Union (EU) Data Protection Directive 95/46/EC) as well as the various decrees enacted after 1996 to regulate data protection in specific sectors, such as security requirements,4 the processing of medical information,5 the processing of information for journalistic,6 scientific or research purposes,7 and personal data held by public bodies.8 The new Data Protection Code (the Code) therefore consolidates all the requirements of the previous data protection decrees, together with those of EU Directive 2002/58/EC on Privacy and Electronic Communications and EU Directive 2006/24/EC on Data Retention, along with some codes of conduct already approved by the Italian Data Protection Authority.9 Among the most relevant amendments to the Code in recent years, Legislative Decree No. 207 doubled the fines for all administrative violations.10 In 2009, Law No. 15 amended Article 1 of the Code by providing that "reports about the performance of duties of anyone employed in a public function, and its evaluation, are not subject to the protection of privacy".11
After strong criticism of the old law, the Code aimed to create a higher level of protection for data subjects while simplifying the applicable rules, although with little practical effect.12 The Code is arranged in three sections: the first contains the general rules applicable to the processing of personal information in the public and private sectors; the second sets out "special requirements" that apply in specific fields, such as debt collection or the health sector; the third concerns administrative and judicial issues.13 Violators of the Code may also face harsh administrative or criminal penalties, as occurred in the Google-Vividown case decided by the Tribunal of Milan on 24 February 2010. On that occasion, three Google executives were given six-month suspended jail sentences for violation of the data protection law.14
Some important provisions on data protection in the field of electronic communications are stated in other laws or regulations, namely the anti-spam rules contained in the Italian law on electronic commerce (Legislative Decree No. 70 of 9 April 2003) and the secrecy-of-correspondence rules in the Italian Code of Electronic Communications (Legislative Decree No. 259 of 1 August 2003).
Data protection authority
The Supervisory Authority for Personal Data Protection (Garante per la Protezione dei Dati Personali or Garante) enforces the Italian Data Protection Code.17 The Garante maintains a register of databases, conducts audits and supervises the enforcement of the law. The Garante can also audit databanks not under its jurisdiction, such as those relating to intelligence activities. The Decree on the Internal Organisation of the Garante18 establishes the procedures for keeping the Register of Data Processes and regulates access to the register by citizens, or for investigations, registrations, and inspections.
The Garante is responsible for carrying out many activities. As of May 2010, there are 33 different sectors in which the Garante has intervened. Among these sectors there are video surveillance, public transport, telemarketing and communications, spamming, minors and security measures, journalism and the health sector, biometrics, insurance and finance, and associations.
Enforcement actions the Garante carries out are mainly based on both the reaction to complaints lodged by data subjects for failure to exercise their rights (access, rectification, deletion), and on inspection or audit activities carried out either ex officio (based on an annual action plan identifying specific sectors and/or processing operations) or following complaints and reports.
Significant enforcement activities were carried out in the biometrics sector. The Garante stopped two initiatives by public bodies that were considering the use of fingerprint-based systems. In one case, the data controller required low-income university students and/or scholarship recipients to submit their fingerprints if they wanted discounted access to restaurants and shops. In the other, a local municipality required its employees to be fingerprinted to check their attendance at the workplace. The Italian DPA held that the use of biometric mechanisms was disproportionate to the purposes pursued, and that specific privacy safeguards (such as enhanced security measures) were necessary given the highly sensitive nature of biometric information.19 In 2008 the Garante authorised several banks to use biometric systems for security purposes.20 More recently, on 15 April 2010, the Garante authorised a bank in Brescia to use fingerprints to control access to clients' safe deposit boxes.21
Some of the Garante's decisions have had an impact on Italian public opinion. For example, in October 2006, the Garante blocked the broadcast of a media investigation revealing that an Italian Member of Parliament used cannabis extensively. This decision raised strong criticism, mostly based on the alleged lack of jurisdiction over the issue.22
In May 2008, the Italian Revenue Office (Agenzia delle Entrate) published the tax records of Italian citizens online.23 After a few days, the Garante tried to block the massive disclosure of personal information that had spread over the Internet and through peer-to-peer networks.24 In July 2008, a small company in Milan sold an online database of email addresses, fax and telephone numbers that had been lawfully taken from public records, but without informing the data subjects concerned. The Garante prohibited the company from continuing to use, store and sell that data.25 On 6 October 2008, the Garante fined two marketing research firms for a breach of privacy: the companies had carried out an opinion poll without informing the data subjects of the purpose for which their opinions were collected.26 On the same day, the Garante ruled that access to personal data contained in records concerning a deceased person must be guaranteed free of charge to the deceased's family.27
On 15 January 2009, the Garante ordered a well-known Italian publisher to redesign its online archive of articles from the leading Italian newspaper, Il Corriere della Sera, so that the information could no longer be traced directly by a search engine. Treating the matter as a case of the individual's "right to be forgotten", the Garante sought to strike a balance between personal data protection and the public's right to be informed; the data subject's request to have his name deleted from the article itself was therefore dismissed. Two other cases handled by the Garante during 2009 concerned newspapers and TV channels that, when reporting on the deaths of two individuals, had published pictures taken directly from Facebook, even though the pictures did not show the deceased but namesakes. The Garante found that publication of those pictures breached data protection legislation, since the accuracy of the information collected had not been checked thoroughly and erroneous personal information had been disseminated. Another important decision in this area reiterated that filming and using images of individuals within private premises without their consent is unlawful. The Garante prohibited anyone from disseminating or publishing images acquired and/or obtained in breach of the safeguards applying to private premises, having regard in particular to the privacy-intrusive techniques used to capture those images, the lack of consent by the data subjects concerned, and the exclusively personal nature of the activities shown.28 However, on 11 September 2009, the Garante declared that other pictures of Mr. Berlusconi, namely on a pier and on his private beach at Villa Certosa, Sardinia, were lawful and did not amount to unlawful processing of personal data, given the nature of the places.29
Along with enforcement actions and its ever-growing body of decisions, the Garante performs further functions in the field of data protection, notably the drafting of guidelines and codes of conduct. In 2001, the Garante issued a Code of Conduct and Ethics Regarding the Processing of Personal Data for Historical Purposes, together with guidelines on the protection of personal data in election activities such as campaign literature and elections.30 In 2005, the Garante issued guidelines on privacy issues related to RFID tags, loyalty cards, digital TV (e.g., pay-per-view) and video communications.31 In 2006, the Garante released guidelines on the collection of employees' personal information in the workplace.32 In 2006-2007, the Garante continued work on a draft code of practice for the Internet, with the participation of a large number of representatives from the private sector.33 In 2007, the Garante promoted a round table with Internet service providers, access operators and other concerned bodies to advance the draft code of practice. As of June 2010, this self-regulatory draft code is still a work in progress, with no release date in sight.34 In 2008, the Garante set out the legal framework for electronic systems that process personal data. In November 2008, the Garante issued another Code of Conduct and Ethics Regarding the Processing of Personal Data for Private Investigations carried out by lawyers and their "private eyes".35 In 2009, new guidelines were issued in the health sector concerning the management of health dossiers and electronic health records, as well as online medical reports.36
On 27 November 2008, the Garante simplified the security measures contained in the technical specifications to the Data Protection Code (set out in Annex B).37 On the same day, the Authority adopted a Decision concerning Measures and Arrangements Applying to the Controllers of Processing Operations Performed with the Help of Electronic Tools in View of Committing the Task of System Administrator.38
On 25 June 2009 the Garante reviewed and recast this decision to enhance the safeguards for data subjects in connection with the activities performed by "system administrators", a concept that Italian law does not expressly define.39 The new text was meant to clarify various points, partly to take account of queries lodged with the Garante. The requirements set forth by the Garante concern, more specifically: access logging (systems must be in place to log the accesses made by system administrators to processing systems and electronic databases); supervision by the data controller of the activities performed by system administrators (to verify that they comply with the organisational, technical and security measures provided for in data protection legislation); and the drafting of a list of system administrators and their roles (containing the information needed to identify each system administrator, including the functions assigned to them), which each data controller must record in an internal document to be made available for inspection by the Garante.
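The access-logging and administrator-list requirements described above, illustrated by an added example that is not part of the Garante's decision or of this report. It shows one way a data controller can make the administrator access log tamper-evident (each entry carries a SHA-256 hash chained to the previous one, so that altering or deleting an earlier entry is detectable) and can cross-check the administrators appearing in the log against the internally documented list. The log format, the administrator names, hosts and timestamps, and the functions `sample_log`, `AccessLog.verify` and `unregistered_admins` are all assumptions made up for this illustration; the Garante's text prescribes the logging obligation, not this mechanism.

```python
"""Hash-chained access log for system-administrator accesses.

Added example, not the Garante's text: a minimal append-only log whose
entries are linked by SHA-256, plus a check of the logged administrators
against the controller's list of designated administrators.
All names, hosts and timestamps below are constructed sample data.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Hash of the (non-existent) entry preceding the first one.
GENESIS = "0" * 64


def _digest(prev_hash: str, body: Dict[str, str]) -> str:
    """Hash the previous entry's hash together with a canonical JSON body."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


@dataclass
class AccessLog:
    entries: List[Dict[str, str]] = field(default_factory=list)

    def append(self, admin: str, host: str, event: str, ts: str) -> Dict[str, str]:
        """Record one administrator access event, chained to the last entry."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"admin": admin, "host": host, "event": event, "ts": ts, "prev": prev}
        entry = dict(body)
        entry["hash"] = _digest(prev, body)
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, int]:
        """Walk the chain; return (True, -1) if intact, else (False, index of
        the first entry whose link or hash no longer matches)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(prev, body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, -1


def unregistered_admins(log: AccessLog, registered: Set[str]) -> Set[str]:
    """Administrators seen in the log but absent from the controller's
    internal list of designated system administrators."""
    return {e["admin"] for e in log.entries} - registered


def sample_log() -> AccessLog:
    """Constructed sample: three access events on a hypothetical DB host."""
    log = AccessLog()
    log.append("alice", "db01.example.test", "login", "2010-06-01T08:02:11Z")
    log.append("mallory", "db01.example.test", "login", "2010-06-01T08:30:45Z")
    log.append("alice", "db01.example.test", "logout", "2010-06-01T09:15:02Z")
    return log


if __name__ == "__main__":
    log = sample_log()
    print("chain intact:", log.verify())                      # (True, -1)
    print("not on the admin list:", unregistered_admins(log, {"alice", "bob"}))
    # Simulate an administrator rewriting an earlier entry to hide an access.
    log.entries[1]["admin"] = "alice"
    print("after tampering:", log.verify())                   # (False, 1)
```

The design point is that the data controller's supervision duty is only meaningful if the log cannot be quietly edited by the very administrators it records; in practice the chain head (or the whole log) should be shipped to a system those administrators cannot write to.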
Since 2003, the Garante has run public information campaigns on television to inform the public of their rights with regard to the collection of personal data.40 In the same year, the Garante began work on a do-not-call strategy to deter unwanted marketing calls.41 In addition, nearly every year the Garante hosts a conference in Rome, with topics ranging from human genetics to the future of privacy.42 In 2009, the Garante launched an initiative aimed at students on the occasion of European Data Protection Day (28 January).43 Also in 2009, the Garante produced a booklet providing guidance (especially to young people) on dealing with social networks and making informed use of their potential.44
Major privacy and data protection case law
In addition to legislative action, there are several decisions on the judicial front that have crucially dealt with the right to privacy.45 A decision by the Council of State (Consiglio di Stato) addressed the relationship between the right of access and the right to privacy, ruling that the laws in force do not provide general guidance on how to balance these two rights. The decision allows an administrative body holding sensitive data to assess each specific situation in order to determine whether access is necessary or not to establish or defend a claim that is at least equal to the data subject's claim to privacy.46 In another decision concerning this issue, the Council of State ruled that the right of access, albeit in its "softened" version, i.e., as the right to inspect records, should override the right to privacy if knowledge of the information is required to exercise the right of defence with regard to circumstances amounting to a criminal offence.47 Furthermore, since two relevant decisions issued in 2003, the Court of Cassation has ruled that non-pecuniary damage should be construed as a wide-ranging category including all cases in which there is violation of a value pertaining to human beings. The use of unlawful means in collecting personal data was expressly mentioned among the cases the Court considered to entitle to protection against the damage caused by the violation of individual-related interests devoid of pecuniary value.48
On 4 October 2006 the Court of Brescia ruled that it is a Constitutional violation if the Public Prosecutor seizes a computer belonging to a non-investigated person and collects data not related to the investigation itself.49
On 1 August 2008, the Court of Bergamo issued a preliminary investigation order requesting the "seizure" of the Pirate Bay website. The Pirate Bay displayed a collection of links to allegedly copyright-infringing material; the website, however, is hosted outside Italy. On 10 August 2008, the order was implemented by forcing Italian Internet providers to block the website's domain name as well as its associated IP addresses. On 29 September 2009, the Court of Cassation (Corte di Cassazione), the highest court in Italy, declared the "seizure" lawful pursuant to Article 171-ter(2)(a-bis) of Law No. 633/1941.
Then, on 16 August 2008, Electronic Frontiers Italy (ALCEI-EFI) reported to the Italian Data Protection Authority the violations of law contained in the preemptive seizure order issued by the judge for preliminary investigations of the Bergamo Tribunal.50 ALCEI-EFI explained that the enforcement of the court order went beyond what the judge had ordered: "Users attempting to connect to the 'seized' site are redirected to the IP number 220.127.116.11, belonging to servers located in the United Kingdom and apparently registered by the pro-music.org domain, a music industry association protecting intellectual property rights. If the above is true, then a private association, outside the Italian jurisdiction, is collecting Internet traffic data that, when matched with those retained by the ISPs, will allow the identification and possible criminal investigation of third parties absolutely not involved in the Bergamo criminal case."51
On 7 October 2008, the Bergamo Criminal Court overruled the seizure. According to ALCEI-EFI, "The Bergamo Court had overruled the seizure, but only on a legal technicality. As it had been pointed out by ALCEI, that 'seizure' cannot be interpreted as 'traffic hijacking'."52 Even after the aforementioned decision by the Court of Cassation from 29 September 2009, this crucial issue still seems controversial.
Among the most relevant recent cases is the aforementioned Google-Vividown case decided by the Tribunal of Milan on 24 February 2010. The conviction of three Google executives, who received six-month suspended jail sentences, hinges on Article 167 of the Code (unlawful processing of personal data) and on Articles 23 and 26 on sensitive data. The defendants, in other words, were convicted on the ground that they had allegedly obtained an unlawful gain by participating in the processing of a video of a disabled teenager without either his consent or the authorisation of the Garante. Most scholars, however, argue that users should be held personally liable for what they do online, as confirmed by cases of defamation and of privacy or copyright infringement, so that ISPs and social network services should be liable only when they fail to remove illegitimate content after being asked to do so by a judicial or administrative authority. The decision sparked lively reactions and raised a number of contentious legal issues, e.g., the applicability of Italian data protection law to this case, the distinction between data processor and data controller, ISPs' information duties on the Web 2.0, and the idea that cookies on users' PCs should be considered "equipment" pursuant to Article 4(1) of the EU Data Protection Directive. A decision by the Court of Appeal of Milan is expected in 2011.
- 1. Decreto Legislativo No. 196. The consolidated text of the Code is available in Italian and English at http://www.garanteprivacy.it/garante/navig/jsp/index.jsp?folderpath=Norm....
- 2. "Italy Enacts a New Privacy Code," BNA World Data Protection Report Vol. 3, Issue 9, September 2003, at 19.
- 3. Legge No. 675 (Law), 31 December 1996, amended by Decreto Legislativo No. 123 (Legislative Decree), 9 May 1997, and Decreto Legislativo No. 255, 28 July 1997, available at http://www.privacy.it/dl1997123.html; Legge No. 676, 31 December 1996, Delega al Governo in materia di tutela delle persone e di altri soggetti rispetto al trattamento dei dati personali (Delegation to the Government on the Protection of Persons and Other Subjects Regarding the Processing of Personal Data).
- 4. Decreto del Presidente della Repubblica No. 318 (Decree of the President of the Republic), 28 July 1999. The cited decree and the other various decrees enacted after 1996 to regulate data protection in specific sectors are all available at http://www.garanteprivacy.it/garante/navig/jsp/index.jsp?folderpath=Norm....
- 5. Decreto Legislativo No. 282 (Legislative Decree), 28 July 1999.
- 6. Decreto Legislativo No. 171 (Legislative Decree). 13 May 1998.
- 7. Decreto Legislativo No. 281 (Legislative Decree), 30 July 1999.
- 8. Decreto Legislativo No. 135 (Legislative Decree), 11 May 1999.
- 9. See http://www.garanteprivacy.it/garante/navig/jsp/index.jsp?folderpath=Norm....
- 10. Decreto Legislativo No. 207, 30 December 2008, Art. 44.
- 11. Legge No. 15, 4 March 2009, Art. 4 paragraph 9.
- 12. See the extensive articles collection published by Interlex, supra.
- 13. Id.
- 14. See the section "Major Privacy & Data Protection Case Law," infra.
- 15. Legge No. 93, 29 March 1983.
- 16. Decreto del Presidente della Repubblica No. 513 (Decree of the President of the Italian Republic), 10 November 1997, available at http://www.privacy.it/dpcm19990208.html.
- 17. "Garante per la Protezione dei Dati Personali," available at http://www.garanteprivacy.it/garante/navig/jsp/index.jsp?solotesto=N.
- 18. Decreto del Presidente della Repubblica No. 501 (Decree of the President of the Italian Republic), 31 March 1998, reprinted in Gazzetta Ufficiale No. 25, 1 February 1999, the decree was subsequently partly repealed by the Data Protection Code.
- 19. "Recent Examples of Enforcement Actions Carried Out by Data Protection Authorities," Article 29-Data Protection Working Party, (Article 29 WP Report) January 2005, available at http://ec.europa.eu/justice/policies/privacy/workinggroup/index_en.htm.
- 20. See http://www.garanteprivacy.it/garante/doc.jsp?ID=1490382 and http://www.garanteprivacy.it/garante/doc.jsp?ID=1490463 (both in Italian).
- 21. In Italian at http://www.garanteprivacy.it/garante/doc.jsp?ID=1719879.
- 22. See Andrea Monti, "Il caso 'Le Iene' e la funzione del Garante" ("The 'Le Iene' Case and the Role of the Garante"), available at http://www.interlex.it/675/amonti87.htm. A TV programme called Le Iene sent a make-up artist to Parliament who, posing as a TV journalist, swabbed MPs' eyebrows to collect droplets of perspiration. All the swabs were immediately anonymised, so that it was not possible to match a swab with an MP's identity. The Data Protection Code does not allow the Garante to claim jurisdiction over human tissue samples, because a sample per se does not meet the legal definition of personal data. Nevertheless, the Garante blocked the show.
- 23. Cfr. Section "Financial Privacy," infra in this Report.
- 24. See "Vuoto normativo? La legge che vieta è già in vigore" ("Regulatory Gap? The Prohibiting Law Is Already in Force"), Il Sole 24 Ore, 3 May 2008.
- 25. Garante per la Protezione dei Dati Personali, "Vende dati on line, ma non informa gli interessati e scatta il divieto del Garante" ("The Garante prohibits Online Selling of Personal Data without Informing Data Subjects"), 29 July 2008, available at http://www.garanteprivacy.it/garante/doc.jsp?ID=1536569.
- 26. Garante per la Protezione dei Dati Personali, "No ai sondaggi 'occulti'" ("No to 'Hidden' Surveys"), Notiziario Settimanale No. 313, 6 October 2008, available at http://www.garanteprivacy.it/garante/doc.jsp?ID=1553314.
- 27. Garante per la Protezione dei Dati Personali, "Conti correnti: è gratuito l'accesso ai dati personali dei familiari defunti" ("Bank Accounts: Free Access to Personal Data of Deceased Relatives"), 6 October 2008, available at http://www.garanteprivacy.it/garante/doc.jsp?ID=1553314.
- 28. Garante per la Protezione dei Dati Personali, "Fotografie riprese all'interno di luogo di dimora privata: divieto di diffusione" ("Photographs Taken in Private Residences: Disclosure Prohibited"), 18 June 2009, available at http://www.garanteprivacy.it/garante/doc.jsp?ID=1623306.
- 29. Garante per la Protezione dei Dati Personali, "Le foto di Berlusconi sul pontile potevano essere pubblicate" ("Pictures of Berlusconi on the Pier Could Be Published"), Press Release, 11 September 2009, available at http://www.garanteprivacy.it/garante/doc.jsp?ID=1649435.
- 30. Garante per la Protezione dei Dati Personali, "Personal Data and Elections-Instructions for Use," 7 March 2001.
- 31. Italian Data Protection Authority, Consultation on RFID, available at http://www.garanteprivacy.it/garante/doc.jsp?ID=1078227.
- 32. In Italian at http://www.garanteprivacy.it/garante/doc.jsp?ID=1368292.
- 33. 10th Annual Report of the Article 29 Data Protection Working Party (2006), 20 June 2007, available at http://ec.europa.eu/justice/policies/privacy/workinggroup/annual_reports....
- 34. Email (report) sent by Andrea Monti, Vice President, ALCEI (Electronic Frontiers Italy), to Katitza Rodriguez Pereda, EPIC International Privacy Project Director, 2008 (on file with EPIC).
- 35. Available in English at http://www.garanteprivacy.it/garante/doc.jsp?ID=1569165.
- 36. Available in English at http://www.garanteprivacy.it/garante/doc.jsp?ID=1683328 and http://www.garanteprivacy.it/garante/doc.jsp?ID=1672821.
- 37. In English at http://www.garanteprivacy.it/garante/doc.jsp?ID=1619241.
- 38. In English at http://www.garanteprivacy.it/garante/doc.jsp?ID=1577499.
- 39. In Italian at http://www.garanteprivacy.it/garante/doc.jsp?ID=1626595.
- 40. "Non è una firmetta!" ("It's Not Just a Signature!"), Newsletter of the Garante per la Protezione dei Dati Personali, No. 163 (17-23 March 2003), available at http://www.garanteprivacy.it/garante/doc.jsp?ID=66974.
- 41. "Nuovi elenchi telefonici: chiarezza nelle informazioni agli abbonati" ("New Telephone Directories: Clear Information for Subscribers"), Newsletter of the Garante per la Protezione dei Dati Personali, No. 163 (24 February - 2 March 2003), available at http://www.garanteprivacy.it/garante/doc.jsp?ID=34804.
- 42. See generally, Garante per la Protezione dei Dati Personali, supra.
- 43. Cfr. Sections "Online social networks and virtual communities" and "Online youth safety," infra in this Report. See http://www.garanteprivacy.it/garante/navig/jsp/index.jsp?folderpath=Atti....
- 44. Cfr. "Online social networks and virtual communities," infra in this Report.
- 45. Other relevant case law concerning privacy and data protection is categorized and discussed under the corresponding section. Cfr. Sections "Data Protection Authority", supra, "Wiretapping, access to, and interception of communications," infra, "Cybercrime," infra.
- 46. Cons. Stato 4002/2003 Foro It. V. Stato.
- 47. Cons. Stato 9276/2003 Foro It. V. Stato.
- 48. Cass. 8827/2003, 8828/2003.
- 49. Court of Brescia, Ordinanza 4 Ottobre 2006, at http://www.ictlex.net/?p=566.
- 50. Electronic Frontiers Italy, "An Update on the Piratebay Case," available at http://www.alcei.org/?p=38.
- 51. See "Italian Justice Wants to 'Seize' a Foreign Website," EDRi-gram No. 6.16, available at http://www.edri.org/edrigram/number6.16/italy-blocks-piratebay.
- 52. "An Update on the Piratebay Case," supra.