I. Legal framework

Comprehensive law

The Data Protection Code[1] relating to the protection of personal data was enacted by a Legislative Decree of 30 June 2003.[2] The Code replaced the Data Protection Act (which was enacted on 31 December 1996, after 20 years of debate,[3] to fully implement the European Union (EU) Data Protection Directive 1995/46/EC) as well as the various decrees enacted after 1996 to regulate data protection in specific sectors, such as security requirements,[4] the processing of medical information,[5] the processing of information for journalistic,[6] scientific or research purposes,[7] and personal data held by public bodies.[8] The new Data Protection Code (the Code) therefore covers all the requirements of the previous data protection decrees, of both the EU Directive 2002/58/EC on Privacy and Electronic Communications and the EU Directive 2006/24/EC on Data Retention, and of some codes of conduct already approved by the Italian Data Protection Authority.[9] Among the most relevant amendments to the Code in recent years, it is worth mentioning Legislative Decree No. 207, which doubled the fines for all administrative violations.[10] In 2009, Law No. 15 supplemented Article 1 of the Code by providing that "reports about the performance benefits of anyone employed on a public function and its evaluation are not subject to the protection of privacy".[11]

After strong criticism of the old law, the Code aimed to create, with little practical effect, a higher level of protection for data subjects while simplifying the applicable rules.[12] The Code is arranged in three sections: the first contains provisions on the rules applicable to the processing of personal information in the public and private sectors; the second focuses on "special requirements" that apply in specific fields, such as debtors or the health sector; the third concerns administrative and judicial issues.[13] Violators of the Code may also face harsh administrative or criminal penalties, as occurred in the Google-Vividown case decided by the Tribunal of Milan on 24 February 2010. On that occasion, three Google executives were sentenced to a six-month suspended jail term for violation of the data protection law.[14]

Sector-based laws

Italy also has several laws relating to video and workplace surveillance,[15] statistical information, electronic files and digital signatures.[16]

Important data protection provisions in the field of electronic communications are also found in other laws and regulations: the anti-spam rules contained in the Italian law on electronic commerce (Legislative Decree No. 70 of 9 April 2003) and the secrecy-of-correspondence rules contained in the Italian Code of Electronic Communications (Legislative Decree No. 259 of 1 August 2003).

Data protection authority

The Supervisory Authority for Personal Data Protection (Garante per la Protezione dei Dati Personali, or Garante) enforces the Italian Data Protection Code.[17] The Garante maintains a register of databases, conducts audits and supervises the enforcement of the law. The Garante can also audit databanks not under its jurisdiction, such as those relating to intelligence activities. The Decree on the Internal Organisation of the Garante[18] establishes the procedures for keeping the Register of Data Processes and regulates access to the register by citizens, as well as investigations, registrations and inspections.

The Garante is responsible for carrying out many activities. As of May 2010, there are 33 different sectors in which the Garante has intervened. Among these sectors are video surveillance, public transport, telemarketing and communications, spamming, minors and security measures, journalism and the health sector, biometrics, insurance and finance, and associations.

Enforcement actions by the Garante are mainly based on the reaction to complaints lodged by data subjects who were unable to exercise their rights (access, rectification, deletion), and on inspection or audit activities carried out either ex officio (based on an annual action plan identifying specific sectors and/or processing operations) or following complaints and reports.

Significant enforcement activities were carried out in the biometrics sector. The Garante stopped two initiatives by public bodies that were considering the use of fingerprint-based systems. In one case, the data controller required low-income university students and/or scholarship recipients to submit their fingerprints if they wanted to receive discounted access to restaurants and shops. In another, a local municipality required its employees to be fingerprinted to check their attendance at the workplace. The Italian DPA argued that the use of biometric mechanisms was disproportionate to the purposes to be achieved, and that specific privacy safeguards (such as enhanced security measures) were necessary given the highly sensitive nature of biometric information.[19] In 2008 the Garante authorised several banks to use biometric systems for security purposes.[20] Recently, on 15 April 2010, the Garante authorised the bank Brescia to use fingerprints in order to allow access to clients' safe deposit boxes.[21]

Some of the Garante's decisions have had an impact on Italian public opinion. For example, in October 2006, the Garante blocked the broadcast of a media investigation revealing that an Italian Member of Parliament used cannabis extensively. This decision raised strong criticism, mostly based on the alleged lack of jurisdiction over the issue.[22]

In May 2008, the Italian Revenue Office (Agenzia delle Entrate) released the fiscal records of Italian citizens online.[23] After a few days, the Garante tried to block the massive disclosure of personal information published on the Internet and through peer-to-peer networks.[24] In July 2008, a small company in Milan sold an online database of email addresses and fax and telephone numbers that had been lawfully taken from public records, but without informing the data subjects to whom those data belonged. The Garante prohibited the company from continuing to use, store and sell that data.[25] On 6 October 2008, the Garante fined two marketing research firms for a breach of privacy: the companies had carried out an opinion poll without informing the data subjects of the purpose for which their opinions were collected.[26] On the same day, the Garante ruled that access to personal data contained in records concerning a deceased person must be guaranteed free of charge to the deceased's family.[27]

On 15 January 2009, the Garante ordered a famous Italian publisher to redesign its online database containing the articles of the most important Italian newspaper, Il Corriere della Sera, so that the information could not be retrieved directly through a search engine. Treating it as a case of the individual's "right to be forgotten", the Garante aimed to strike a balance between personal data protection and people's right to be informed, and accordingly the data subject's request to have his name deleted from the article was dismissed by the supervisory authority.

Two other cases handled by the Garante during 2009 concerned newspapers and TV channels that, when reporting on the death of two individuals, had published pictures taken directly from Facebook, even though the pictures in question did not show the deceased individuals but rather namesakes. The Garante considered that publication of those pictures was in breach of data protection legislation, as the accuracy of the information collected had not been checked thoroughly and erroneous personal information had been disseminated.

Another important decision in this area reiterated that filming and using images of individuals within private premises without their consent is unlawful. The Garante prohibited the dissemination or publication, by anyone, of images acquired and/or obtained in breach of the safeguards applying to private premises, in particular considering the privacy-intrusive techniques used to capture those images, the lack of consent by the relevant data subjects, and the exclusively personal nature of the activities shown in those images.[28] However, on 11 September 2009, the Garante declared that other pictures of Mr. Berlusconi, namely on a pier and on his private beach at Villa Certosa, Sardinia, are lawful and do not constitute unlawful processing of personal data, given the nature of the places.[29]

Along with enforcement actions and the ever-growing number of its case studies, the Garante carries out further functions with regard to data protection, in particular the drafting of guidelines and codes of conduct. In 2001, the Garante issued a Code of Conduct and Ethics Regarding the Processing of Personal Data for Historical Purposes, including guidelines on the protection of personal data in election activities such as campaign literature and elections.[30] In 2005, the Garante issued guidelines on privacy issues related to RFID tags, loyalty cards, digital TV (e.g., pay-per-view) and video communications.[31] In 2006, the Garante released guidelines on the collection of personal information of employees in the workplace.[32] In 2006-2007, the Garante continued to work on the draft of a code of practice applying to the Internet, with the participation of a large number of representatives from the private sector.[33] In 2007, the Garante promoted a round table with Internet Service Providers, access operators and other concerned bodies to implement the draft code of practice. As of June 2010, this self-regulation draft code is still a work in progress, with no prospect of a release date.[34] In 2008, the Garante established the legal framework for all electronic systems processing personal data. In November 2008, the Garante issued another Code of Conduct and Ethics Regarding the Processing of Personal Data for Private Investigations carried out by lawyers and their "private eyes".[35] In 2009, new guidelines were delivered in the health sector, concerning the management of health dossiers and e-files, as well as online medical reports.[36]

On 27 November 2008, the Garante simplified the security measures contained in the technical specifications annexed to the Data Protection Code (Annex B).[37] On the same day, the Authority adopted a Decision concerning Measures and Arrangements Applying to the Controllers of Processing Operations Performed with the Help of Electronic Tools in View of Committing the Task of System Administrator.[38]

On 25 June 2009 the Garante reviewed and recast this decision to enhance the safeguards for data subjects in connection with the activities performed by "system administrators", a concept that is not expressly defined by Italian law.[39] The new text was meant to clarify various points, partly to take account of queries lodged with the Garante. The requirements set forth by the Garante concern, more specifically: access logging (systems must be in place to log the accesses by system administrators to processing systems and electronic databases); supervision by the data controller of the activities performed by system administrators (to verify that they comply with the organisational, technical and security measures provided for in data protection legislation); and the drafting of a list of system administrators and their characteristics (containing the information needed to identify each system administrator, including the functions assigned to them), which each data controller should record in an internal document made available for inspection by the Garante.

Since 2003, the Garante has run public information television campaigns to inform the public of their rights with regard to the collection of personal data.[40] In the same year, the Garante began work on a do-not-call strategy to deter unwanted marketing calls.[41] In addition, nearly every year the Garante hosts a conference in Rome; topics have ranged from human genetics to the future of privacy.[42] During 2009, the Garante launched an initiative aimed at students on the occasion of European Data Protection Day (28 January).[43] Additionally, in 2009 the Garante produced a booklet providing guidance (especially to young people) on dealing with social networks and making knowledgeable use of their potential.[44]

Major privacy and data protection case law

In addition to legislative action, there are several decisions on the judicial front that have crucially dealt with the right to privacy.[45] A decision by the Council of State (Consiglio di Stato) addressed the relationship between the right of access and the right to privacy, ruling that the laws in force do not provide general guidance on how to balance these two rights. The decision allows an administrative body holding sensitive data to assess each specific situation in order to determine whether access is necessary to establish or defend a claim that is at least equal to the data subject's claim to privacy.[46] In another decision on this issue, the Council of State ruled that the right of access, albeit in its "softened" version, i.e., as the right to inspect records, should override the right to privacy if knowledge of the information is required to exercise the right of defence with regard to circumstances amounting to a criminal offence.[47] Furthermore, since two relevant decisions in 2003, the Court of Cassation has held that non-pecuniary damage should be construed as a wide-ranging category including all cases in which a value pertaining to human beings is violated. The use of unlawful means in collecting personal data was expressly mentioned among the cases the Court considered to entitle a person to protection against the damage caused by the violation of individual-related interests devoid of pecuniary value.[48]

On 4 October 2006 the Court of Brescia ruled that it is a constitutional violation for the Public Prosecutor to seize a computer belonging to a person not under investigation and to collect data unrelated to the investigation itself.[49]

On 1 August 2008, the Court of Bergamo issued a preliminary investigation order requesting the "seizure" of The Pirate Bay website. The Pirate Bay displayed a collection of links to allegedly copyright-infringing material; however, the website is hosted outside Italy. On 10 August 2008, the order was implemented by forcing Italian Internet providers to block the domain name of the website as well as its associated IP addresses. On 29 September 2009, the Court of Cassation (Corte di Cassazione), the highest court in Italy, declared the "seizure" lawful pursuant to Article 171 ter (2 a bis) of Act No. 633/1941.

On 16 August 2008, Electronic Frontiers Italy (ALCEI-EFI) reported to the Italian Data Protection Authority the violations of law contained in the pre-emptive seizure order issued by the Judge for the preliminary investigation of the Bergamo Tribunal.[50] ALCEI-EFI explained that the enforcement of the Court order went beyond what the Judge had ordered. "Users attempting to connect to the 'seized' site are redirected to the IP number, belonging to servers located in the United Kingdom and apparently registered by the domain, a music industry association protecting intellectual property rights. If the above is true, then a private association, outside the Italian jurisdiction, is collecting Internet traffic data that, when matched with those retained by the ISPs, will allow the identification and possible criminal investigation of third parties absolutely not involved in the Bergamo's criminal case."[51]

On 7 October 2008, the Bergamo Criminal Court overruled the seizure. According to ALCEI-EFI, "The Bergamo Court had overruled the seizure, but only on a legal technicality. As it had been pointed out by ALCEI, that 'seizure' cannot be interpreted as 'traffic hijacking'."[52] Even after the aforementioned decision by the Court of Cassation of 29 September 2009, this crucial issue still seems controversial.

Among the most relevant recent cases is the aforementioned Google-Vividown case decided by the Tribunal of Milan on 24 February 2010. The reasons why three Google executives were sentenced to a six-month suspended jail term hinge on Article 167 of the Code, i.e., unlawful processing of personal data, and on Articles 23 and 26 on sensitive data. The defendants, in other words, were convicted because they were found to have obtained an unlawful gain by participating in the processing of the video of a disabled teenager without either his consent or the authorisation of the Garante. Most scholars, however, argue that users should be held personally liable for what they do online, as confirmed by cases of defamation and of privacy or copyright infringement, so that ISPs as well as social network services should be held liable only when they fail to remove unlawful content after having been asked to do so by a judicial or administrative authority. The decision has sparked lively reactions while raising a number of contentious legal issues, e.g., the applicability of Italian data protection law to this case, the distinction between data processor and data controller, ISPs' information duties on the Web 2.0, and the idea that cookies on people's PCs should be considered "equipment" pursuant to Article 4(1) of the EU Directive on data protection. A decision by the Court of Appeal in Milan is expected in 2011.