Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


II. Surveillance policies

National security, government surveillance and law enforcement

Wiretapping, access to, and interception of communications

The constitutional principles of the secrecy of communication and the inviolability of the domicile have been enforced in the Criminal Code (Codice Penale). In particular, Section 615 bis – "Illegal Interference with Private Life" (Interferenze illecite nella vita privata) – establishes sanctions for whomever commits illegal interference into a third party's private life by means of video or audio recording tools. Further provisions establish sanctions for hacking into computer systems that under Italian law are protected as private domicile.1

Wiretapping is regulated by Articles 266-271 of the Criminal Procedure Code (Codice di Procedura Penale or CPP) and may be authorised only for a "legal proceeding," except in the case of terrorism related investigations.2 In fact, after 11 September 2001, "preemptive wiretapping" can be done even if no Public Prosecutor investigation is in progress.3 In particular, in October 2001, the Italian Parliament passed a decree4 in which the offence of criminal association for purposes of terrorism was redefined. However, the blanket surveillance of communications by law enforcement bodies was expressly ruled out. Telephone tapping and electronic surveillance were facilitated but only with due authorisation and under the supervision of judicial authorities. Additional safeguards apply to the use of investigatory findings and the prohibition to disclose such findings.5 The current legal framework establishes common provisions as well as special regimes for wiretapping and surveillance law. In November 2006 a Law was enacted which allows magistrates to destroy illegal wiretaps if discovered by police.6 In Italy, the publication of legitimate wiretap transcriptions is regulated by the Code of Criminal Procedure, in particular by its Article 114 – that prohibits the publication of "acts covered by secret" (atti coperti da segreto) and regulates the publication of acts "no more covered by secret" (non piú coperti da segreto) or "not covered by secret" (non coperti da segreto) –, Article 115 – that establishes criminal liability and the "disciplinary action" against civil servants that violate the prohibition on publication – and Article 329 regulating the "duty of secrecy".

Over the last few years, however, this subject matter has sparked a hot debate and, on 10 June 2010, the Italian Senate proposed a Bill (No. 1611) so as to modify current provisions on wiretapping. The Bill substantially curtails legal powers of Public Prosecutors and makes administrative and criminal penalties harsher for cases involving illegal wiretaps. One of the bill's provisions – heavily criticised by legal and police authorities – is the requirement that a three-judge panel approve successive three-day extensions to an initial 75-day warrant to wiretap conversations. The measure exempts Mafia and terrorism investigations. The law foresees a penalty of up to €450,000 for publishers and 30 days in jail and up to €10,000 for journalists who publish leaked material obtained through wiretaps before the beginning of a trial. In addition, documents related to ongoing investigations may not be published in full, but only as an abstract. According to the draft law, publishers who flout this ban face a fine of up to €300,000.7 Whereas most of the new provisions are quite problematic, the Italian Parliament is expected to examine the Bill in autumn 2010. Italian supporters of the bill claim it is necessary in order to protect privacy and curb the excessive use of wiretaps. Major concerns are raised, in Italy and abroad, that this decree would harm most pending and future trials for major crimes, advantage criminals, and have the effect of harming or stopping a number of famous trials involving politicians and VIPs. In a speech given at the presentation of the 2009 Annual report, the Garante criticised the measure as being too unbalanced in favour of a general protection of privacy without specific references to specific cases.8

On the other hand, search and seizure of Internet Service Providers storing digital information needed for criminal investigation purposes are subject to CPP.9 While a search and seizure warrant is the Attorney's General decision, wiretapping needs an Attorney General's request to the Judiciary for a "pre-emptive investigation". Only if the legal requirement is met may the Attorney General issue a wiretapping order.10

In the specific field of privacy online or digital privacy, the law on computer crimes includes penalties for the interception of electronic communications.11 Interception orders are granted for 15 days at a time and may be extended for the same length of time by a judge. The judge also monitors procedures for storing recordings and transcripts. Any recordings or transcripts that are not used must be destroyed. The conversations of religious ministers, lawyers, doctors, or others subject to professional confidentiality rules cannot be intercepted. There are more lenient procedures for anti-Mafia cases.

On 18 March 2008, the Italian Parliament enforced the Convention of Budapest on Cybercrime12 with the Act No. 48, which modifies Articles 244 and 247 CPP in order to guarantee both the integrity and quality of the data to be used in criminal trials. Still, the new provisions do not clarify the distinction between "searches" and "wiretaps" as it occurs in the paradigmatic case of SMS/MMS and whether it should be applied Article 254 CPP on search or the more "liberal" Article 266 bis CPP on wiretaps.

On 21 June 2005, the Italian collective and Internet service provider (ISP) Austistici/Inventati discovered a major police backdoor in its server, which hosts a large number of websites, mailboxes, mailing lists, and Internet services for NGOs, grassroots activists, and public interest associations. The Italian Polizia Postale (Postal Police) installed the backdoor the year before, after the Procura di Bologna (Office of the Public Prosecutor of Bologna) ordered a seizure during an investigation of the anarchist collective Crocenera. The police gained access to the private SSL certificate stored on the server and installed several tools to monitor, intercept and decrypt all the traffic going through the server – that is, traffic that was not directly relevant to the investigations. This included the communications of more than 30,000 of the ISP's subscribers, whose basic rights to privacy and presumption of innocence, as granted under the Italian constitution, were violated.

In 2005 and 2006, the new internal security team of Telecom Italia, which reports directly to the CEO of the company, collected thousand of files regarding politicians, reporters, influential people in the financial sector, stars, and soccer players. This was done using both the internal wiretapping capabilities of Telecom Italy (which owns most of the physical phone and communication network in Italy) as well as covert (and illegal) decoding activities by the members of the Telecom Italia security team. This activity resulted in over 20 charges of having used the above information to gain unfair advantages against competitors and to blackmail individuals for politic and/or economic gain. The first hearing of such a complex case was held before the Tribunal of Milan on 23 March 2009. By May 2010, the 25th hearing had taken place and it seems there is still a long way to go. Meanwhile, the Garante issued a decision requiring Telecom Italia to "implement IT solutions that are suitable for ensuring supervision over the activities carried out by any and all persons in charge of any kind of processing with regard to the individual items of information included in the databases in use, regardless of the individual person's capacity, tasks, and scope of activity as authorised in respect to the data at issue," and fined the Telecom €500 (only!), to be paid to a complainant.13

In August 2007, an Italian judge ruled that installing bugging devices in a car was "not a criminal offence" because the provisions forbidding bugging apply only to the inviolability of the home. The ruling arose in Brescia, northern Italy, where a private detective agency specialising in infidelity cases offered to plant hidden microphones and satellite tracking devices in the cars of suspected spouses, at a cost of up to €1,500. The judge suggested that Parliament should take another look at Italy's privacy laws. In the judgment No. 28251 of 9 July 2009, the Court of Cassation, IV Penal Section, established that the car is not comparable to a private house, and therefore installing in the car a device that would be able to record the sound of what happens inside it doesn't entail a privacy breach.14

National security legislation

In July 2005, the Italian government passed Act No. 155/2005 as "urgent measures to enhance the prevention of and fight against international terrorism." The Act greatly expands law enforcement powers in anti-terrorism investigations. In 2007, the UN High Commissioner for Human Rights Subcommittee on Torture issued recommendations concerning Italian legislation. In the report, the Committee voiced concern that fundamental legal safeguards for persons detained by the police, including the right of access to a lawyer, are not being observed in all situations under Act No. 155/2005 (the "Pisanu Decree"). The Committee was concerned that the Act includes a provision that extends the permissible period of deprivation of liberty by the police for identification purposes from 12 to 24 hours. The Committee recommended immediate amendment of the Act.15

On 21 July 2007, Italian law enforcement made three arrests under Act No. 155/2005. The law empowers police to arrest individuals without any evidence of involvement with terrorist groups or in the planning of terrorist attacks. After two years of surveillance, police still lack concrete evidence against the trio. Under the new measures, training others to commit an attack and the possession of dangerous materials is enough for conviction.16

Data retention

Legislative Decree No. 109/08 enforced EU Directive 2006/24/CE and amended (again) the Data Protection Code by setting a new legal framework for data retention concerning both the traffic data to be retained, and the period of retention (two years for telephone traffic and one year for Internet traffic). The companies had a further six months (until 31 October 2008) to comply with the requirements imposed by law and delete five years of data stored until then because of the "Decreto Pisanu" and subsequent numerous extensions.17

However, the Garante on 17 January 2008 ruled that telephone operators had until 30 April 2009 to finally comply with the Internet and telephone data traffic retention requirements established by law.18 In the IT community this is regarded as proof that ISP's and telephone companies only consider important the IT implementation of legal requirements regarding data retention, underestimating the ones regarding deletion; in other word implementing only mandated investigatory needs and not citizen privacy rights.

National databases for law enforcement and security purposes

In order to enforce the Treaty of Prüm19 of 2005, as well as the EU Decision 2008/615/GAI,20 the Parliament passed the Law No. 85 of 30 June 2009, on a national DNA database.21 More particularly, the provisions distinguish between DNA profiles and biological samples of convicted persons, thereby establishing two different databases under the control of the Departments of Justice and Internal Affairs. Pursuant to Article 9 of the Law, the retention of both DNA profiles and biological samples concerns a specific set of convicted persons or people arrested while committing a crime. Notwithstanding the remarks of the Garante on 15 October 2007, national law-makers have established a huge period of data retention, that is, according to Article 13 of the Law, 40 years for DNA profiles and 20 years for biological samples. By considering the ruling of the European Court of Human Rights on 4 December 2008, in S. and Marper vs. UK, it is nonetheless likely that these provisions should be deemed disproportionate pursuant to Article 8 of the European Convention on Human Rights.22


The 1993 computer crime law prohibits unlawfully using a computer system and intercepting computer communications.23

Since a decree-law issued in March 2004, the responsibilities of Internet service providers (ISPs) are increasing, even though it is still debatable whether they should report who among their users engages in peer-to-peer file sharing.24 At the end of May 2004, Italy passed one of the world's toughest laws against piracy and file sharing.25 Penalties include a prison term of up to three years and fines that can exceed approximately €220,000. The Culture Ministry said that the law was necessary to protect the intellectual property rights of artists in light of the growing popularity of peer-to-peer networks. An early version draft of the Urbani Law (from the Minister's surname) included a special penalty for using encryption as tool to disguise illegal activities. This provision was not included in the final text.

In the light of this trend, it is thus likely that the Italian public will soon discuss the "three strikes" doctrine, already passed by some national Parliaments in Europe, so that Internet users should be logged off after three notices of copyright infringement.

On 14 July 2007, the Civil Court of Rome ruled in a peer-to-peer case where a music label asked the Court to force a telecommunications company to release the identity of customers suspected of copyright infringement using peer-to-peer software. A private company collected the IP number of 3,000 peer-to-peer users. The Court ruled that collection of an IP number for this purpose by a private entity is a violation of Articles 2 and 15 of the Italian Constitution as well as Articles 13, 23 and 37 of the Code, thus preventing this data from being used in Court.26

In July 2007, Italian law enforcement made 26 arrests from two separate groups of phishing fraudsters, in the culmination of an operation, dubbed "Phish and Chip", aimed at tracking down phishers defrauding banking clients of the national postal service Poste Italiane. The gangs were accused of sending out emails claiming to represent the Poste Italiane, and directing victims to faked websites to gather banking details, which were then used to strip accounts of funds. They are thought to have used casinos to enable larger withdrawals than offered by ATM cash machines. No details of the scale of the phishing activity have yet emerged. A judge involved in the case has called for improvements to the laws governing such fraud, including a specific crime of phishing, describing current legislation covering some of the crimes involved as "weak".27 Accordingly, the Parliament strengthened the rules by modifying Articles 640 ter and 617 quater-quinquies of the Criminal Code via the Legislative Decree No. 231 from 2007.

Territorial privacy

Video surveillance

Along with a set of safeguards for storing and processing personal data, some recent provisions on video surveillance are nonetheless problematic. For example, Act No. 38 from 23 April 2009 allows municipalities to employ video surveillance in order to guarantee "urban security," although bypassing national provisions on data protection and, more particularly, Article 53 of the Code. It seems in fact clear that such provisions are not covered by the exceptions of "national security" or "public security" pursuant to Article 13 (let alone 3) of the EU Directive 1995/46/EC.

Since a decision adopted in April 2004, the Garante has referred to the basic principles on video surveillance and described the general requirements to be fulfilled by any video surveillance system. Guidance was also provided for specific data processing operations concerning the use of video surveillance in schools, hospitals, on board transportation means, and in the workplace. The Garante reserved the right to take ad hoc measures in particular situations on a case-by-case basis. It was determined that the basic criteria should be the respect for citizens' fundamental rights and freedoms as well as personal dignity, with particular regard to privacy, identity, and personal data protection.28 Accordingly, the Garante stated that individuals may not be deprived of the right to move without interferences that are incompatible with a free democratic society,29 such as those resulting from invasive and oppressive data acquisitions with respect to an individual's whereabouts and movements. The Garante also drew inspiration from the guidelines issued by several international and European fora such as, in particular, the Council of Europe's guidelines on video surveillance of 2003,30 and the documents drafted by the European data protection authorities within the framework of the Article 29 Working Party.31

On 25 September 2008, the Garante announced that it would begin carrying out inspections of operators of video surveillance equipment to determine whether they comply with the Data Protection Code. The findings of the Garante also aimed to identify any issues not specifically covered by the legislation.32 On 8 April 2010, the Garante finally set out the general principles of video surveillance and data protection, along with specific provisions for both the public and private sector, including security measures, data retention, and particular data subjects' rights like the partial ability to update their data in this field (pursuant to Article 3.5 of the Garante's decision).33 According to the Decision the installation of cameras is permitted only if it is proportionate to the objectives it pursue; video surveillance systems should be activated only when other measures are inadequate or impracticable; any storage of images should be limited in time. Citizens should be informed if an area is subject to surveillance.

Travel privacy (travel identification documents, biometrics, etc.) and border surveillance

The Italian Ministry of Foreign Affairs issued a Decree on Electronic Passports in December 2005, according to which new passports should include an RFID proximity chip to store the image of the holder's face and both forefinger prints. The Decree states that the biometric information stored on the chip will not be stored in a central database, but will be used only for authentication purposes.34 This decree was never applied and the Italian passports were modified only by inserting ordinary enhancements like printing computer-readable text and photo, because the negative privacy consequences of RFID features became an international affair. Further provisions were established by a new Decree of 23 June 2009, dealing with "the security of the ordinary e-passports."

The Garante considered the use and appropriateness of biometrics in relation to a project called S-Travel, which considered initial tests at the Athens and Milan Malpensa airports. Biometric authentication technologies, using fingerprints and/or iris scans, with particular regard to check-in and boarding operations, were the main issue. The Garante stated that it was necessary to comply with data minimisation and proportionality principles, as well as with data relevance and non-excessiveness requirements. In the case at issue, the technologies to be implemented were only partly suitable for achieving enhanced security of airport controls. Furthermore, the collection of biometric data related to both fingerprints and iris scans of both eyes was found to be excessive and disproportionate compared with the purposes of the processing. The S-Travel pilot projects have now concluded in Milan, but further implementation of the system is being considered.

National ID and smart cards

Starting in 2005 a fully electronic national identity document (Carta di Identità Elettronica or CIE)35 conceived in 2000, was deployed in limited quantities. The original document design that wouldn't have stored the whole fingerprint but only its "features" and wouldn't have sent fingerprints to a central database was dropped in favour of a full fingerprint stored in both the smartcard and a central database. Also, the possibility for the CIE to refuse giving the fingerprint was dropped. The whole CIE initiative was silently dismantled in 2009.

On 31 March 2005, Law No. 43/2005 was adopted. The statute, which takes into account an Opinion on e-cards adopted by the Garante, consolidates various regulations regarding electronic ID cards, and indicates which data must be included on the card and which information may or not be included. DNA information can never be included on the card, even with the cardholder's consent. However, at the cardholder's express request, biometric data, blood group data, and organ donation information can be included. The move from paper cards to electronic cards is voluntary, and there will be no obligation to obtain an electronic card. The statute also includes security standards and encryption standards for storage of biometric data in the card's chip.36

Starting from 1 January 2010 all Italian ID, electronic or traditional, should have carried a printed fingerprint that would have been also centrally recorded in digital format.37 The Financial Law 2010 (Legge Finanziaria 2010) postponed the date to 1 January 2011.38

RFID tags

The Garante has paid considerable attention to the development of radio frequency identification (RFID) technology.39 An initial in-depth analysis of this issue was carried out by addressing the way in which the new technology might impact the conditions for the exercise of individuals' freedoms, as well as the issues that are bound to arise in a data protection perspective following implementation of the technology.40

The Winston Smith Project (Progetto Winston Smith),41 an Italian NGO, has responded with a legal proposal to control the use of RFID tags. First, the organisation wants legal rules that oblige manufacturers to make RFID tags easily identifiable and removable. Second, the organisation says the presence, type, and position of RFID tags must be clearly advertised on the packaging of an article or the article itself. Third, the group requires permanent deactivation of RFID tags when buying the product or when usage of the tag has ended. Fourth, the group urges that all data collected by RFID readers be treated as personal data, to which all privacy principles apply. Fifth, the group says collection, storage, and further processing should only happen within the boundaries of a strict and publicly known goal. In case of additional processing or conservation for a longer time, companies should notify the Garante. Furthermore, the groups says these rules should not only apply to RFID-related data, but to all kinds of new electronic databases, such as GSM location data, web log files, and data generated by wireless networks.42 The proposal 1728/2006 on Norms Regarding the Collection, Use, Storage, and Deletion of Geo-referenced or Chrono-referenced Data containing an Unique User Identifier Obtained through Automatic Data Collection was submitted to the Chamber of Deputies in 2006, dropped because of new elections in 2008, and resubmitted on 29 April 2008 as proposal 257/2008 and is currently "on hold" in the Justice Commission of the Italian Parliament.43

Bodily privacy

In 2008 the Garante addressed the case of a father who had performed a genetic test on his son without informing him, in connection with investigations he was carrying out to establish consanguinity.44 A private investigation agency had collected two cigarette butts binned by the man's son, acting on instructions of the man's legal counsel. The biological samples had been tested, without informing the data subject, to establish genetic compatibility between father and son. The Garante ruled that a paternity/maternity test may not be performed without the child's consent if such test is not indispensable for judicial purposes. The Italian DPA recalled that genetic data may only be collected and processed with the data subject's "prior, written" and informed consent. This requirement may only be derogated to establish or defend a judicial claim; however, this only applies if the test is absolutely "indispensable" and is carried out pursuant to the conditions set forth by the Italian DPA – which include, in particular, an obligation to provide specific information to the data subject if the genetic test is aimed at establishing paternity/maternity. The Garante found that the son's data protection rights had been violated and prohibited both his father and the legal counsel from further processing the genetic information that had been unlawfully collected in the manner described above.

It seems likely that the Garante will soon address some further problems concerning the protection of people's privacy since, in January 2010, the Government introduced body scanner devices at airports, apparently violating Article 13 of the Constitution.