
The right to privacy, which encompasses the right to the protection of the individual’s personal data, was first recognized by the Italian courts in the 1970s, and was then acknowledged by the legislature. In 2003, the Personal Data Protection Code, which implements EU Directives on data protection and on privacy and electronic communications, was adopted.

The Code governs all types of data processing, including online data processing. The main purpose of the Code is the general prohibition of the collection, storage, and use of personal data, unless the data subject has given his or her prior informed consent. Transparency is ensured by the adoption of codes of conduct and professional practice by service providers, and by the general duty of providing adequate information to data subjects. Security is guaranteed through the imposition of the “minimum security measures” standard. In addition to the right to be informed, data subjects are entitled to several other rights, including the right to object to the processing of the data concerning them or to obtain the updating, correction, integration, or erasure of such data. Spamming is prohibited unless the subscriber or user has given his or her consent.

A supervisory authority is tasked with verifying compliance of data processing with laws and regulations, responding to data subjects’ complaints, and blocking unlawful or unfair data processing operations. Administrative, nonjudicial, or judicial remedies to protect rights of data subjects are foreseen.

Presently, no proposals for reforming the current legislation have been presented.

I. Legal Framework

The Italian Constitution contains no express guarantee of the right to privacy.[1] The jurisprudential debate over its existence began in the 1950s, but it was only in 1973 that the Constitutional Court[2] expressly acknowledged privacy as a right,[3] followed by the Court of Cassation two years later.[4]

Initially, the right to privacy protected a person’s private life and domicile; over time, as technology evolved, it was extended to protect the ability of individuals to determine what sort of information about themselves is collected and how that information is used.[5]

The first law dealing specifically with the issue of data protection was enacted in 1996,[6] in order to implement EU Directive 95/46 on Data Protection.[7] This act was then repealed and replaced in 2003 by the Codice in Materia di Protezione dei Dati Personali (Personal Data Protection Code, hereafter referred to as the Code),[8] which implements both EU Directive 95/46 on Data Protection and Directive 2002/58 on Privacy and Electronic Communications.[9] The Code expressly recognizes the existence of a right to personal data protection.[10]

As of this writing, no laws or regulations specifically address smartphone applications; location data are governed only by the general provisions of the Code on electronic communications (discussed in Part II.B below).


II. Current Law

The Personal Data Protection Code governs all kinds of data processing, including online data processing.[11] The provisions of Title X are, however, dedicated specifically to some aspects of the processing of personal data in connection with electronic communications.

The definition of electronic communications is given in the introductory part of the Code, where it is stated that this expression “shall mean any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service.”[12]

A.  Subject Matter and Scope of Application

The provisions of the Code apply to providers of electronic communications services, subscribers, and users. While no definition is given for providers, the Code specifies that a subscriber “shall mean any natural or legal person, body, or association who or which is party to a contract with the provider of publicly available electronic communications services for the supply of such services, or is otherwise the recipient of such services by means of prepaid cards.”[13] A user, on the other hand, is “a natural person using a publicly available electronic communications service for private or business purposes, without necessarily being a subscriber to such service.”[14] The distinction between subscriber and user extends the protection offered by the Code to those who occasionally use an electronic communications service without having signed a contract with the service provider (e.g., those using their friend’s computer or a hotel guest using a hotel Internet connection).[15]

As to the scope of application, the Code applies to the “processing of personal data, including data held abroad, where the processing is performed by any entity established either in the State’s territory or in a place that is under the State’s sovereignty.”[16] It also applies when the processing “is performed by an entity established in the territory of a country outside the European Union, where said entity makes use in connection with the processing of equipment, whether electronic or otherwise, situated in the State’s territory, unless such equipment is used only for purposes of transit through the territory of the European Union.”[17]

B. Data Processing

Title X of the Code begins with a general prohibition against using “an electronic communications network to gain access to information stored in the terminal equipment of a subscriber or user, to store information or monitor operations performed by a user.”[18] In fact, terminals are considered to be an integral part of the private sphere of the individual, and are thus protected by the right to privacy.[19]

The general prohibition on collection, storage, and use of personal data is subject to only one exception: for specific, legitimate purposes, the service provider may store information in order to transmit a communication or provide a specific service as requested by a subscriber or user; however, such technical storage cannot last longer than is strictly necessary and “the subscriber or user must give his or her consent based on prior information, whereby the purposes and duration of the processing shall be referred to in detail, clearly and accurately.”[20]

Location data, which indicate the geographic position of the terminal equipment of a user,[21] may only be processed when they are made anonymous;[22] otherwise, it is necessary for the data subject to give his or her prior consent, which may be withdrawn at any time. In both cases, the data may be processed “to the extent and for the duration necessary for the provision of a value-added service.”[23]

Traffic data, which are those data necessary for the “purpose of the conveyance of a communication on an electronic communications network or for the billing thereof,”[24] must be either erased or made anonymous when they are no longer necessary for the purpose of transmitting the electronic communication.[25]

C.  Data Retention

The Code stipulates that service providers must retain telephone traffic data for twenty-four months, and Internet traffic data for twelve months, “with a view to detecting and suppressing criminal offenses.”[26] Within that term, the data may be acquired from the provider “by means of a reasoned order of the judicial authority at the request of either the public prosecutor, defense counsel, the person under investigation, the injured party, or any other private party.”[27] The Ministry of the Interior as well as the police may request the service provider to “keep and protect traffic data” for up to ninety more days for “purposes of investigation and suppression of crimes.”[28] Nonetheless, data processing “shall be carried out by complying with the measures and precautions to safeguard data subjects.”[29]

D.  Transparency

In order to ensure transparency, the Code provides that the supervisory authority, the Garante per la Protezione dei Dati Personali (Data Protection Authority, discussed in Section III of this report), “shall encourage the adoption of a code of conduct and professional practice applying to the processing of personal data” by service providers, in order to “ensure and streamline adequate information and awareness by users of public and private electronic communications networks as to the categories of personal data processed and the mechanisms for such processing—in particular, by providing information notices online using simple means and in an interactive manner.”[30]

Even in the absence of such a code of conduct, the subscriber or user is protected by the general provision of article 13, according to which the service provider must preliminarily inform the data subject,

either orally or in writing, as to the purposes and modalities of the data processing; the obligatory or voluntary nature of providing the requested data; the consequences if he or she fails to reply; the entities or category of entities to whom or which the data may be communicated, and the scope of dissemination of said data; his or her rights; the identification data concerning the data controller; and, where designated, the data controller’s representative in the State’s territory and the data processor.[31]

E. Security

In order to ensure “security of its services and integrity of traffic data, location data, and electronic communications against any form of unauthorized utilization or access,” the service provider shall take “all suitable technical and organizational measures that are adequate in light of the existing risk.”[32] Moreover, in case of a particular risk of a breach of network security, the provider shall inform subscribers and users of said risk and the possible remedies.[33]

According to the Code, the minimum security measures that a service provider, like any data controller processing personal data by electronic means, must adopt include

  a) computerized authentication;
  b) implementation of authentication credentials management procedures;
  c) use of an authorization system;
  d) regular update of the specifications concerning the scope of the processing operations that may be performed by the individual entities in charge of managing and/or maintaining electronic means;
  e) protection of electronic means and data against unlawful data processing operations, unauthorized access, and specific computer programs;
  f) implementation of procedures for safekeeping backup copies and restoring data and system availability;
  g) keeping an up-to-date security policy document;
  h) implementation of encryption techniques or identification codes for specific processing operations performed by health-care bodies in respect of data disclosing health and sex life.[34]

F.  Data Subjects’ Rights

The Code provides that data subjects “have the right to obtain confirmation as to whether or not personal data concerning [them] exists.”[35] They also have the right to be informed of the source of the personal data, the purposes and methods of the processing, the identification data concerning data controller and data processors, and the entities to whom the personal data may be communicated.[36] Once they have been so informed, data subjects have the right to object, in whole or in part, to the processing,[37] and also to obtain updating, correction or integration, erasure, anonymization, or blocking of such data.[38] All these rights may be exercised simply by making a request to the data controller or processor without formalities, and the processor must reply without delay.[39]

G.  Spamming

The Code regulates the practice of spamming, stating that the use of automated calling systems without human intervention, and likewise the use of email, fax, SMS, or MMS messages, “for the purposes of direct marketing or sending advertising materials, or else for carrying out market surveys or interactive business communications, shall only be allowed with the subscriber’s consent.”[40]

H. Minors

No specific provisions exist in the Code or elsewhere as to the specific issue of online privacy for minors. The general rules of the Code therefore apply.

I.  Remedies

If a provision of the Code is violated, data subjects may choose among three kinds of remedies to protect their rights: administrative,[41] nonjudicial,[42] and judicial.[43]

In the case of administrative remedies, the data subject may lodge a claim of infringement with the national data protection authority, the Garante. No specific formalities are required. The claim must contain as many details as possible.[44] As long as the claim is not found to be manifestly groundless, the Garante may take different actions:[45] it may invite the data controller to block the processing on its own initiative, or it may issue an order requiring the data controller to take such measures as are necessary or appropriate to bring the processing into line with the provisions in force.[46] If the service provider fails to comply, or if there is an actual risk of considerable prejudice to one or more data subjects, the Garante may also block or prohibit the processing. The same applies if the processing conflicts with a substantial public interest.

Nonjudicial remedies are also offered by the Garante. If data subjects have not yet brought an action before a judicial authority, they may protect their rights by filing a complaint with the Garante[47] (once such a complaint is lodged, data subjects cannot change their minds and seek a judicial remedy).[48] The Garante gathers the necessary information relevant to the complaint and, if it is well-founded, may order the data controller to abstain from the unlawful conduct, and may also specify the remedies to enforce the data subject’s rights and set a term for their implementation.[49] If no decision is rendered within sixty days of the date on which the complaint was lodged, the complaint must be regarded as dismissed.[50] The decision or tacit dismissal of the Garante may be challenged before the judicial authorities.[51]

Finally, the data subject may choose to file a lawsuit at the Civil Court, and the petition may be granted or dismissed, in whole or in part. The court may also order the necessary measures; provide for damages, if claimed; and award legal costs to the losing party.[52] Appeal against the judgment is not possible; however, it may be challenged before the Court of Cassation.[53]

J.  Sanctions

Violations of the Code are punishable with sanctions that, according to the nature of the violation, may be either administrative or criminal, and are specific to each violation.[54] For instance, in the case of no or inadequate information provided to data subjects, the service provider may be punished with a fine of between three thousand and eighteen thousand euro (about US$3,700 to $22,255); the amount may be increased up to three times if it is found to be ineffective on account of the offender’s economic status.[55] Another example is unlawful data processing, which may be punished, if harm is caused, with imprisonment of up to twenty-four months.[56] Finally, failure to adopt security measures may be punished either with detention for up to two years or with a fine of up to fifty thousand euro (about US$61,820).[57]


III. Role of Data Protection Agencies

The Garante per la Protezione dei Dati Personali (Data Protection Authority) was instituted by Law 675/96 in order to ensure lawful data processing and the respect of people’s fundamental rights.[58] It is an independent and autonomous collegiate body composed of four members, two of whom are elected by the Chamber of Deputies and two by the Senate from among “persons ensuring independence and with proven experience in the field of law or computer science.”[59] The elected members hold office for four years, and the appointment may be renewed only once.[60] Under penalty of losing office, they cannot carry out professional or advisory activities, manage or be employed by public or private entities, or hold elective offices.[61]

The tasks of the Garante are described in article 154 of the Code and include the following:

  • Verifying whether data processing operations are carried out in compliance with laws and regulations
  • Receiving reports and complaints
  • Ordering data controllers or processors to adopt such measures as are necessary or appropriate for the processing, to comply with the provisions in force
  • Prohibiting unlawful or unfair data processing operations, in whole or in part, or blocking such processing operations
  • Drawing the attention of the Parliament and government to the advisability of legislation
  • Issuing opinions whenever required
  • Raising public awareness of the legislation governing personal data processing and its relevant purposes, as well as of data security measures


IV. Court Decisions

As discussed in the first section of this report, the right to privacy was first recognized by the courts. After World War II, the courts were forced to take affirmative steps toward the protection of a person’s private life in order to answer the challenges of technological evolution, as the legislature did not want to intervene.

From the 1950s until the first half of the 1970s, there was a clear contrast between the decisions of the Tribunals of First Instance and those of the Appellate Courts: the former recognized the right to privacy, while the latter refused to acknowledge it.[62] An example of this contrast can be found in the well-known Caruso case.[63] Caruso was a famous opera singer; after his death, his heirs asked the Tribunal of Rome to protect his private life by barring the disclosure of certain indiscretions that would have harmed his privacy and memory.[64] The Tribunal rendered an innovative decision, recognizing the existence of a right to privacy, which implied the prohibition of intruding into someone’s private sphere.[65] Nonetheless, the Court of Appeals[66] and then the Court of Cassation[67] reversed the decision rendered by the Tribunal, stating that the simple desire for privacy alone could not be protected by the law.[68]

It was only in 1975 that the Court of Cassation finally acknowledged the existence of the right to privacy, stating that “a general right to privacy is deemed to exist in our legal system, a right protecting strictly personal and domestic situations [from disclosure] if not justified by preeminent public interests.”[69] This case opened the way for a series of decisions confirming the right to privacy. There were no landmark cases; rather, the courts, with their intense activity, built a path that, decision after decision, led to the adoption of Law 675/96 (implementing Directive 95/46), followed by the Personal Data Protection Code. After these laws were enacted, there was a sudden slowdown in jurisprudential activity; as of this writing, no decision has yet been rendered with regard to online data protection.


V. Public and Scholarly Opinion

The Personal Data Code has been well received both by the public and by legal scholars. According to Sabina Kirschen, a scholar of civil law, “the undeniable complexity of the subject . . . has forced the legislature to intervene and transform the multitude of existing rules into an organic law,” which “represents an important accomplishment in the history of Italian privacy law, as well as a foundation on which to build its future.”[70]

Another civil law scholar, Silvia Melchionna, praised the ability of the Code to finally “simplify the interpretation of the provisions about personal data protection.”[71]

The provisions of the Code that deal with electronic communications have been particularly popular, principally because of the “comprehensive protection it gives to consumers . . . by specifying the duties of service providers and giving value to the rights of users,” according to an Italian jurist and former member of the Garante, Giuseppe Santaniello.[72]


VI. Pending Reforms

As of this writing, no proposals have been presented to reform the current legislation concerning online privacy.


Prepared by Laura Andriulli
Law Library Intern
under the supervision of Nicole Atwill
Senior Foreign Law Specialist
June 2012


[1] GIUSEPPE CASSANO, DIRITTO DELLE NUOVE TECNOLOGIE INFORMATICHE E DELL’INTERNET [NEW INFORMATION TECHNOLOGY AND INTERNET LAW] 128 (Ipsoa, 2002).

[2] Corte Costituzionale [Corte Cost.] 12 aprile 1973, n. 38, Corte Cost., 1973, I, 354.

[3] CASSANO, supra note 1, at 130.

[4] Cass. 27 maggio 1975, n. 2129, Giurisprudenza Italiana [Giur. it.], 1976, I, 1, 970.

[5] ROCCO PANETTA, LIBERA CIRCOLAZIONE E PROTEZIONE DEI DATI PERSONALI [FREEDOM OF MOVEMENT AND PERSONAL DATA PROTECTION] 6 (Giuffrè, 2006).

[6] Legge 31 dicembre 1996, n. 675, GAZZETTA UFFICIALE DELLA REPUBBLICA ITALIANA [G.U.] 8 gennaio 1997, n. 5.

[7] Directive 95/46/EC, of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML.

[8] Decreto Legislativo [D. Lgs.] n. 196 del 30 giugno 2003, G.U. 29 luglio 2003, n. 174.

[9] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector, 2002 O.J. (L 201) 37, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:en:HTML.

[10] Art. 1 Codice in Materia di Protezione dei Dati Personali [C.m.p.], http://www.garanteprivacy.it/garante/doc.jsp?ID=1311248.

[11] Art. 2 C.m.p.

[12] Art. 4.2 C.m.p. (all Code translations by author).

[13] Id.

[14] Id.

[15] PANETTA, supra note 5, at 1563.

[16] Art. 5 C.m.p.

[17] Id.

[18] Art. 122 C.m.p.

[19] PANETTA, supra note 5, at 1564.

[20] Art. 122 C.m.p.

[21] Art. 4 C.m.p.

[22] Art. 126 C.m.p.

[23] Id.

[24] Art. 4 C.m.p.

[25] Art. 123 C.m.p.

[26] Art. 132.1 C.m.p., as amended by D. Lgs. 30 maggio 2008, n. 109, G.U. 18 giugno 2008, n. 141, implementing Directive 2006/24/EC.

[27] Art. 132.3 C.m.p.

[28] Art. 132.4 C.m.p.

[29] Art. 132.5 C.m.p.

[30] Art. 133 C.m.p.

[31] Art. 13 C.m.p.

[32] Art. 32 C.m.p.

[33] Id.

[34] Art. 34 C.m.p. (footnotes dropped).

[35] Art. 8 C.m.p.

[36] Id.

[37] Id.

[38] Id.

[39] Id.

[40] Art. 130 C.m.p.

[41] Arts. 142–144 C.m.p.

[42] Arts. 145–151 C.m.p.

[43] Art. 152 C.m.p.

[44] Art. 142 C.m.p.

[45] Art. 143 C.m.p.

[46] Id.

[47] Art. 145 C.m.p.

[48] Id.

[49] Art. 150 C.m.p.

[50] Id.

[51] Art. 151 C.m.p.

[52] Art. 152 C.m.p.

[53] Id.

[54] Arts. 161–172 C.m.p.

[55] Art. 161 C.m.p.

[56] Art. 167 C.m.p.

[57] Art. 169 C.m.p.

[58] See Compiti del Garante [The Tasks of the Data Protection Authority], GARANTE PER LA PROTEZIONE DEI DATI PERSONALI, http://www.garanteprivacy.it/garante/doc.jsp?ID=34737 (last updated Dec. 9, 2009).

[59] Art. 153 C.m.p.

[60] Id.

[61] Id.

[62] TOMMASO AMEDEO AULETTA, RISERVATEZZA E TUTELA DELLA PERSONALITÀ [PRIVACY AND PROTECTION OF THE PERSONALITY] 68 (Giuffrè, 1978).

[63] Tribunale Ordinario di Roma 14 settembre 1953, Foro it., 1954, I, 115.

[64] CASSANO, supra note 1, at 129.

[65] Id.

[66] Corte d’Appello di Roma 17 maggio 1955, Foro it., 1956, I, 793.

[67] Cass. 22 dicembre 1956, n. 4487, Foro it., 1957, I, 5.

[68] CASSANO, supra note 1, at 129.

[69] Cass. 27 maggio 1975, n. 2129, Diritto d’autore [Dir. aut.], 1975, 367–78, as cited in PANETTA, supra note 5, at 161 (translation by author).

[70] Sabina Kirschen, Il Codice della Privacy, fra Tradizione ed Innovazione [The Privacy Code, Between Tradition and Innovation], in PANETTA, supra note 5, at 7 (translation by author).

[71] SILVIA MELCHIONNA, IL CODICE DEL TRATTAMENTO DEI DATI PERSONALI [THE DATA PROTECTION CODE] 68 (Giappichelli, 2007) (translation by author).

[72] GIUSEPPE SANTANIELLO, LA PROTEZIONE DEI DATI PERSONALI [PROTECTION OF PERSONAL DATA] 1 (Cedam, 2005) (translation by author).


Last Updated: 06/05/2015