Italy’s fixed-line broadband penetration rate is 28.43 percent,1 while its mobile broadband penetration rate is 88.56 percent,2 according to 2019 data from the European Commission.2 Data provided to the ITU for 2018 give Italy a slighter lower fixed-line broadband penetration rate, 28.03 percent, and a much higher mobile broadband penetration rate, 94.53 percent.3

Several factors have contributed to Italy’s relatively low overall penetration rates, including infrastructural limitations. According to the EU’s 2020 Digital Economy and Society Index, ultrafast broadband connections are only available to 30 percent of households, compared with an EU average of 44 percent.4 While fourth-generation (4G) mobile network coverage extends to 97 percent of households, Italy ranks 19 out of 28 member states on this metric.5 The country ranks high on 5G readiness.6

Some 78 percent of Italians connected to the internet in 2019, and 74 percent did so on a daily basis. The share of households accessing the internet via broadband grew to 74.7 percent in 2019, compared with 73.7 percent in 2018.7

A July 2020 study by the Open Observatory of Network Interference (OONI) analyzed download and upload speeds around Milan, where coronavirus cases were prevalent, and found a correlation between poor service and the peak of COVID-19 infections. Increased home usage associated with pandemic-related restrictions on movement apparently caused network congestion.8

Italy’s Digital Agenda initiative, based on the Europe 2020 Digital Agenda, aims to expand broadband access and e-government functions.9 A 2016 government decree reduced the costs for laying cables and established the Networks Register for Infrastructure (SINFI), a dedicated instrument for implementing broadband strategy, managed by the Ministry of Economic Development.10 5G testing began in 2017,11 and the first 5G networks debuted in June 2019.12

In 2016, a “digital transformation team” was created to lead the technological modernization of Italian public administration, among other goals.13 Before its mandate ended in 2019, the team issued a Three-Year Plan for Information Technology in the Public Administration.14

Internet connections are relatively affordable. In 2020, the Economist Intelligence Unit ranked Italy 19 out of 100 countries surveyed in terms of the affordability of prices for fixed and mobile connections.15 The 2020 Digital Society and Economic Index noted that “Italy performs above the EU average in all price baskets considered (fixed, mobile, converged).”16

Significant geographical differences in internet penetration persist across the country, with southern regions such as Calabria lagging behind. An ambitious infrastructure plan called Growth 2.0 was launched in 2012 to close the digital divide between areas that are served by high-speed connections and those that are not, but the plan was plagued by delays.17 In May 2019 a new initiative was launched to raise digital literacy and increase skills in emerging technologies. Called Repubblica Digitale,18 it aims to reduce various aspects of the digital divide by 2025.

According to a 2018 special report by the European Court of Auditors, only around 40 percent of Italians living in rural areas had access to high-speed broadband connections (of 30 Mbps or more) in 2017.19 As part of its 2015 plan to expand ultrafast broadband (known as SNBUL), the government has assigned tenders to roll out networks in underserved regions.20

According to FTTH Council Europe data provided by iData, 1.9 million Italian households obtained access to ultra-high-speed broadband connections in 2019, marking the second largest increase in Europe. Still, Italy is only in the 34th position, out of 39 countries, when it comes to active broadband subscriptions.21

The internet is particularly popular among young people, with over 90 percent of people between ages 15 and 24 using the medium.22 Unfamiliarity with the internet among older people contributes to Italy’s relatively low overall penetration rate.

The government does not impose restrictions on connectivity, nor does it centralize control over information and communication technology (ICT) infrastructure.

Telecom Italia (TIM), the former state telecommunications monopoly that owns much of Italy’s physical networks, has continued the process of “externalizing” its infrastructure since 2013 to provide fair access to competitors as required by EU legislation,23 though it was unclear during the coverage period exactly how far the effort had progressed. TIM was privatized in 1997, and Cassa Depositi e Prestiti, controlled by the Ministry of Economy and Finance, holds only a 9 percent stake in the company.24 However, under a 2012 decree-law, the state enjoys special supervisory authority, or “golden power,” over TIM and other companies in strategic sectors of the economy.25

In 2019, the government approved a decree-law allowing the state to use its “golden power” to veto the purchase and deployment of Chinese 5G technology.26

Access to the internet for private users is offered by a range of internet service providers (ISPs), all of which must be authorized by the Ministry of Economic Development.27 TIM has the largest share of the fixed-line market (47.4 percent as of September 2019, a decrease of 3.8 percentage points from the previous year), followed by Vodafone (15 percent), Fastweb (13.9 percent), Wind Tre (13.7 percent), and others.28

TIM, Vodafone, Wind Tre, and Iliad are the major mobile service providers,29 and all of them operate 3G and 4G networks.30 Iliad, a French company, entered the Italian mobile market in May 2018, offering a low-cost option for consumers.31 Later in 2018, Kena Mobile,32 operated by TIM, and Ho. Mobile, managed by Vodafone, entered the low-cost mobile market to compete with Iliad.33 As of September 2019, Wind Tre, TIM, and Vodafone accounted for some 97 percent of the postpaid market, with nearly equal shares. In the prepaid market, Wind Tre had 30.3 percent, TIM 26.5 percent, and Vodafone 24.1 percent, followed by Iliad at 6.5 percent and other operators with smaller shares.34

In January 2020, Fastweb, TIM, Vodafone, and Wind Tre were fined a total of €228 million ($251 million) by the Italian Antitrust Agency,35 which found that they had coordinated in overcharging customers.36 In February 2018, the police and authorities from the agency had searched the offices of the four providers, and of the industry lobbying firm Asstel, as part of a probe into the pricing of fixed-line and mobile services.37 Regulators suspected that the companies had overcharged their clients by billing them for their services every four weeks instead of once a month. In late 2017, Parliament passed a law requiring monthly billing for all telephone service providers.38 This law followed a March 2017 regulation by the Authority for Communications Guarantees (AGCOM) that required fixed-line providers to move to monthly billing. Several companies, including Vodafone, Fastweb, and Wind Tre, were fined by AGCOM for noncompliance in December of that year.39

In the spring of 2018, the Italian Antitrust Authority fined TIM €4.8 million ($5.3 million) for misleading advertising regarding its broadband service in underserved areas. According to the authority, TIM omitted relevant information about its plans and their limitations.40 In a statement, the company called the decision “groundless” and said it intended to file an appeal with the Regional Administrative Court of Lazio.41

The main regulatory body for telecommunications is AGCOM, an independent agency that is accountable to Parliament. Its responsibilities also include protecting intellectual property rights, regulating advertisements, and overseeing public broadcasting. The parliamentary majority appoints AGCOM’s president.

Another important player governing the ICT sector is the Data Protection Authority (DPA). Established in 1997, it is tasked with supervising compliance with data protection laws by both governmental and nongovernmental entities. It also has the authority to ban or block “processing operations that are liable to cause serious harm to individuals.”42 It is generally viewed as professional and fair in carrying out its duties. The DPA is the supervisory authority responsible for monitoring application of the EU’s General Data Protection Regulation (GDPR) in Italy, and between May 2018 and March 2020 it actively managed more than 17,000 GDPR complaints and reports.43

Italy does not typically block or filter content of a political, social, or religious nature; all major websites and communication platforms are freely available. According to data gathered by OONI, Italy’s blocking and filtering of the internet is limited and is primarily implemented by means of domain name system (DNS) tampering.44

Websites are frequently blocked for hosting copyright-violating content. In April 2020 the Italian Federation of Newspaper and Periodical Publishers (FIEG) urged AGCOM to restrict access to the Telegram messaging application, citing the existence of some Telegram channels that violated copyright by distributing digital copies of Italian newspapers.45 Following separate investigations in the cities of Bari and Rome, nearly 50 Telegram channels and websites found to be illegally distributing newspaper content were ordered to be blocked in spring 2020. The order in Bari came from the city’s prosecutor and led to the preventive seizure of 19 Telegram channels, while the latter was initiated by the Guardia di Finanza and facilitated the obstruction of 28 sites that disseminated content to several Telegram channels.46 In response, Telegram itself removed the relevant channels.47

One of the sites that was targeted for blocking as part of the Telegram investigation in May 2020 was that of Project Gutenberg, a prominent online distributor of public-domain e-books.48 Project Gutenberg appears on a list of websites put under investigation for the distribution of copyright-protected content published by newspapers and magazines.49 However, it was unclear why access to this specific website was restricted. Lawyers have suggested that some of the content hosted by the site may not be considered part of the public domain in Italy, which has different legal criteria than the United States, where Project Gutenberg is based. The site remained blocked as of June.50

AGCOM has issued 723 blocking orders since 2013, according to the latest (August 2019) data.51 These orders are publicly available on AGCOM’s website.52 Illegal gambling sites are frequently blocked by the Customs and Monopolies Agency (ADM), an administrative body under the Ministry of Finance. Italy’s public blacklist contains over 7,000 such websites, according to a January 2019 report from the European Commission.53 Websites hosting content related to terrorism or child sexual abuse images may also be subject to blocking. Through a June 2019 decree, the government gave the National Companies and Exchange Commission (CONSOB), the public authority responsible for regulating the Italian securities market, the mandate to order service providers to block websites offering unauthorized financial services. According to CONSOB data released in May 2020, 211 such websites have been blocked since July 2019.54

Authorities sometimes request the removal of specific content. According to Facebook, from July to December 2019, 579 pieces of content were removed from the main platform and 18 from Instagram.55 The report noted that 42 of these removals occurred “in response to valid court orders,” while four items were reported by the National Office against Racial Discrimination (UNAR). The remaining items were removed following “user reports related to Holocaust denial” and “private reports of defamation.”56 Twitter’s transparency report for 2019 lists seven requests for content removal, including one court order, between January and June, but no content was ultimately withheld.57 According to Google’s transparency report, the government sent 121 content removal requests between January and June 2019, including 64 for defamatory content, 42 for privacy and security reasons, and eight for hate speech.58

Italian courts have ruled in favor of the so-called right to be forgotten (RTBF) established by the Court of Justice of the European Union (CJEU) in 2014. In December 2015, a civil court in Rome upheld the CJEU’s reasoning on the right to be forgotten but rejected the plaintiff’s request, seeking to balance such a right with the right to information in the public interest.59 In a problematic move in 2016, the Supreme Court upheld a 2013 court decision ordering the removal of an article that damaged a restaurant’s reputation from a website’s archives after two years, finding that the time elapsed between the publication date and the request for removal “sufficed to satisfy the public interest as far as its right to be informed was concerned.”60 Google reported that, between September 2018 and June 2019, the company removed some 22,000 URLs in Italy (39 percent of the total requested) following RTBF complaints from users.61

Websites related to child sexual abuse images, copyright infringement, illegal gambling, and terrorism may be subject to blocking or targeted with content removal orders. Blocking or takedown orders are generally issued by the courts. An antiterrorism decree-law passed by Parliament in 2015 allows the public prosecutor to order the blocking or removal of websites affiliated with terrorist groups.62 In a system similar to those used to block child sexual abuse images and illegal gambling sites, the Ministry of the Interior compiles a blacklist of terrorist websites for ISPs to block.63

In June 2020 Parliament approved a decree covering various legal topics, including the penitentiary system, telephone interceptions, and civil justice. The decree included a standard authored by Senator Simone Pillon of the far-right Lega party concerning the automatic blocking of pornographic and other “inappropriate” content. According to the decree text, a parental control will have to be implemented on both fixed-line and mobile connections, preventing access to pornographic content of any kind by default. Adults would have to ask their service provider to lift the filter. According to various experts, it is unlikely that the rule will be effectively implemented, for both technical and practical reasons.64

A controversial resolution on online copyright enforcement enacted in 2014 enables AGCOM to issue administrative blocking orders to ISPs for specific websites that infringe on copyright, even those that only contain links for downloading copyright-protected content. The regulation also gives AGCOM the power to remove content upon review by an internal panel, but without prior judicial approval, if a copyright violation is detected.65

Debate about the 2019 EU Copyright Directive was lively in Italy, where political parties have expressed strong and diverging opinions. The first government headed by Prime Minister Giuseppe Conte, in office from June 2018 to September 2019 and led by the Five Star Movement and Lega, expressed opposition to the new directive, while the Democratic Party, which formed the second, current Conte government with the Five Star Movement, favored the measure. Italy was ultimately among the six EU member states that voted against the directive in the Council of the EU after the European Parliament approved it.66 Because the directive came into force in June 2019, Italy must transpose it into national legislation.67 As of May 2020, this legislation had yet to be adopted. FIEG has urged the government to accelerate the implementation of the EU directive, particularly Article 15, which allows for financial compensation if a full article is published online by various platforms.68

In 2017, Parliament approved a new law on cyberbullying after several high-profile cases came to light.69 Minors over the age of 14 or their parents can demand that content-hosting sites remove damaging material within 48 hours.70 If no action is taken, the victims can refer their case to the DPA, which can order the damaging content to be blocked or taken down.71 Critics of the bill said it gave users too much latitude to force the removal of content from social media sites.72

Italian lawmakers and regulators have at times proposed measures allowing for the blocking or removal of “fake news” websites (see C2), but these proposals have made little progress to date.

ISPs are not generally liable for illegal third-party content, but they must inform authorities of such content should they become aware of it, and they face civil penalties if they do not comply with official requests to restrict access to it.73

Content creators and hosts may exercise some self-censorship regarding content that could prove controversial or create friction with powerful entities or individuals. Online writers also exercise caution to avoid libel suits by public officials, whose litigation—even when unsuccessful—can take a significant financial toll. Individuals writing about the activities of organized crime in some parts of the country may be especially at risk of extralegal reprisals.

In March 2018, the magazine Famiglia Cristiana deleted an article about the seizure by Italian authorities of a Spanish nongovernmental rescue ship carrying asylum seekers, following a confrontation at sea that may have violated international law.74 After 24 hours, an altered version of the article was published online,75 and the original author withdrew his name from it. Mention of the Italian navy was dropped from the title, and descriptions of the navy’s involvement in the incident were modified.

Manipulated online content surfaced in Italy during the coverage period, including material related to the COVID-19 pandemic. In recent years political parties have also engaged in online manipulation surrounding elections.

According to an April 2020 AGCOM report, the pandemic has been marked by an influx of disinformation; at its peak on March 11, almost three weeks after the outbreak began, nearly half of all disinformation on websites and social media was related to the pandemic. Information that was circulated included claims that the virus was created by Chinese spies in a Canadian lab, that the virus was patented by a group financed by US software developer and philanthropist Bill Gates, that it was connected to 5G technology, and that remedies like garlic could cure the disease.76 The independent watchdog NewsGuard highlighted the existence of at least 10 Facebook pages that played a significant role in disseminating disinformation about the virus. The pages, which ostensibly focused on topics like fashion and cooking, together accounted for over five million followers and repeatedly shared disinformation content produced by two websites, ViralMagazine.it and FanMagazine.it. At least nine of the pages had been shut down as of May 6.77

An investigation by Formiche found that the Chinese government and its proxies played a key role in spreading manipulated information about COVID-19 in Italian on Twitter in March. Bots generated much of the content promoting Chinese-Italian cooperation, which included the hashtags #forzaCinaeItalia (go China and Italy) and #grazieCina (thank you China). Inauthentic accounts also posted criticism of the EU’s response to the pandemic.78

In May 2019, ahead of that month’s EU parliamentary elections, a Facebook spokesperson in Italy said the platform had removed a number of accounts or pages for violating policies on authenticity, name changes, and spreading incorrect information.79 This decision followed an investigation by the activist group Avaaz, which said Facebook had removed 23 accounts with a total of 2.46 million followers. According to Avaaz, more than half of the closed accounts supported either the Five Star Movement or Lega, the two parties that governed the country in coalition from June 2018 to September 2019.

In November 2018, AGCOM released a report analyzing the quality of information in Italy. It found that the volume of disinformation peaked in relation to the March 2018 general election campaign but had since subsided.80 The disinformation took the form of fabricated opinion polls, manipulated pictures, and fake news. Bot activity was also detected in the days running up to the 2018 vote.81 A February 2018 Reuters Institute for the Study of Journalism report observed that fake news websites had a much smaller reach among Italian readers than legacy news outlets, and that the time readers spent on their pages was limited compared with their mainstream counterparts. However, interactions on Facebook with fake news content matched or exceeded those with content produced by legitimate journalism.82

In January 2018, then interior minister Marco Minniti announced a new Postal Police initiative to fight the spread of fake news.83 The project, named Red Button, offered citizens the opportunity to report suspected fake news using a portal on the police’s website. The National Anticrime Information Center for Critical Infrastructure Protection (CNAIPIC) was tasked with analyzing the reported content. The police then published fact-checks based on these analyses. David Kaye, then the UN special rapporteur on freedom of opinion and expression, expressed concerns about the initiative, citing its vague definition of fake news. In a formal communication, he urged the government to reconsider it.84 The government later confirmed that the initiative concluded within a few days of Italy’s March 2018 elections.85 It is unclear how many reports the police received, how many instances of alleged fake news were assessed, and whether any content was removed.86 According to Wired, published responses to citizens’ reports were generally vague, short, and not released in a timely manner.87

A December 2018 analysis of the use of Facebook by Lega leader Matteo Salvini and Five Star Movement leader Luigi Di Maio showed that the two employed the platform’s video and live-streaming services to bypass the mainstream media and “foment discord” during the March 2018 elections, after which they both became deputy prime ministers in the first Conte government.88 In April 2019, ahead of the EU elections, the DPA issued guidelines on the use of voter data by parties and other political actors in compliance with the GDPR. According to the DPA website, the guidelines focus in particular on the use of political and propaganda messages sent to users via social-networking sites, such as Facebook and LinkedIn, or other messaging platforms, such as Skype, WhatsApp, and Facebook Messenger, reiterating that such use must comply with data protection rules. As shown by recent cases of massive voter profiling, the agency said, “it is essential to protect the electoral process and avoid risks of external interference and disturbances.”89

The 2018 Cambridge Analytica scandal, in which the United Kingdom–based political consultancy was found to have improperly harvested Facebook data on US voters, also had an impact on Italy. The DPA conducted an inquiry into the case in order to establish how Italians’ data could have been misused, and investigators met with Facebook representatives in April 2018.90 The inquiry was closed in February 2019, when the DPA announced that Italians’ data were processed unlawfully. As a consequence, the DPA “reserved the right to issue administrative fines due to the unlawful processing activities at issue.”91

In practice, Italians do not face special economic or regulatory obstacles to publishing content online.

Italy’s Declaration of Internet Rights (see C1) expresses the country’s commitment to the net neutrality principle. However, the declaration is nonbinding, and net neutrality is not enshrined in national law, though a 2015 EU-level regulation empowers AGCOM to supervise and enforce the principle.92

The online information landscape in Italy is diverse, representative, and relatively unrestricted. Blogging has become popular in Italy, though television remains a leading medium for obtaining news. Most policymakers, popular journalists, and figures in the entertainment industry have expressed themselves on their own blogs, as do many ordinary citizens. More recently, social media platforms have become a more popular forum for online expression. Facebook and YouTube in particular are among the most-visited websites in the country.93 Twitter is particularly popular among journalists.

However, observers have frequently raised the problem of inadequate or flawed representation of immigrants, migrants, and refugees in media coverage as well as in newsrooms. A January 2020 report by Voci Globali,94 the Italian chapter of Global Voices, noted that despite the central place that migration has in the public and social debate in the country, foreign-born journalists are still very rare in Italian newsrooms. Such journalists often create forms of alternative journalism that find their space online or work in what are called “ethnic media.” The latter, while considered important, could potentially lead to isolation from the main debate. According to the report, “the ethnic media, while being useful at first because they allow migrants to find the lost community, do not favor integration: through ethnic journalism the different communities have the opportunity to coexist next to each other, but they are unable to make their voices heard in the wider public debate.”95

In Italy, social media platforms, especially Facebook, have emerged as crucial tools for organizing protests and other mass gatherings such as parties or political rallies. There are no restrictions on their use.

In 2017, as the #MeToo movement against sexual assault and harassment gained momentum in the United States and elsewhere, Italy had, to a lesser extent, its own reckoning with pervasive sexism. Italy’s movement used the hashtag #quellavoltache (that time when). While the campaign stirred conversation online and in public forums,96 it did not lead to a sustained debate in Parliament or the country’s other institutions.

Hashtag activism remains quite visible and frequently reported on by mainstream media. One key example happened in 2018, in relation to the Aquarius controversy. The boat, carrying 629 migrants rescued in the Mediterranean Sea, was banned from entering Italian ports in June 2018 when then interior minister Matteo Salvini announced on Twitter that the harbors were closed, using the hashtag #chiudiamoiporti (let’s close the ports). Users on Twitter reacted using the hashtag #umanitàperta (open humanity), protesting the government’s decision. The latter campaign was started by the Italian online news outlet Valigia Blu.97

Italy is a signatory to the European Convention on Human Rights and other relevant international treaties, and its constitutional guarantees regarding freedoms of speech and the press, as well as the confidentiality of correspondence,98 are supported by an independent judiciary. Italy became the first European country to adopt a crowdsourced Declaration of Internet Rights in July 2015.99 The nonbinding document includes provisions that promote net neutrality and establish internet access as a fundamental right. While generally seen as a positive development, the text has also raised some criticism for failing to outline adequate protections for anonymity, encryption, and data retention.100

Some restrictions on journalism, including online journalism, that are uncommon in other EU member states remain in place in Italy. Drawing on a 1948 law against the “clandestine press,” a regulation issued in 2001 holds that anyone providing a news service must be a “chartered” journalist with the Communication Workers’ Registry (ROC) and hold membership in the Italian National Press Federation.101 With the exception of one case from the late 2000s, these rules have generally not been applied to bloggers, and in practice thousands of blogs are published in Italy without repercussions.

Italy approved a Freedom of Information Act (FOIA) only in 2016, recognizing the right to access data and documents from public administrations.102 A March 2020 decree, passed during the COVID-19 pandemic, suspended FOIA requests until the end of May. A second decree issued in March suspended all nonurgent “administrative proceedings” until mid-April, encompassing FOIA requests. Journalists have lamented their impeded access to data about the spread of the pandemic on the local and regional level.103

Several laws present a threat to internet freedom in the country. A 2015 antiterrorism law expanded language in the criminal code on terrorist recruitment, as well as the endorsement or incitement of terrorism, to include online activities.104 Critics argued that the law could be applied broadly and would sanction legitimate instances of free expression that fall within international norms on protected speech.105

Defamation is a criminal offense in Italy. According to the criminal code, “aggravated defamation” is punishable by prison terms ranging from six months to three years and a minimum fine of €516 ($568). In cases of libel through the press, television, or other public means, there is no prescribed maximum fine.106 Though these criminal provisions are rarely applied, civil libel suits against journalists, including by public officials and politicians, are a common occurrence, and the financial burden of lengthy legal proceedings may have chilling effects on reporters and their editors. In March 2017, the UN Human Rights Committee expressed renewed concerns that “forms of expression, including defamation, libel and blasphemy, remain criminal offences and can be punished with imprisonment and that article 13 of the press law and article 595 of the Criminal Code impose harsher punishments for defaming public officials, including the Head of State.”107

In early 2017, a widely criticized bill intended to tackle the spread of fake news and hate speech was presented for parliamentary discussion. According to this bill, online news organizations could be fined up to €5,000 ($5,550) for publishing "false, exaggerated, or biased" news reports and failing to remove them within 24 hours. If fake news is deemed to damage the public interest or to seek to undermine the democratic process, publishers would face heavier fines and prison sentences.108 The bill was officially presented in February 2017 but was not ultimately passed.109

Defamation suits against journalists, including those operating online, remain common. Drawn-out legal proceedings, whatever their result, can entail serious financial costs for defendants. Ossigeno per l’Informazione, an organization that tracks threats to journalists in Italy, has reported hundreds of “frivolous defamation suits” against the media since 2011, including cases against online media.110 According to a survey from the Italian National Institute of Statistics presented in October 2019, some 70 percent of all libel cases against journalists between 2011 and 2016 did not lead to a full investigation, a sign of the frivolous grounds of most of these complaints. However, overall convictions for defamation, whether or not the defendants were journalists, rose from 182 in 2014 to 435 in 2017, and the number of prison sentences, largely between three and six months, rose from 35 in 2014 to 64 in 2017.111 In a representative incident reported in April 2019, the online news outlet Estense was presented with a €100,000 ($110,000) lawsuit by a regional Lega politician after publishing a story in which interviewees accused the plaintiff of stopping suspected immigrants and asking for their residency papers.112

The government places few restrictions on anonymous communication or encryption. Italian law does require mobile service providers to obtain customers’ personal and identification data in order to register a SIM card, citing counterterrorism purposes.113

In October 2019, Parliament member Luigi Marattin indicated on Twitter that he would work on legislation to effectively ban anonymous social media accounts in Italy.114 According to Marattin’s statements, the proposal would require all Italians to provide identity cards when registering an account on social media. The idea was framed as a means of combating hate speech and the spread of fake news. Despite sparking widespread media coverage and a debate about its propriety,115 the idea was never formally presented as draft legislation.

In May 2019, lawmaker Andrea Ruggieri had advanced a similar measure to fight anonymous trolling on social media. The proposal would have required social media companies to record users’ identity cards and personal tax codes upon registration.116 The concept was harshly criticized by experts in the field, who highlighted the potential for civil rights violations.117 It did not appear to have advanced by the end of the coverage period.

Italian courts and lawmakers have sought in recent years to better define the legal boundaries of state surveillance, whether for law enforcement, intelligence, or public health purposes.

During the COVID-19 pandemic, officials introduced a contact-tracing mobile app, known as Immuni (the immune ones), that was selected after a March 2020 open call coordinated by the ministers of health and innovation and the National Institute of Health (ISS).118 The app was developed by the private company Bending Spoons and is open-source.119 Use of the app, set to be formally released at the end of May, is voluntary, and the program is technically compatible with Apple and Google’s more privacy-oriented framework. Immuni uses Bluetooth technology, allowing nearby devices to exchange contact information with each other, and the data are stored on each person’s smartphone for no more than 14 days, theoretically maintaining both decentralization and privacy.120 The launch of the app followed a wide debate about privacy, surveillance, and digital rights in the country;121 after originally planning to have the app store information externally in a government-managed database, Bending Spoons later switched to a decentralized model, but there was also a lack of clarity as to whether the app would be mandatory.122 The government-led process for selecting the app was frequently criticized for a lack of transparency.123

An anticorruption law approved in February 2020 included provisions and a further decree that extended the authorized use of trojans, a type of malicious software, to investigations of crimes against the public administration committed by public officials, if the crimes are punishable with at least five years of imprisonment. In addition, the changes allow for the interception to take place at “the target’s private home,” even if a crime is not occurring at the moment, as long as it has been authorized.124

Despite former US intelligence contractor Edward Snowden’s 2013 revelation of intrusive surveillance practices by the US government and its European and other allies, Italy has not engaged in a thorough public debate on surveillance. Authorities are widely perceived to be engaged in regular wiretapping, and the news media often publicizes wiretap information that is leaked to them. In 2017, it was revealed that Lorenzo Tondo, an Italian journalist at the Guardian, was secretly wiretapped by prosecutors while investigating Medhanie Yehdego Mered, a reputed human trafficker. Tondo condemned the wiretapping as “a clear violation of my rights as a professional journalist.”125

The use of hacking by Italian law enforcement agencies has been documented, and in May 2017, the UN Human Rights Committee raised concerns that “intelligence agencies are intercepting personal communications and employing hacking techniques without explicit statutory authorization or clearly defined safeguards from abuse.”126 In July 2016, however, the Supreme Court had ruled that hacking by law enforcement authorities under certain circumstances was constitutional and in accordance with human rights law.127

Lawmakers have made several attempts to regulate hacking in recent years.128 A criminal justice reform law approved in June 2017 calls on the government to regulate hacking for the purpose of criminal investigations.129 Organizations such as Privacy International have contended that the law fails to meet the standard of legality, necessity, and proportionality, and does not establish sufficient minimization procedures, effective oversight, or safeguards from abuse.130 Another proposal known as the Trojan Bill sought to establish a more robust system for authorizing remote and covert hacking.131 The bill was ultimately withdrawn in the aftermath of the March 2018 general elections.

A November 2018 ruling by the Supreme Court was expected to effectively place limits on authorities’ ability to conduct hacking as part of a criminal investigation. The case involved the installation of malware on a suspect’s mobile phone; the Supreme Court instructed a lower court to reexamine whether police practices were consistent with articles of the European Convention of Human Rights and the Italian constitution that protect the freedom and confidentiality of correspondence and other forms of communication.132 According to Privacy International, the ruling “points to the need for Italy and other states to thoroughly review their practices of hacking for surveillance purposes and stop these activities until and unless they can be demonstrated to be in full compliance with applicable international human rights law.”133

Service providers are required to comply with law enforcement requests for users’ activity records, known as metadata, under a variety of circumstances, including in the course of a criminal investigation or “for the purpose of preventing crimes by criminal associations and international terrorism organizations.”134

Although the CJEU struck down the 2006 EU directive on the retention of data, Italy has extended the period for which ISPs must keep users’ metadata. In November 2017, Parliament swiftly approved a regulation on data retention that requires telecommunications companies to store telephone and internet data for up to six years. Despite civil society protests, there was virtually no public or parliamentary debate on the measure, which had been added to unrelated legislation following a European Council directive before passage.135 The DPA expressed its objection to the bill, citing its incompatibility with EU law and case law.136 European Data Protection Supervisor Giovanni Buttarelli commented that the new regulation did not reflect the European approach to data retention: “The European Court of Justice has said that we can no longer collect anything that concerns us all just to have it ’in case.’ This is a type of approach that is not part of the European legal system.”137

In March 2020, in response to COVID-19, a Ministry of Innovation task force collaborated with the University of Pavia to create a program that compiles and analyzes anonymized data drawn from Facebook and telecommunications firms such as TIM, Vodafone, Wind Tre, and Fastweb. According to Wired Italy, the datasets “aggregate users' movements to help with contact tracing or other forms of monitoring.”138 The system is apparently used by health researchers and nonprofit organizations that have signed licensing agreements with Facebook. The president of the Italian Privacy Institute warned that while EU regulators allow for a loosening of data protection rules in a public emergency, the Italian program lacked provisions for the restoration of ordinary safeguards and the deletion of the data after the crisis has passed.139

While cases of intimidation or physical violence in response to online activity are reported only sporadically, individuals who expose organized crime activities in some parts of the country may be especially at risk of reprisals. For example, in May 2019, journalist Gaetano Scariolo’s car was set on fire by unknown assailants. Scariolo, who covers criminal justice and whose work appears online, said, “I am sure that the intimidation has to do with my professional activity.”140

Ossigeno per l’Informazione documented 433 cases of threats and intimidation against journalists and bloggers during 2019.141 The previous year, the organization found that 11 percent of all threats against journalists were issued online.142

Hate speech remains an endemic problem on the Italian internet.143 Women journalists and politicians in particular are subject to virulent online harassment. In the summer of 2018, journalist Annalisa Camilli received derogatory and threatening anonymous emails after publishing an online story about a migrant rescued at sea by the nongovernmental organization Open Arms.144 Other female journalists have reported experiencing similar harassment, frequently for their coverage of the migration crisis.145 Independent lawmaker Laura Boldrini was harassed throughout the coverage period, including by Salvini, whose posts about her elicited death and rape threats from his online supporters.146

Score Change: The score improved from 1 to 2 because there was no repetition of the high-profile cyberattacks that surrounded the 2018 elections during the previous coverage period.

Cyberattacks have constituted a problem in Italy in recent years, though the defacement of or distributed denial-of-service (DDoS) attacks against the websites of political figures were less common during the latest coverage period. Hacks of public and private institutions continued to occur.

On April 1, 2020, the National Social Security Institute (INPS) was forced to shut down its website due to a data breach. Initially attributed to a series of cyberattacks, the incident occurred on the first day that self-employed Italians could apply for a coronavirus relief package announced by the government in mid-March. Early login attempts reportedly led to several cases in which other users’ information was displayed; the information was published by the hackers to reveal that they had obtained such data and would publish it all if a technical problem with the website was not fixed and users were not notified.147 The following day, by which time the site had become accessible again,148 the head of the DPA announced that it had started an audit of the INPS’s recovery measures in order to identify any further interventions that might be needed to protect personal data.149

It was reported in May 2020 that, two months earlier, hacktivist groups Anonymous Italia and LulzSec Italia had hacked the intranet of a major Milan hospital, San Raffaele. The email addresses and passwords of 2,400 hospital employees and the personal data (including name, date of birth, nationality, and social security number) of at least 600 patients were allegedly stolen. The hackers stated that the hospital administration, under the GDPR, should have alerted both the DPA and the individuals whose data were exposed, which they said never happened, and they threatened to publish the data online. The hospital denied that the data breach occurred.150

In May 2019, Anonymous and LulzSec Italia breached the database of Rome’s Bar Association, exposing the email accounts of 30,000 registered lawyers. The breach allegedly included the account of the mayor of Rome, a registered lawyer.151

In a major data breach reported in April 2019, roughly 1.4 million users’ information was stolen from the Italian email services provider Italiaonline. Popular services Libero Mail and Virgilio Mail were also affected. A 24-year-old hacker was arrested and charged for the attack that month, but not before selling the data to an unidentified party. The hacker entered Italiaonline’s network by cracking its Wi-Fi network from a bar near the company’s headquarters.152

In March 2019, Vice reported that hackers working for an Italian surveillance company had infected hundreds of people’s devices with several malicious mobile apps that were hosted on the official Google Play store for months.153 Experts said that the operation may have ensnared innocent victims, as the spyware appears to have been faulty and poorly targeted. The DPA announced an investigation into the matter, with the head of the authority declaring that such tools posed a serious risk to citizens’ freedoms if deployed without the necessary safeguards. Prosecutors in turn launched an investigation into eSurv,154 the company that made the spyware, seizing its computers and shutting down the program’s infrastructure.

In its annual report, the Italian Association on Cybersecurity (CLUSIT) called 2018 the “worst year ever” with respect to the evolution of cybercrimes and attacks, both quantitatively and qualitatively.155 The 2018 general election campaign in particular was characterized by several high-profile hacks. In February 2018, the Florence section of the Democratic Party was hacked, and personal information, including former prime minister Matteo Renzi’s mobile phone number, was posted on Twitter by the hackers.156 In the same week, two of Salvini’s campaign websites were hacked, and some internal Lega party data were subsequently released on Twitter by the hackers. The AnonPlus collective claimed responsibility for both attacks.157 Separately, in November 2018, LulzSec Italia and another collective, AntiSec Italia, conducted attacks targeting the websites of the Ministry of Economic Development, the State Police, the Brothers of Italy party, and some local branches of other political parties.158

During the summer of 2017, the Five Star Movement was hacked by an attacker using the handle @r0gue_0. The perpetrator infiltrated Rousseau, the party’s online organizing platform, and leaked internal data, including a password used by staff to access the platform.159 The same hacker allegedly infiltrated the platform again in 2018, leaking phone numbers of two Five Star Movement ministers.160 In September 2018, the DPA opened an investigation into the platform’s security flaws and those of various websites connected to the Five Star Movement,161 and in April 2019 it fined Rousseau €50,000 ($55,000) for various data protection failures.162

Awareness of Italian involvement in the international cyber-weapons market has grown, and Italian companies have faced increased scrutiny over sales of surveillance software to government agencies and repressive regimes. In July 2015, a leak of internal documents from the Milan-based surveillance technology firm Hacking Team revealed details about some of the company’s clients around the world, including in countries with poor human rights records.163 The company had been criticized in the past for cooperating with undemocratic regimes and lacking sufficient consideration of users’ privacy.164 In April 2016, the Italian government suspended Hacking Team’s “global” authorization to export its software, requiring it to obtain individual licenses from Italian authorities to serve countries outside of the EU.165

According to a study from Privacy International in August 2016, three other companies based in Italy market intrusion technology.166 In 2017, the Italian Coalition for Civil Liberties and Rights, Privacy International, and the Hermes Center for Transparency and Digital Human Rights wrote a public letter asking the Ministry of Economic Development to reconsider the export authorization for the Italian company AREA, which had been investigated after selling its products in Syria and Egypt.167 The ministry issued a press release stating that the company’s export authorization for Egypt had been suspended and would be revoked.168 However, civil society organizations have continued to demand greater transparency on export licensing and the countries involved.169