Freedom on the Net 2022 - Italy

/ 100
Obstacles to Access 21 / 25
Limits on Content 29 / 35
Violations of User Rights 25 / 40
76 / 100 Free
Scores are based on a scale of 0 (least free) to 100 (most free). See the research methodology and report acknowledgements.


Internet freedom in Italy declined slightly during the coverage period. In response to a European Union (EU) regulation, Italy blocked access to Russian state-owned websites following Russia’s brutal invasion of Ukraine. Italy also lags behind some of its EU peers when it comes to overall connectivity, although it continues to invest funds in closing the digital divide. The data protection authority was active, issuing a large fine for privacy violations. However, according to some sources, the number of cyberattacks increased during the coverage period, compared to recent years.

Italy’s parliamentary system features competitive multiparty elections. Civil liberties are generally respected, but concerns persist regarding the rights of migrants and the long-term problems of organized crime and corruption.

Key Developments, June 1, 2021 - May 31, 2022

  • In March 2022, Italian internet service providers (ISPs) and telecom operators blocked access to a number of Russian state-owned websites, after the EU ordered member states to do so (see B1).
  • The Italian Data Protection Authority (DPA) fined Clearview AI €20 million ($22.6 million) for violating the General Data Protection Regulation (GDPR) and demanded that the company delete all data related to Italian users (see C6).
  • During the coverage period, the number of cyberattacks increased, after decreasing during the first year of the pandemic, according to some sources (see C8).

A Obstacles to Access

A1 0-6 pts
Do infrastructural limitations restrict access to the internet or the speed and quality of internet connections? 5 / 6

Italy has relatively low internet penetration rates compared to the rest of the EU. According to June 2021 data from the EU’s Digital Economy and Society Index (DESI), 90.5 percent of households have access to the internet.1 Italy’s fixed-broadband penetration rate is 31.1 percent and its mobile broadband penetration rate is 95.5 percent.2 The percent of households covered by fourth-generation (4G) mobile broadband is 99.9 percent.3

Several factors have contributed to Italy’s relatively low overall penetration rates, including infrastructural limitations. According to the EU’s 2021 DESI, Very High Capacity Network Coverage (VHCN) connections were only available to 34 percent of households in 2021.4 The country ranks above the EU average on fifth-generation (5G) readiness, with 60 percent of the total harmonized 5G spectrum assigned for deployment.5

Italy’s Digital Agenda initiative, based on the Europe 2020 Digital Agenda, aimed to expand broadband access and e-government functions.6 A 2016 government decree reduced the costs for laying cables and established the Networks Register for Infrastructure (SINFI), a dedicated instrument for implementing broadband strategy, managed by the Ministry of Economic Development.7

In 2016, a “digital transformation team” was created to lead the technological modernization of Italian public administration, among other goals.8 Before its mandate ended in 2019, the team issued a Three-Year Plan for Information Technology in the Public Administration.9

In September 2020, the government announced the creation of AccessCo, a new entity responsible for the management of broadband infrastructure in Italy. Previously, the infrastructure was managed separately by Telecom Italia (TIM) and Open Fiber, a telecommunications provider. In forming AccessCo, the two companies seek to establish a single high-speed broadband network in the country. The deal was approved by Cassa Depositi e Prestiti—an investment firm controlled by the Ministry of Economy and Finance that owns 9.7 percent of TIM and 50 percent of Open Fiber—and energy company Enel, which owns the other 50 percent of Open Fiber. As part of the deal, TIM must form a new company, FiberCop, to manage the network with Open Fiber.10 In February 2022, FiberCop was greenlit by the Authority for Communications Guarantees (AGCOM), the primary telecommunications regulator (see A4).11

According to Ookla’s Speedtest, the median fixed broadband download speed in May 2022 was 53.9 Mbps, while the median mobile broadband speed was 38.5 Mbps.12

A2 0-3 pts
Is access to the internet prohibitively expensive or beyond the reach of certain segments of the population for geographical, social, or other reasons? 2 / 3

Internet connections are relatively affordable. According to the International Telecommunications Union (ITU), the cheapest fixed broadband plan that provides at least 5 gigabytes (GB) of monthly high-speed data costs 1.3 percent of gross national income (GNI) per capita, while the cheapest plan providing at least 2 GB of high-speed mobile data cost 0.4 percent of GNI per capita.13

Significant geographical differences in internet penetration persist across the country, with southern regions such as Calabria lagging behind. An ambitious infrastructure plan called Growth 2.0 was launched in 2012 to close the digital divide between areas that are served by high-speed connections and those that are not, but the plan was plagued by delays.14 In May 2019, a new initiative was launched to raise digital literacy and increase skills in emerging technologies. Called Repubblica Digitale,15 it aims to reduce various aspects of the digital divide by 2025.

As part of Italy’s Recovery and Resilience Plan (RRP), also referred to as “Italia Domani” (“Italy Tomorrow”), the government will further invest in connectivity and digitization. In early 2022, approximately €350 million ($396 million) were made available under the scheme to fund projects for digital innovation and transition.16 Overall, 27 percent of the total €191.5 billion ($216.9 billion) allocated under the RRP will be dedicated to digital innovation and transformation.17 The "Italia a 1 Giga” program, which is a component of the broader plan, aims to provide one gigabit per second (Gbps) in download speed and 200 Mbps in upload speed to areas where fast broadband coverage is unavailable.

A3 0-6 pts
Does the government exercise technical or legal control over internet infrastructure for the purposes of restricting connectivity? 6 / 6

The government does not impose restrictions on connectivity, nor does it centralize control over information and communication technology (ICT) infrastructure.

TIM has continued the process of “externalizing” its infrastructure since 2013 to provide fair access to competitors as required by EU legislation,18 though it was unclear during the coverage period exactly how far the effort had progressed. TIM was privatized in 1997, and Cassa Depositi e Prestiti holds only a 9 percent stake in the company.19 However, under a 2012 decree-law, the state enjoys special supervisory authority, or “golden power,” over TIM and other companies in strategic sectors of the economy.20

In 2019, the government approved a decree-law allowing the state to use its “golden power” to veto the purchase and deployment of 5G technology provided by Chinese companies.21

A4 0-6 pts
Are there legal, regulatory, or economic obstacles that restrict the diversity of service providers? 5 / 6

Access to the internet for private users is offered by a range of ISPs, all of which must be authorized by the Ministry of Economic Development.22 As of June 2021, TIM had the largest share (44.1 percent) of the fixed-line market, followed by Vodafone (15.9 percent), Fastweb (14.5 percent), Wind Tre (14 percent), and others.23

TIM, Vodafone, Wind Tre, and Iliad are the major mobile service providers,24 and all of them operate third-generation (3G) and 4G networks.25 Iliad, a French company, entered the Italian mobile market in May 2018, offering a low-cost option for consumers.26 Later in 2018, Kena Mobile,27 operated by TIM, and Ho. Mobile, managed by Vodafone, entered the low-cost mobile market to compete with Iliad.28 In the prepaid market, Wind Tre has 27.5 percent, TIM 23.7 percent, and Vodafone 22.5 percent, followed by Iliad at 11.4 percent and other operators with smaller shares.29

In January 2020, Fastweb, TIM, Vodafone, and Wind Tre were fined a total of €228 million ($258 million)30 by the Italian Competition Authority (AGCM).31 However, in July 2021, the fines against the companies were annulled by the Regional Administrative Court of Lazio because AGCM allegedly failed to provide sufficient evidence to justify its claim that operators acted in coordination.32 In February 2018, the police and authorities from the agency had searched the offices of the four providers, and of the industry lobbying firm Asstel33 Regulators suspected that the companies had overcharged their clients by billing them for their services every four weeks instead of once a month. In late 2017, parliament34 This law followed a March 2017 regulation by the Authority for Communications Guarantees (AGCOM), the primary telecommunications regulator, that required fixed-line providers to move to monthly billing. Several companies, including Vodafone, Fastweb, and Wind Tre, were fined by the Authority for Communications Guarantees (AGCOM).35

In March 2020, AGCM fined TIM €116 million ($131 million) for abusing its dominant market position by “obstructing the entrance of rivals” into the ultrafast broadband market. The fine concerned TIM’s 2018 claim that it would not provide broadband to cities and towns where it could not ensure a return on the investment, which led Rome to provide state-subsidized tenders. Then, after losing out in a bid to Open Net, TIM reneged on its earlier claim and agreed to provide broadband to rural areas without a state subsidy.36

In December 2020, AGCM launched an investigation into TIM-owned FiberCop, which manages the development of fiber communication networks projects, and its potential investors (see A1).37 In February 2022, the FiberCop initiative received final approval from AGCOM after the closure of the investigation in 2021.38

A5 0-4 pts
Do national regulatory bodies that oversee service providers and digital technology fail to operate in a free, fair, and independent manner? 3 / 4

The main regulatory body for telecommunications is AGCOM, an independent agency that is accountable to parliament. Its responsibilities also include protecting intellectual property rights, regulating advertisements, and overseeing public broadcasting. The parliamentary majority appoints AGCOM’s president.

Another important player governing the ICT sector is the Data Protection Authority (DPA). Established in 1997, it is tasked with supervising compliance with data protection laws by both governmental and nongovernmental entities. It also has the authority to ban or block “processing operations that are liable to cause serious harm to individuals.”39 It is generally viewed as professional and fair in carrying out its duties. The DPA is the supervisory authority responsible for monitoring application of the EU’s General Data Protection Regulation (GDPR) in Italy, and between May 2018 and March 2020 it actively managed more than 17,000 GDPR complaints and reports.40

B Limits on Content

B1 0-6 pts
Does the state block or filter, or compel service providers to block or filter, internet content, particularly material that is protected by international human rights standards? 4 / 6

Score Change: The score declined from 5 to 4 to reflect the government’s implementation of a European Union regulation ordering member states to block the websites of RT and Sputnik, as well as their local subsidiaries.

Italy does not typically block or filter content of a political, social, or religious nature; however, during the coverage period it did limit access to Russian state-owned websites in response to an EU regulation. Otherwise, all major websites and communication platforms are freely available. According to data gathered by the Open Observatory of Network Interference (OONI), Italy’s blocking and filtering of the internet is limited and is primarily implemented by means of domain name system (DNS) tampering.41

In early March 2022, following the Russian government’s brutal invasion of Ukraine, the EU Council issued Regulation 2022/350, ordering member states to “urgently suspend the broadcasting activities” of RT, Sputnik, RT France, RT Spanish, RT Germany, and RT UK within the EU and to block their websites because they “engaged in continuous and concerted propaganda actions targeted at civil society.”42 Asstel, the organization representing Italian telecom operators, confirmed that its members had promptly blocked these websites, but remained uncertain about the government agency responsible for overseeing the blocking.43 In June 2022, after the coverage period, the EU adopted a new package of sanctions, which also included directives for member states to block additional media websites: Rossiya RTR/RTR Planeta, Rossiya 24/Russia 24, and TV Centre International.44

Websites and other popular digital services are also blocked for hosting copyright-violating content. In a major intervention in February 2021, AGCOM blocked five websites that were used by millions to stream Spanish football matches illegally. The blocking came in response to a request from the Spanish La Liga football organization.45

In April 2020, the Italian Federation of Newspaper and Periodical Publishers (FIEG) urged AGCOM to restrict access to the Telegram messaging application, citing the existence of some Telegram channels that violated copyright by distributing digital copies of Italian newspapers.46 After two ensuing investigations led authorities to order 19 Telegram channels and 28 websites blocked, Telegram itself removed the relevant channels.47

One of the sites that was targeted for blocking as part of the Telegram investigation in May 2020 was that of Project Gutenberg, a prominent online distributor of public-domain e-books.48 Project Gutenberg appears on a list of websites put under investigation for the distribution of copyright-protected content published in the United States, where Project Gutenberg is based. The site remained blocked as of May 2022.49

AGCOM has issued 723 blocking orders since 2013, according to August 2019 data.50 These orders are publicly available on AGCOM’s website.51

Illegal gambling sites are frequently blocked by the Customs and Monopolies Agency (ADM), an administrative body under the Ministry of Finance, In March 2021, ADM blocked the popular content-sharing platform Medium in Italy because of posts that allegedly shared illegal gambling links. Following inquiries from the press, the block was lifted later the same day.52

Italy’s public blacklist contains over 7,000 illegal gambling websites, according to a January 2019 report from the European Commission.53 Websites hosting content related to terrorism or child sexual abuse images may also be subject to blocking. Through a June 2019 decree, the government gave the National Companies and Exchange Commission (CONSOB), the public authority responsible for regulating the Italian securities market, the mandate to order service providers to block websites offering unauthorized financial services. In September 2021, the overall number of websites blocked by the CONSOB rose to 505, the majority of which were abusive online financial and trading services.54

B2 0-4 pts
Do state or nonstate actors employ legal, administrative, or other means to force publishers, content hosts, or digital platforms to delete content, particularly material that is protected by international human rights standards? 3 / 4

Authorities and courts sometimes request the removal of specific content.

In May 2021, the Supreme Court of Cassation ruled that the popular television show “Le Lene” must remove a segment allegedly defaming Roberto Burioni, a scientist and public figure. Burioni had sued Mediaset, which airs “La Lene,” for defamation, claiming reputational damages from a segment of an episode that alleged that Burioni had promoted pharmaceutical products for his own financial benefit. The May 2021 ruling upheld an earlier decision in which a court ruled in favor of Burioni and imposed the restriction of the allegedly defamatory segment on Le Lene’s website. The Supreme Court’s ruling also confirmed that a court can order the restriction of an entire journalistic piece in a defamation suit, rather than only the parts of the piece considered defamatory. Various observers have warned of the negative impact the case could have on free expression.55

According to Meta, from January to December 2021, 1,149 comments, 563 posts, and 10 pages and groups were removed from Facebook, while 504 pieces of “media” and 14 accounts were removed from Instagram based on requests originating from Italy, as well as 21 global restrictions that were externally imposed. According to Meta, 1,831 of the removals were in response to private reports of defamation, 290 were in response to valid court orders, and 91 were because items violated local law.56 Twitter’s transparency report for the period January to June 2021 lists seven requests for content removal, including one court order; Twitter complied with 57 percent of these requests. From July to December 2021, the Italian government issued eight requests, and Twitter complied with 38 percent of them.57 According to Google’s transparency report, the company received 184 content-removal requests originating from Italy between January and December 2021, including 97 for defamatory content and 47 for privacy and security reasons.58

Italian courts have ruled in favor of the so-called right to be forgotten (RTBF) established by the Court of Justice of the European Union (CJEU) in 2014. In December 2015, a civil court in Rome upheld the CJEU’s reasoning on the RTBF but rejected the plaintiff’s request, seeking to balance such a right with the right to information in the public interest.59 In a problematic move in 2016, the Supreme Court upheld a 2013 court decision ordering the removal of an article that damaged a restaurant’s reputation from a website’s archives after two years, finding that the time elapsed between the publication date and the request for removal did not satisfy the public interest.60 Google reported that, between May 2014 and the end of May 2022, the company removed some 178,500 URLs in Italy (40.7 percent of the total requested) following RTBF complaints from users.61

B3 0-4 pts
Do restrictions on the internet and digital content lack transparency, proportionality to the stated aims, or an independent appeals process? 3 / 4

Websites related to child sexual abuse images, copyright infringement, illegal gambling, and terrorism may be subject to blocking or targeted with content removal orders generally issued by the courts. An antiterrorism decree-law passed by parliament in 2015 allows the public prosecutor to order the blocking or removal of websites affiliated with terrorist groups.62 In a system similar to those used to block child sexual abuse images and illegal gambling sites, the Ministry of the Interior compiles a blacklist of terrorist websites for ISPs to block.63

A controversial resolution on online copyright enforcement enacted in 2014 enables AGCOM to issue administrative blocking orders to ISPs for specific websites that infringe on copyright, even those that only contain links for downloading copyright-protected content. The regulation also gives AGCOM the power to remove content upon review by an internal panel, but without prior judicial approval, if a copyright violation is detected.64

Debate about the 2019 EU Copyright Directive, which holds “online content sharing service providers” liable for copyright violations that take place on their platforms, was lively in Italy, where political parties expressed strong and diverging opinions. The first government headed by Prime Minister Giuseppe Conte expressed opposition to the new directive, while the Democratic Party, which formed the second Conte government favored the measure.65 In April 2021, Italy adopted a law to transpose the Copyright Directive,66 but it did not enact the law before the June 7 deadline set by the EU.67 The 2019 EU Copyright Directive was officially adopted by Italy in December 2021, under the Draghi government.68

In July 2022, The European Parliament (EP) adopted the European Union’s Digital Services Act (DSA),69 which seeks to harmonize member states’ legislation regarding illegal content and introduces transparency measures for large platforms.

In 2017, Parliament approved a new law on cyberbullying after several high-profile cases came to light.70 Minors over the age of 14 or their parents can demand that content-hosting sites remove damaging material within 48 hours.71 If no action is taken, the victims can refer their case to the DPA, which can order the damaging content to be blocked or taken down.72 Critics of the bill said it gave users too much latitude to force the removal of content from social media sites.73

Italian lawmakers and regulators have at times proposed measures allowing for the blocking or removal of “fake news” websites (see C2), but these proposals have made little progress to date.

ISPs are not generally liable for illegal third-party content, but they must inform authorities of such content should they become aware of it, and they face civil penalties if they do not comply with official requests to restrict access to it.74

B4 0-4 pts
Do online journalists, commentators, and ordinary users practice self-censorship? 3 / 4

Content creators and hosts may exercise some self-censorship regarding content that could prove controversial or create friction with powerful entities or individuals. Online writers also exercise caution to avoid libel suits by public officials, whose litigation—even when unsuccessful—can take a significant financial toll. Individuals writing about the activities of organized crime in some parts of the country may be especially at risk of extralegal reprisals.

In March 2018, the magazine Famiglia Cristiana deleted an article about the seizure by Italian authorities of a Spanish nongovernmental rescue ship carrying asylum seekers, following a confrontation at sea that may have violated international law.75 After 24 hours, an altered version of the article was published online,76 and the original author withdrew his name from it. Mention of the Italian navy was dropped from the title, and descriptions of the navy’s involvement in the incident were modified.

B5 0-4 pts
Are online sources of information controlled or manipulated by the government or other powerful actors to advance a particular political interest? 3 / 4

Manipulated online content was prevalent in Italy during the COVID-19 pandemic and also following the Russian invasion of Ukraine. In recent years political parties have also engaged in online manipulation surrounding elections.

The Russian invasion of Ukraine led to a wave of foreign disinformation and misinformation campaigns targeting the Italian public. In April 2022, Italian fact-checking organization Facta reported on a network of at least five Facebook pages with around 40,000 followers supporting Vladimir Putin and echoing Russian disinformation.77 According to figures published by daily La Repubblica, around 50 Facebook profiles were removed in Italy for spreading Russian disinformation.78 In May 2022, the Italian parliament’s security committee opened a probe into pro-Putin disinformation being spread through news outlets.79

Additionally, a September 2022 Meta report noted that a Russian influence operation used “false media sites” mimicking those of prominent publications in the European Union, to target users in Italy and the European Union with Russian propaganda. The campaign spent around $100,000 on advertisements and sponsored pages spread narratives about the potential energy crisis in Europe and claimed that war crimes committed by the Russian military in Ukraine, which have been documented by rights groups, did not happen. Ultimately, the network had little influence within the European Union.80

Newsguard’s Coronavirus Disinformation monitoring center81 found that 41 websites—including conspiratorial blogs, alternative websites, and popular news outlets—published COVID-19 disinformation in Italy as of September 2021. Among the outlets were right-wing daily La Verità and Il Primato Nazionale, a website with ties to the neofascist CasaPound movement. An investigation by online magazine Formiche found that the Chinese government and its proxies played a key role in spreading manipulated information about COVID-19 in Italian on Twitter in March 2020, using the hashtags #forzaCinaelItalia (”go China and Italy”) and #grazieChina (”thank you China”).82

In May 2019, ahead of that month’s EU parliamentary elections, a Facebook spokesperson in Italy said the platform had removed a number of accounts or pages for violating policies on authenticity, name changes, and spreading incorrect information.83 This decision followed an investigation by the activist group Avaaz, which said Facebook had removed 23 accounts with a total of 2.46 million followers. According to Avaaz, more than half of the closed accounts supported either the Five Star Movement or Lega, the two parties that governed the country in coalition from June 2018 to September 2019.

In January 2018, then–interior minister Marco Minniti announced a new Postal Police initiative to fight the spread of fake news.84 The project, named Red Button, offered citizens the opportunity to report suspected fake news using a portal on the police’s website. The National Anticrime Information Center for Critical Infrastructure Protection (CNAIPIC) was tasked with analyzing the reported content. The government later confirmed that the initiative concluded within a few days of Italy’s March 2018 elections.85 According to Wired, published responses to citizens’ reports were generally vague, short, and not released in a timely manner.86

B6 0-3 pts
Are there economic or regulatory constraints that negatively affect users’ ability to publish content online? 3 / 3

In practice, Italians do not face special economic or regulatory obstacles to publishing content online.

Italy’s Declaration of Internet Rights (see C1) expresses the country’s commitment to the net neutrality principle. However, the declaration is nonbinding, and net neutrality is not enshrined in national law, though a 2015 EU-level regulation empowers AGCOM to supervise and enforce the principle.87

B7 0-4 pts
Does the online information landscape lack diversity and reliability? 4 / 4

The online information landscape in Italy is diverse, representative, and relatively unrestricted.

In more recent years, social media platforms have become a more popular forum for online expression. Facebook, YouTube and Instagram in particular are among the most-visited websites in the country.88 Twitter is particularly popular among journalists and politicians.

Misinformation related to the COVID-19 virus was prevalent in the online environment. For example, In December 2020, Facta published a report about the state of online dis- and misinformation in Italy.89 The report identified a network of Facebook pages originally created for sharing nonpolitical content that played a major role in spreading COVID-19 misinformation, reaching over two million users. The report also identified a Twitter network that included politicians and bloggers and circulated COVID-19 dis- and misinformation on the platform.

Observers have also frequently raised the problem of inadequate or flawed representation of immigrants, migrants, and refugees in media coverage as well as in newsrooms. A January 2020 report by Voci Globali,90 the Italian chapter of Global Voices, noted that despite the central place that migration has in the public and social debate in the country, foreign-born journalists are still very rare in Italian newsrooms. Such journalists often create forms of alternative journalism that find space online or work in what are called “ethnic media.” The latter, while important, could potentially lead to isolation from the mainstream debate.91

B8 0-6 pts
Do conditions impede users’ ability to mobilize, form communities, and campaign, particularly on political and social issues? 6 / 6

In Italy, social media platforms, especially Facebook, have emerged as crucial tools for organizing protests and other mass gatherings such as parties or political rallies. There are no restrictions on their use.

In the spring of 2021, a social media campaign emerged around a new bill to establish penalties for discrimination on the basis of sexual orientation and gender identity, commonly referred to as “ddl Zan” (the Zan bill) in reference to Alessandro Zan, the parliamentarian and LGBT+ activist who introduced the bill. As activists denounced the bill’s slow progress in parliament, the magazine Vanity Fair Italy asked people to share photos on social media of the slogan “DDL ZAN” written on a hand, along with the hashtag #diamociunamano (#LetsGiveEachOtherAHand).92 Many celebrities joined the campaign, which became widely popular on social media.

In November 2020, civil society, activists, and media organizations joined forces for the #datibenecomune (#DataForTheCommonGood) campaign, pressuring Italian institutions to release all pandemic-related data in open and machine-readable formats and advocating for greater transparency. The campaign was launched by the open data group OnData and the corresponding petition gathered over 50,000 signatures. Over 170 organizations joined the campaign, including ActionAid, Transparency International, and Wikimedia.93

C Violations of User Rights

C1 0-6 pts
Do the constitution or other laws fail to protect rights such as freedom of expression, access to information, and press freedom, including on the internet, and are they enforced by a judiciary that lacks independence? 4 / 6

Italy is a signatory to the European Convention on Human Rights and other relevant international treaties, and its constitutional guarantees regarding freedoms of speech and the press, as well as the confidentiality of correspondence,94 are supported by an independent judiciary. Italy became the first European country to adopt a crowdsourced Declaration of Internet Rights in July 2015.95 The nonbinding document includes provisions that promote net neutrality and establish internet access as a fundamental right. While generally seen as a positive development, the text has also raised some criticism for failing to outline adequate protections for anonymity, encryption, and data retention.96

Some restrictions on journalism, including online journalism, that are uncommon in other EU member states remain in place in Italy. Drawing on a 1948 law against the “clandestine press,” a regulation issued in 2001 holds that anyone providing a news service must be a “chartered” journalist with the Communication Workers’ Registry (ROC) and hold membership in the Italian National Press Federation.97 With the exception of one case from the late 2000s, these rules have generally not been applied to bloggers, and in practice thousands of blogs are published in Italy without repercussions.

Italy approved a Freedom of Information Act (FOIA) only in 2016, recognizing the right to access data and documents from public administrations.98 Journalists in the country increasingly use the law to conduct investigations. According to Transparency International Italia, which assists Italian journalists in submitting FOIA requests, 75 percent of the requests submitted through their service in 2019 facilitated the release of relevant information and documents.99

Two March 2020 decrees, passed early in the COVID-19 pandemic, suspended FOIA requests and all nonurgent “administrative proceedings” until mid-April. In May 2020, FOIA request processing was resumed.100

C2 0-4 pts
Are there laws that assign criminal penalties or civil liability for online activities, particularly those that are protected under international human rights standards? 2 / 4

Several laws present a threat to internet freedom in the country. A 2015 antiterrorism law expanded language in the criminal code on terrorist recruitment, as well as the endorsement or incitement of terrorism, to include online activities.101 Critics argued that the law could be applied broadly and would sanction legitimate instances of free expression that fall within international norms on protected speech.102

Defamation is a criminal offense in Italy. According to the criminal code, “aggravated defamation” is punishable by prison terms ranging from six months to three years and a minimum fine of €516 ($584). In cases of libel through the press, television, or other public means, there is no prescribed maximum fine.103 Though these criminal provisions are rarely applied, civil libel suits against journalists, including by public officials and politicians, are a common occurrence, and the financial burden of lengthy legal proceedings may have chilling effects on reporters and their editors.104

C3 0-6 pts
Are individuals penalized for online activities, particularly those that are protected under international human rights standards? 5 / 6

Defamation suits against journalists, including those operating online, remain common. Drawn-out legal proceedings, whatever their result, can entail serious financial costs for defendants. Ossigeno per l’Informazione, an organization that tracks threats to journalists in Italy, has reported hundreds of “frivolous defamation suits” against media defendants since 2011, including cases about online media. The organization’s most recent report notes that in 2021, 384 journalists were subject to different forms of threats, 48 percent of which were defamation suits.105

According to a survey from the Italian National Institute of Statistics presented in October 2019, some 70 percent of all libel cases against journalists between 2011 and 2016 did not lead to a full investigation, a sign of the frivolous grounds of most of these complaints. However, overall convictions for defamation, whether or not the defendants were journalists, rose from 182 in 2014 to 435 in 2017, and the number of prison sentences imposed for the offense, most of them between three and six months, rose from 35 in 2014 to 64 in 2017.106 In a representative incident reported in April 2019, the online news outlet Estense was presented with a €100,000 ($113,000) lawsuit by a regional Lega politician after publishing a story in which interviewees accused the plaintiff of stopping suspected immigrants and asking for their residency papers.107

C4 0-4 pts
Does the government place restrictions on anonymous communication or encryption? 3 / 4

The government places few restrictions on anonymous communication or encryption. Italian law does require mobile service providers to obtain customers’ personal and identification data in order to register a SIM card, citing counterterrorism purposes.108

In the past, lawmakers have attempted to propose laws that would require users to present identification to sign up for social media accounts, but they have not gained traction.109

C5 0-6 pts
Does state surveillance of internet activities infringe on users’ right to privacy? 3 / 6

Italian courts and lawmakers have sought in recent years to better define the legal boundaries of state surveillance, whether for law enforcement, intelligence, or public health purposes, with mixed success.

In April 2021, the DPA criticized a government decree to implement the EU-wide domestic vaccine passport, known as the “green pass.” The DPA said that the Italian government’s implementation was not provided for under Italian law, did not sufficiently disclose the purposes of the collection of Italians’ health data, and failed to adequately minimize the data collected.110 In June, the DPA stated that its criticisms had been sufficiently addressed by the Ministry of Health.111

In June 2020, officials introduced an open-source COVID-19 contact-tracing mobile app known as Immuni (the immune ones), which had been selected after a March 2020 open call coordinated by the ministers of health and innovation and the National Institute of Health (ISS).112 After originally planning to have the app store information externally in a government-managed database, Bending Spoons, the company that developed Immuni, later switched to a decentralized model, but there was also a lack of clarity as to whether the app would be mandatory.113 The government-led process for selecting the app was frequently criticized for a lack of transparency.114

An anticorruption law approved in February 2020 included provisions and a further decree that extend the authorized use of trojans, a type of malicious software, to investigations of crimes against the public administration committed by public officials, if the crimes are punishable with at least five years of imprisonment. In addition, the changes allow for the interception to take place at “the target’s private home,” even if a crime is not occurring at the moment, as long as it has been authorized.115

Authorities are widely perceived to be engaged in regular wiretapping, and the news media often publicizes wiretap information that is leaked to them.

In April 2021, the newspaper Domani reported that prosecutors and other officials in Trapani, a Sicilian city, had wiretapped journalists’ phone calls with sea rescue NGOs.116 The officials were investigating the NGOs for their alleged involvement in human trafficking. Authorities later exposed the journalists’ sources. As subsequently reported by the Guardian, the recorded conversations included information about travel itineraries and a conversation between a reporter and her lawyer. The officials also used geolocation data to track the journalists.117

A new wiretapping law came into effect in September 2020, implementing Decree Law 161 of 2019. 118 According to Wired, the new law “[restructures] the management of intercepted data and, above all, expands the categories of crime for which computer detectors can be used.”119 The law includes some privacy safeguards; for example, companies that supply these surveillance systems are compelled to use encrypted systems and securely delete files, according to journalist Carola Frediani.120 However, there are concerns that these safeguards will be applied inconsistently.121 MPs also raised concerns about the broadening of wiretaps in March 2021, during the discussion of a bill to establish expenses and quality standards related to wiretapping, which includes the storage and management of sensitive data by companies.122

The use of hacking by Italian law enforcement agencies has been documented, and in May 2017, the UN Human Rights Committee raised concerns that intelligence agencies can intercept personal communications with limited safeguards.123 In July 2016, however, the Supreme Court had ruled that hacking by law enforcement authorities under certain circumstances was constitutional and in accordance with human rights law.124

Lawmakers have made several attempts to regulate hacking in recent years.125 A criminal justice reform law approved in June 2017 calls on the government to regulate hacking for the purpose of criminal investigations.126 Organizations such as Privacy International have contended that the law fails to meet the standard of legality, necessity, and proportionality, and does not establish sufficient minimization procedures, effective oversight, or safeguards from abuse.127 Another proposal known as the Trojan Bill sought to establish a more robust system for authorizing remote and covert hacking.128 The bill was ultimately withdrawn in the aftermath of the March 2018 general elections.

A November 2018 ruling by the Supreme Court was expected to effectively place limits on authorities’ ability to conduct hacking as part of a criminal investigation. The case involved the installation of malware on a suspect’s mobile phone; the Supreme Court instructed a lower court to reexamine whether police practices were consistent with articles of the European Convention of Human Rights and the Italian constitution that protect the freedom and confidentiality of correspondence and other forms of communication.129

Awareness of Italian involvement in the international cyberweapons market has grown, and Italian companies, including the now-defunct Hacking Team, have faced increased scrutiny over sales of surveillance software to government agencies and repressive regimes.130 In June 2021, a joint investigation by IRPI Media, the newsroom of the NGO Investigative Reporting Project Italy; the newspaper il Domani; and Dutch investigative nonprofit Lighthouse Reports reported that European companies, including the Italian company SecurCube, provided cell-tower surveillance technology to Myanmar’s military, despite the EU embargo on the export of these tools. The company claimed that it had not directly sold the technology to Myanmar’s military, but it acknowledged that BTS could have been resold by third parties.131

The use of facial recognition continued to be a hotly debated topic in Italy. In April 2021, the DPA rejected the use by the police of the SARI Real Time facial recognition system,—which was an advanced version of the existing Italian National Police facial recognition system—arguing that the system lacks a legal basis for live facial recognition and that, as designed, it would implement a form of mass surveillance.132 In December 2021, the Italian parliament approved a two-year moratorium on facial recognition systems.133

Advanced technologies are used on vulnerable populations without transparency and appropriate oversight: in December 2021, the Hermes Center for Transparency and Digital Human Rights published a report detailing the use of facial recognition and biometric technologies on migrants fleeing persecution and arriving to Italy by boat.134 According to the report, migrants’ biometric data is included in a database that also contains suspects of crimes, and the government uses biometric authentication, including through facial recognition, to see if any of the migrants have committed crimes.

C6 0-6 pts
Does monitoring and collection of user data by service providers and other technology companies infringe on users’ right to privacy? 3 / 6

Service providers are required to comply with law enforcement requests for users’ activity records, known as metadata, under a variety of circumstances, including in the course of a criminal investigation or “for the purpose of preventing crimes by criminal associations and international terrorism organizations.”135

Although the CJEU struck down a 2006 EU directive on the retention of data, Italy has extended the period for which ISPs must keep users’ metadata. In November 2017, parliament swiftly approved a regulation on data retention that requires telecommunications companies to store telephone and internet data for up to six years. Despite civil society protests, there was virtually no public or parliamentary debate on the measure, which had been added to unrelated legislation following a European Council directive before passage.136 The DPA expressed its objection to the bill, citing the measure's incompatibility with EU law and case law.137 European Data Protection Supervisor Giovanni Buttarelli commented that the new regulation allowed too much data to be collected and did not reflect the European approach to data retention.138

In March 2020, in response to the COVID-19 pandemic, a Ministry of Innovation task force collaborated with the University of Pavia to create a program that compiles and analyzes anonymized data drawn from Facebook and telecommunications firms such as TIM, Vodafone, Wind Tre, and Fastweb. According to Wired Italy, the datasets “aggregate users' movements to help with contact tracing or other forms of monitoring.”139 The system is apparently used by health researchers and nonprofit organizations that have signed licensing agreements with Facebook. The president of the Italian Privacy Institute warned that while EU regulators allow for a loosening of data protection rules in a public emergency, the Italian program lacked provisions for the restoration of ordinary safeguards and the deletion of the data after the crisis passed.140

The Italian DPA has launched investigations into companies that have abused user data, issuing fines in some cases. For example, in February 2022, the authority fined the US-based facial recognition company Clearview AI €20 million ($22.6 million),141 the maximum penalty under the General Data Protection Regulation, after discovering that the company monitored and processed biometric data of individuals on Italian territory without a legal basis. The DPA started its investigation following several complaints by journalists, civil society organizations, and researchers.142 Additionally, the DPA ordered the company to erase all personal data relating to individuals in Italy and banned further collection and processing of personal data relating to individuals in Italy through Clearview AI’s facial recognition system. The DPA also ordered Clearview AI to designate a representative in the EU.

In September 2021, the DPA fined Luigi Bocconi University €200,000 ($226,000) for using Respondus, a proctoring software, without sufficiently informing students of the processing of their personal data and, among other violations, for processing their biometric data without a legal basis. Bocconi is a private University based in Milan and during the COVID-19 pandemic it introduced Respondus tools to monitor students during remote exams.143

The 2018 Cambridge Analytica scandal, in which the United Kingdom–based political consultancy was found to have improperly harvested Facebook data on US voters, also had an impact on Italy. The DPA conducted an inquiry into the case in order to establish how Italians’ data could have been misused, and investigators met with Facebook representatives in April 2018.144 The inquiry was closed in February 2019, when the DPA declared that Italians’ data were processed unlawfully and informed Cambridge Analytica that it might be fined.145 In June 2019, Italy fined Facebook $1.1 million because Cambridge Analytica accessed the data of around 214,000 Italian users through the platform.146

C7 0-5 pts
Are individuals subject to extralegal intimidation or physical violence by state authorities or any other actor in relation to their online activities? 3 / 5

While cases of intimidation or physical violence in response to online activity are reported only sporadically, individuals who expose organized crime activities in some parts of the country may be especially at risk of reprisals. For example, in May 2019, journalist Gaetano Scariolo’s car was set on fire by unknown assailants. Scariolo, who covers criminal justice and whose work appears online, said, “I am sure that the intimidation has to do with my professional activity.”147

The Interior Ministry recorded 44 episodes of violence and intimidation against journalists in the first three months of 2022, amounting to a small decrease compared to the first quarter of 2021.148 Of all the reported 232 cases in 2021, 44 percent involved online intimidation; 53 of these episodes were related to journalistic coverage of the pandemic. Compared to 2019, harassment of journalists increased by 87 percent. Ossigeno per l’Informazione documented 384 cases of threats and intimidation against Italian journalists and bloggers in 2021.149

Women journalists and politicians in particular are subject to virulent online harassment. In 2018, journalist Annalisa Camilli received derogatory and threatening anonymous emails after publishing an online story about a migrant rescued at sea by the NGO Open Arms.150 Other women journalists have reported experiencing similar harassment, frequently for their coverage of the migration crisis.151 Independent lawmaker Laura Boldrini was harassed, including by prominent politicians such as Matteo Salvini, the leader of the right-wing Lega, whose posts about her elicited death and rape threats from his online supporters.152

In 2021, several journalists were attacked while reporting on antivaccination protests or gatherings; for example, in August 2021, two separate instances of verbal and physical assault were reported.153

C8 0-3 pts
Are websites, governmental and private entities, service providers, or individual users subject to widespread hacking and other forms of cyberattack? 2 / 3

Cyberattacks have constituted a problem in Italy in recent years, through the defacement of or distributed denial-of-service (DDoS) attacks against the websites of political figures or institutional websites.

Though cyberattacks declined during the first year of the pandemic, they have increased in recent years, according to some sources. In its 2021 report, the Italian Association on Cybersecurity (CLUSIT) recorded 2,049 serious cyberattacks, an increase of almost ten percent compared to the previous year. Additionally, there was a monthly average of 171 attacks, the highest number ever recorded.154 The 2021 CLUSIT data, gathered by Fastweb’s Security Operations Center (SOC), signals a 58 percent increase of servers targeted via malware or botnets. The same report also underlines an increase in phishing via email and SMS. When it comes to DDoS attacks, Fastweb has recorded 2,500 instances of attacks against its clients in 2021, 50 percent of which targeted financial institutions or public agencies.155

Hacks of public and private institutions continued to occur in the coverage period, including attacks against hospitals.156 For example, in May 2022, the news agency AGI reported157 that a DDoS attack hit seven Italian websites, including the Senate, the Higher Institute of Health, and the Italian Automobile Club. The hacking attack was claimed on Telegram by a pro-Russian IT group called "Killnet," and was allegedly in retaliation for Italy’s support of Ukraine.

In June 2022, after the coverage period, the public administration of the Sardinia region admitted they had been targeted by a massive ransomware attack,158 following several reports by local and national journalists.159 The hackers allegedly obtained 155 GB of personal and sensitive data, including ID cards and passwords. If confirmed, this would be the largest data breach to impact a public institution in Italy.

In March 2021, Wired reported that the Ministry for Economic Development (MISE) suffered a data breach the previous year and had failed to report it.160 The breach jeopardized the personal information of employees at the ministry.

In March 2019, Vice reported that hackers working for an Italian surveillance company had infected hundreds of people’s devices with several malicious mobile apps that were hosted on the official Google Play store for months.161 Experts said that the operation may have ensnared innocent victims, as the spyware appears to have been faulty and poorly targeted. The DPA announced an investigation into the matter, with the head of the authority declaring that such tools posed a serious risk to citizens’ freedoms if deployed without the necessary safeguards. Prosecutors in turn launched an investigation into eSurv,162 the company that made the spyware, seizing its computers and shutting down the program’s infrastructure.