Freedom on the Net 2021 - Italy

76 / 100 Free
A Obstacles to Access 21 / 25
B Limits on Content 30 / 35
C Violations of User Rights 25 / 40
Last Year's Score & Status
76 / 100 Free
Scores are based on a scale of 0 (least free) to 100 (most free)
 
 

Overview

Internet freedom in Italy held steady during the coverage period. The country continues to lag behind some of its European Union (EU) peers when it comes to overall connectivity, although various attempts to close the digital divide have been made. Additionally, the country’s regulators have continued to issue fines to telecom and broadband operators to ensure competition in the market. While limits on political, social, and religious content are minimal, websites that host copyright-infringing and gambling content are blocked. The government also expanded the legal mandate for surveillance, introducing new requirements for wiretapping phones and computers.

Italy’s parliamentary system features competitive multiparty elections. Civil liberties are generally respected, but concerns persist regarding the rights of migrants and the long-term problems of organized crime and corruption.

Key Developments, June 1, 2020 - May 31, 2021

  • In December 2020, Autorità Garante della Concorrenza e del Mercato (AGCM), Italy’s competition and antitrust authority, launched a probe into FiberCop, a company formed by Telecom Italia (TIM) and other operators to manage the development of fiber telecommunications networks (see A1 and A4).
  • The Customs and Monopolies Agency (ADM) blocked access to Medium for a day in March 2021 because the site allegedly hosted illegal gambling links; access to the site was restored after inquiries from the press (see B1).
  • Government officials in the Sicilian city of Trapani wiretapped journalists’ devices and collected their location data in an effort to investigate sea rescue nongovernmental organizations (NGOs), which authorities claimed were involved in human trafficking (see C5).
  • In September 2020, the parliament passed a new law restructuring Italy’s wiretapping and surveillance regime (see C5).
 
 

A Obstacles to Access

A1 0-6 pts
Do infrastructural limitations restrict access to the internet or the speed and quality of internet connections? 5 / 6

Italy’s fixed-line broadband penetration rate is 29.9 percent,1 while its mobile broadband penetration rate is 93.6 percent,2 according to 2020 data from the European Commission.

Several factors have contributed to Italy’s relatively low overall penetration rates, including infrastructural limitations. According to the EU’s 2020 Digital Economy and Society Index (DESI), ultrafast broadband connections were only available to 30 percent of households in 2019, compared with an EU average of 44 percent.3 While fourth-generation (4G) mobile network coverage extends to 99.3 percent of households, Italy ranks 23 out of 27 member states on this metric.4 The country ranks high on 5G readiness.5

According to DESI, around 80.8 percent of Italians connected to the internet in 2020, and 75.6 percent did so on a daily basis.6 According to FTTH Council Europe data provided by iData, 2.8 million Italian households obtained access to ultra-high-speed broadband connections in 2020, marking the second largest increase in Europe.7

A July 2020 study by the Open Observatory of Network Interference (OONI) analyzed download and upload speeds around Milan, where coronavirus cases were prevalent, and found a correlation between poor service and the peak of COVID-19 infections. Increased home usage associated with pandemic-related restrictions on movement apparently caused network congestion.8

Italy’s Digital Agenda initiative, based on the Europe 2020 Digital Agenda, aims to expand broadband access and e-government functions.9 A 2016 government decree reduced the costs for laying cables and established the Networks Register for Infrastructure (SINFI), a dedicated instrument for implementing broadband strategy, managed by the Ministry of Economic Development.10 5G testing began in 2017,11 and the first 5G networks debuted in June 2019.12

In 2016, a “digital transformation team” was created to lead the technological modernization of Italian public administration, among other goals.13 Before its mandate ended in 2019, the team issued a Three-Year Plan for Information Technology in the Public Administration.14

In January 2021, La Stampa reported that the government will also allocate €26.7 billion ($32.8 billion) from Italy’s portion of the EU COVID-19 recovery fund to increase and strengthen broadband penetration in an effort to narrow Italy’s digital gap.15

In September 2020, the government announced the creation of AccessCo, a new entity responsible for the management of broadband infrastructure in Italy. Previously, the infrastructure was managed separately by TIM and Open Fiber, a telecommunications provider. In forming AccessCo, the two companies seek to establish a single high-speed broadband network in the country. The deal was approved by Cassa Depositi e Prestiti—an investment firm controlled by the Ministry of Economy and Finance that owns 9.7 percent of TIM and 50 percent of Open Fiber—and energy company Enel, which owns the other 50 percent of Open Fiber. As part of the deal, TIM must form a new company, FiberCop, to manage the network with Open Fiber.16 In December 2020, the Italian Competition Authority (AGCM), the competition regulator, opened an investigation into the formation of FiberCop.17

A2 0-3 pts
Is access to the internet prohibitively expensive or beyond the reach of certain segments of the population for geographical, social, or other reasons? 2 / 3

Internet connections are relatively affordable. In 2021, the Economist Intelligence Unit’s Inclusive Internet Index ranked Italy 4th out of 120 countries surveyed in terms of affordability, which accounts for cost of access, relative income level, and the competitiveness of the market.18 The 2020 DESI noted that “Italy performs above the EU average in all price baskets considered (fixed, mobile, converged).”19 According to the International Telecommunications Union (ITU), the cheapest fixed broadband plan that provides at least 5 gigabytes (GB) of monthly high-speed data costs 1.4 percent of gross national income (GNI) per capita, while the cheapest plan providing at least 1.5 GB of high-speed mobile data costs 0.4 percent of GNI per capita.20

Significant geographical differences in internet penetration persist across the country, with southern regions such as Calabria lagging behind. An ambitious infrastructure plan called Growth 2.0 was launched in 2012 to close the digital divide between areas that are served by high-speed connections and those that are not, but the plan was plagued by delays.21 In May 2019 a new initiative was launched to raise digital literacy and increase skills in emerging technologies. Called Repubblica Digitale,22 it aims to reduce various aspects of the digital divide by 2025.

According to a 2018 special report by the European Court of Auditors, only around 40 percent of Italians living in rural areas had access to high-speed broadband connections (of 30 Mbps or more) in 2017.23 As part of its 2015 plan to expand ultrafast broadband (known as SNBUL), the government has assigned tenders to roll out networks in underserved regions.24

The internet is particularly popular among young people, with 86.8 percent of people between ages 15 and 17 and 88.2 percent of people between ages 18 and 19 using the medium.25 Unfamiliarity with the internet among older people contributes to Italy’s relatively low overall penetration rate.

A3 0-6 pts
Does the government exercise technical or legal control over internet infrastructure for the purposes of restricting connectivity? 6 / 6

The government does not impose restrictions on connectivity, nor does it centralize control over information and communication technology (ICT) infrastructure.

TIM has continued the process of “externalizing” its infrastructure since 2013 to provide fair access to competitors as required by EU legislation,26 though it was unclear during the coverage period exactly how far the effort had progressed. TIM was privatized in 1997, and Cassa Depositi e Prestiti holds only a 9 percent stake in the company.27 However, under a 2012 decree-law, the state enjoys special supervisory authority, or “golden power,” over TIM and other companies in strategic sectors of the economy.28

In 2019, the government approved a decree-law allowing the state to use its “golden power” to veto the purchase and deployment of 5G technology provided by Chinese companies.29

A4 0-6 pts
Are there legal, regulatory, or economic obstacles that restrict the diversity of service providers? 5 / 6

Access to the internet for private users is offered by a range of internet service providers (ISPs), all of which must be authorized by the Ministry of Economic Development.30 As of 2019, TIM had the largest share of the fixed-line market (47.4 percent), followed by Vodafone (15 percent), Fastweb (13.9 percent), Wind Tre (13.7 percent), and others.31

TIM, Vodafone, Wind Tre, and Iliad are the major mobile service providers,32 and all of them operate 3G and 4G networks.33 Iliad, a French company, entered the Italian mobile market in May 2018, offering a low-cost option for consumers.34 Later in 2018, Kena Mobile,35 operated by TIM, and Ho. Mobile, managed by Vodafone, entered the low-cost mobile market to compete with Iliad.36 As of September 2019, Wind Tre, TIM, and Vodafone accounted for some 97 percent of the postpaid market, with nearly equal shares. In the prepaid market, Wind Tre had 30.3 percent, TIM 26.5 percent, and Vodafone 24.1 percent, followed by Iliad at 6.5 percent and other operators with smaller shares.37

In January 2020, Fastweb, TIM, Vodafone, and Wind Tre were fined a total of €228 million ($280 million) by AGCM,38 which found that the companies had coordinated in overcharging customers.39 In February 2018, the police and authorities from the agency searched the offices of the four providers, and of the industry lobbying firm Asstel, as part of a probe into the pricing of fixed-line and mobile services.40 Regulators suspected that the companies had overcharged their clients by billing them for their services every four weeks instead of once a month. In late 2017, Parliament passed a law requiring monthly billing for all telephone service providers.41 This law followed a March 2017 regulation by the Authority for Communications Guarantees (AGCOM), the primary telecommunications regulator, that required fixed-line providers to move to monthly billing. Several companies, including Vodafone, Fastweb, and Wind Tre, were fined by AGCOM for noncompliance in December of that year.42 In July 2021, after the coverage period, the fines against the companies were annulled by the Regional Administrative Court of Lazio because AGCM allegedly failed to provide sufficient evidence to justify its claim that operators acted in coordination.43

In March 2020, AGCM fined TIM €116 million ($142 million) for abusing its dominant market position by “obstructing the entrance of rivals” into the ultrafast broadband market. In 2018, TIM claimed that it would not provide broadband to cities and towns where it could not ensure a return on the investment, which led Rome to provide state-subsidized tenders. Then, after losing out in a bid to Open Net, TIM reneged on its earlier claim and agreed to provide broadband to rural areas without a state subsidy.44

In December 2020, AGCM launched an investigation into TIM-owned FiberCop, which manages the development of fiber communication network projects, and its potential partners (see A1).45

A5 0-4 pts
Do national regulatory bodies that oversee service providers and digital technology fail to operate in a free, fair, and independent manner? 3 / 4

The main regulatory body for telecommunications is AGCOM, an independent agency that is accountable to Parliament. Its responsibilities also include protecting intellectual property rights, regulating advertisements, and overseeing public broadcasting. The parliamentary majority appoints AGCOM’s president.

Another important player governing the ICT sector is the Data Protection Authority (DPA). Established in 1997, it is tasked with supervising compliance with data protection laws by both governmental and nongovernmental entities. It also has the authority to ban or block “processing operations that are liable to cause serious harm to individuals.”46 It is generally viewed as professional and fair in carrying out its duties. The DPA is the supervisory authority responsible for monitoring application of the EU’s General Data Protection Regulation (GDPR) in Italy, and between May 2018 and March 2020 it actively managed more than 17,000 GDPR complaints and reports.47

AGCM has also played an active role in ensuring that telecom markets remain competitive and consumer rights are protected.

B Limits on Content

B1 0-6 pts
Does the state block or filter, or compel service providers to block or filter, internet content, particularly material that is protected by international human rights standards? 5 / 6

Italy does not typically block or filter content of a political, social, or religious nature; all major websites and communication platforms are freely available. According to data gathered by OONI, Italy’s blocking and filtering of the internet is limited and is primarily implemented by means of domain name system (DNS) tampering.48

In March 2021, the Customs and Monopolies Agency (ADM), an administrative body under the Ministry of Finance, blocked the popular content sharing platform Medium in Italy because of posts that allegedly shared illegal gambling links. Following inquiries from the press, the block was lifted later the same day.49

Websites are also frequently blocked for hosting copyright-violating content. In April 2020, the Italian Federation of Newspaper and Periodical Publishers (FIEG) urged AGCOM to restrict access to the Telegram messaging application, citing the existence of some Telegram channels that violated copyright by distributing digital copies of Italian newspapers.50 Following separate investigations in the cities of Bari and Rome, nearly 50 Telegram channels and websites found to be illegally distributing newspaper content were ordered to be blocked in spring 2020. The order in Bari came from the city’s prosecutor and led to the restriction of 19 Telegram channels, while the latter was initiated by the Guardia di Finanza and facilitated the obstruction of 28 sites that disseminated content newspapers and magazines.51 […] to several Telegram channels.52 In response, Telegram itself removed the relevant channels.53

One of the sites that was targeted for blocking as part of the Telegram investigation in May 2020 was that of Project Gutenberg, a prominent online distributor of public-domain e-books.54 Project Gutenberg appears on a list of websites put under investigation for the distribution of copyright-protected content published by […] However, it was unclear why access to this specific website was restricted. Lawyers have suggested that some of the content hosted by the site may not be considered part of the public domain in Italy, which has different legal criteria than the United States, where Project Gutenberg is based. The site remained blocked as of the end of June 2021.55

AGCOM has issued 723 blocking orders since 2013, according to August 2019 data.56 These orders are publicly available on AGCOM’s website.57 Illegal gambling sites are frequently blocked by ADM. Italy’s public blacklist contains over 7,000 such websites, according to a January 2019 report from the European Commission.58 Websites hosting content related to terrorism or child sexual abuse images may also be subject to blocking. Through a June 2019 decree, the government gave the National Companies and Exchange Commission (CONSOB), the public authority responsible for regulating the Italian securities market, the mandate to order service providers to block websites offering unauthorized financial services. According to CONSOB data released in May 2020, 211 such websites have been blocked since July 2019.59

B2 0-4 pts
Do state or nonstate actors employ legal, administrative, or other means to force publishers, content hosts, or digital platforms to delete content, particularly material that is protected by international human rights standards? 3 / 4

Authorities and courts sometimes request the removal of specific content.

In May 2021, the Supreme Court of Cassation, Italy’s court of last resort, ruled that the popular television show “Le Iene” must remove a segment allegedly defaming Roberto Burioni, a scientist and public figure. Burioni had sued Mediaset, which airs “Le Iene,” for defamation, claiming reputational damages from a segment of an episode that alleged that Burioni had promoted pharmaceutical products for his own financial benefit. The May 2021 ruling upheld an earlier decision in which a court ruled in favor of Burioni and imposed the restriction of the allegedly defamatory segment on Le Iene’s website. The Supreme Court’s ruling also confirmed that a court can order the restriction of an entire journalistic piece in a defamation suit, rather than only the parts of the piece considered “defamatory.” Various observers have warned of the negative impact the case could have on free expression.60

According to Facebook, from July to December 2020, 263 pieces of content were removed, which included 110 pieces of content that violated local laws and 70 pieces of content in response to private defamation reports.61 Twitter’s transparency report for the same period lists seven requests for content removal, including four court orders; Twitter complied with 57 percent of these requests.62 According to Google’s transparency report, the government sent 91 content removal requests between July and December 2020, including 56 for defamatory content, 3 for bullying and harassment, and 10 for fraud.63

Italian courts have ruled in favor of the so-called right to be forgotten (RTBF) established by the Court of Justice of the European Union (CJEU) in 2014. In December 2015, a civil court in Rome upheld the CJEU’s reasoning on the right to be forgotten but rejected the plaintiff’s request, seeking to balance such a right with the right to information in the public interest.64 In a problematic move in 2016, the Supreme Court upheld a 2013 court decision ordering the removal of an article that damaged a restaurant’s reputation from a website’s archives after two years, finding that the time elapsed between the publication date and the request for removal “sufficed to satisfy the public interest as far as its right to be informed was concerned.”65 Google reported that, between May 2018 and April 2021, the company removed some 60,000 URLs in Italy (43 percent of the total requested) following RTBF complaints from users.66

B3 0-4 pts
Do restrictions on the internet and digital content lack transparency, proportionality to the stated aims, or an independent appeals process? 3 / 4

Websites related to child sexual abuse images, copyright infringement, illegal gambling, and terrorism may be subject to blocking or targeted with content removal orders. Blocking or takedown orders are generally issued by the courts. An antiterrorism decree-law passed by Parliament in 2015 allows the public prosecutor to order the blocking or removal of websites affiliated with terrorist groups.67 In a system similar to those used to block child sexual abuse images and illegal gambling sites, the Ministry of the Interior compiles a blacklist of terrorist websites for ISPs to block.68

In June 2020, Parliament approved a decree covering various legal topics, including the penitentiary system, telephone interceptions, and civil justice. The decree included a standard authored by Senator Simone Pillon of the far-right Lega party concerning the automatic blocking of pornographic and other “inappropriate” content. According to the decree text, a parental control will be implemented on both fixed-line and mobile connections, preventing access to pornographic content of any kind by default. Adults would have to ask their service provider to lift the filter. According to various experts, it is unlikely that the rule will be effectively implemented, for both technical and practical reasons.69

A controversial resolution on online copyright enforcement enacted in 2014 enables AGCOM to issue administrative blocking orders to ISPs for specific websites that infringe on copyright, even those that only contain links for downloading copyright-protected content. The regulation also gives AGCOM the power to remove content upon review by an internal panel, but without prior judicial approval, if a copyright violation is detected.70

In April 2021, Italy adopted a law to transpose the 2019 EU Copyright Directive,71 but it did not enact the law before the June 7 deadline set by the EU.72 Debate about the Copyright Directive was lively in Italy, where political parties have expressed strong and diverging opinions. The first government headed by Prime Minister Giuseppe Conte, in office from June 2018 to September 2019 and led by the Five Star Movement and Lega, expressed opposition to the new directive, while the Democratic Party, which formed the second, current Conte government with the Five Star Movement, favored the measure. Italy was ultimately among the six EU member states that voted against the directive in the Council of the EU after the European Parliament had approved it.73 The FIEG had urged the government to accelerate the implementation of the EU directive, particularly Article 15, which allows for financial compensation if a full article is published online by various platforms.74

In 2017, Parliament approved a new law on cyberbullying after several high-profile cases came to light.75 Minors over the age of 14 or their parents can demand that content-hosting sites remove damaging material within 48 hours.76 If no action is taken, the victims can refer their case to the DPA, which can order the damaging content to be blocked or taken down.77 Critics of the bill said it gave users too much latitude to force the removal of content from social media sites.78

Italian lawmakers and regulators have at times proposed measures allowing for the blocking or removal of “fake news” websites (see C2), but these proposals have made little progress to date.

ISPs are not generally liable for illegal third-party content, but they must inform authorities of such content should they become aware of it, and they face civil penalties if they do not comply with official requests to restrict access to it.79

B4 0-4 pts
Do online journalists, commentators, and ordinary users practice self-censorship? 3 / 4

Content creators and hosts may exercise some self-censorship regarding content that could prove controversial or create friction with powerful entities or individuals. Online writers also exercise caution to avoid libel suits by public officials, whose litigation—even when unsuccessful—can take a significant financial toll. Individuals writing about the activities of organized crime in some parts of the country may be especially at risk of extralegal reprisals.

In March 2018, the magazine Famiglia Cristiana deleted an article about the seizure by Italian authorities of a Spanish nongovernmental rescue ship carrying asylum seekers, following a confrontation at sea that may have violated international law.80 After 24 hours, an altered version of the article was published online,81 and the original author withdrew his name from it. Mention of the Italian navy was dropped from the title, and descriptions of the navy’s involvement in the incident were modified.

B5 0-4 pts
Are online sources of information controlled or manipulated by the government or other powerful actors to advance a particular political interest? 3 / 4

Manipulated online content was prevalent in Italy during the coverage period, including material related to the COVID-19 pandemic. In recent years political parties have also engaged in online manipulation surrounding elections.

Newsguard’s Coronavirus Disinformation monitoring center82 found that 41 websites—including conspiratorial blogs, alternative websites, and popular news outlets—published COVID-19 disinformation in Italy as of September 2021. Among the outlets were right-wing daily La Verità and Il Primato Nazionale, a website with ties to the neofascist CasaPound movement.

An investigation by online magazine Formiche found that the Chinese government and its proxies played a key role in spreading manipulated information about COVID-19 in Italian on Twitter in March 2020. Bots generated much of the content promoting Chinese-Italian cooperation, which included the hashtags #forzaCinaeItalia (go China and Italy) and #grazieCina (thank you China). Inauthentic accounts also posted criticism of the EU’s response to the pandemic.83

In May 2019, ahead of that month’s EU parliamentary elections, a Facebook spokesperson in Italy said the platform had removed a number of accounts or pages for violating policies on authenticity, name changes, and spreading incorrect information.84 This decision followed an investigation by the activist group Avaaz, which said Facebook had removed 23 accounts with a total of 2.46 million followers. According to Avaaz, more than half of the closed accounts supported either the Five Star Movement or Lega, the two parties that governed the country in coalition from June 2018 to September 2019.

In November 2018, AGCOM released a report analyzing the quality of information in Italy. It found that the volume of disinformation peaked in relation to the March 2018 general election campaign but had subsided.85 The disinformation took the form of fabricated opinion polls, manipulated pictures, and fake news. Bot activity was also detected in the days running up to the 2018 vote.86 A February 2018 Reuters Institute for the Study of Journalism report observed that fake news websites had a much smaller reach among Italian readers than legacy news outlets, and that the time readers spent on their pages was limited compared with their mainstream counterparts. However, interactions on Facebook with fake news content matched or exceeded those with content produced by legitimate journalism.87

In January 2018, then interior minister Marco Minniti announced a new Postal Police initiative to fight the spread of fake news.88 The project, named Red Button, offered citizens the opportunity to report suspected fake news using a portal on the police’s website. The National Anticrime Information Center for Critical Infrastructure Protection (CNAIPIC) was tasked with analyzing the reported content. The police then published fact-checks based on these analyses. David Kaye, then the UN special rapporteur on freedom of opinion and expression, expressed concerns about the initiative, citing its vague definition of fake news. In a formal communication, he urged the government to reconsider it.89 The government later confirmed that the initiative concluded within a few days of Italy’s March 2018 elections.90 It is unclear how many reports the police received, how many instances of alleged fake news were assessed, and whether any content was removed.91 According to Wired, published responses to citizens’ reports were generally vague, short, and not released in a timely manner.92

A December 2018 analysis of the use of Facebook by Lega leader Matteo Salvini and Five Star Movement leader Luigi Di Maio showed that the two employed the platform’s video and live-streaming services to bypass the mainstream media and “foment discord” during the March 2018 elections, after which they both became deputy prime ministers in the first Conte government.93 In April 2019, ahead of the EU elections, the DPA issued guidelines on the use of voter data by parties and other political actors in compliance with the GDPR. According to the DPA website, the guidelines focus in particular on the use of political and propaganda messages sent to users via social-networking sites, such as Facebook and LinkedIn, or other messaging platforms, such as Skype, WhatsApp, and Facebook Messenger, reiterating that such use must comply with data protection rules. As shown by cases of massive voter profiling, the agency said, “it is essential to protect the electoral process and avoid risks of external interference and disturbances.”94

B6 0-3 pts
Are there economic or regulatory constraints that negatively affect users’ ability to publish content online? 3 / 3

In practice, Italians do not face special economic or regulatory obstacles to publishing content online.

Italy’s Declaration of Internet Rights (see C1) expresses the country’s commitment to the net neutrality principle. However, the declaration is nonbinding, and net neutrality is not enshrined in national law, though a 2015 EU-level regulation empowers AGCOM to supervise and enforce the principle.95

B7 0-4 pts
Does the online information landscape lack diversity and reliability? 4 / 4

The online information landscape in Italy is diverse, representative, and relatively unrestricted. Blogging has become popular in Italy, though television remains a leading medium for obtaining news. Most policymakers, popular journalists, and figures in the entertainment industry have expressed themselves on their own blogs, as do many ordinary citizens. In more recent years, social media platforms have become a more popular forum for online expression.

Facebook, YouTube and Instagram in particular are among the most-visited websites in the country.96 Twitter is particularly popular among journalists and politicians.

Misinformation related to the COVID-19 virus was prevalent in the online environment. For example, in December 2020, the Italian fact-checking organization Facta published a report about the state of online dis- and misinformation in Italy.97 The report identified a network of Facebook pages originally created for sharing non-political content that played a major role in spreading COVID-19 misinformation, reaching over two million users. The report also identified a Twitter network that included politicians and bloggers and circulated COVID-19 dis- and misinformation on the platform.

An April 2020 AGCOM report also noted that the pandemic has been marked by an influx of misinformation. On March 11, 2020, almost three weeks after the outbreak began, nearly half of all the recorded misinformation on websites and social media was related to the pandemic. Information that was circulated linked the virus to 5G technology and included claims that Chinese spies created the virus in a Canadian lab.98

Observers have also frequently raised the problem of inadequate or flawed representation of immigrants, migrants, and refugees in media coverage as well as in newsrooms. A January 2020 report by Voci Globali,99 the Italian chapter of Global Voices, noted that despite the central place that migration has in the public and social debate in the country, foreign-born journalists are still very rare in Italian newsrooms. Such journalists often create forms of alternative journalism that find their space online or work in what are called “ethnic media.” The latter, while considered important, could potentially lead to isolation from the main debate. According to the report, “the ethnic media, while being useful at first because they allow migrants to find the lost community, do not favor integration: through ethnic journalism the different communities have the opportunity to coexist next to each other, but they are unable to make their voices heard in the wider public debate.”100

B8 0-6 pts
Do conditions impede users’ ability to mobilize, form communities, and campaign, particularly on political and social issues? 6 / 6

In Italy, social media platforms, especially Facebook, have emerged as crucial tools for organizing protests and other mass gatherings such as parties or political rallies. There are no restrictions on their use.

In the spring of 2021, a social media campaign emerged around a new bill to establish penalties for discrimination on the basis of sexual orientation and gender identity, commonly referred to as “ddl Zan” (the Zan bill) in reference to Alessandro Zan, the parliamentarian and LGBT+ activist who introduced the bill. As activists denounced the bill’s slow progress in the parliament, the magazine Vanity Fair Italy asked people to share photos on social media of the slogan “DDL ZAN” written on a hand, along with the hashtag #diamociunamano (#LetsGiveEachOtherAHand).101 Many celebrities joined the campaign, which became widely popular on social media.

In November 2020, civil society, activists, and media organizations joined forces for the #datibenecomune (#DataForTheCommonGood) campaign, pressuring Italian institutions to release all pandemic-related data in open and machine-readable formats and advocating for greater transparency. The campaign was launched by the open data group OnData and the corresponding Change.org petition gathered over 50,000 signatures. Over 170 organizations joined the campaign, including ActionAid, Transparency International, and Wikimedia.102

C Violations of User Rights

C1 0-6 pts
Do the constitution or other laws fail to protect rights such as freedom of expression, access to information, and press freedom, including on the internet, and are they enforced by a judiciary that lacks independence? 4 / 6

Italy is a signatory to the European Convention on Human Rights and other relevant international treaties, and its constitutional guarantees regarding freedoms of speech and the press, as well as the confidentiality of correspondence,103 are supported by an independent judiciary. Italy became the first European country to adopt a crowdsourced Declaration of Internet Rights in July 2015.104 The nonbinding document includes provisions that promote net neutrality and establish internet access as a fundamental right. While generally seen as a positive development, the text has also raised some criticism for failing to outline adequate protections for anonymity, encryption, and data retention.105

Some restrictions on journalism, including online journalism, that are uncommon in other EU member states remain in place in Italy. Drawing on a 1948 law against the “clandestine press,” a regulation issued in 2001 holds that anyone providing a news service must be a “chartered” journalist with the Communication Workers’ Registry (ROC) and hold membership in the Italian National Press Federation.106 With the exception of one case from the late 2000s, these rules have generally not been applied to bloggers, and in practice thousands of blogs are published in Italy without repercussions.

Italy approved a Freedom of Information Act (FOIA) only in 2016, recognizing the right to access data and documents from public administrations.107 Journalists in the country increasingly use the law to conduct investigations. According to Transparency International Italia, which assists Italian journalists in submitting FOIA requests, 75 percent of the requests submitted through their service in 2019 facilitated the release of relevant information and documents.108

A March 2020 decree, passed during the COVID-19 pandemic, suspended FOIA requests. A second decree issued in March suspended all non-urgent “administrative proceedings” until mid-April, encompassing FOIA requests. Journalists lamented their impeded access to data about the spread of the pandemic on the local and regional level.109 In May 2020, FOIA requests were resumed.110

C2 0-4 pts
Are there laws that assign criminal penalties or civil liability for online activities, particularly those that are protected under international human rights standards? 2 / 4

Several laws present a threat to internet freedom in the country. A 2015 antiterrorism law expanded language in the criminal code on terrorist recruitment, as well as the endorsement or incitement of terrorism, to include online activities.111 Critics argued that the law could be applied broadly and would sanction legitimate instances of free expression that fall within international norms on protected speech.112

Defamation is a criminal offense in Italy. According to the criminal code, “aggravated defamation” is punishable by prison terms ranging from six months to three years and a minimum fine of €516 ($634). In cases of libel through the press, television, or other public means, there is no prescribed maximum fine.113 Though these criminal provisions are rarely applied, civil libel suits against journalists, including by public officials and politicians, are a common occurrence, and the financial burden of lengthy legal proceedings may have chilling effects on reporters and their editors. In March 2017, the UN Human Rights Committee expressed renewed concerns that “forms of expression, including defamation, libel and blasphemy, remain criminal offences and can be punished with imprisonment and that article 13 of the press law and article 595 of the Criminal Code impose harsher punishments for defaming public officials, including the Head of State.”114

C3 0-6 pts
Are individuals penalized for online activities, particularly those that are protected under international human rights standards? 5 / 6

Defamation suits against journalists, including those operating online, remain common. Drawn-out legal proceedings, whatever their result, can entail serious financial costs for defendants. Ossigeno per l’Informazione, an organization that tracks threats to journalists in Italy, has reported hundreds of “frivolous defamation suits” against the media since 2011, including cases against online media.115

According to a survey from the Italian National Institute of Statistics presented in October 2019, some 70 percent of all libel cases against journalists between 2011 and 2016 did not lead to a full investigation, a sign of the frivolous grounds of most of these complaints. However, overall convictions for defamation, whether or not the defendants were journalists, rose from 182 in 2014 to 435 in 2017, and the number of prison sentences, largely between three and six months, rose from 35 in 2014 to 64 in 2017.116 In a representative incident reported in April 2019, the online news outlet Estense was presented with a €100,000 ($122,800) lawsuit by a regional Lega politician after publishing a story in which interviewees accused the plaintiff of stopping suspected immigrants and asking for their residency papers.117

C4 0-4 pts
Does the government place restrictions on anonymous communication or encryption? 3 / 4

The government places few restrictions on anonymous communication or encryption. Italian law does require mobile service providers to obtain customers’ personal and identification data in order to register a SIM card, citing counterterrorism purposes.118

In October 2019, Parliament member Luigi Marattin indicated on Twitter that he would work on legislation to effectively ban anonymous social media accounts in Italy.119 According to Marattin’s statements, the proposal would require all Italians to provide identity cards when registering an account on social media. The idea was framed as a means of combating hate speech and the spread of fake news. Despite sparking widespread media coverage and a debate about its propriety,120 the idea was never formally presented as draft legislation.

In May 2019, lawmaker Andrea Ruggieri had advanced a similar measure to fight anonymous trolling on social media. The proposal would have required social media companies to record users’ identity cards and personal tax codes upon registration.121 The concept was harshly criticized by experts in the field, who highlighted the potential for civil rights violations.122 It did not appear to have advanced by the end of the coverage period.

C5 0-6 pts
Does state surveillance of internet activities infringe on users’ right to privacy? 3 / 6

Italian courts and lawmakers have sought in recent years to better define the legal boundaries of state surveillance, whether for law enforcement, intelligence, or public health purposes.

During the COVID-19 pandemic, officials introduced a contact-tracing mobile app, known as Immuni (the immune ones), that was selected after a March 2020 open call coordinated by the ministers of health and innovation and the National Institute of Health (ISS).123 The app was developed by the private company Bending Spoons and is open-source.124 Use of the app, which was released in June 2020, is voluntary, and the program is technically compatible with Apple and Google’s more privacy-oriented framework. Immuni uses Bluetooth technology, allowing nearby devices to exchange contact information with each other, and the data are stored on each person’s smartphone for no more than 14 days, theoretically maintaining both decentralization and privacy.125 The launch of the app followed a wide debate about privacy, surveillance, and digital rights in the country;126 after originally planning to have the app store information externally in a government-managed database, Bending Spoons later switched to a decentralized model, but there was also a lack of clarity as to whether the app would be mandatory.127 The government-led process for selecting the app was frequently criticized for a lack of transparency.128

Data from Immuni indicate that the app had been downloaded 10.3 million times as of March 2021, with the most downloads in December 2020. Since December, downloads have stalled and the app has almost disappeared from institutional communications and public discourse.129

In April 2021, the DPA criticized a government decree to implement the EU-wide domestic vaccine passport, known as the “green pass.” The DPA said that the Italian government’s implementation was not provided for under Italian law, did not sufficiently disclose the purposes of the collection of Italians’ health data, and failed to adequately minimize the data collected.130 In June, the DPA stated that its criticisms had been sufficiently addressed by the Ministry of Health.131

An anticorruption law approved in February 2020 included provisions and a further decree that extended the authorized use of trojans, a type of malicious software, to investigations of crimes against the public administration committed by public officials, if the crimes are punishable with at least five years of imprisonment. In addition, the changes allow for the interception to take place at “the target’s private home,” even if a crime is not occurring at the moment, as long as it has been authorized.132

Despite former US intelligence contractor Edward Snowden’s 2013 revelation of intrusive surveillance practices by the US government and its European and other allies, Italy has not engaged in a thorough public debate on surveillance. Authorities are widely perceived to be engaged in regular wiretapping, and the news media often publicizes wiretap information that is leaked to them. In April 2021, the newspaper Domani reported that prosecutors and other officials in Trapani, a Sicilian city, had wiretapped journalists’ phone calls with sea rescue NGOs.133 The officials were investigating the NGOs for their alleged involvement in human trafficking. Authorities later exposed the journalists’ sources. As subsequently reported by the Guardian, the recorded conversations included information about travel itineraries and a conversation between a reporter and her lawyer. The officials also used geolocation data to track the journalists.134

The use of hacking by Italian law enforcement agencies has been documented, and in May 2017, the UN Human Rights Committee raised concerns that “intelligence agencies are intercepting personal communications and employing hacking techniques without explicit statutory authorization or clearly defined safeguards from abuse.”135 In July 2016, however, the Supreme Court had ruled that hacking by law enforcement authorities under certain circumstances was constitutional and in accordance with human rights law.136

Lawmakers have made several attempts to regulate hacking in recent years.137 A criminal justice reform law approved in June 2017 calls on the government to regulate hacking for the purpose of criminal investigations.138 Organizations such as Privacy International have contended that the law fails to meet the standard of legality, necessity, and proportionality, and does not establish sufficient minimization procedures, effective oversight, or safeguards from abuse.139 Another proposal known as the Trojan Bill sought to establish a more robust system for authorizing remote and covert hacking.140 The bill was ultimately withdrawn in the aftermath of the March 2018 general elections.

A November 2018 ruling by the Supreme Court was expected to effectively place limits on authorities’ ability to conduct hacking as part of a criminal investigation. The case involved the installation of malware on a suspect’s mobile phone; the Supreme Court instructed a lower court to reexamine whether police practices were consistent with articles of the European Convention of Human Rights and the Italian constitution that protect the freedom and confidentiality of correspondence and other forms of communication.141 According to Privacy International, the ruling “points to the need for Italy and other states to thoroughly review their practices of hacking for surveillance purposes and stop these activities until and unless they can be demonstrated to be in full compliance with applicable international human rights law.”142

A new wiretapping law came into effect in September 2020, implementing Decree Law 161 of 2019.143 According to Wired, the new law “[restructures] the management of intercepted data and, above all, expands the categories of crime for which computer detectors can be used.”144 The law includes some privacy safeguards; for example, companies that supply these surveillance systems are compelled to use encrypted systems and securely delete files, according to journalist Carola Frediani.145 However, there are concerns that these safeguards will be applied inconsistently.146 MPs also raised concerns about the broadening of wiretaps in March 2021, during the discussion of a bill to establish expenses and quality standards related to wiretapping, which includes the storage and management of sensitive data by companies.147

Awareness of Italian involvement in the international cyber-weapons market has grown, and Italian companies have faced increased scrutiny over sales of surveillance software to government agencies and repressive regimes. In July 2015, a leak of internal documents from the Milan-based surveillance technology firm Hacking Team revealed details about some of the company’s clients around the world, including in countries with poor human rights records.148 The company had been criticized in the past for cooperating with undemocratic regimes and lacking sufficient consideration of users’ privacy.149 In April 2016, the Italian government suspended Hacking Team’s “global” authorization to export its software, requiring it to obtain individual licenses from Italian authorities to serve countries outside of the EU.150

According to a study from Privacy International in August 2016, three companies based in Italy market intrusion technology.151 In 2017, the Italian Coalition for Civil Liberties and Rights, Privacy International, and the Hermes Center for Transparency and Digital Human Rights wrote a public letter asking the Ministry of Economic Development to reconsider the export authorization for the Italian company AREA, which had been investigated after selling its products in Syria and Egypt.152 The ministry issued a press release stating that the company’s export authorization for Egypt had been suspended and would be revoked.153 However, civil society organizations have continued to demand greater transparency on export licensing and the countries involved.154

In June 2021, after the coverage period, a joint investigation by IRPI media (the newsroom of the NGO Investigative Reporting Project Italy), the newspaper il Domani, and Dutch investigative nonprofit Lighthouse Reports reported that European companies, including the Italian company SecurCube, provided technology to Myanmar’s military, despite the EU embargo on the export of these tools. According to the investigation, the military used SecurCube’s Base Transceiver Stations (BTS) to measure and map how cell towers spread their signals. The company claimed that it had not directly sold the technology to Myanmar’s military, but acknowledged that BTS could have been resold by third parties.155

C6 0-6 pts
Does monitoring and collection of user data by service providers and other technology companies infringe on users’ right to privacy? 3 / 6

Service providers are required to comply with law enforcement requests for users’ activity records, known as metadata, under a variety of circumstances, including in the course of a criminal investigation or “for the purpose of preventing crimes by criminal associations and international terrorism organizations.”156

Although the CJEU struck down the 2006 EU directive on the retention of data, Italy has extended the period for which ISPs must keep users’ metadata. In November 2017, Parliament swiftly approved a regulation on data retention that requires telecommunications companies to store telephone and internet data for up to six years. Despite civil society protests, there was virtually no public or parliamentary debate on the measure, which had been added to unrelated legislation following a European Council directive before passage.157 The DPA expressed its objection to the bill, citing its incompatibility with EU law and case law.158 European Data Protection Supervisor Giovanni Buttarelli commented that the new regulation did not reflect the European approach to data retention: “The European Court of Justice has said that we can no longer collect anything that concerns us all just to have it ’in case.’ This is a type of approach that is not part of the European legal system.”159

In March 2020, in response to the COVID-19 pandemic, a Ministry of Innovation task force collaborated with the University of Pavia to create a program that compiles and analyzes anonymized data drawn from Facebook and telecommunications firms such as TIM, Vodafone, Wind Tre, and Fastweb. According to Wired Italy, the datasets “aggregate users' movements to help with contact tracing or other forms of monitoring.”160 The system is apparently used by health researchers and nonprofit organizations that have signed licensing agreements with Facebook. The president of the Italian Privacy Institute warned that while EU regulators allow for a loosening of data protection rules in a public emergency, the Italian program lacked provisions for the restoration of ordinary safeguards and the deletion of the data after the crisis has passed.161

The 2018 Cambridge Analytica scandal, in which the United Kingdom–based political consultancy was found to have improperly harvested Facebook data on US voters, also had an impact on Italy. The DPA conducted an inquiry into the case in order to establish how Italians’ data could have been misused, and investigators met with Facebook representatives in April 2018.162 The inquiry was closed in February 2019, when the DPA announced that Italians’ data were processed unlawfully. As a consequence, the DPA “reserved the right to issue administrative fines due to the unlawful processing activities at issue.”163

C7 0-5 pts
Are individuals subject to extralegal intimidation or physical violence by state authorities or any other actor in relation to their online activities? 3 / 5

While cases of intimidation or physical violence in response to online activity are reported only sporadically, individuals who expose organized crime activities in some parts of the country may be especially at risk of reprisals. For example, in May 2019, journalist Gaetano Scariolo’s car was set on fire by unknown assailants. Scariolo, who covers criminal justice and whose work appears online, said, “I am sure that the intimidation has to do with my professional activity.”164

The interior ministry recorded 63 episodes of violence and intimidation against journalists in the first three months of 2021, amounting to a 50 percent increase compared to the first quarter of 2020; 42 percent of the 2021 cases involved online intimidation.165 Ossigeno per l’Informazione (The Ossigeno Observatory) documented 127 cases of threats and intimidation against Italian journalists and bloggers between April and June 2020.166

Hate speech remains an endemic problem on the Italian internet.167 Women journalists and politicians in particular are subject to virulent online harassment.

In 2018, journalist Annalisa Camilli received derogatory and threatening anonymous emails after publishing an online story about a migrant rescued at sea by the NGO Open Arms.168 Other women journalists have reported experiencing similar harassment, frequently for their coverage of the migration crisis.169 Independent lawmaker Laura Boldrini was harassed, including by prominent politicians such as Matteo Salvini, leader of the right-wing Lega, whose posts about her elicited death and rape threats from his online supporters.170

C8 0-3 pts
Are websites, governmental and private entities, service providers, or individual users subject to widespread hacking and other forms of cyberattack? 2 / 3

Cyberattacks have constituted a problem in Italy in recent years, though the defacement of or distributed denial-of-service (DDoS) attacks against the websites of political figures were less common during the latest coverage period. Hacks of public and private institutions continued to occur.

In its annual report, the Italian Association on Cybersecurity (CLUSIT) noted a decline in cybersecurity attacks in 2020, compared to 2019, especially in the months coinciding with the first lockdown, and an increase in attacks on endpoints, including employee devices. According to CLUSIT, the increase in endpoint attacks may have been related to the fact that many companies did not provide their employees with secure, company-issued laptops when they began working remotely during the pandemic.171

In March 2021, Wired reported that the Ministry for Economic Development (MISE) suffered a data breach the previous year and had failed to report it.172 The breach jeopardized the personal information of employees at the ministry.

In April 2020, the National Social Security Institute (INPS) was forced to shut down its website due to a data breach. Initially attributed to a series of cyberattacks, the incident occurred on the first day that self-employed Italians could apply for a coronavirus relief package announced by the government in mid-March. Early login attempts reportedly led to several cases in which other users’ information was displayed; the information was published by the hackers to reveal that they had obtained such data and would publish it all if a technical problem with the website was not fixed and users were not notified.173 The following day, by which time the site had become accessible again,174 the head of the DPA announced that it had started an audit of the INPS’s recovery measures in order to identify any further interventions that might be needed to protect personal data.175

It was reported in May 2020 that, two months earlier, hacktivist groups Anonymous Italia and LulzSec Italia had hacked the intranet of a major Milan hospital, San Raffaele. The email addresses and passwords of 2,400 hospital employees and the personal data (including name, date of birth, nationality, and social security number) of at least 600 patients were allegedly stolen. The hackers stated that the hospital administration, under the GDPR, should have alerted both the DPA and the individuals whose data were exposed, which they said never happened, and they threatened to publish the data online. The hospital denied that the data breach occurred.176

In a major data breach reported in April 2019, roughly 1.4 million users’ information was stolen from the Italian email services provider Italiaonline. Popular services Libero Mail and Virgilio Mail were also affected. A 24-year-old hacker was arrested and charged for the attack that month, but not before selling the data to an unidentified party. The hacker entered Italiaonline’s network by cracking its Wi-Fi network from a bar near the company’s headquarters.177

In March 2019, Vice reported that hackers working for an Italian surveillance company had infected hundreds of people’s devices with several malicious mobile apps that were hosted on the official Google Play store for months.178 Experts said that the operation may have ensnared innocent victims, as the spyware appears to have been faulty and poorly targeted. The DPA announced an investigation into the matter, with the head of the authority declaring that such tools posed a serious risk to citizens’ freedoms if deployed without the necessary safeguards. Prosecutors in turn launched an investigation into eSurv,179 the company that made the spyware, seizing its computers and shutting down the program’s infrastructure.

The 2018 general election campaign in particular was characterized by several high-profile hacks. In February 2018, the Florence section of the Democratic Party was hacked, and personal information, including former prime minister Matteo Renzi’s mobile phone number, was posted on Twitter by the hackers.180 In the same week, two of Salvini’s campaign websites were hacked, and some internal Lega party data were subsequently released on Twitter by the hackers. The AnonPlus collective claimed responsibility for both attacks.181 Separately, in November 2018, LulzSec Italia and another collective, AntiSec Italia, conducted attacks targeting the websites of the Ministry of Economic Development, the State Police, the Brothers of Italy party, and some local branches of other political parties.182

During the summer of 2017, the Five Star Movement was hacked by an attacker using the handle @r0gue_0. The perpetrator infiltrated Rousseau, the party’s online organizing platform, and leaked internal data, including a password used by staff to access the platform.183 The same hacker allegedly infiltrated the platform again in 2018, leaking phone numbers of two Five Star Movement ministers.184 In September 2018, the DPA opened an investigation into the platform’s security flaws and those of various websites connected to the Five Star Movement,185 and in April 2019 it fined Rousseau €50,000 ($61,400) for various data protection failures.186

Footnotes