Italy
Fourteen Eyes member with the EU’s highest wiretapping rate, state-sanctioned spyware legislation, 6-year data retention, and the Paragon scandal targeting journalists
Overview
EU Member State: Italy is subject to the GDPR, the Law Enforcement Directive, and the ePrivacy Directive. For the EU framework, see the EU Framework page. This page covers national laws, intelligence and surveillance, and Italy’s role in international data sharing.
Italy authorises more lawful interceptions than any other EU country, a practice rooted in decades of campaigns against the Mafia and domestic terrorism. The captatore informatico (state Trojan) is explicitly legislated for judicially authorised microphone capture, remote data access, and GPS tracking. Data retention extends to an extraordinary 72 months (6 years) for serious crimes, three times longer than any comparable EU regime. Sicily is one of Europe’s most strategically significant submarine cable hubs, with SEA-ME-WE 3/4, AAE-1, I-ME-WE, and Blue-Raman landing at Palermo and Catania.[1][2]
The Garante is one of the most active DPAs in Europe (467 GDPR fines totalling EUR 277M+, first ChatGPT ban, first generative AI GDPR fine). Italy was the first EU member state to enact a national AI law (Law 132/2025). In 2025, the Paragon spyware scandal revealed targeting of journalists and civil society before the vendor itself terminated Italy’s contract. Article 15 of the Italian Constitution guarantees the inviolability of correspondence, yet the country’s organised crime history has produced a legal culture where expansive surveillance enjoys broad support.[3]
Privacy Framework
The Garante per la protezione dei dati personali (four members, elected by Parliament for seven-year terms) has imposed landmark fines including E.ON Energia EUR 89.27M (largest Italian GDPR fine), Enel Energia EUR 79.1M, Clearview AI EUR 20M, and OpenAI EUR 15M (first generative AI fine), and imposed the world’s first national ChatGPT ban (March 2023). Italy retains criminal sanctions for data protection violations (6 months to 3 years imprisonment).[3][4]
The Privacy Code (d.lgs. 196/2003, amended 2018) supplements the GDPR with age of consent at 14, strict public interest processing requirements, and specific rules for genetic, biometric, and health data. The Electronic Communications Code (updated 2024) extends obligations to OTT services (WhatsApp, Signal, email).[5]
Surveillance and Intelligence
Intelligence System (Law 124/2007)
The 2007 reform dismantled Cold War-era agencies (SISDE, SISMI) and created:[6]
- AISE (Agenzia Informazioni e Sicurezza Esterna) – Foreign intelligence
- AISI (Agenzia Informazioni e Sicurezza Interna) – Domestic intelligence
- DIS (Dipartimento delle Informazioni per la Sicurezza) – Coordination under the Prime Minister
The reform separated intelligence by geography (not ministry), consolidated all agencies under the PM, and introduced functional guarantees for authorised operations.[7]
COPASIR Oversight
COPASIR (Comitato Parlamentare per la Sicurezza della Repubblica, 10 members) has exceptional powers by European standards: it can obtain information from the judiciary (exception to investigative secrecy), compel testimony from public and private entities (exception to professional secrecy), hear intelligence personnel (exception to state secrecy), and inspect intelligence offices. The Prosecutor General at the Rome Court of Appeal separately authorises intelligence wiretapping.[8]
Wiretapping: Highest in the EU
Governed by Articles 266–271 of the Code of Criminal Procedure. Two-stage judicial authorisation: prosecutor requests, GIP (Judge for Preliminary Investigations) grants by reasoned decree upon finding serious suspicion and absolute necessity. Despite the high legal standard, Italy authorises more interceptions than any other EU country.[1]
The captatore informatico (“computer interceptor”) is one of the few explicitly legislated state spyware frameworks in the EU. When judicially authorised, it can activate a device’s microphone, remotely access all stored data, and track GPS location. Justice Minister Nordio described these as “diabolical Trojans” while defending their regulation rather than prohibition. The Nordio Reform (Law 114/2024) restricted publication of wiretap transcripts, drawing criticism from press freedom organisations. In 2025, intelligence surveillance expansion provisions were stripped from a security bill following conflict with the EU European Media Freedom Act.[9][10]
Data Retention
Italy’s regime is the most extensive in the EU. Baseline: 24 months telephony, 12 months internet (Article 132 Privacy Code). Law 167/2017 extended maximum to 72 months (6 years) for serious crimes including international terrorism, organised crime, and offences under district prosecutors’ jurisdiction — three times longer than any comparable EU regime and three times the maximum of the EU Data Retention Directive that was struck down as disproportionate by the CJEU.[2][11]
The Garante has expressed proportionality concerns but cannot override parliamentary legislation. Compatibility with CJEU case law (Digital Rights Ireland, Tele2/Watson, SpaceNet) is an open question; no Italian court challenge has reached Luxembourg, partly because prosecutors and judges broadly support the regime as essential to combating organised crime.
Internet Infrastructure: Sicily Mediterranean Cable Hub
NAMEX (Rome, established 1994) and MIX-IT (Milan, established 1996) are Italy’s major IXPs.[12]
Sicily is one of Europe’s most strategically significant cable landing points, with major systems at Palermo and Catania: SEA-ME-WE 3 (Northern Europe to Southeast Asia), SEA-ME-WE 4 (France/Italy to Singapore), AAE-1 (25,000 km Europe-Asia), I-ME-WE (Italy to Pakistan/India), and Blue-Raman (Italy to Israel/Jordan/Saudi Arabia/India). Traffic between Europe and Asia therefore transits Italian territory even when neither endpoint has any connection to Italy beyond routing. AISE has interception authority under the 2005 Anti-Terrorism Law, and Fourteen Eyes membership means collected intelligence is shared with thirteen partner nations.[13]
Age Verification: Identity Infrastructure as Surveillance
AGCOM Resolution 96/25/CONS (April 2025) designated 48 platforms for mandatory age verification with compliance from November 2025. Italy’s approach uses a “double anonymity” principle (verification providers cannot see which service the proof is for; platforms receive no identifying information). Users prove age through SPID or CIE (national electronic ID), with anonymised tokens passed to platforms. It is widely considered the most advanced mandatory age-verification regime in the EU. Law 132/2025 (national AI law) requires parental consent for AI system access below age 14. The infrastructure creates government-linked identity touchpoints across the internet that, despite the privacy-preserving design, establish a surveillance-capable verification layer between Italian citizens and online platforms.[14]
International Data Sharing Agreements
Mutual Legal Assistance: Layered Framework
EU Member States (26 countries): EU MLA Convention 2000, Schengen Convention, EIO (transposed through d.lgs. 108/2017). Italy participates in Prüm (automated DNA/fingerprint/vehicle exchange; Prüm II adds facial images and police records). Italy is one of the highest-volume SIS II contributors (organised crime and migration).[15]
Council of Europe (50 signatory states): European Convention on MLA 1959 + Additional Protocols.
Bilateral MLAT with the United States: Signed 1982, in force November 13, 1985. Covers organised crime, terrorism, drug trafficking, money laundering. Ministry of Justice serves as central authority. Supplemented by the EU-US MLAT Enhancement (2010). Italy’s central role in Mediterranean organised crime generates substantial MLAT traffic in both directions.[16]
Fourteen Eyes (SIGINT Seniors Europe)
As a third-tier partner, AISE maintains bilateral SIGINT arrangements with the NSA. Italy’s Mediterranean position and organised crime intelligence are valuable contributions. The Anti-Terrorism Law enables wiretap data sharing with alliance partners under national security exemptions, effectively removing it from GDPR protection.[17]
Commercial Surveillance: Paragon and Pegasus
In January 2025, WhatsApp disclosed that ~100 journalists and civil society members worldwide were targeted with Paragon Graphite spyware via zero-click attacks, including Italian journalists Francesco Cancellato and Ciro Pellegrino and co-founders of Mediterranea Saving Humans. Paragon itself terminated Italy’s contract after determining Italy violated its terms. COPASIR investigated. The Garante had previously fined Clearview AI EUR 20M (2022). These cases demonstrate how commercial surveillance operates entirely outside both GDPR and intelligence alliance frameworks.[18]
EU-US and Multilateral Frameworks
- EU-US Umbrella Agreement: judicial redress for Italian citizens in US courts.
- SWIFT/TFTP: international wire transfers subject to US Treasury subpoena.
- PNR: Italy operates a national Passenger Information Unit (UIP).
- Europol: major contributor, particularly on organised crime and migrant smuggling; FBI cooperation channel.
- Interpol I-24/7.
- Egmont Group.
The Privacy Backdoor Effect
Despite the Garante’s enforcement (EUR 277M+ in fines) and GDPR Article 48 protections, alternative access pathways exist:
- Fourteen Eyes: AISE shares SIGINT with Five Eyes partners; NSA/GCHQ can collect on Italian persons and share with AISE
- EU Framework: Italian data in SIS II, Prüm, or EIO channels accessible to 27 EU states and through Europol to US FBI
- MLAT (1982): US requests through one of the oldest bilateral treaties, with potentially different evidentiary standards
- SWIFT/PNR: Financial transactions and air travel subject to US access
- Commercial spyware: Paragon demonstrated Italian government targeting of domestic journalists outside any legal framework
Recent Developments
Paragon Spyware Scandal (January 2025–March 2026): ~100 targets worldwide including Italian journalists. Intelligence chief acknowledged Graphite use. Paragon terminated Italy’s contract. COPASIR investigation (June 2025) concluded intelligence agencies “lawfully targeted” pro-immigration activists but found no evidence of journalist hack. In March 2026, Italian prosecutors confirmed that journalist Francesco Cancellato (editor-in-chief, Fanpage) was hacked with Graphite. Citizen Lab identified two additional targeted journalists, including Fanpage’s Naples newsroom head. The scandal has expanded across multiple European countries.[18][22]
Security Decree (DL 48/2025, Law 80/2025): Six UN Special Rapporteurs called on Italy to rescind provisions criminalising protest tactics and creating rioting offences in migrant detention. Human Rights Watch called it “a serious threat to rights and freedoms.” Enacted by emergency decree bypassing parliament.[19]
Chat Control: Italy Shifts to Undecided (October 2025): Italy moved from supporting to undecided on the EU CSAM Regulation, contributing to postponement of the Council vote. Notable given Italy’s historically permissive wiretapping culture — even within that tradition, mandatory scanning of encrypted messages was seen as a step too far.[20]
Nordio Wiretapping Reforms (2024–2025): Law 114/2024 restricted wiretap transcript publication. Intelligence surveillance expansion provisions stripped from 2025 security bill due to conflict with EU European Media Freedom Act — EU-level norms constraining Italy’s surveillance culture.[10]
National AI Law (Law 132/2025, October 2025): First EU member state with a comprehensive national AI law. Sector-specific provisions for healthcare (human decisional authority), employment (AI disclosure), intellectual professions, and criminal law. Deepfake dissemination: 1–5 years imprisonment. First country with explicit AI copyright protection. AgID/ACN/Garante tripartite oversight.[21]
