Italy
Fourteen Eyes member, first country to ban ChatGPT, and home to one of Europe's most active data protection authorities
EU Member State: Italy is a member of the European Union and is therefore subject to the General Data Protection Regulation (GDPR), the Law Enforcement Directive, the ePrivacy Directive, and other EU-level data protection instruments. For a detailed treatment of the EU framework, see the EU Framework page. This page covers Italy’s national implementing legislation, domestic enforcement record, intelligence and surveillance laws, and its role in the Fourteen Eyes intelligence alliance.
Overview
Italy’s data protection authority, the Garante per la protezione dei dati personali, is one of the most active regulators in Europe, responsible for landmark actions including the world’s first national ban of ChatGPT and the first generative AI GDPR fine, as well as some of the largest data protection penalties in European history, as detailed in the sections below.[1]
Italy is also a member of the Fourteen Eyes intelligence alliance (SIGINT Seniors of Europe / SSEUR), and on the surveillance side, the country has the highest level of lawful wiretapping in the European Union, a legally defined framework for deploying state-sponsored spyware, and the longest mandatory data retention period in the EU, each covered in dedicated sections below.[4][5]
Italy's privacy framework reflects a significant tension: a regulator that will ban cutting-edge AI systems overnight and impose nine-figure fines on energy companies, operating within a legal system that simultaneously authorizes continental Europe’s most extensive wiretapping regime and demands that telecommunications providers preserve user data for years longer than any other EU member state. Understanding Italy means understanding both of these impulses simultaneously.
Italy’s privacy framework is also shaped by its constitutional tradition. Article 15 of the Italian Constitution declares that “the freedom and secrecy of correspondence and of every other form of communication are inviolable” and that limitations may only be imposed by a reasoned order of the judiciary “with the guarantees established by law.” This constitutional guarantee provides the foundational principle against which all surveillance, interception, and data retention laws must be measured, and frequently are, through challenges before Italy’s Constitutional Court (Corte costituzionale).
The Italian data protection landscape is further shaped by the country’s unique historical relationship with organized crime. The prolonged campaigns against the Sicilian Mafia, the Neapolitan Camorra, and the Calabrian ’Ndrangheta have created a legal culture in which expansive law enforcement surveillance powers enjoy broad political support across the ideological spectrum. This context explains why Italy can simultaneously be the most active GDPR enforcer in Europe and the most permissive wiretapping jurisdiction; the two are not perceived as contradictory in the Italian legal tradition, but as complementary tools serving different objectives.
Data Protection Authority: The Garante
The Garante per la protezione dei dati personali (the “Garante”) was established in 1996 under Italy’s original data protection legislation, Law 675/1996, and is now governed by Title II of the Privacy Code (d.lgs. 196/2003). It is a collegial body composed of four members (a president and three other members) elected by the Italian Parliament (two by the Chamber of Deputies, two by the Senate), serving seven-year non-renewable terms.[6]
The Garante has established itself as one of the most active and consequential DPAs in Europe. As of early 2026, Italy has imposed 467 GDPR fines totaling EUR 277,173,160, a figure that places Italy consistently among the top three EU member states for total enforcement volume alongside Ireland and Luxembourg.[1] The Garante has acted on an expedited basis in several high-profile cases, including its emergency ban on ChatGPT.
The Garante’s inspection plan for the first half of 2025 prioritized data breaches and security of public databases, credit institution databases, call centers, email marketing, and unauthorized energy sector contracts, reflecting the authority’s systematic approach to high-risk sectors.[7] New areas of focus for 2025 include the National Statistical Program (PSN), the use of biometric data in driving examinations, and broad-based inspections of both public and private entities processing sensitive categories of data.
The ChatGPT Ban and OpenAI Fine
The Garante’s most internationally significant action was its March 30, 2023 emergency order against OpenAI, which made Italy the first country in the world to ban ChatGPT. The order cited four grounds: absence of a legal basis for the mass collection and processing of personal data used to train ChatGPT’s algorithms; failure to provide any transparency information to data subjects whose data was collected; generation of factually inaccurate information about individuals (hallucinations); and failure to implement any age verification mechanism to prevent minors under 13 from accessing the service.[8]
OpenAI was given 20 days to respond. The ban was lifted on April 28, 2023 after OpenAI implemented age gating, an EU privacy policy, a mechanism for Italian users to object to data processing, and a plan to submit a full age verification system by September 30, 2023.[9] But the story did not end there. The Garante continued its investigation, and on December 20, 2024, it imposed a EUR 15 million fine on OpenAI, the first GDPR fine against a generative AI company anywhere in the world.[2] The final decision found that OpenAI lacked any legal basis for training data collection, failed in its transparency obligations, provided inadequate age verification, and failed to notify the Garante of the March 2023 data breach that had initially triggered the investigation. As part of the corrective measures, the Garante ordered OpenAI to conduct a six-month informational campaign across Italian media (radio, television, newspapers, and the internet) to inform the Italian public about how ChatGPT processes personal data and their rights under the GDPR.[2]
Major Enforcement Actions
The ChatGPT fine, while globally significant, is far from the Garante’s largest. Notable enforcement actions include:
Enel Energia S.p.A. (February 2024): EUR 79.1 million – The largest fine in the Garante’s history and one of the largest GDPR fines in Europe. The investigation revealed that four companies, operating without any cooperation agreement or authorization from Enel, had promoted electricity and gas services through forged forms and falsified identification documents. Between 2015 and 2022, approximately 9,300 contracts were illicitly introduced into Enel’s systems, with 978 confirmed as directly resulting from the fraudulent activity. The Garante found Enel responsible for violating accountability and privacy-by-design principles, failing to conduct adequate risk assessments related to its “N.Eve” telemarketing platform, and failing to control the agencies conducting telemarketing on its behalf.[3]
Clearview AI (March 2022): EUR 20 million – The Garante fined the American facial recognition company for unlawfully processing biometric and geolocation data of individuals located in Italy. Clearview had scraped billions of facial images from publicly available sources (social media profiles, news sites, and other websites) without any legal basis or consent, and used them to build a facial recognition database marketed to law enforcement agencies worldwide. The Garante found that the processing involved special categories of data (biometric data) without any of the GDPR’s Article 9 exceptions, and that Clearview had failed to provide any transparency information to the millions of individuals whose faces it had captured. The Garante ordered Clearview to delete all data relating to individuals in Italy and imposed a permanent prohibition on any further collection of Italian data.[10]
Axpo Italia (September 2023): EUR 10 million – Fined for processing outdated and inaccurate customer data in its energy services operations.
TIM S.p.A. (April 2023): EUR 7.6 million – Italy’s largest telecommunications company was fined for unlawful telemarketing practices.
Eni Plenitude (June 2024): EUR 6.4 million – Another energy sector fine for unlawful telemarketing activities.
Autostrade per l’Italia (2025): EUR 420,000 – Fined after the toll-road operator used content extracted from an employee’s personal Facebook profile and private chats to justify disciplinary proceedings, in violation of the principles of lawfulness, purpose limitation, and data minimization.[11]
The pattern in Italy’s enforcement record is notable: telemarketing and unauthorized data acquisition in the energy sector account for a disproportionate share of the largest fines. This reflects both the prevalence of aggressive telemarketing practices in the Italian market (where consumers routinely receive unsolicited calls from energy resellers operating through opaque chains of sub-agents) and the Garante’s systematic focus on combating them. Italy’s Registro delle Opposizioni (Opposition Register), which allows citizens to opt out of telemarketing calls, has not eliminated the problem, and the Garante has continued to impose significant fines in this sector.
National Framework: The Privacy Code
Italy’s primary national data protection legislation is the Personal Data Protection Code (Codice in materia di protezione dei dati personali), enacted as Legislative Decree 196/2003 (commonly referred to as the “Privacy Code” or Codice Privacy). Originally a comprehensive standalone law, it was extensively amended by Legislative Decree 101/2018 (the “Harmonization Decree”), effective September 19, 2018, to align with the GDPR while retaining those provisions that the GDPR delegates to member state discretion.[12]
Key National Derogations
Age of consent for information society services: Italy has set the age at which a child may independently consent to data processing in the context of information society services at 14 years, rather than the GDPR’s default of 16 or the minimum floor of 13. Below 14, parental or guardian consent is required.[12]
Public interest processing: The Harmonization Decree specifies that data processing carried out in the performance of tasks in the public interest or the exercise of official authority may only be based on a specific provision of law or, where the law so provides, a regulation. This is stricter than the GDPR’s general Article 6(1)(e) basis and ensures parliamentary oversight of public-sector data processing.[13]
Special categories of data: The Privacy Code contains specific provisions governing the processing of genetic data, biometric data, health data, and data relating to criminal convictions and offenses (“judicial data”). The Garante is empowered to issue specific authorizations and codes of conduct for these data categories, providing a more granular regulatory layer than the GDPR alone requires.[13]
Criminal sanctions: Unlike many EU member states that rely solely on the GDPR’s administrative fines, Italy has retained criminal sanctions for specific data protection violations. These include unlawful processing of personal data resulting in harm (Article 167), fraudulent notification or communication to the Garante (Article 168), failure to comply with Garante measures (Article 170), and violations of specific data subject rights provisions. These offenses carry penalties of imprisonment ranging from six months to three years, providing a deterrent that goes beyond financial penalties. The retention of criminal sanctions is notable: it means that in Italy, a sufficiently serious data protection violation is not merely a regulatory infraction but a criminal offense that can result in a prison sentence.[12]
Repeal of minimum security measures: The Harmonization Decree repealed the prescriptive “Minimum Security Measures” that had been detailed in Annex B of the original Privacy Code. These were replaced by the GDPR’s risk-based accountability approach under Articles 24 and 32, requiring controllers and processors to implement measures appropriate to the risk rather than comply with a fixed checklist.[12]
Electronic Communications Code
Italy’s Electronic Communications Code (Legislative Decree 259/2003) provides the regulatory framework for telecommunications and is separate from but interacts with the Privacy Code. It was substantially updated by Legislative Decree 207 of December 28, 2023, transposing the European Electronic Communications Code (EECC, Directive 2018/1972), with the new provisions taking effect in 2024.[14]
The updated code modernizes the framework for electronic communications services in several important ways. It extends regulatory obligations to over-the-top (OTT) communication services (messaging apps like WhatsApp and Signal, voice-over-IP services, and email providers), bringing them under the same regulatory umbrella as traditional telecommunications providers. It strengthens end-user rights provisions, including enhanced transparency requirements for contracts and stronger protections for switching between providers. The regulatory authority AGCOM (Autorità per le Garanzie nelle Comunicazioni) oversees compliance with the Electronic Communications Code, while the Garante retains jurisdiction over data protection aspects of electronic communications.
Surveillance and Intelligence
Italy’s intelligence and surveillance architecture underwent a fundamental transformation in 2007 when Law 124/2007 dismantled the Cold War-era intelligence structure and created an entirely new system with clearer mandates, stronger parliamentary oversight, and an innovative multi-layered accountability framework.[15]
The Intelligence System
The 2007 reform replaced the previous agencies, SISDE (domestic), SISMI (military/foreign), and CESIS (coordination), with a restructured system that separates intelligence functions by geography rather than ministry:
AISE (Agenzia Informazioni e Sicurezza Esterna) – The foreign intelligence and security agency, responsible for intelligence activities outside Italian territory. AISE may only conduct operations within Italian borders in coordination with AISI, and its activities abroad relate to the defense of the Republic’s independence, integrity, and security from threats emanating from external sources.[16]
AISI (Agenzia Informazioni e Sicurezza Interna) – The domestic intelligence and security agency, responsible for protecting the Republic’s security from internal threats, including espionage, terrorism, subversion, and organized crime. AISI may only conduct activities abroad in coordination with AISE.[16]
DIS (Dipartimento delle Informazioni per la Sicurezza) – The coordination department, operating under the direct authority of the President of the Council of Ministers (Prime Minister). DIS coordinates AISE and AISI, ensures coherence in intelligence policy, and maintains the central archive of intelligence materials. The Prime Minister retains ultimate political responsibility for the intelligence system.[17]
This was not merely a renaming exercise. The pre-2007 structure had SISMI as a branch of the defense ministry and SISDE as part of the interior ministry, creating competing bureaucratic loyalties and enabling the scandals that plagued Italian intelligence for decades, including allegations of involvement in Cold War “stay-behind” operations (Gladio) and the P2 Masonic lodge affair. The reform consolidated all intelligence under the Prime Minister’s office and drew a clear geographical line between domestic and foreign intelligence, with mandatory coordination requirements to prevent the institutional rivalries and operational failures that had characterized the old system. The reform also introduced functional guarantees (garanzie funzionali) that provide legal protection for intelligence officers performing authorized operations, while establishing clearer boundaries on what activities are permissible.[15]
Oversight: COPASIR
Law 124/2007 also transformed parliamentary oversight of intelligence activities by creating the Comitato Parlamentare per la Sicurezza della Repubblica (COPASIR), replacing and significantly strengthening the former COPACO. COPASIR is composed of five deputies and five senators and is mandated by Article 30 of Law 124/2007 to “systematically and continuously” verify that the activities of the intelligence system are carried out in accordance with the Constitution and the law.[18]
COPASIR’s investigative powers are exceptional by European standards. Article 30 of Law 124/2007 grants it four extraordinary powers, each representing an exception to protections that would otherwise bar access:
• It can obtain information from the judiciary – an exception to the ordinary secrecy of judicial investigations.
• It can compel testimony from public and private entities – an exception to professional secrecy obligations.
• It can hear intelligence personnel directly – an exception to state secrecy.
• It can arrange inspections of intelligence offices, subject to notification to the Prime Minister.[18]
Law 124/2007 also introduced three sets of oversight mechanisms beyond COPASIR:[19]
Internal administrative review: Each agency has internal compliance structures responsible for ensuring operations conform to legal requirements and authorized mandates.
External judicial review: The Prosecutor General at the Rome Court of Appeal exercises judicial oversight of intelligence wiretapping, ensuring that intercepts conducted for national security purposes receive independent judicial authorization separate from the ordinary criminal justice system.
Political accountability: The Prime Minister retains ultimate political responsibility for the intelligence system. The Prime Minister may delegate day-to-day intelligence authority to an Under-Secretary of State (the Autorità Delegata), but cannot delegate the constitutional responsibility itself, ensuring a single point of political accountability at the highest level of government. This structure is designed to prevent the diffusion of responsibility that characterized the pre-2007 system, where intelligence failures could be attributed to inter-ministerial disputes rather than to any single accountable official.
Wiretapping: Lawful Interception
As noted in the Overview, Italy has the highest level of lawful interception of communications in the European Union, a distinction rooted in the country’s decades-long struggle against organized crime and domestic terrorism. The Mafia trials of the 1980s and 1990s, the anti-Mafia campaign led by judges Giovanni Falcone and Paolo Borsellino (both assassinated in 1992), and the Years of Lead (Anni di piombo) domestic terrorism of the 1970s and 1980s all shaped a legal culture that views communications interception as an indispensable investigative tool.
Wiretapping is governed by Articles 266–271 of the Code of Criminal Procedure (Codice di procedura penale), which establish a two-stage judicial authorization process: the public prosecutor must request authorization from the Giudice per le Indagini Preliminari (GIP, Judge for Preliminary Investigations), who grants it by reasoned decree only upon finding serious suspicion of one of the listed offenses and absolute necessity for the continuation of the investigation. The standard is intentionally high (“gravi indizi di reato”, or serious indications of crime), but in practice Italy authorizes more interceptions than any other EU country.[20]
Italian law also provides a formal legal framework for the captatore informatico (“computer interceptor”), effectively state-sanctioned spyware or Trojan horse software. When deployed with judicial authorization, the captatore informatico can perform three functions: interception of conversations by activating a device’s microphone (turning it into a surveillance tool), remote access to stored data on the infected device, and electronic tracking through GPS location collection.[20]
Italy is one of the few EU countries to have explicitly legislated the conditions under which this technology may be used, rather than leaving it in a legal gray zone. The captatore informatico is particularly significant because, unlike traditional wiretapping of telephone lines, it compromises the target’s entire device, potentially capturing encrypted communications, stored files, photographs, browsing history, and real-time location data. Justice Minister Nordio himself described these tools as “diabolical Trojans” (trojan diabolici), acknowledging their extraordinary invasive power while defending the need to regulate rather than ban them.[21]
Intelligence wiretapping operates under a parallel regime with two levels of control: judicial oversight by the Prosecutor General at the Rome Court of Appeal, who must authorize intelligence intercepts; and parliamentary oversight through COPASIR.[20]
The Nordio Reform (2024–2025)
Justice Minister Carlo Nordio’s reform of the wiretapping framework, enacted as Law No. 114/2024 (effective August 25, 2024), introduced significant restrictions on the publication and use of wiretapping records. The reform prohibits the publication of wiretapped conversations unless their contents have been reproduced by a judge in a judicial decision or used during a hearing, and enhances the confidentiality protections for suspects.[21]
The reform drew sharp criticism from press freedom organizations. The Italian Press National Federation and trade associations characterized the restrictions on publishing wiretap transcripts as a direct attack on press freedom and the public’s right to be informed about matters of public interest.[21] In 2025, provisions that would have expanded intelligence surveillance powers were stripped from a security bill following criticism that they conflicted with the EU’s new European Media Freedom Act, illustrating the ongoing tension between Italy’s expansive interception culture and EU-level press freedom protections.[22]
Data Retention
Italy’s data retention regime is the most extensive in the European Union, reflecting the Italian legal system’s emphasis on law enforcement access to communications data, a priority driven by decades of combating organized crime, particularly the Mafia, the Camorra, and the ’Ndrangheta.
Article 132 of the Privacy Code establishes the baseline retention periods: 24 months for telephony traffic data and 12 months for internet traffic data. These periods already exceed the norms in many other EU member states.[23]
However, the most dramatic provision is found in Law 167/2017, subsequently reinforced by Decree 132/2021 (converted into Law 178/2021), which extended the maximum retention period to an extraordinary 72 months (six years) for telecommunications and electronic communications traffic data when needed for the detection and suppression of serious crimes. The serious crimes covered include international terrorism, organized crime, and other offenses falling under the jurisdiction of district prosecutors or where preliminary investigations may be extended to two years.[5]
This six-year retention period is three times longer than any comparable regime in the EU. For context, Germany’s data retention law was struck down by the Federal Constitutional Court as unconstitutional, France mandates 12 months, the Netherlands operates on 12 months, and the CJEU’s landmark decisions in Digital Rights Ireland (2014) and Tele2/Watson (2016) invalidated EU-wide data retention on proportionality grounds. Even the original EU Data Retention Directive, struck down as disproportionate by the CJEU, had only mandated a maximum of 24 months. Italy’s regime has been widely criticized by civil liberties organizations, with the Civil Liberties Union for Europe arguing that it constitutes mass surveillance that threatens the fundamental right to privacy.[24]
The practical effect of six-year retention is significant: every phone call, text message, and internet connection made by any person in Italy generates metadata that telecommunications providers must store for six years if it could potentially be relevant to serious crime investigations. This means that a complete record of who communicated with whom, when, for how long, and from where exists for the vast majority of Italian communications, accessible to prosecutors investigating a broad range of offenses. The Garante itself has repeatedly expressed concerns about the proportionality of this regime, but has been unable to override the parliamentary legislation that mandates it.
The regime’s compatibility with EU law remains an open question. The CJEU has repeatedly held that general and indiscriminate retention of traffic and location data is incompatible with EU law, permitting targeted retention only where there is a serious threat to national security, and subject to strict safeguards including prior review by a court or independent administrative body. The CJEU’s 2022 SpaceNet decision further narrowed the circumstances under which member states may mandate data retention, requiring that any retention be limited in time, targeted in scope, and subject to effective judicial oversight.[24]
Italy’s six-year retention mandate for broad categories of serious crime sits uncomfortably with this case law. A preliminary reference from an Italian court to the CJEU could trigger a ruling that forces either legislative reform or judicial invalidation of the regime. To date, however, no such challenge has succeeded in reaching Luxembourg, in part because Italian prosecutors and judges broadly support the retention regime as essential to combating organized crime, and in part because the Italian government has consistently argued that its regime falls within the national security exception that the CJEU has recognized in its more recent case law.
Fourteen Eyes Intelligence Alliance
Italy is a member of the Fourteen Eyes alliance, formally known as SIGINT Seniors of Europe (SSEUR). This multilateral signals intelligence sharing arrangement expanded from its original nine members (formed in 1982 during the Cold War to monitor the Soviet Union) to fourteen members following the September 11, 2001 attacks, when its focus shifted to counterterrorism.[4]
As a third-tier partner (behind the Five Eyes core and the Nine Eyes inner circle), Italy maintains formal bilateral signals intelligence arrangements between AISE and the United States National Security Agency. The NSA is the global leader in SIGINT, and most SIGINT agreements, whether multilateral or bilateral, center on which partner nations receive access to NSA data and technology, and what intelligence they provide in return. Italy’s contribution includes its geographically strategic position in the Mediterranean, its intelligence on organized crime networks, and its signals intelligence capabilities in Southern Europe and North Africa.[25]
Italy’s Anti-Terrorism Law enables intelligence agencies to use wiretaps and share the resulting data with alliance partners for national security purposes.[26] This creates a significant tension with Italy’s GDPR obligations: data shared with foreign intelligence partners under national security exemptions effectively exits the GDPR’s protective framework, and Italian citizens have no practical recourse to discover or challenge such transfers. The Snowden revelations confirmed that SSEUR members routinely share intercepted communications data, though the precise scope of Italian contributions remains classified.
For users of privacy-focused services, Italy’s Fourteen Eyes membership means that data stored within Italian jurisdiction is potentially accessible not only to Italian intelligence agencies but, through bilateral sharing arrangements, to the intelligence services of thirteen other nations, including the United States, the United Kingdom, Canada, Australia, and New Zealand (the Five Eyes core), as well as France, Denmark, the Netherlands, Norway, Germany, Belgium, Spain, and Sweden. This consideration is relevant when evaluating the privacy implications of services hosted in or routed through Italy.
The interaction between Italy’s intelligence sharing obligations and the GDPR’s restrictions on international data transfers remains one of the unresolved tensions in Italian law. While the GDPR exempts national security processing from its scope (Article 2(2)(a)), the boundary between national security intelligence and ordinary law enforcement data, which is subject to the GDPR and the Law Enforcement Directive, is not always clear. Intelligence agencies may acquire data through GDPR-regulated channels before classifying it as national security material, at which point it exits the GDPR’s protective framework entirely.
Recent Developments
AI Regulation Leadership (2023–2025): Italy's temporary ChatGPT ban drew significant attention across the technology industry and prompted DPAs across Europe, including France’s CNIL, Germany’s BfDI, and Ireland’s DPC, to open their own investigations into generative AI systems. The European Data Protection Board (EDPB) created a dedicated ChatGPT task force to coordinate the EU-wide response. The December 2024 fine was the first GDPR fine imposed on a generative AI company, and the Garante has continued to scrutinize AI services throughout 2025, including the imposition of a definitive limitation on the processing of Italian users’ personal data by certain platforms.[27]
Employee Email Metadata (2025): The Garante issued its first GDPR fine relating to the unlawful retention of metadata from employees’ corporate email accounts, establishing that email metadata (including sender, recipient, timestamp, and subject line information) is subject to full GDPR protection and cannot be retained indefinitely for monitoring purposes.[28]
Inspection Focus Areas (2025): The Garante’s 2025 inspection plan targets several priority areas: data breach response and security of public databases, credit institution data practices, call center and email marketing compliance, the National Statistical Program, and the use of biometric data in driving examinations.[7]
Energy Sector Enforcement Trend: The Enel Energia fine was not an isolated event but the culmination of a systematic enforcement campaign. The Garante has methodically targeted Italy’s energy sector, where aggressive telemarketing and unauthorized contract acquisition have been endemic problems for years. The Italian energy market was liberalized in stages, with full deregulation for household customers completed in 2024, creating intense competition among energy providers and a corresponding explosion in telemarketing activity, much of it conducted through chains of sub-agents and intermediaries operating outside authorized sales networks. The Eni Plenitude and Axpo Italia fines, combined with the record-setting Enel penalty, signal that the Garante treats this sector as a priority enforcement area with correspondingly severe sanctions.
Nordio Wiretapping Reforms (2024–2025): The tension between law enforcement’s surveillance powers and privacy rights continues to evolve under Justice Minister Nordio’s reform agenda. While the 2024 reform (Law 114/2024) restricted public access to wiretapping transcripts (a change that benefits suspects’ privacy but limits press freedom), the removal of intelligence surveillance expansion provisions from the 2025 security bill suggests that EU-level norms, particularly the European Media Freedom Act, are beginning to constrain Italy’s historically permissive approach to communications interception. This dynamic illustrates how EU-level legislation can act as an external check on national surveillance impulses, even in a country with deeply entrenched wiretapping traditions.[22]
Electronic Communications Code Update (2024): The transposition of the European Electronic Communications Code through Legislative Decree 207/2023, effective 2024, modernized Italy’s telecommunications regulatory framework. The update extends regulatory obligations to over-the-top (OTT) communication services and strengthens end-user rights provisions, aligning Italy with the EU’s updated approach to electronic communications regulation.[14]
Double Opt-In for Marketing (2025): Enforcement developments in 2025 have raised questions about whether Italy is moving toward a de facto mandatory double opt-in standard for marketing consent, requiring not just initial consent but a subsequent confirmation step before marketing communications may lawfully be sent. While not yet formally legislated as a statutory requirement, the Garante’s enforcement pattern in telemarketing cases suggests an increasingly strict interpretation of what constitutes valid, freely given, and informed consent for marketing communications. This trend has significant implications for companies operating in the Italian market, particularly in the energy and telecommunications sectors.
National AI Law – Law No. 132/2025 (October 2025): Italy became the first EU member state to enact a comprehensive national AI law when Law No. 132/2025 entered into force on October 10, 2025. The law, composed of 28 articles across six chapters, complements the EU AI Act (Regulation 2024/1689) by addressing regulatory areas left to member state discretion. It introduces sector-specific AI provisions for healthcare (requiring that patients be informed and that a human retain decisional authority over AI-assisted diagnosis and treatment), employment (mandating employer disclosure when AI is used and guaranteeing employee access to the data processed), intellectual professions, public administration, and criminal law. Notably, the law makes Italy the first country with explicit AI copyright provisions, establishing that AI-generated works do not receive copyright unless a human author has exercised creative control, and that the use of copyrighted works for AI training requires authorization. The criminal provisions are also significant: dissemination of deepfakes intended to deceive or cause harm is punishable by one to five years’ imprisonment. For minors, the law requires parental consent for AI system access and related data processing below age 14, while those aged 14–18 may consent independently. Oversight is split between Italy’s Digital Transformation Agency (AgID) and National Cybersecurity Agency (ACN), coordinated by a special committee under the Presidency of the Council of Ministers. Unlike the EU AI Act’s phased implementation timeline, several provisions of the Italian law are already fully applicable.[29][38]
Paragon Spyware Scandal (January–June 2025): In January 2025, WhatsApp disclosed that approximately 100 journalists and civil society members worldwide had been targeted with Graphite spyware developed by Israeli firm Paragon Solutions via zero-click attacks delivered through malicious PDFs. Among the confirmed Italian targets were Francesco Cancellato, editor-in-chief of news outlet Fanpage.it, journalist Ciro Pellegrino, and co-founders of Mediterranea Saving Humans, a migrant rescue organization that had frequently criticized Prime Minister Meloni’s government. The Citizen Lab at the University of Toronto provided forensic confirmation linking the infections to a single Paragon operator. The Italian government admitted that seven Italians were targeted but maintained the surveillance was lawful and prosecutor-supervised. Alfredo Mantovano, the Undersecretary to the Prime Minister who holds the delegated authority for the intelligence services, acknowledged the use of Graphite. The parliamentary intelligence oversight committee COPASIR investigated the matter extensively, and by June 2025 Italy’s intelligence services had terminated their contracts with Paragon, after the company itself determined that Italy had violated its terms of service and ethical framework. The scandal drew condemnation from Amnesty International and reignited debate over Italy’s captatore informatico framework and its adequacy for preventing abuse of state-sponsored spyware.[30][31][39]
E.ON Energia Fine – EUR 89.27 Million (2025): The Garante imposed a fine of EUR 89.27 million on E.ON Energia, surpassing the previous record EUR 79.1 million Enel Energia penalty (February 2024) to become the largest Italian GDPR fine in history. The investigation found widespread unlawful telemarketing activities conducted without a valid legal basis, coupled with the company’s failure to respond adequately to data subject access requests. The fine continued the Garante’s systematic enforcement campaign against the energy sector’s endemic telemarketing abuses, reinforcing that Italy treats unauthorized data acquisition and aggressive telemarketing through uncontrolled chains of sub-agents as among the most serious GDPR violations. The energy sector now accounts for each of the three largest Italian GDPR fines ever imposed.[1][40]
NIS2 Transposition with Expanded Scope (October 2024): Italy transposed the EU NIS2 Directive through Legislative Decree No. 138/2024, published October 1, 2024 and entering into force on October 16, 2024. Notably, Italy went beyond the minimum EU requirements by adding two national annexes. Annex III extends cybersecurity obligations to public administrations of any size, while Annex IV brings in sectors not mandated by the directive itself, including local public transport providers, research-active educational institutions, cultural heritage organizations, and publicly controlled companies. Italy’s decision to include cultural heritage institutions is particularly distinctive, reflecting the country’s recognition that its vast network of museums, archaeological sites, and cultural archives constitutes critical national infrastructure warranting cybersecurity protection. Obligations for regulated entities are being introduced gradually, with full compliance required by October 2026.[32][41]
Clothoff Deepfake App Ban (October 3, 2025): The Garante ordered an emergency suspension and immediate temporary limitation on the processing of Italian users’ personal data by Clothoff, a generative AI application that creates hyper-realistic “deep nude” images depicting real people, including minors, in nude or sexually explicit poses. The company, registered in the British Virgin Islands, was found to lack any age restrictions, any system for verifying consent from the individuals depicted, and adequate disclosure that outputs were AI-generated. The Garante simultaneously launched a broader formal investigation into the operation of “nudifying apps” as a category, citing serious risks to fundamental rights and freedoms, particularly those of minors. The action represents the Garante’s continued willingness to issue emergency orders against AI services, following the precedent established by the 2023 ChatGPT ban.[33][42]
AGCOM Age Verification for Adult Content (Resolution 96/25/CONS, April 8, 2025): Italy’s communications regulator AGCOM adopted Resolution 96/25/CONS on April 8, 2025, designating 48 online platforms required to implement age verification systems to prevent minors from accessing pornographic material, with compliance required from November 12, 2025. The platforms include Pornhub, Xvideos, Xhamster, LiveJasmin, and OnlyFans, among others. Italy’s approach is built on a distinctive “double anonymity” (double blind) principle: the age verification provider cannot see which service the age proof is being issued for, and the proof shared with the platform contains no identifying user information. Users prove their age through certified digital identity systems such as SPID or CIE (Italy’s national electronic ID card) or through privacy-preserving facial age estimation, but the verification token passed to the platform is anonymized, so the platform cannot link access to any individual’s identity. The guarantee is only as strong as the token design: a proof that is reusable, long-lived or carries a stable identifier would let platforms correlate visits, and a provider that receives the relying party’s identity in the request would break the first blind. Commentators have described the scheme as among the most privacy-protective mandatory age verification regimes in the EU, combining robust identity proofing with a double-blind architecture.[34]
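The double-blind exchange described above, reduced to code as an added example. This is not AGCOM’s technical specification nor any provider’s implementation; the field names, the platform-issued nonce, the Ed25519 signature and the birth-date input are all assumptions chosen to illustrate the two blinds (the provider sees only a random nonce, the platform sees only a signed yes/no claim). SPID/CIE authentication and facial age estimation are out of scope and are represented by the birth date the caller passes to the provider.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AgeProof is the entire payload the platform receives: a yes/no claim,
// the platform's nonce and an expiry. It deliberately has no field that
// could identify the user (no name, fiscal code, SPID/CIE attributes or
// provider-side user id). Field names are assumptions for this example.
type AgeProof struct {
	Over18 bool   `json:"over18"`
	Nonce  string `json:"nonce"`
	Exp    int64  `json:"exp"` // Unix seconds
}

// SignedProof is the opaque token the user's browser relays from the
// provider to the platform.
type SignedProof struct {
	Payload   []byte
	Signature []byte
}

// Provider models the age-verification provider. A real one would first
// authenticate the user via SPID/CIE or run facial age estimation; here
// the caller supplies the resulting birth date directly.
type Provider struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewProvider() (*Provider, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Provider{priv: priv, Pub: pub}, nil
}

// Issue signs an over-18 claim bound to the nonce. First blind: the
// provider learns only a random nonce, never which platform issued it.
func (p *Provider) Issue(birth time.Time, nonce string, now time.Time, ttl time.Duration) (SignedProof, error) {
	over18 := !birth.AddDate(18, 0, 0).After(now)
	payload, err := json.Marshal(AgeProof{Over18: over18, Nonce: nonce, Exp: now.Add(ttl).Unix()})
	if err != nil {
		return SignedProof{}, err
	}
	return SignedProof{Payload: payload, Signature: ed25519.Sign(p.priv, payload)}, nil
}

// Platform models the adult site. It trusts the provider's public key,
// hands out one nonce per session and never learns who the user is.
type Platform struct {
	providerPub ed25519.PublicKey
	pending     map[string]bool // nonces issued but not yet consumed
}

func NewPlatform(pub ed25519.PublicKey) *Platform {
	return &Platform{providerPub: pub, pending: map[string]bool{}}
}

// Challenge returns a fresh single-use nonce; it binds the proof to this
// session and blocks replay of a proof captured elsewhere.
func (s *Platform) Challenge() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	n := hex.EncodeToString(b)
	s.pending[n] = true
	return n, nil
}

// Verify accepts a proof only if the signature is the trusted provider's,
// the payload carries no fields beyond AgeProof (second blind: nothing
// identifying can be smuggled in), the nonce is ours and unused, the proof
// is unexpired and the claim is over-18. Every failure is fail-closed.
func (s *Platform) Verify(sp SignedProof, now time.Time) error {
	if !ed25519.Verify(s.providerPub, sp.Payload, sp.Signature) {
		return errors.New("signature not from trusted provider")
	}
	dec := json.NewDecoder(bytes.NewReader(sp.Payload))
	dec.DisallowUnknownFields()
	var pr AgeProof
	if err := dec.Decode(&pr); err != nil {
		return fmt.Errorf("payload rejected: %w", err)
	}
	if !s.pending[pr.Nonce] {
		return errors.New("unknown or already-used nonce")
	}
	delete(s.pending, pr.Nonce) // single use, consumed even if later checks fail
	if now.Unix() > pr.Exp {
		return errors.New("proof expired")
	}
	if !pr.Over18 {
		return errors.New("user is under 18")
	}
	return nil
}

func main() {
	prov, _ := NewProvider()
	site := NewPlatform(prov.Pub)
	now := time.Date(2025, 11, 12, 0, 0, 0, 0, time.UTC) // constructed clock
	nonce, _ := site.Challenge()
	proof, _ := prov.Issue(time.Date(2000, 1, 1, 0, 0, 0, 0, time.UTC), nonce, now, time.Hour)
	fmt.Println("platform sees only:", string(proof.Payload))
	fmt.Println("first use:", site.Verify(proof, now))
	fmt.Println("replay:", site.Verify(proof, now))
}
```

The `DisallowUnknownFields` call is the platform-side enforcement of the second blind: even a misconfigured or colluding provider cannot attach a name or fiscal code without the proof being rejected. Linkability across sessions is prevented by the nonce being random and consumed on first use; a deployment that reused tokens would lose that property regardless of what the payload omits.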
Security Decree – DL 48/2025, Law 80/2025 (April–June 2025): Italy’s Security Decree (Decree-Law No. 48/2025, enacted April 11, 2025 and converted into Law 80/2025) prompted six UN Special Rapporteurs to call on the Italian government to rescind the measure, citing provisions “not aligned with international human rights law.” The decree criminalizes road-blocking protest tactics (Article 14, carrying up to one month in prison, directly targeting climate activist groups such as Ultima Generazione), introduces a new “rioting” offense in migrant detention centers, includes vague terrorism definitions that could enable arbitrary enforcement, and broadened law enforcement powers. UN experts expressed particular alarm that the government bypassed parliament by enacting the bill as an emergency decree through the Council of Ministers. Human Rights Watch described the legislation as a serious threat to rights and freedoms, while the European Civic Forum characterized it as “the biggest attack on the right to protest in the history of the Italian Republic.” The decree illustrates the tension between Italy’s expanding surveillance and public order powers under the Meloni government and its international human rights obligations.[35][36][43]
Italy Shifts Position on EU Chat Control (October 2025): In a significant policy reversal, Italy moved from supporting the EU’s proposed Child Sexual Abuse Material (CSAM) regulation – widely known as “Chat Control” – to an undecided position in early October 2025, contributing to the postponement of the October 14 EU Council vote. The proposed regulation would have mandated client-side scanning of encrypted messages, effectively requiring platforms to scan private communications before encryption. Italy’s shift, alongside similar moves by Sweden, added to the blocking minority led by Germany that prevented the proposal from advancing. The reversal was attributed to growing awareness among Italian parliamentarians, many of whom had not been fully informed about the proposal’s implications for end-to-end encryption and privacy. Trilogue negotiations between the Council, Parliament, and Commission eventually commenced on December 9, 2025, but with a substantially weakened proposal. Italy’s changed stance is notable given the country’s historically permissive approach to communications interception, suggesting that even within Italy’s surveillance-friendly legal culture, mandatory scanning of encrypted private messages was seen as a step too far.[37]
Additional Developments (2024–2026)
EU AI Act Designated Authorities (2025): Under the EU AI Act (Regulation 2024/1689), Italy designated its national competent authorities in a three-way split. AgID (Agenzia per l’Italia Digitale) serves as the notifying authority for conformity assessment bodies; ACN (Agenzia per la Cybersicurezza Nazionale) serves as the market surveillance authority responsible for overseeing AI systems placed on the Italian market; and the Garante retains jurisdiction over all data protection aspects of AI systems. This tripartite structure, formalized alongside the national AI Law (Law 132/2025), reflects Italy’s decision to distribute AI governance across existing specialist agencies rather than creating a new dedicated body.[29][38]
Replika/Luka EUR 5 Million Fine (April 2025): The Garante imposed a EUR 5 million fine on Luka, Inc., the US-based developer of the AI companion chatbot Replika. The investigation, which began with the Garante’s February 2023 temporary processing ban, found that Replika lacked adequate age verification mechanisms, exposing minors to AI-generated responses that could include sexually explicit or emotionally manipulative content. The fine represents one of the few GDPR penalties specifically targeting an AI chatbot company and reinforces the Garante’s position, first established in the ChatGPT case, that AI services must implement robust age verification before processing personal data of users in the EU.[44]
Acea Energia EUR 3 Million Fine (2025): The Garante fined Acea Energia EUR 3 million for unlawful telemarketing activities conducted without a valid data processing agreement with its marketing partners. The case continued the Garante’s aggressive enforcement pattern in the energy sector, where companies routinely outsource telemarketing to networks of sub-agents without ensuring that appropriate data processing agreements under GDPR Article 28 are in place. Acea’s failure to establish these agreements meant that personal data was being shared with and processed by third parties without the legal safeguards required by the regulation.[1]
Apple App Tracking Transparency EUR 98.6 Million Fine (December 2025): Italy’s competition authority AGCM (Autorità Garante della Concorrenza e del Mercato) fined Apple EUR 98.6 million in December 2025 over the company’s App Tracking Transparency (ATT) framework. While Apple marketed ATT as a privacy-protective measure giving users control over cross-app tracking, the AGCM determined that the feature simultaneously restricted third-party developers’ ability to collect user data for advertising while exempting Apple’s own advertising platform from equivalent restrictions, creating an anticompetitive advantage. The case exemplifies the growing competition-privacy crossover in regulatory enforcement, where features marketed as privacy protections are scrutinized for potential anticompetitive effects. Italy’s fine was among the most significant competition penalties imposed on a Big Tech company for conduct at the intersection of privacy and market dominance.[45]
DORA Implementation – D.Lgs. 23/2025 (March 2025): Italy transposed the EU’s Digital Operational Resilience Act (DORA, Regulation 2022/2554) through Legislative Decree 23/2025, effective March 2025. DORA establishes uniform requirements for the security of network and information systems across the financial sector, covering banks, insurance companies, investment firms, and their critical ICT service providers. Italy designated the Bank of Italy (Banca d’Italia) as the primary competent authority for DORA supervision, alongside CONSOB for securities-related entities and IVASS for insurance supervision. The implementation requires Italian financial institutions to adopt comprehensive ICT risk management frameworks, conduct regular threat-led penetration testing, establish incident reporting procedures, and manage third-party ICT provider risks, with particular attention to cloud service concentration risk.[46]
AGCOM as DSA Digital Services Coordinator (January 2025): AGCOM was formally designated as Italy’s Digital Services Coordinator under the EU Digital Services Act (DSA, Regulation 2022/2065) in December 2023, with implementing rules entering into force in January 2025. In this role, AGCOM oversees compliance by intermediary service providers, hosting services, and online platforms operating in Italy with the DSA’s obligations regarding illegal content moderation, transparency reporting, and algorithmic accountability. The designation adds to AGCOM’s already extensive portfolio, which includes telecommunications regulation, media supervision, and the age verification framework for adult content described above.[47]
Garante 2024 Annual Report (July 2025): The Garante published its 2024 Annual Report in July 2025, providing a comprehensive accounting of the authority’s enforcement activities, regulatory guidance, and strategic priorities for the prior year. The report documented the Garante’s continued high volume of enforcement activity, its evolving approach to AI regulation following the ChatGPT and Replika precedents, and its inspection campaigns targeting the energy sector, healthcare data, and public administration databases. The report also outlined the Garante’s contributions to EDPB guidelines and its coordination with other national supervisory authorities on cross-border GDPR enforcement cases.[48]
H1 2026 Inspection Plan: The Garante’s inspection plan for the first half of 2026 targets over 40 planned inspections, continuing its sector-based enforcement approach. Notable new focus areas include the use of AI in education, reflecting growing concerns about the deployment of algorithmic tools in Italian schools for purposes including automated grading, student behavioral analysis, and personalized learning systems. The plan also maintains the Garante’s traditional enforcement priorities in telemarketing, healthcare data processing, and public administration databases, while expanding scrutiny of data brokers and large-scale profiling activities.[49]
