Subscribe to regular updates:


DPA Digital Digest: Italy

A close-up of Italy’s regulatory approach to data governance, content moderation, competition and more.

Report Image

This is the sixteenth issue of the “DPA Digital Digest” series based on the Digital Policy Alert database. This series provides concise summaries of each G20 nation’s recent policy changes in data governance, content moderation, competition and further domestic focal points.


Tommaso Giardini, Anna Pagnacco

Date Published

20 Jul 2023

Italy’s digital economy accounts for 4.3 per cent of GDP and counts over 50 million users. Italy devotes 25.1 per cent (EUR 48 billion) of its Recovery and Resilience Plan, the largest in the European Union, to its digital transition. According to the EU’s Digital Economy and Society Index, between 2017 and 2022 Italy’s digitalisation grew faster than any other EU country’s. In 2022, the value of Italy’s cloud market exceeded EUR 4.5 billion and grew by 18 per cent, according to the Polytechnic University of Milan. 

But what do Italy’s domestic digital policies stand for? The sixteenth DPA Digital Digest provides a succinct overview of the latest policy and enforcement developments in major policy areas and Italy-specific points of emphasis.

  • In data governance, Italy imposed a rigorous cybersecurity regime, scrutinised data transfers to the United States and China, and spearheaded GDPR enforcement, focusing on artificial intelligence and user consent.

  • In content moderation, Italy has implemented rules on online audiovisual content and scrutinised harmful content, especially the non-consensual sharing of intimate images. 

  • In competition policy, Italy has introduced unilateral conduct rules for digital platforms and strictly enforced large digital firms’ self-preferencing and anti-competitive agreements.

  • Italy’s points of emphasis include artificial intelligence, the taxation of the digital economy and crypto assets.

Jump directly to the section that interests you most:

Discover the details of Italy’s regulatory approach on our dedicated country page.

Remain up-to-date on new and upcoming developments with our free notification service

Written by Tommaso Giardini and Anna Pagnacco. Edited by Johannes Fritz.

Data governance

Data protection policy developments

Italy implemented the General Data Protection Regulation of the European Union (EU) in 2018, which is enforced by the meticulous data protection authority (Garante). The Garante has issued a body of secondary legislation, covering both general GDPR implementation and specific topics, e.g. cookies and tracking tools and data processing certification.

Since 2020, Italy has established a cybersecurity regime (“perimeter”) for providers of ICT goods deemed “essential” national infrastructure, specified by several implementing decrees. The perimeter applies to systems considered essential according to three criteria: the territorial scope of their function, the potential consequences of cybersecurity compromises, and incident mitigation possibilities. In-scope providers must share a comprehensive list of their critical assets with authorities and conduct risk assessments. Depending on cyber incident criticality, providers are subject to different timelines regarding both the implementation of appropriate security responses and incident notification. Finally, the decrees outline certification and evaluation procedures. In 2021, Italy established its national cybersecurity agency and outlined its organisational structure by decree. In 2022, in view of Russia’s invasion of Ukraine, Italy enhanced public bodies’ cybersecurity measures, suggested technical and organisational mitigation measures for ICT infrastructures connected with Ukrainian cyberspace and launched an investigation into the Kaspersky antivirus software.

Data transfer/localisation developments

The Garante has recently scrutinised data transfers to both the United States and China. Before the EU granted the United States (US) adequacy under the Data Privacy Framework in July 2023, enabling transatlantic data transfers, the Garante raised concerns about the framework. In June 2022, the Garante concluded that Italian websites using Google Analytics transferred user data, including IP addresses and activity, to the US without appropriate safeguards under the GDPR. Regarding transfers to China, in June 2023, the Garante opened an investigation into TikTok regarding both data transfers and the Chinese government’s access to Italian users’ data. 

Enforcement developments

The Garante’s enforcement has focused on novel artificial intelligence (AI) applications as well as data subjects’ consent. In April 2023, the Garante temporarily blocked and then reinstated ChatGPT, following measures by OpenAI to comply with demands. OpenAI published a notice including information on data use and processing for AI training, granted EU users the right to opt out and request the deletion of inaccurate information, and implemented age verification mechanisms, among others. In February 2023, the Garante blocked the Replika chatbot due to risks to children, through inappropriate replies, and insufficient age verification. In March 2022, the Garante fined Clearview AI EUR 20 million (the maximum penalty), for applying biometric monitoring to individuals in Italy without an appropriate legal basis. Clearview was ordered to stop collecting and erase data of individuals in Italy as well as designate an EU representative.

User consent is a central topic in the Garante’s recent enforcement. In 2022, The Garante fined Alpha Exploration, owner of social media app Clubhouse, EUR 2 million for storing user data without consent, among others. Also in 2022, the Garante fined Uber EUR 4.2 million for processing user data without explicit consent, among others. The Garante further issued a formal warning to TikTok following changes to its privacy policy that enabled user profiling for personalised advertisements based on the "legitimate interest" legal basis. The Garante warned TikTok that personal data stored on user devices cannot be processed for profiling without explicit consent. Currently, the Garante is investigating websites’ use of cookie walls to obtain consent as well as Pornhub’s user tracking and profiling systems. 

The Italian competition authority has also focused on consent due to consumer protection concerns. In October 2022, the Administrative Court of Lazio rejected Google’s appeal against the authority’s EUR 10 million fine, for not adequately informing users on its data collection and use for commercial purposes and “pre-setting consumer consent". In 2021, in similar cases, the authority fined Apple EUR 10 million and Facebook EUR 7 million (in addition to a 2018 EUR 10 million fine). In April 2023, the authority opened an investigation to scrutinise, among others, whether Apple’s consent request prompts complicate denying consent by design. Previously, the authority launched an investigation into Google, Apple and Dropbox for, among others, not adequately informing users of their cloud computing services about commercial data collection and use before they gave consent.

Content moderation

Content moderation developments

In July 2023, the Senate approved a law that grants the communications authority (AGCOM) blocking powers to tackle copyright-protected content on electronic communications networks. AGCOM can request service providers and network access providers to disable access to illicit content. For live content, precautionary blocking orders must be executed within 30 minutes.

In December 2021, Italy implemented two EU Directives regarding online content. The implementation of the amended Audiovisual and Media Services Directive extended audiovisual rules to video-sharing platforms and social media services, including a requirement to tackle hate speech and protect minors. In addition, video-on-demand providers must include 30 per cent of European works in their catalogues, half of which in Italian, and invest 20 per cent of their annual revenue in Italy in such works. 

The implementation of the Directive on Copyright in the Digital Single Market includes rules for online content-sharing platforms. Regarding content remuneration, platforms must remunerate, through link or snippet payments, press publishers for the reproduction of their publications. In addition, authors and performers are entitled to remuneration for the transfer or licensing of their work. Platforms are liable for copyright-infringing content posted by users unless they prove permission from rightsholders or remove unauthorised content upon notification.

Enforcement developments

The competition authority, the data protection authority (Garante), and AGCOM oversee content moderation. The agencies collaborate, e.g. on minor protection, and conduct investigations.

Since March 2023, the competition authority investigates TikTok for allegedly failing to apply its content moderation guidelines and remove harmful content, e.g. on self-harm and suicide. The investigation scrutinises TikTok’s measures to address harmful content as well as its recommendation algorithm and artificial intelligence techniques, which may cause "undue influence" on users. In 2021, the Garante temporarily blocked TikTok for non-age-verified users because users under 13 could circumvent TikTok’s registration barriers. The block ended after TikTok removed 500,000 accounts and added measures to detect and block underage users. A recent focus of the Garante is the non-consensual sharing of intimate images (“revenge porn”), of which it requested removals from Facebook, Instagram, YouTube, TikTok, Snapchat, Telegram and Discord, among others.


Competition policy developments

Since October 2022, the amended competition law regulates the abuse of economic dependence by “digital platforms”. Companies for which digital platforms’ intermediation services play a key role in reaching users or suppliers are presumed to be economically dependent. The amendment lists prohibited abusive practices by digital platforms, including providing insufficient information, imposing unilateral conditions and restricting the choice between providers of the same service. In August 2022, amendments regarding merger rules entered into force, requiring notification up to six months after transactions in which one of the parties (not both) exceeds ordinary notification thresholds or the combined annual global turnover of the companies exceeds EUR 5 billion. Finally, the competition authority was granted the power to issue information requests and agree to settlements. 

Enforcement developments

The competition authority focuses on unilateral conduct, especially large digital firms’ self-preferencing. In May 2023, the authority opened an investigation into Apple’s abuse of dominance in the iOS app market. Apple’s privacy policy for third-party apps is allegedly more restrictive than for Apple’s own apps. The authority investigates whether this disadvantages third-party developers and advertisers, preventing entries to the app development and distribution market to the benefit of Apple's own apps, mobile devices and iOS operating system. In May 2021, the authority fined Google EUR 102 million for abusing its dominant position in the market of operating systems. Specifically, Google excluded Enel X Italia from its driving feature (Android Auto), thus favouring Google Maps. In 2021, the authority’s investigation into Amazon led to a record fine of EUR 1.1 billion for its favouring of third-party sellers that used Amazon's logistical services in the “buy box” of the Amazon marketplace. 

In other cases relating to unilateral conduct, the authority has focused on data sharing and collection, as well as negotiation practices. In April 2023, the authority consulted on Google's commitments to close an investigation into practices that hindered interoperability in data sharing with other platforms, reducing consumer benefits and circumventing the right to data portability. Previously, the authority closed an investigation into Google’s abuse of dominance in the display advertising market, through excessive data collection from various applications, in view of the launch of a similar EC investigation. Regarding negotiations, in April 2023, the authority opened an investigation into Meta’s behaviour in content remuneration negotiations with SIAE, the representative of artists' rights in negotiations on music licensing. Meta removed all music represented by SIAE from its platforms during licensing renewal negotiations. The investigation scrutinises whether Meta abused SIAE's economic dependence to impose unfair terms while withholding relevant information, and could require renewed negotiations. 

Finally, the authority scrutinises anti-competitive agreements. In July 2023, the authority fined online streaming provider DAZN EUR 7.2 million and telecommunications provider TIM EUR 776’000 due to an anti-competitive exclusivity agreement regarding the broadcasting of Serie A matches. The agreement, halted by the start of the investigation in 2021, prohibited DAZN from entering into partnerships with competitors and enabled TIM to offer unique bundling services. In October 2022, a court cancelled – on procedural grounds – the authority’s fines of EUR 58.6 million against Amazon and EUR 114.6 million against Apple for an agreement regulating the prices of Apple and Beats products among Amazon resellers.

Further points of emphasis

Artificial Intelligence

In November 2021, Italy adopted its AI Strategic Program for 2022-24. The program outlines twenty-four policies aiming to boost the potential of AI in the Italian economy and society. The framework builds on three pillars: attracting talents and competencies, funding research, and incentivising the adoption of AI applications in both the private and the public sector. 

In terms of AI guardrails, Italy has spearheaded investigations into privacy concerns of novel AI applications, especially generative AI and facial recognition. In addition, in October 2022, the central bank analysed risks regarding the use of AI in credit scoring, noting that risks of bias and discrimination exist but emphasising that they do not exceed those of traditional methods.


Since January 2020, Italy levies a Digital Service Tax (DST) of 3 per cent. The DST applies to targeted advertising, digital interfaces for user interaction and the transmission of collected user data. The DST applies to companies that exceed revenues of EUR 750 million (global) and EUR 5.5 million (local) through in-scope services. The government published a circular and a decree specifying the scope and calculation of the tax. In 2020, the United States (US) Trade Representative investigated the DST and announced punitive tariffs. In 2021, the countries reached a political agreement under which Italy (and others) will withdraw the DST upon entry into force of Pillar 1 of the G20/OECD Inclusive Framework, while the US defers its tariffs. 

Crypto assets

Since May 2022, Italy has required providers of cryptocurrencies and digital wallets to register with the responsible authority (Organismo Agenti e Mediatori). To register, providers must have a subsidiary or, for EU providers, a branch in Italy. In addition, providers must submit information regarding their registered office, service, address of the physical points of operation and the web address through which the service is performed. The authority has approved over 90 registrations of cryptocurrency service providers, including Binance. In June 2022, the central bank issued a communication highlighting the risks of decentralised finance and crypto assets, outlining appropriate safeguards. Currently, the financial markets authority is consulting on the regulation for the registration of “managers for digital circulation” under the FinTech Decree.

Since January 2023, crypto assets, defined as "a digital representation of value or rights that can be transferred and stored electronically", are subject to capital gains tax. Gains from crypto assets exceeding EUR 2000 are subject to a 26% tax rate.