DPA Digital Digest: Italy [2024 Edition]

A close-up of Italy’s regulatory approach to data governance, content moderation, competition and more.

The “DPA Digital Digest” series provides concise summaries of each G20 nation’s digital policy. Based on the Digital Policy Alert database, we outline rules and enforcement cases in data governance, content moderation, competition, artificial intelligence, and domestic points of emphasis.

Authors

Tommaso Giardini, Nils Deeg, Anna Pagnacco

Date Published

21 Aug 2024

Italy, the current G7 president, is developing its digital economy and pursuing international alignment. Italy’s digital economy accounted for 4.3% of GDP in 2021, according to the Italian ICT association. Netcomm estimates that Italy’s e-commerce and digital retail sector accounted for 40.6% of total revenue growth between 2016 and 2020, generating over EUR 70 billion in revenue. And according to the EU’s Digital Economy and Society Index, between 2017 and 2022 Italy’s digitalisation grew faster than in any other EU member. 

On the international stage, under Italy’s presidency, the G7 has established the Hiroshima Friends Group, a voluntary framework for countries supporting the G7 Hiroshima AI Process. 

But what do Italy’s domestic digital policies stand for? Our Digital Digest provides a succinct overview of the latest policy and enforcement developments in major policy areas and Italy-specific points of emphasis. 

  • Data governance: Italy established data protection requirements for minors and employees, implemented the new EU cybersecurity regime, and scrutinised data transfers to the United States, China, and the United Kingdom.

  • Content moderation: Italy is implementing various EU frameworks, enhancing its authorities’ powers, and focusing enforcement on minor protection and gambling content. 

  • Competition policy: Italy is enforcing novel unilateral conduct rules for digital platforms, especially large firms’ self-preferencing and anti-competitive agreements.

  • Artificial intelligence: Italy is considering legislation on content labelling and spearheading enforcement action against AI providers across policy areas.

  • Italy’s points of emphasis include the taxation of the digital economy, crypto assets, and consumer protection.


Written by Tommaso Giardini, Nils Deeg, and Anna Pagnacco. Edited by Johannes Fritz.


Data governance

Policy developments

Italy implements the General Data Protection Regulation of the European Union (EU) through its meticulous data protection authority (Garante). The Garante has issued a body of secondary legislation, covering both general GDPR implementation and specific topics, e.g. cookies and tracking tools and data processing certification. Since then, specific data protection requirements have been implemented regarding minor protection, employees, and metadata retention.

Since 2020, Italy has established a cybersecurity regime (“perimeter”) for providers of ICT goods deemed “essential” national infrastructure, specified by several implementing decrees. The perimeter applies to systems considered essential according to three criteria: the territorial scope of their function, the potential consequences of cybersecurity compromises, and incident mitigation possibilities. In-scope providers must share a comprehensive list of their critical assets with authorities and conduct risk assessments. Requirements on cyber incidents, including response and notification, are subject to different timelines based on incidents’ criticality. Finally, the decrees outline certification and evaluation procedures.

In 2021, Italy established its national cybersecurity agency and outlined its organisational structure. The agency has recently focused on overseeing the transposition of the EU NIS 2 directive and published guidelines to improve password storage practices. 

In 2022, following Russia’s invasion of Ukraine, Italy enhanced public bodies’ cybersecurity measures, suggested technical and organisational mitigation measures for ICT infrastructures connected with Ukrainian cyberspace, and launched an investigation into Kaspersky.

Data transfer/localisation developments

The Garante has recently scrutinised data transfers to the United States (US), China, and the United Kingdom. The Garante raised concerns about the EU-US Data Privacy Framework before the EU granted the US adequacy under the framework in July 2023, enabling transatlantic data transfers. Previously, the Garante concluded that Italian websites using Google Analytics transferred user data, including IP addresses and activity, to the US without appropriate safeguards under the GDPR. 

In June 2023, the Garante opened an investigation into TikTok’s data transfers and the Chinese government’s access to Italian users’ data. In February 2024, the Garante opened an investigation into the alleged unlawful transfer of Italian motorists' data to the United Kingdom.

Guidelines and enforcement developments

The Garante’s recent enforcement focuses on user profiling, biometric data, and consent. 

  • The Garante is investigating Pornhub’s user profiling, having issued a warning to TikTok and a EUR 200’000 fine to Nirvam based on similar concerns. 

  • The Garante is investigating Worldcoin’s data processing to create a global “World ID.” 

  • Non-compliance with consent requirements has led to fines of EUR 2 million for Alpha Exploration, owner of social media app Clubhouse, and EUR 4.2 million for Uber.

In addition, the Italian competition authority has focused on consent from a consumer protection perspective, investigating firms for not adequately informing users and pre-setting consumer consent. The authority fined Google EUR 10 million, Apple EUR 10 million, and Facebook EUR 7 million (in addition to a 2018 EUR 10 million fine). Currently, the authority is investigating whether Apple complicates denying consent by design and whether Google, Apple and Dropbox adequately inform users of their cloud computing services before they give consent.

Content moderation

Policy developments

At the end of 2023, two resolutions by Italy’s communications authority (AGCOM) to combat harmful content on video-sharing platforms entered into force. The regulations expand AGCOM’s powers to restrict the dissemination of restricted content, including in other EU member states. 

In July 2023, the Senate approved a law that grants AGCOM blocking powers to tackle copyright-protected content on electronic communications networks. AGCOM can request service providers and network access providers to disable access to illicit content. For live content, precautionary blocking orders must be executed within 30 minutes.

In December 2021, Italy implemented two EU Directives on online content. The implementation of the amended Audiovisual and Media Services Directive extended rules to video-sharing platforms and social media services, including requirements to tackle hate speech and protect minors. In addition, video-on-demand providers must have 30% European works in their catalogues, half of which in Italian, and invest 20% of their annual revenue in Italy in such works. 

The implementation of the Directive on Copyright in the Digital Single Market includes rules for online content-sharing platforms. Platforms must remunerate, through link or snippet payments, press publishers for the reproduction of their publications. In addition, authors and performers are entitled to remuneration for the transfer or licensing of their work. Furthermore, platforms are liable for copyright-infringing content posted by users unless they prove permission from rightsholders or remove unauthorised content upon notification.

Guidelines and enforcement developments

AGCOM, the competition authority, and the data protection authority (Garante) oversee content moderation. The agencies collaborate, e.g. on minor protection, and conduct investigations. 

AGCOM, Italy’s digital services coordinator under the EU Digital Services Act (DSA), is the primary enforcement authority.

  • AGCOM recently fined several firms for violating a gambling advertising ban: Twitch (EUR 900'000), Meta (EUR 5.85 million), Twitter (EUR 1.35 million) and Google (EUR 750'000). 

  • In February 2024, AGCOM mandated the removal of the “French scar” challenge content from TikTok. Beyond enforcement, AGCOM has established a complaint procedure and issued guidance for online intermediation services.

Other authorities focus mainly on minor protection and the sharing of intimate images. 

  • In March 2024, the competition authority fined TikTok EUR 10 million for failing to remove content on self-harm and suicide. 

  • In 2023, the Garante requested the removal of non-consensual sharing of intimate images (“revenge porn”) from Facebook, Instagram, YouTube, TikTok, Snapchat, Telegram and Discord, among others. 

  • In 2021, the Garante temporarily blocked TikTok for non-age-verified users because users under 13 could circumvent TikTok’s registration barriers. The block ended after TikTok removed 500,000 accounts and added measures to detect and block underage users. 

  • In July 2023, the Garante ordered Google to fully remove a defamatory URL.

Competition

Policy developments

Since October 2022, Italy’s amended competition law regulates the abuse of economic dependence by digital platforms. Companies for which digital platforms’ intermediation services are key to reach users or suppliers are presumed to be economically dependent. The amendment lists prohibited abusive practices by digital platforms, including providing insufficient information, imposing unilateral conditions and restricting the choice between providers of the same service. 

In August 2022, amendments regarding merger rules entered into force, requiring notification up to six months after transactions in which one (not both) of the parties exceeds ordinary notification thresholds or the combined annual global turnover of the companies exceeds EUR 5 billion. Finally, the amendment empowered the competition authority to issue information requests and enter settlement agreements. 

In 2024, the communications authority initiated an inquiry to gather insights on individual markets within the integrated communications system. Additionally, the competition authority opened a consultation to define the scope and procedures for imposing structural measures when a fact-finding investigation reveals market distortions.

Guidelines and enforcement developments

Italy’s competition authority (AGCM) focuses on large digital firms’ self-preferencing. 

  • In May 2023, AGCM opened an investigation into Apple’s abuse of dominance in the iOS app market, alleging that Apple’s privacy policy for third-party apps is more restrictive than for Apple’s own apps. AGCM investigates whether this disadvantages third-party developers and advertisers to the benefit of Apple's own apps, mobile devices and iOS operating system. 

  • In May 2021, AGCM fined Google EUR 102 million for excluding Enel X Italia from Android Auto to favour Google Maps. 

  • In 2021, AGCM’s investigation into Amazon led to a record fine of EUR 1.1 billion for its favouring of third-party sellers that used Amazon's logistical services in the Amazon “buy box.” 

In other unilateral conduct cases, AGCM has focused on data sharing, negotiation behaviour, and anti-competitive agreements. 

  • In April 2024, AGCM fined Amazon EUR 10 million for pre-selecting the “recurring purchase” option. 

  • In July 2023, AGCM accepted Google's commitments to enable data portability to close the investigation. AGCM is considering proposed commitments by Booking regarding its dominance in the online hotel intermediation services market. 

  • In April 2023, AGCM opened an investigation into Meta’s removal of music represented by SIAE, the representative of artists' rights, from its platforms during licensing renewal negotiations.

  • In October 2022, a court cancelled – on procedural grounds – AGCM fines of EUR 58.6 million against Amazon and EUR 114.6 million against Apple for an agreement regulating the prices of Apple and Beats products among Amazon resellers.

  • Previously, AGCM closed its investigation into Google’s excessive data collection in the display advertising market, in view of the launch of a similar EC investigation.

Artificial Intelligence

Policy developments

The EU’s AI Act will apply in Italy. At the domestic level, the Italian Cabinet approved a bill designating authorities to oversee the enforcement of EU and national rules, as well as allocating funding to AI development. The bill is currently pending introduction to the legislature. In October 2023, a bill proposing measures on the transparency of AI-generated content, including labelling and watermark obligations, was introduced.

In 2021, Italy adopted its AI Strategic Program for 2022-24. The program outlines 24 policies aiming to boost the potential of AI in the Italian economy and society. The framework builds on three pillars: attracting talents and competencies, funding research, and incentivising the adoption of AI applications in both the private and the public sector.

Guidelines and enforcement developments

The Italian data protection authority is the most active Italian authority in enforcing AI guardrails. 

  • In January 2024, the Garante issued a notice of objection to OpenAI, finding that some of the company’s data processing practices may be unlawful. Previously, in April 2023, the Garante temporarily blocked and then reinstated ChatGPT, following measures by OpenAI to comply with demands. OpenAI published a notice including information on data use and processing for AI training, granted EU users the right to opt out and request the deletion of inaccurate information, and implemented age verification mechanisms, among others. 

  • In February 2023, the Garante blocked the Replika chatbot due to risks to children, through inappropriate replies, and insufficient age verification. 

  • In March 2022, the Garante fined Clearview AI EUR 20 million (the maximum penalty) for biometric monitoring of individuals without an appropriate legal basis. Clearview was ordered to stop collecting and erase data of individuals in Italy.

Points of emphasis

Taxation

Since January 2020, Italy has levied a Digital Service Tax (DST) of 3%. The DST applies to targeted advertising, digital interfaces for user interaction, and the transmission of collected user data. The DST applies to companies that exceed revenues of EUR 750 million (global) and EUR 5.5 million (local) through in-scope services. The government published a circular and a decree specifying the scope and calculation of the tax.

In 2020, the United States (US) Trade Representative investigated the DST and announced punitive tariffs. In 2021, the countries reached a political agreement under which Italy (and others) will withdraw the DST upon entry into force of Pillar 1 of the G20/OECD Inclusive Framework, while the US defers its tariffs. In February 2024, the countries agreed to extend the terms of the agreement until the end of June 2024.

Crypto assets

Since May 2022, Italy has required providers of cryptocurrencies and digital wallets to register with the responsible authority (Organismo Agenti e Mediatori). To register, providers must have a subsidiary or, for EU providers, a branch in Italy. In addition, providers must submit information on their registered office, service, address of the physical points of operation and the web address through which the service is performed. The authority has approved over 90 registrations of cryptocurrency service providers, including Binance.

Since January 2023, crypto assets, defined as the “digital representation of value or rights that can be transferred and stored electronically,” are subject to a capital gains tax. Gains from crypto assets exceeding EUR 2000 are subject to a tax rate of 26%.

In June 2022, the central bank issued a communication highlighting the risks of crypto assets and outlining appropriate safeguards. Currently, the financial markets authority is consulting on a regulation for the registration of “digital circulation managers” under the FinTech Decree.

Consumer protection

Italy’s online consumer protection focuses on minor protection and online advertising. Italy has required age verification to prevent minors from accessing pornographic content since 2023.

Since September 2023, electronic service providers have had to inform customers of the availability of parental control applications. In March 2024, the communications authority consulted on age verification methods, following its resolution on the same subject. Further minor protection measures concern online gaming and gambling.

Regarding online advertising, the communications authority fined British American Tobacco (BAT) (EUR 6 million) and Amazon (EUR 1 million) for misleading advertising of heated tobacco devices in January 2024. The authority also fined Facile Ristrutturare EUR 4.5 million for false online reviews and misleading prices of renovation materials. The authority further issued guidelines and a code of conduct on influencers’ compliance with the Law on Audiovisual Media Services.