A close-up of Italy’s regulatory approach to data governance, content moderation, competition and more.
The “DPA Digital Digest” series provides concise summaries of each G20 nation’s digital policy. Based on the Digital Policy Alert database, we outline rules and enforcement cases in data governance, content moderation, competition, artificial intelligence, and domestic points of emphasis.
Italy, the current G7 president, is developing its digital economy and pursuing international alignment. Italy’s digital economy accounted for 4.3% of GDP in 2021, according to the Italian ICT association. Netcomm estimates that Italy’s e-commerce and digital retail sector accounted for 40.6% of total revenue growth between 2016 and 2020, generating over EUR 70 billion in revenue. And according to the EU’s Digital Economy and Society Index, between 2017 and 2022 Italy’s digitalisation grew faster than in any other EU member.
On the international stage, under Italy’s presidency, the G7 has established the Hiroshima Friends Group, a voluntary framework for countries supporting the G7 Hiroshima AI Process.
But what do Italy’s domestic digital policies stand for? Our Digital Digest provides a succinct overview of the latest policy and enforcement developments in major policy areas and Italy-specific points of emphasis.
Data governance: Italy established data protection requirements for minors and employees, implemented the new EU cybersecurity regime, and scrutinised data transfers to the United States, China, and the United Kingdom.
Content moderation: Italy is implementing various EU frameworks, enhancing its authorities’ powers, and focusing enforcement on minor protection and gambling content.
Competition policy: Italy is enforcing novel unilateral conduct rules for digital platforms, especially large firms’ self-preferencing and anti-competitive agreements.
Artificial intelligence: Italy is considering legislation on content labelling and spearheading enforcement action against AI providers across policy areas.
Italy’s points of emphasis include the taxation of the digital economy, crypto assets, and consumer protection.
Jump directly to the section that interests you most:
Discover the details of Italy’s regulatory approach on our dedicated country page.
Remain up-to-date on new and upcoming developments with our free notification service.
Written by Tommaso Giardini, Nils Deeg, and Anna Pagnacco. Edited by Johannes Fritz.
Italy implements the General Data Protection Regulation of the European Union (EU) through its meticulous data protection authority (Garante). The Garante has issued a body of secondary legislation, covering both general GDPR implementation and specific topics, e.g. cookies and tracking tools and data processing certification. Since then, specific data protection requirements have been implemented regarding minor protection, employees, and metadata retention.
Since 2020, Italy has established a cybersecurity regime (“perimeter”) for providers of ICT goods deemed “essential” national infrastructure, specified by several implementing decrees. The perimeter applies to systems considered essential according to three criteria: The territorial scope of their function, the potential consequences of cybersecurity compromises, and incident mitigation possibilities. In-scope providers must share a comprehensive list of their critical assets with authorities and conduct risk assessments. Requirements on cyber incidents, including response and notification, are subject to different timelines based on incidents’ criticality. Finally, the decrees outline certification and evaluation procedures.
In 2021, Italy established its national cybersecurity agency and outlined its organisational structure. The agency has recently focused on overseeing the transposition of the EU NIS 2 directive and published guidelines to improve password storage practices.
In 2022, following Russia’s invasion of Ukraine, Italy enhanced public bodies’ cybersecurity measures, suggested technical and organisational mitigation measures for ICT infrastructures connected with Ukrainian cyberspace and launched an investigation into Kaspersky.
The Garante has recently scrutinised data transfers to the United States (US), China, and the United Kingdom. The Garante raised concerns about the EU-US Data Privacy Framework before the EU granted the US adequacy under the framework in July 2023, enabling transatlantic data transfers. Previously, the Garante concluded that Italian websites using Google Analytics transferred user data, including IP addresses and activity, to the US without appropriate safeguards under the GDPR.
In June 2023, the Garante opened an investigation into TikTok’s data transfers and the Chinese government’s access to Italian users’ data. In February 2024, the Garante opened an investigation into the alleged unlawful transfer of Italian motorists' data to the United Kingdom.
The Garante’s recent enforcement focuses on user profiling, biometric data, and consent.
The Garante is investigating Pornhub’s user profiling, having issued a warning to TikTok and a EUR 200’000 fine to Nirvam based on similar concerns.
The Garante is investigating Worldcoin’s data processing to create a global “World ID.”
Non-compliance with consent requirements has led to fines of EUR 2 million for Alpha Exploration, owner of social media app Clubhouse, and EUR 4.2 million for Uber.
In addition, the Italian competition authority has focused on consent from a consumer protection perspective, investigating firms for not adequately informing users and pre-setting consumer consent. The authority fined Google EUR 10 million, Apple EUR 10 million, and Facebook EUR 7 million (in addition to a 2018 EUR 10 million fine). Currently, the authority is investigating whether Apple complicates denying consent by design and whether Google, Apple and Dropbox adequately inform users of their cloud computing services before they give consent.
At the end of 2023, two resolutions by Italy’s communications authority (AGCOM) to combat harmful content on video-sharing platforms entered into force. The regulations expand AGCOM’s powers to restrict the dissemination of restricted content, including in other EU member states.
In July 2023, the Senate approved a law that grants AGCOM blocking powers to tackle copyright-protected content on electronic communications networks. AGCOM can request service providers and network access providers to disable access to illicit content. For live content, precautionary blocking orders must be executed within 30 minutes.
In December 2021, Italy implemented two EU Directives on online content. The implementation of the amended Audiovisual and Media Services Directive extended rules to video-sharing platforms and social media services, including requirements to tackle hate speech and protect minors. In addition, video-on-demand providers must have 30% European works in their catalogues, half of which in Italian, and invest 20% of their annual revenue in Italy in such works.
The implementation of the Directive on Copyright in the Digital Single Market includes rules for online content-sharing platforms. Platforms must remunerate, through link or snippet payments, press publishers for the reproduction of their publications. In addition, authors and performers are entitled to remuneration for the transfer or licensing of their work. Furthermore, platforms are liable for copyright-infringing content posted by users unless they prove permission from rightsholders or remove unauthorised content upon notification.
AGCOM, the competition authority, and the data protection authority (Garante) oversee content moderation. The agencies collaborate, e.g. on minor protection, and conduct investigations.
AGCOM, Italy’s digital services coordinator under the EU Digital Service Act (DSA), is the primary enforcement authority.
AGCOM recently fined several firms for violating a gambling advertising ban: Twitch (EUR 900'000), Meta (EUR 5.85 million), Twitter (EUR 1.35 million) and Google (EUR 750'000).
In February 2024, AGCOM mandated the removal of the “French scar” challenge content from TikTok. Beyond enforcement, AGCOM has established a complaint procedure and issued guidance for online intermediation services.
Other authorities focus mainly on minor protection and the sharing of intimate images.
In March 2024, the competition authority fined TikTok EUR 10 million for failing to remove content on self-harm and suicide.
In 2023, the Garante requested the removal of non-consensual sharing of intimate images (“revenge porn”) from Facebook, Instagram, YouTube, TikTok, Snapchat, Telegram and Discord, among others.
In 2021, the Garante temporarily blocked TikTok for non-age-verified users because users under 13 could circumvent TikTok’s registration barriers. The block ended after TikTok removed 500,000 accounts and added measures to detect and block underage users.
Since October 2022, Italy’s amended competition law regulates the abuse of economic dependence by digital platforms. Companies for which digital platforms’ intermediation services are key to reach users or suppliers are presumed to be economically dependent. The amendment lists prohibited abusive practices by digital platforms, including providing insufficient information, imposing unilateral conditions and restricting the choice between providers of the same service.
In August 2022, amendments regarding merger rules entered into force, requiring notification up to six months after transactions in which one (not both) of the parties exceeds ordinary notification thresholds or the combined annual global turnover of the companies exceeds EUR 5 billion. Finally, the amendment empowered the competition authority to issue information requests and enter settlement agreements.
In 2024, the communications authority initiated an inquiry to gather insights on individual markets within the integrated communications system. Additionally, the competition authority opened a consultation to define the scope and procedures for imposing structural measures when a fact-finding investigation reveals market distortions.
Italy’s competition authority (AGCM) focuses on large digital firms’ self-preferencing.
In May 2023, AGCM opened an investigation into Apple’s abuse of dominance in the iOS app market, alleging that Apple’s privacy policy for third-party apps is more restrictive than for Apple’s own apps. AGCM investigates whether this disadvantages third-party developers and advertisers to the benefit of Apple's own apps, mobile devices and iOS operating system.
In May 2021, AGCM fined Google EUR 102 million for excluding Enel X Italia from Android Auto to favour Google Maps.
In 2021, AGCM’s investigation into Amazon led to a record fine of EUR 1.1 billion for its favouring of third-party sellers that used Amazon's logistical services in the Amazon “buy box.”
In other unilateral conduct cases, AGCM has focused on data sharing, negotiation behaviour, and anti-competitive agreements.
In April 2024, AGCM fined Amazon EUR 10 million for pre-selecting the “recurring purchase” option.
In July 2023, AGCM accepted Google's commitments to enable data portability to close the investigation. AGCM is considering proposed commitments by Booking regarding its dominance in the online hotel intermediation services market.
In April 2023, AGMC opened an investigation into Meta’s removal of music represented by SIAE, the representative of artists' rights, from its platforms during licensing renewal negotiations.
In October 2022, a court cancelled – on procedural grounds – AGCM fines of EUR 58.6 million against Amazon and EUR 114.6 million against Apple for an agreement regulating the prices of Apple and Beats products among Amazon resellers.
The EU’s AI Act will apply in Italy. At the domestic level, the Italian Cabinet approved a bill designating authorities to oversee the enforcement of EU and national rules, as well as allocating funding to AI development. The bill is currently pending introduction to the legislature. In October 2023, a bill proposing measures on the transparency of AI-generated contents, including labelling and watermark obligations, was introduced.
In 2021, Italy adopted its AI Strategic Program for 2022-24. The program outlines 24 policies aiming to boost the potential of AI in the Italian economy and society. The framework builds on three pillars: attracting talents and competencies, funding research, and incentivising the adoption of AI applications in both the private and the public sector.
The Italian data protection authority is the most active Italian authority in enforcing AI guardrails.
In January 2024, the Garante issued a notice of objection to OpenAI, finding that some of the company’s data processing practices may be unlawful. Previously, in April 2023, the Garante temporarily blocked and then reinstated ChatGPT, following measures by OpenAI to comply with demands. OpenAI published a notice including information on data use and processing for AI training, granted EU users the right to opt out and request the deletion of inaccurate information, and implemented age verification mechanisms, among others.
In February 2023, the Garante blocked the Replika chatbot due to risks to children, through inappropriate replies, and insufficient age verification.
Since January 2020, Italy levies a Digital Service Tax (DST) of 3%. The DST applies to targeted advertising, digital interfaces for user interaction, and the transmission of collected user data. The DST applies to companies that exceed revenues of EUR 750 million (global) and EUR 5.5 million (local) through in-scope services. The government published a circular and a decree specifying the scope and calculation of the tax.
In 2020, the United States (US) Trade Representative investigated the DST and announced punitive tariffs. In 2021, the countries reached a political agreement under which Italy (and others) will withdraw the DST upon entry into force of Pillar 1 of the G20/OECD Inclusive Framework, while the US defers its tariffs. In February 2024, the countries agreed to extend the terms of the agreement until the end of June 2024.
Since May 2022, Italy requires providers of cryptocurrencies and digital wallets to register with the responsible authority (Organismo Agenti e Mediatori). To register, providers must have a subsidiary or, for EU providers, a branch in Italy. In addition, providers must submit information on their registered office, service, address of the physical points of operation and the web address through which the service is performed. The authority has approved over 90 registrations of cryptocurrency service providers, including Binance.
Since January 2023, crypto assets, defined as the “digital representation of value or rights that can be transferred and stored electronically," are subject to a capital gains tax. Gains from crypto assets exceeding EUR 2000 are subject to a tax rate of 26%.
In June 2022, the central bank issued a communication highlighting the risks of crypto assets and outlining appropriate safeguards. Currently, the financial markets authority is consulting on a regulation for the registration of “digital circulation managers” under the FinTech Decree.
The focus of Italy’s online consumer protection lies on minor protection and online advertisement. Italy requires age verification to prevent minors from accessing pornographic content since 2023.
Since September 2023, electronic service providers must inform customers on the availability of parental control applications. In March 2024, the communications authority consulted on age verification methods, following its resolution on the same subject. Further minor protection measures concern online gaming and gambling.
Regarding online advertising, the communications authority fined British American Tobacco (BAT) (EUR 6 million) and Amazon (EUR 1 million) for misleading advertising of heated tobacco devices in January 2024. The authority also fined Facile Ristrutturare EUR 4.5 million for false online reviews and misleading prices of renovation materials. The authority further issued guidelines and a code of conduct on influencers’ compliance with the Law on Audiovisual Media Services.