Italy: Technology

The In-House Lawyer Logo

This country-specific Q&A provides an overview to technology laws and regulations that may occur in the Italy.

It will cover communications networks and their operators, databases and software, data protection, AI, cybersecurity as well as the author’s view on planned future reforms of the merger control regime.

This Q&A is part of the global guide to Technology. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/index.php/practice-areas/technology

  1. Are communications networks or services regulated? If so what activities are covered and what licences or authorisations are required?

    Yes, they are regulated. The most important piece of legislation for what concerns communications networks and services is the Electronic Communications Code (Legislative Decree n. 259 of 1 August 2003), which implements the EU regulatory framework for electronic communications.
    Communications networks and services are described as follows by the Electronic Communications Code:

    (i) electronic communication networks are defined as: ‘transmission systems and, where applicable, switching or routing equipment and other resources, which permit the conveyance of signals by wire, radio, optical or by other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including Internet) and mobile terrestrial networks, networks used for radio and television broadcasting, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, and cable television networks, irrespective of the type of information conveyed’; and

    (ii) an electronic communications services means ‘a service, normally provided for a fee, which consists wholly or mainly in the conveyance of signals on electronic communications networks, including telecommunications services and transmission services in networks used for broadcasting, with the exclusion of the services which consist in the provision of contents transmitted by means of electronic communications networks and services or which imply an editorial control on such contents; also the information society services, which do not entirely or prevalently consist in the conveyance of signals on electronic communications networks, are excluded’.

    The provision of electronic communications services or networks is subject to a general authorization regime. In particular, Section 25 of the Electronic Communications Code states that any undertaking wishing to provide electronic communications services or networks must file a declaration with the Italian Ministry of Economic Development. The activity can be started immediately after the declaration is filed; however, the Ministry can examine the declaration within 60 days and, if there is a grounded reason, can require the relevant undertaking to stop the activity. The general authorization is subject to the payment of an administrative fee. Such fee ranges from a few hundred Euros to up to Euro 127,000 for the provision of a public communications network covering the entire Italian territory. Authorisations for the use of numbers and radio frequency spectrums in mobile or satellite services are also granted by the Ministry and spectrum rights are awarded through public tender procedures.

  2. Is there any specific regulator for the provisions of communications-related services? Are they independent of the government control?

    The Italian regulator for the provisions of communications-related services in Italy is the “Autorità per le Garanzie nelle Comunicazioni” (“AGCOM”). AGCOM is an independent and autonomous authority. AGCOM’s members are appointed by the Italian Parliament, which has established AGCOM’s powers. Thus, AGCOM is not under the control of the government and is accountable directly to the parliament. In addition, also the Italian Ministry for Economic Development has significant powers and responsibility in connection with the communication industry.

  3. Does an operator need to be domiciled in the country? Are there any restrictions on foreign ownership of telecoms operators?

    Any undertaking of a European Union, European Economic Area or WTO country can obtain a general authorisation for the provision of electronic communications services or networks in Italy. Electronic communication operators residing in countries other than the above can be granted authorisations only under reciprocity conditions (i.e. if the relevant home country would authorise an Italian operator to operate in such country for the same type of service).

  4. Are there any regulations covering interconnection between operators? If so are these different for operators with market power? What are the principal consumer protection regulations that apply specifically to telecoms services?

    Under the Electronic Communications Code, all operators holding a general authorisation to provide publicly available electronic communications networks and services have the right and - if requested by other authorised operators - the obligation, to negotiate with each other interconnection agreements, in order to allow the provision and interoperability of the services in the entire European Union. The access and interconnection must be offered in compliance with the obligations imposed by AGCOM pursuant to the Electronic Communications Code. The operators with significant market power are subject to additional obligations imposed by the AGCOM, which exercises also control on the termination rates and other terms and conditions applied by them in connection with interconnection arrangements.

    In addition to the protection granted by Italian law to all consumers under the Italian Consumer Code (Legislative Decree N° 206 of 6 September 2005), users of electronic communications services are granted a set of further rights and safeguards.

    The obligations imposed to operators by the Electronic Communications Code in order to grant such additional protection (in particular sections 70 – 81 and the relevant implementing AGCOM’s regulations) depend on the specific nature of the services supplied. They include, for example, the duty to publish and render available to their customers - before entering into the relevant contract - a “Carta dei Servizi” (Services Chart), indicating the minimum quality requirements to be fulfilled by the services and the connected key quality indicators, which must be regularly measured. Moreover, operators shall establish a procedure allowing users to submit claims and complaints, by telephone, in writing, by fax or electronically at no additional costs, for malfunctions or inefficiencies of the services, and/or failures to comply with contractual clauses or agreed service levels. Operators are required to notify in advance and by appropriate means the relevant customers about scheduled maintenance interventions involving a complete outage of the service, with specific indication of the estimated duration of the interruption, and of a contact point, easily accessible, in order to obtain assistance and more detailed information. There are a number of pieces of information which must be mandatorily included in the clauses of each agreement with users, such as provisions relating to the indemnification due in case the service does not reach the agreed service levels and the right of withdrawal of the user. Additional rights of users relate, inter alia, to number portability, the user’s right to change the operator and the operators’ obligations to ensure access for disabled end users.

  5. What legal protections are offered in relation to the creators of computer software?

    Under Italian law, computer software is considered as an intellectual work falling within the scope of Law 22.4.1941, n. 633 concerning the protection of copyright and neighbouring rights (hereinafter the “Copyright Law”). Section 2, n. 8) of the Copyright Law expressly states that any form of computer software which is original and is the result of the intellectual creation of his/her author will be granted protection by copyright. Copyright protection is granted to the author of a software automatically with its creation and does not require any specific procedure in order to be recognized.

    The author of the software is the holder of two distinct categories of exclusive rights:

    (i) the “moral” rights to be recognised as the author of the software. Such rights are of a personal nature and cannot be waived or sold and/or in any way transferred by the author; and

    (ii) the rights to utilise and economically exploit the software; such rights may be totally or partially transferred by the author.

    If the software is developed by an employee, in the context of the performance of its tasks or on the basis of instructions provided by the employer, the right to economically exploit the software belongs to the employer.

    In relation to the exclusive rights to the use and economic exploitation mentioned above, the Copyright Law includes specific provisions on the extent of the awarded protection. Such provisions were introduced in the Copyright Law in 1992 upon Italy’s implementation of EU Directive 91/250.

    Copyright on software includes the exclusive right of the author (or of the transferee of the rights of economic exploitation) to carry out or authorise:

    (a) the reproduction, permanent or temporary, total or partial, of the software by any means or in any form. To the extent that the operations such as loading, screening, running, transmission or memorisation of the software require a reproduction, also such operations are subject to the authorisation of the copyright owner;

    (b) the translation, the adaptation, the transformation and every other amendment of the software as well as the reproduction of the work that results from this (without prejudice to the rights of the person amending the software); and

    (c) any form of distribution to the public, including the lease of the original software or of copies of the software.

    However, the Copyright Law provides also for some limitations to the exclusive rights. In particular, under certain conditions, the legitimate licensee cannot be contractually prevented by the owner of the intellectual property rights from carrying out certain activities, such as making a back-up copy, correcting errors or making amendments aimed at ensuring the interoperability of the software with other computer programs.

  6. Are specific intellectual property rights in respect of data/databases recognised?

    Databases are protected by the Copyright Law. Section 2 of the Copyright Law defines a database as “a collection of independent works, data or other materials arranged in a systematic or methodical way and individually accessible by electronic or other means”. The protection granted through the Copyright Law concerns the database and not the contents included in the database, and is without prejudice to any rights subsisting in those contents themselves. If the structure of the database is original, because the selection or arrangement of their contents has been made according to original criteria, the author of the database is granted both the moral rights and the rights to economically exploit the database. Such rights last 70 years after the death of the author or 70 years after the database is lawfully made available to the public. The rights to economically exploit the database can be assigned or transferred by the author.

    If the database is created by an employee, in the context of the performance of its tasks or on the basis of instructions provided by the employer, the right to economically exploit the database belongs to the employer.

    If the database does not have an original structure and cannot be considered the author’s own intellectual creation, the author of the database does not own the copyright under the Copyright Law. However, in this case, the Copyright Law (Section 102-bis) grants a sui generis right to the “maker” of the database, i.e. the person that has made a substantial investment in either the obtaining, verification or presentation of the contents, using, for this purpose, financial means, time or work. In such event, the maker has the right to prevent extraction and/or re-utilization of the whole or of a substantial part of the contents of that database. The right of the “maker” lasts 15 years after the first day of the calendar year (1st January) following the date on which the database has been made available to the public for the first time.

  7. What key protections exist for personal data?

    The Italian Legislative Decree n. 196 of 30 June 2003 (the “Privacy Code”) brings together all the various laws, codes and regulations relating to data protection since 1996. The Privacy Code applies to all processing of personal data relating to natural persons (although certain provisions apply also to legal persons) carried by data controllers established in Italy and non-EU data controllers which make use of equipment located within the Italian territory (e.g. servers). Data controllers are required, inter alia, to (i) provide a data protection notice to the relevant data subject, (ii) obtain the prior and freely-given consent of the relevant data subject to the processing of his/her personal data (which must be given in writing if sensitive data are processed), unless another legal basis exists (e.g. the processing is necessary to comply with an Italian or EU law, or to perform an agreement which the data subject is a party to), (iii) appoint in writing the persons in charge of the processing and the data processors; (iv) implement certain minimum security measures to the protect the personal data; (v) notify the Italian Data Protection Authority (“DPA”) in case certain categories of processing are carried out (e.g. profiling) or certain categories of personal data are processed (e.g. genetic data); (vi) obtain the DPA’s authorization to the processing of sensitive data, unless the processing is already covered by one of the general authorizations issued by the DPA; (vii) file a prior checking request with the DPA if the processing is likely to present specific risks to data subjects’ fundamental rights and freedoms.

    On 25 May 2018, the EU General Data Protection Regulation (Regulation (EU) 2016/679 – the “GDPR”) will become applicable in all Member States, including Italy. The key changes that will be introduced by the GDPR include: (i) a wider territorial scope, given that also data controllers and data processors based outside of the EU will be required to comply with the GDPR, if their processing activities are related to the offering of goods or services to individuals in the EU or the monitoring of the behaviour of individuals in the EU; (ii) direct legal responsibilities for data processors; (iii) the obligation to appoint a data protection officer for data controllers and data processors with core activities involving either the regular, systematic and large scale monitoring of individuals or the large scale processing of ‘special categories of data’ and/or ‘personal data relating to criminal convictions and offences’; (iv) the obligation for data controllers to perform a privacy impact assessment where, taking into account the nature, scope, context and purposes of the processing, there is likely a high risk to the rights and freedoms of individuals; (v) the requirement for both data controllers and data processors to keep relatively detailed records of their processing activities (there is an exemption for enterprises or organisations that employ fewer than 250 persons unless the processing is high risk, not occasional, or includes ‘special categories of data’ and/or personal data relating to criminal convictions and offences); and (vi) a system of mandatory notification for data breaches (data controllers will be required to notify personal data breaches to supervisory Authorities without undue delay and, where feasible, no later than 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; in some cases, also data subjects must be notified of the breach).

  8. Are there restrictions on the transfer of personal data overseas?

    Under the Privacy Code, personal data can be transferred with no restrictions to (i) any European Economic Area (EEA) country; or (ii) any non-EEA country which has been recognized by the European Commission as a country ensuring an adequate level of protection; or (iii) any US data importer which is a Privacy Shield certified entity. Personal data cannot be transferred to other non-EEA countries unless: (i) the data exporter and the data importer belongs to a group of companies which has adopted the so called binding corporate rules; or (ii) the data exporter and the data importer have entered into the standard contractual clauses approved by the European Commission and the DPA; or (iii) the data exporter and the data importer have entered into a different data transfer agreement that has been specifically approved by the DPA. Furthermore, personal data can be transferred to other non-EEA countries, among other marginal cases, if a) the data subject has given his/her consent either expressly or, where the transfer concerns sensitive data, in writing; or b) the transfer is necessary for the performance of obligations resulting from a contract to which the data subject is a party; or (c) the transfer is necessary to establish or defend a legal claim. However, the exemptions mentioned in points a), b) and c) above shall apply only where transfers are neither recurrent, nor massive or structural.

    Under the GDPR, similar transfer restrictions will apply and the existing methods of ensuring an adequate level of protection will remain broadly unchanged. In addition to such methods, the GDPR will introduce the possibility of transfers being made where there is an approved code of conduct or certification mechanism, together with binding and enforceable commitments of the data controller or the data processor that is outside the EEA to apply appropriate safeguards.

  9. What is the maximum fine that can be applied for breach of data protection laws?

    The Privacy Code does not provide for a specific maximum fine. The fines that can be applied by the DPA depend on the number and type of the violations, as well as actual circumstances of the breach, such as the nature of the relevant personal data, the seriousness of the breach, the number of the affected data subjects and the economic status of the offender. The highest fine issued by the DPA to date is Euro 11 million.

    Under the GDPR, the level of fines will be significantly higher. Some infringements (for example of provisions relating to keeping records of processing) are subject to fines of up to €10,000,000, or for an ‘undertaking’, up to 2% of worldwide annual turnover in the previous financial year, whichever is higher. Others (such as breaches of the basic principles for processing/conditions for obtaining consent) are punishable by higher fines of up to €20,000,000, or for undertakings, up to 4% of worldwide annual turnover in the previous financial year, whichever is higher.

  10. Are there any restrictions applicable to cloud-based services?

    There are no laws in Italy specifically aimed at regulating cloud-computing services, although legislation targeting internet service providers and telecommunications providers may be applicable depending on the service offered. However, it is worth underlining that:

    1. (i)with Regulation n. 285 of 17 December 2013 the Bank of Italy has set forth certain requirements for banks which intend to be provided with cloud computing services. According to such regulation (which is binding for Italian banks), should a bank resort to cloud computing services, the relevant cloud computing agreement shall, inter alia, provide for the supplier’s obligation to (i) inform the bank of the data centres locations;

      (ii) isolate and separate the bank’s data from other suppliers’ customers’ data;

      (iii) guarantee that the service levels will be met also in case of emergency or in case of dispute among the supplier’s customers for the use of the supplier’s resources; (iv) ensure that any access or modification to the data is duly tracked, also for supervisory purposes; (v) grant the bank a right of audit, which shall be appropriate in consideration of the criticality of the outsourced activities and the architecture of the supplier’s services; and

    2. the Italian Digital Agency (“Agid”, formerly “DigitPA”) has published some recommendations and proposals on cloud computing in the public sector, which however are not binding.
  11. Are there specific requirements for the validity of an electronic signature?

    Yes, there are. A simple electronic signature is not automatically equivalent to hand-written signature, as the probative value of a digital document signed using a simple electronic signature – as well as its aptitude to meet the written form requirement - can be freely evaluated by the judge in the context of a trial, taking into account its objective characteristics of quality, security, integrity and non-modifiability. On the contrary, the “advanced electronic signature”, the “qualified electronic signature” and the “digital signature”, which must fulfil stricter requirements imposes by the law, have the same legal value as a hand-written signature. Furthermore, in cases where the law provides for the requirement that a contract shall be entered into in writing, using an advanced electronic signature (except for a few cases, concerning contracts regarding real estate) or an electronic qualified signature or a digital signature to sign a document meets such requirement. Both the advanced electronic signature and the digital signature shall comply with specific technical requirements. Furthermore, the advanced electronic signature can be used only for contractual relationships between the issuer of the signature tool and the signatory, provided that specific conditions provided for by the law have been complied with by the issuer of the signature tool (e.g. the issuer of the signature tool shall obtain an insurance cover for possible damages caused to the signatories or third parties).

  12. In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?

    The automatic transfer of employees and third-party contracts, without the need to obtain the prior consent of the relevant employee / contractual party, can occur only in the context of a transfer of a business or a business unit as a going-concern. If a court deems that the transferred assets did not form a going-concern, it may declare the transfer void. In such case, the transfer of the contracts will be deemed ineffective end the employees concerned will have the right to be reinstated by the customer. Thus, in the context of an outsourcing deal in Italy, it is extremely important to assess whether the assets which need to be transferred from the client to the supplier form a business or a business unit as a going-concern. If this is not the case, the individual consent of each transferred employee and contractual party of the contracts being transferred will need to be obtained.

  13. If a software program which purports to be an early form of A.I. malfunctions, who is liable?

    In Italy, there is not yet a specific piece of legislation dealing with issues relating to A.I. liability. Based on the general principles of Italian tort and contractual law, depending on the specific circumstances of the case, if the malfunction causes damages to a third party, there could be liability of both the provider of the A.I. solution and the person using the A.I. solution when it caused the damage.

  14. What key laws exist in terms of obligations as to the maintenance of cybersecurity?

    There are several laws and regulations applicable in Italy which impose the adoption of policies and technologies aimed at maintaining the cybersecurity. The Privacy Code requires any data controller to implement certain minimum-security measures to protect the personal data, with higher standards imposed to companies controlling more critical types of data (for example sensitive data or genetic data) or providing certain type of services (i.e. electronic communications services providers). Moreover, additional specific obligations to protect the security of data are imposed by regulatory authorities (such as Banca d’Italia, Consob and IVASS) to companies operating in specific sectors, like banks, financial services providers and insurance companies.

    It is worth also underlining that the Italian government has recently approved a new national plan for computer security (published on the Italian Official Journal of 31 May 2017), based on the Decree of the President of the Ministers’ Council of 17 February 2017 (hereafter the “Decree”). The plan and the Decree allocate the responsibilities within the Italian public administration regarding cyber protection and national computer security, and set forth the guidelines to be followed to achieve the national security in this respect. The Decree contains also certain obligations applicable to a number of private operators (including providers of electronic communications networks and services, suppliers of digital services, providers managing critical infrastructures) to notify any material security breach and adopt best practices to maintain cyber security.

    Finally, on 6 July 2016 the European Parliament has approved the Directive on security of network and information systems (the NIS Directive), which contains significant provisions relating to cybersecurity. Member States, including Italy have 21 months as from August 2016 to transpose the Directive into their national laws.

  15. What key laws exist in terms of the criminality of hacking/DDOS attacks?

    Pursuant to Section 615-ter of the Italian Criminal Code (Royal Decree no. 1398 of 19 October 1930), whoever accesses an IT or telematic system protected through security measures without authorisation, or continues to have access against the express or tacit will of the person having the right to exclude him, is punished with imprisonment for up to 3 years. If certain serious material circumstances detailed in Section 615-ter arise, the imprisonment can be up to 5 years, or if the breach relates to IT or telematic systems having military, national security, public order, healthcare or public interest relevance, the imprisonment can be up to 8 years.

  16. What technology development will create the most legal change in the jurisdiction?

    We believe the Fintech technologies, which are revolutionising the banking and financial services industry, as well as Internet of things and artificial intelligence solutions, are the technology developments which in the coming years will create the most legal changes in Italy.

  17. Which current legal provision/regime creates the greatest impediment to economic development/ commerce?

    In certain areas, like for example banking and finance, transport, tourism, there are still laws and regulations which do not yet take into due account the latest technology developments and the needs arising out of the new sharing economy, causing impediments to the success of innovative ideas in these areas.

  18. Do you believe the legal system specifically encourages or hinders digital services?

    In the technology field, legislation can never be entirely up to speed with the latest innovations and technology developments. It is important that the system is able to adapt quickly, both in terms of new legislation being passed by the Parliament and technology friendly law interpretation by the judges, and this does not always happen in Italy. Notwithstanding the above, in our opinion the greatest impediment to economic development in the technology area in Italy does not arise from the legal regime, but is caused by the high level of taxation in our country, which prevents many investments from happening. However, in this regard it must be pointed out that recently the government has approved substantial tax benefits for investments in R&D and these may have an impact on future investments on new technologies too.

  19. To what extent is the legal system ready to deal with the legal issues associated with artificial intelligence?

    At the moment, in lack of a legislation specifically dealing with artificial intelligence issues, also in Italy - like in most other jurisdictions - there are some areas with lack of legal certainty. For example, we believe that more clarity would be needed in connection with issues like liability in case of damages caused by an AI solution and ownership of intellectual property rights in connection with works created by AI tools.