This country-specific Q&A provides an overview of the technology, media and telecom laws and regulations that may apply in Italy.
This Q&A is part of the global guide to TMT. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/practice-areas/tmt-3rd-edition/
What is the regulatory regime for technology?
Communication networks and services are regulated by Legislative Decree 259/2003, the so-called Electronic Communications Code (the “ECC”). The ECC liberalised and harmonised, also from a regulatory perspective, the provision of electronic communication services and networks, as well as the convergence of all transmission networks and related services within a single regulatory framework.
Are communications networks or services regulated?
If so, what activities are covered and what licences or authorisations are required?
The ECC is aimed at regulating: (i) electronic communications networks and services for public use, including networks used for the circular broadcasting of sound and television programs and cable television networks; (ii) electronic communications activities for private use; (iii) protection of submarine electronic communications installations; and (iv) radio-electric services.
According to Section 25 ECC, the provision of the said services is subject to a general authorisation.
The applicant must submit to the Ministry of Economic Development a declaration, compliant with a standard form attached to the ECC, for the offer to the public of the electronic communication service concerned, together with certain technical information related to the same service. The provision of such service can start immediately after the filing of the said declaration; the Ministry then has 60 days to verify the existence of the legal and technical requirements applicable to the relevant service and to prohibit the continuation of the same service.
General authorisations have a maximum duration of 20 years and are renewable.
Is there any specific regulator for the provision of communications-related services?
The authorities competent for the provision of electronic communication services are:
- Autorità per le Garanzie nelle Comunicazioni or AGCOM, and
- Ministero per lo Sviluppo Economico or MiSE.
Are they independent of the government control?
AGCOM is an independent authority entrusted with the task of both ensuring fair competition from market operators and protecting the pluralism and fundamental freedoms of citizens in the telecommunications, publishing, mass media and postal industries. AGCOM is accountable to the Parliament, which establishes its powers, has defined its statute and elects its members.
Are platform providers (social media, content sharing, information search engines) regulated?
No specific regulation exists regarding “platform providers”.
However, several provisions of law apply to platform providers, such as:
- Legislative Decree no. 70 of 9 April 2003, implementing EC Directive no. 31/2000 on information society services, including electronic commerce;
- Legislative Decree 6 September 2005 n. 206 (Italian Consumer Code);
- Regulation (EU) no. 2016/679 (GDPR) and Italian Legislative Decree no. 101/2018.
If so, does the reach of the regulator extend outside your jurisdiction?
As a general principle, the competence of the Italian regulator is limited to Italian jurisdiction, provided that it will also cover, under certain conditions, services provided by operators domiciled abroad but addressed to Italian clients.
Does a telecoms operator need to be domiciled in the country?
As a general principle – and from a purely regulatory point of view – no, although certain restrictions may be provided for operators domiciled outside the European Union.
According to Section 25 of the ECC, operators domiciled outside the European Union can freely provide services in Italy (subject to the authorisation regime described under 1.2 above), subject only to (1) limitations justified by reasons of State defence, security and public health, environmental and civil protection; and (2) the condition that the country of origin of the operator concerned applies full reciprocity to Italian operators providing the same services in such foreign country.
Are there any restrictions on foreign ownership of telecoms operators?
No, save for the limitation already provided under query 2 above.
Are there any regulations covering interconnection between operators?
Interconnection is regulated by Chapter III of the ECC (headed “access and interconnection”). Sections 40 et seq. of the ECC provide that operators may negotiate with each other agreements on the technical and commercial arrangements for access and interconnection. In addition, AGCOM ensures, through the adoption of specific measures, that there are no restrictions preventing undertakings from entering into interconnection and access agreements.
If so are these different for operators with market power?
Interconnection with operators having significant market power (i.e. those that, either individually or jointly with other operators, have the economic strength to behave – to an appreciable extent – independently from competitors, customers and consumers) is also regulated by Chapter III of the ECC.
According to article 45 of the ECC, where, as a result of the market analysis, an entity is designated as having significant market power on a specific market, the Authority shall impose, among others, the following obligations: (i) access and use of network resources/assets; (ii) transparency; (iii) non-discrimination; (iv) accounting separation.
The above obligations must be based on the nature of the issues under investigation, be proportionate and justified in the light of the following objectives: (a) promotion of an open and competitive market; (b) contribution to the development of the internal market; (c) promotion of the interests of European citizens.
What are the principal consumer protection regulations that apply specifically to telecoms services?
As far as consumer-related issues are concerned, reference should be made to the Italian Consumer Code as well as to specific provisions of the ECC and of AGCOM resolutions.
A cornerstone of consumer protection is contractual content and transparency of information, under Sections 70 and 71 of the ECC, which require users to be provided with clear, transparent, accessible, adequate and updated information.
What legal protections are offered in relation to the creators of computer software?
Software intellectual property may be protected:
- through copyright: pursuant to Law no. 633/1941, the source code and the object code can be given protection that lasts 70 years after the death of the author. This protection reserves to its owner not only the reproduction but also the use of the program itself, allowing the owner to exclude any use by others unless expressly authorised; it does not, however, protect the functionality of the software itself;
- through patent: it is possible, on the other hand, to protect one or more algorithms of the software that are considered innovative from a technical point of view, through a form of protection more intensive than that guaranteed by copyright; the patent in fact protects the invention in whatever form it is reproduced.
In addition to these forms of protection, if the software has already been published, the latter can be registered in the special public register for computer programs. This filing has a declaratory probative function of the existence of the work and its authorship at a certain date, transferring to third parties the burden of proving the contrary.
Do you recognise specific intellectual property rights in respect of data/databases?
Italian Legislative Decree no. 169/1999 added, among the works benefiting from copyright protection, “databases which, by the choice or arrangement of the material, constitute a creation of the author's own creativity”.
Italian legislation provides for a two-tier copyright protection.
The first type of protection is part of the traditional discipline of copyright and has as its objective the protection of (electronic and printed) archives understood as a set of data, works or other material that, owing to the particular type of assembly chosen, qualifies as an intellectual creation.
The second type of protection aims at safeguarding the patrimonial value of the investment made by the creator of the database, in such a way as to discourage any possible counterfeiting of the archive carried out through the extraction and reuse of the contents of the database. Said atypical nature can also be found in the duration of such protection. This protection is set at 15 years (from 1 January of the year following the completion of the archive) and is renewable in case of new and significant investments.
What key protections exist for personal data?
The key protections for personal data are set in Regulation (EU) no. 2016/679 (“GDPR”), in Legislative Decree no. 101/2018 (“Decree”) and in Legislative Decree no. 196/2003 (“Privacy Code”), as amended. Important rules are contained, in addition, within the decisions and measures issued by the Italian Data Protection Authority (“IDPA”).
Unlawful data processing may lead to an obligation to compensate damages caused to the data subject(s) affected and, even more importantly, data unlawfully processed cannot be used in Court or otherwise.
Under very specific circumstances, the infringement of data protection rules can lead to the application of criminal sanctions.
It should be noted that the Privacy Code contains a specific section on electronic communications services (Section X, Section 121 and following) that governs, among others, traffic data, data on the location of the subscriber or user, line identification, unsolicited communications sent via automated means, data retention and security requirements.
One of the crimes under the Privacy Code specifically refers to the unlawful processing of personal data in the telecommunications sector. The conduct referred to under Section 167, para. 1, of the Privacy Code - punished with imprisonment from six months to one year and six months - concerns the violation of the provisions protecting the data subject in electronic communication services: in particular, the provision sanctions the conduct of those who illegally process traffic data (Section 123) or location data (Section 126), as well as of those who send unsolicited communications (so-called spam) referred to in Section 130, or carry out processing activities in violation of the IDPA’s measures relating to the use of personal data relating to printed or electronic directories available to the public.
Are there restrictions on the transfer of personal data overseas?
The GDPR - under Section 44 and following - provides for specific restrictions on the transfer of personal data overseas, i.e. to a country outside the European Union or to an international organization.
Said transfer is generally allowed only if: (a) there is an adequacy decision issued by the European Commission, confirming that the relevant third country offers an adequate level of protection, (b) the controller or processor has provided appropriate safeguards for the transfer, and on the condition that data subject rights are enforceable and effective legal remedies for data subjects are available, (c) derogations for specific situations are applicable (such as, for example, the explicit consent of the data subject, the transfer is necessary for the performance of a contract or for the establishment, exercise or defense of legal claims).
Under certain conditions, the transfer of personal data outside the European Union in violation of said conditions could be punished as a crime, pursuant to Section 167 of the Privacy Code.
What is the maximum fine that can be applied for breach of data protection laws?
In accordance with Section 83, para. 5, of the GDPR, the maximum fine amounts to 20,000,000 euros, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Such fine is applicable with respect to the infringement of the provisions indicated under the same rule.
In addition, Section 166 of the Privacy Code specifies the provisions contained therein that, if violated, entail the application of the sanctions established under Section 83, para. 5, of the GDPR. Some rules under Section X of the Privacy Code, on electronic communications services, are included in said list.
For the sake of completeness, Section 166 of the Privacy Code also specifies the provisions contained therein that, if violated, entail the application of the sanctions established under Section 83, para. 4, of the GDPR, thus falling within the range of lower sanctions (10,000,000 euros, or up to 2% of the worldwide annual turnover, whichever is higher).
What additional protections have been implemented, over and above the GDPR requirements?
Section 2-decies of the Privacy Code provides that data unlawfully processed cannot be used. In addition, pursuant to Section 167 and following, the Privacy Code identifies a set of data protection crimes. Please refer to our reply under no. 10 for further details.
Are there any regulatory guidelines or legal restrictions applicable to cloud-based services?
Firstly, the IDPA, in 2012, issued specific guidelines on cloud computing, providing a set of recommendations for private and public entities in order to assess the related risks and verify the implementation of the relevant fulfilments. Specifically, the guidelines contain: a description of the main types of cloud systems, an overview of the regulatory framework on data protection (with a focus on the roles of data controller and data processor, the transfer of data outside the EU, the adoption of specific security measures and the exercise of data subjects’ rights), and an indication of the criteria for assessing the costs and benefits of adopting cloud technologies.
Secondly, useful tools for the proper management of data confidentiality and security in the cloud environment are represented by: (i) the ISO/IEC 27018:2019 standard and (ii) the recommendations issued by ENISA in the document “Cloud Computing. Benefits, risks and recommendations for information security”.
Specifically, the ISO/IEC 27018 standard provides precise instructions, guidelines and controls for the processing of personal data in the cloud through public networks (e.g. on the data subject’s consent, purposes of processing, data minimisation, restriction on use, storage and disclosure, transparency, accountability, etc.).
ENISA’s recommendations, in addition, include technical measures to mitigate the risk of unauthorised disclosure of data (e.g. defining the host and network controls, ensuring that adequate backup policies and procedures are in place, etc.).
Are there specific requirements for the validity of an electronic signature?
Yes. The electronic signature systems and their requirements are regulated under Legislative Decree no. 82/2005 (“Code for the Digital Administration”), and the technical rules attached thereto.
Such rules, consistently with Regulation (EU) no. 910/2014 (the “eIDAS Regulation”), identify different types of electronic signature, according to their technical features and related legal effects.
It is possible to identify:
i) the “simple” electronic signature, i.e. data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign; no technical requirement is established, and the judge will assess on a case-by-case basis the legal impact and the evidentiary effects of the signature;
ii) the advanced / qualified / digital electronic signatures, whose technical requirements ensure, in particular, a unique connection of the signature to the signatory and the integrity of the signed document. An electronic document signed with such systems fulfils the written form requirement and provides full proof, until an action of falsehood is granted.
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
Italian law provides for a special regime to apply in case of assignment of agreements, assets or employees where such assets and agreements are part of a line of business organised as a going concern (the “LOB”) and they are assigned in connection with a transfer of the same LOB.
As a general principle and unless agreed otherwise, the transfer of a LOB entails, as an automatic effect, the transfer of all contracts pertaining thereto, without the need of any prior consent of the Assigned Party.
In very broad terms, the rationale behind the above provision is to protect the interest of the assignee of the LOB to (i) keep the LOB duly organised as a going concern; (ii) preserve the integrity of all its assets (including any and all agreements required to operate the LOB) and, therefore (iii) maintain the value of the LOB, considered as a whole.
As a partial limitation to the said general principle, article 2558 provides that the transfer of a LOB will not automatically entail assignment to the transferee of the agreements included in the LOB (but rather the consent of the assigned party shall be required), should such agreements have been entered into on a ‘personal’ basis, that is to say that the obligations set forth under the agreement are of such a nature that can be duly performed only by the relevant contractual parties, it being otherwise understood that, should the agreement be assigned to any third parties, the due performance of the contractual obligations could be materially affected.
Accordingly, if an outsourcing of IT services entails the transfer of assets, agreements and employees organised as a LOB, they will automatically transfer to the outsourcing supplier as above.
The transfer of employees (as part of a LOB) requires a statutory consultation procedure with the trade unions to be carried out before the transfer, in case the transferor employs more than 15 employees.
If a software program which purports to be a form of A.I. malfunctions, who is liable?
Apart from the “White Paper on Artificial Intelligence at the service of citizens” issued by the Task Force on Artificial Intelligence of the Agency for Digital Italy (“AgID”) in March 2018, a specific Italian regulation on A.I. is still to be drafted. Therefore, the civil law principles on contractual and non-contractual liability are applicable.
Specifically, in case of software malfunctions, the following subjects could be theoretically liable:
i) the seller of the software, being the subject liable from the contractual standpoint to provide a product with a certain level of safety and cybersecurity and, generally, without defects;
ii) the manufacturer of the software, being the subject liable from an extra-contractual standpoint (if it does not act as seller of the software); in this context, the liability for damages for a defective product, as set out under Sections 114-117 of the Consumer Code, could be construed so as to encompass also goods such as software. If so, the same manufacturer might claim compensation for the damages suffered from the developer of the software who has been entrusted with such task.
What key laws exist in terms of: (a) obligations as to the maintenance of cybersecurity; (b) and the criminality of hacking/DDOS attacks?
a) obligations as to the maintenance of cybersecurity; and
Under Section 32 of the GDPR, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security adequate to the risk, taking into account the state of the art and relevant costs, and the characteristics of the data processing activities. This means that, pursuant to the accountability principle, each entity shall assess its own situation and adopt the security measures that it deems appropriate.
It should be noted that the previous version of the Privacy Code provided for a technical annex which included the minimum-security measures to be taken. Following the entry into force of the GDPR, those minimum measures are now obsolete and there is currently no list of what can be considered as minimum-security measures.
Cybersecurity measures are also dealt with by Directive (EU) no. 2016/1148 (“NIS Directive”), implemented by Italian Legislative Decree no. 65/2018. Said regulation is aimed at setting adequate measures in order to pursue a high level of security within network and information systems through, inter alia, a national cybersecurity strategy.
b) the criminality of hacking/DDOS attacks?
Hacking/DDOS attacks could be considered as criminal offences according to Italian criminal law, Decree no. 1398/1930 (“Criminal Code”).
The main computer crimes identified under the Criminal Code are the following:
- computer fraud, under Section 640-ter, which consists of altering the functioning of a computer system in order to obtain an unfair profit and damaging third parties;
- illegal access to a computer or telecommunications system, under Section 615-ter;
- the unauthorised possession and dissemination of access codes to computer and telematic systems, under Section 615-quater;
- the dissemination of equipment, devices or computer programs aimed at damaging or interrupting a computer or telecommunications system, under Section 615-quinquies.
What technology development will create the most legal change in your jurisdiction?
The large telecom players in Italy are aiming to speed up the roll-out and obtain cost synergies with respect to ultra-broadband as well as 5G networks, also by means of mergers of infrastructure providers and/or ad hoc agreements for joint roll-out. Whilst these plans have the potential to substantially speed up the roll-out process, on the other hand they will have to undergo the necessary approval processes.
Which current legal provision/regime creates the greatest impediment to economic development/ commerce?
In general, the wide fragmentation of the EU infrastructure market and the very large number of EU players in the telecom infrastructure sector, compared with those in the US or in China, seem to be a substantial weakness of the EU telecom environment, also in terms of ability to support future investments and R&D. Similarly, the absence of any major EU OTT compared with the US and China shows further weaknesses of the EU regulatory framework compared with such other leading jurisdictions.
Do you believe your legal system specifically encourages or hinders digital services?
We believe further efforts could certainly be made in our legal framework to further expand and encourage digital services in our country, though the same regulatory and legislative opening and support should certainly be made available, as stated above, in the traditional infrastructure sector.
To what extent is your legal system ready to deal with the legal issues associated with artificial intelligence?
Traditionally, the development of the legal system in new areas follows (and does not anticipate) new business needs. Hence, whilst a civil law system is by its own nature able to address some initial issues of new business developments, no doubt the full flourishing of AI applications will require ad hoc legislation.