[Home] [Databases] [WorldLII] [Search] [Feedback] EPIC --- Privacy and Human Rights Report

EPIC --- Privacy and Human Rights Report 2006

Italian Republic

Constitutional Framework

The Italian Constitution, adopted in 1948, has several limited provisions relating to privacy.[3014] Article 14 states, "(1) Personal domicile is inviolable. (2) Inspection and search may not be carried out save in cases and in the manner laid down by law in conformity with guarantees prescribed for safeguarding personal freedom. (3) Special laws regulate verifications and inspections for reasons of public health and safety, or for economic and fiscal purposes." Article 15 states, "(1) The liberty and secrecy of correspondence and of every form of communication are inviolable. (2) Limitations upon them may only be enforced by decision, for which motives must be given, of the judicial authorities with the guarantees laid down by law."[3015]

Data Protection Framework

The Privacy Code[3016] relating to the protection of personal data was enacted by a Legislative Decree of June 30, 2003.[3017] The Code replaced the Data Protection Act (which was enacted on December 31, 1996, after 20 years of debate,[3018] to fully implement the European Union (EU) Data Protection Directive) and the various decrees enacted after 1996 to regulate data protection in specific sectors, such as security requirements,[3019] the processing of medical information,[3020] the processing of information for journalistic,[3021] scientific or research purposes,[3022] and personal data held by public bodies.[3023] The new Privacy Code (the Code) therefore covers all the requirements from previous data protection decrees, as well as from the EU Directive on Privacy and Electronic Communications (2002/58/EC) and some codes of conduct already approved by the Italian Data Protection Authority. The Code creates more protections for data subjects while simplifying the applicable rules. The Code is arranged in three sections with the first containing provisions dealing with the rules applicable to the processing of personal information in the public and private sector; the second dealing with "special requirements," which would apply in those specific sectors, such as debtors or the health sector; and the third concerning administrative and judicial issues.[3024] Violators of the Code may also face harsh administrative or criminal penalties. Although the Code has been in effect since January 1, 2004, individuals or organizations processing data had until June 30, 2004, to implement the required measures in order to comply with the new standards.

Supervisory Authority

The Italian Data Protection Code is enforced by the Supervisory Authority for Personal Data Protection (Garante per la Protezione dei Dati Personali, or Garante).[3025] The Garante maintains a register of databases, conducts audits and enforces the laws. The Garante can also audit databanks not under its jurisdiction, such as those relating to intelligence activities. The Decree on the Internal Organization of the Garante[3026] establishes the procedures for keeping the Register of Data Processes and regulates access to the register by citizens, or for investigations, registrations and inspections.

The Garante is responsible for carrying out many activities. Enforcement actions the Garante carries out are mainly based on the reaction to complaints lodged by data subjects for failure to exercise their rights (access, rectification, deletion) and on inspection or audit activities that are carried out either ex officio (based on an annual action plan identifying specific sectors and/or processing operations) or following complaints and reports. In 2005, the Garante issued guidelines on privacy issues related to RFID tags, loyalty cards, digital TV (e.g., pay-per-view) and video-telephoning.[3027] In 2006, the Garante released guidelines on the collection of personal information of employees in the workplace.[3028]

Significant enforcement activities were carried out in the biometrics sector. The Garante stopped two initiatives by public bodies considering the use of fingerprint-based systems. In one case, the data controller required low-income university students and/or scholarship recipients to submit their fingerprints if they wanted to receive discounted access to restaurants and shops. In another, a local municipality required their employees to be fingerprinted to check their attendance at the workplace. The Italian DPA argued that use of biometrics-based mechanisms was disproportionate compared with the purposes to be achieved, and that specific privacy safeguards (such as enhanced security measures) were necessary given the highly sensitive nature of biometric information.[3029]

A decision adopted by the Garante in April 2004 referred to the basic principles on video surveillance and described the general requirements to be fulfilled by any video surveillance system. Guidance was also provided in respect of specific data processing operations concerning the use of video surveillance in schools, hospitals, on board transportation means, and at the workplace. The Garante reserved the right to take ad hoc measures in particular situations on a case-by-case basis. It was determined that the basic criteria should be the respect for citizens' fundamental rights and freedoms and personal dignity, with particular regard to privacy, identity and personal data protection.[3030] Accordingly, the Garante stated that individuals may not be deprived of the right to move without interferences that are incompatible with a free democratic society,[3031] such as those resulting from invasive and oppressive data acquisitions in respect of an individual's whereabouts and movements. The Garante also drew inspiration from the guidelines issued by several international and Community fora such as, in particular, the Council of Europe's guidelines on video surveillance of 2003[3032] and the documents drafted by the European data protection authorities within the framework of the Article 29 Working Party.[3033]

The Garante carries out several different functions with regards to data protection. For example, in 2001, the Garante issued a Code of Conduct and Ethics Regarding the Processing of Personal Data for Historical Purposes, including guidelines on the protection of personal data in election activities such as campaign literature and elections.[3034] In 2003, the Garante launched a public information television campaign to inform the public of their rights with regards to the collection of personal data.[3035] In the same year, the Garante began work on a do-not-call scheme to deter unwanted marketing calls.[3036] In addition, nearly every year the Garante hosts a conference in Rome. Topics have ranged from human genetics to the future of privacy.[3037]

Wiretapping and Surveillance Rules

Wiretapping is regulated by Articles 266-271 of the Penal Procedure Code and may only be authorized in the case of legal proceedings.[3038] Government interceptions of telephone and all other forms of communications must be approved by a court order. The law on computer crime includes penalties on interception of electronic communications.[3039] Interception orders are granted for 15 days at a time and can be extended for the same length of time by a judge. The judge also monitors procedures for storing recordings and transcripts. Any recordings or transcripts that are not used must be destroyed. The conversations of religious ministers, lawyers, doctors or others subject to professional confidentiality rules can not be intercepted. There are more lenient procedures for anti-Mafia cases.

In August 2007, an Italian judge ruled that to plant bugging devices in a car was "not a criminal offence" because the provisions forbidding bugging apply only to homes. The ruling arose in Brescia, northern Italy, where a private detective agency specializing in infidelity cases offered to plant hidden microphones and satellite tracking devices in the cars of suspected spouses, at a cost of up to 1,500 EUR. The judge suggested that parliament should take another look at Italy’s privacy laws.[3040]

In October 2001, the Italian Parliament passed a decree[3041] in which the offense of criminal association for purposes of terrorism was re-defined; however, the blanket surveillance of communications by law enforcement bodies was expressly ruled out. Telephone tapping and electronic surveillance were facilitated but only with authorization and under the supervision of judicial authorities, and, only with regard to very serious offences. Additional safeguards apply to the use of investigational findings and the prohibition to disclose such findings.[3042]

On June 21, 2005, the Italian collective and Internet service provider (ISP) Austistici/Inventati discovered a major police backdoor in their server, which hosts a large number of web sites, mailboxes, mailing lists and Internet services for NGOs, grassroots activists and public interest associations. The Italian Polizia Postale (Postal Police) installed the backdoor the year before after the Procura di Bologna (Office of the Public Prosecutor of Bologna) ordered a seizure during an investigation of the anarchist collective Crocenera. The police gained access to the private SSL certificate stored on the server and installed several tools to monitor, intercept and decrypt all the traffic going through the server – that is, traffic that was not directly relevant to the investigations. This included the communications of more than 30,000 subscribers of the ISP, whose basic rights to privacy and presumption of innocence, as granted under the Italian constitution, have been violated.

In 2005 and 2006, the new internal security team of Telecom Italia, which reports directly to the CEO of the company, collected thousand of files regarding politicians, reporters, influential people in the financial sector, stars and soccer players; this was done using both the internal wiretapping capabilities of Telecom Italy (which owns most of the physical phone and communication network in Italy) as well as covert (and illegal) decoding activities by the members of Telecom Italia security team. This activity resulted in over 20 charges of having used the information above to get unfair advantages against competitors and to blackmail individuals for politic and/or economic gain.

The Garante issued a decision requiring Telecom Italia to “implement IT solutions that are suitable for ensuring supervision over the activities carried out by any and all persons in charge of any kind of processing with regard to the individual items of information included in the databases in use, regardless of the individual person’s capacity, tasks and scope of activity as authorized in respect of the data at issue,” and fined the Telecom 500 EUR, to be paid to a complainant.[3043]

In July 2005, the Italian government passed Act no.155/2005 as “urgent measures to enhance the prevention of and fight against international terrorism.” The Act greatly expands law enforcement powers in anti-terrorism investigations. In 2007, the UN High Commissioner for Human Rights Subcommittee on Torture issued Recommendations concerning Italian legislation. In the report, the Committee voiced concern that fundamental legal safeguards for persons detained by the police, including the rights of access to a lawyer, are not being observed in all situations under Act. No. 155/2005 (the “Pisanu Decree”). The Committee was concerned that the Act includes a provision that extends the permissible period of deprivation of liberty by the police for identification purposes from 12 to 24 hours. Furthermore, an accused person may be held in detention for five days under a reasoned decree adopted by an investigating judge before being allowed to contact an attorney. The Committee recommended immediate amendments to the Act.[3044]

On July 21, 2007, Italian law enforcement made three arrests under Act. No.155/2005. If the cases go to trial, these would be the first to be tried under the new law. The law empowers police to arrest individuals without any evidence of involvement with terrorist groups or in the planning of terrorist attacks. And after two years of surveillance, police still lack concrete evidence against the trio. Under the new measures, training others to commit an attack and the possession of dangerous materials is enough for conviction.[3045]

Italy also has several laws relating to workplace surveillance,[3046] statistical information, electronic files, and digital signatures.[3047] For example, the Workers Charter prohibits employers from investigating the political, religious or trade union opinions of their workers, and in general, on any matter that is irrelevant for the purposes of assessing their professional skills and aptitudes.[3048] The 1993 computer crime law prohibits unlawfully using a computer system and intercepting computer communications.[3049]

A decree-law issued in March 2004 increased the responsibilities of Internet service providers (ISPs) and now makes them report who among their users engages in peer-to-peer file-sharing.[3050] At the end of May 2004, Italy passed one of the world's toughest laws against piracy and file-sharing.[3051] Penalties include a prison term of up to three years and fines that can exceed USD 300,000. The Culture Ministry said that the law was necessary to protect the intellectual property rights of artists in light of the growing popularity of peer-to-peer networks.

The compulsory limit for the data retention of telephone traffic was increased from 30 months to four years in February 2004 as a result of an Act (No. 45/2004)[3052] issued further to a decree proposed by the Italian government. The latter decree (No. 354/2003) had been approved by the government cabinet as a result of "the extraordinary need and urgency for the regulation of the modes of storage of traffic data relating to telephone and Internet communications, so as to prevent its loss in case its acquisition should prove necessary for the scope of the repression of particularly serious crimes."[3053] Also following the advice provided by the Italian Data Protection Authority, the Act passed in February 2004 applied the expanded retention period to telephone traffic data only. The relevant requirements will unfold in the following manner: during the first 24 months service providers must retain telephone traffic data in case it is required for the investigation of criminal offences, and, during the final 24 months, stricter access guidelines will be attached whereby it can be requested for more serious crimes only, including terrorism.[3054] Application of the provisions concerning erasure of telephone and Internet traffic data was suspended until December 2007. Retention obligations for Internet traffic data were set at 12 months (6 months for all purposes, and an additional 6 months for purposes related to terrorism and serious crime).[3055]

Throughout 2003, Italy enacted several laws that contain provisions that effectively compromise the privacy rights of its citizens. For example, Act No. 140 from June 20, 2003,[3056] contains provisions on interceptions and acquisitions of reports concerning conversations and/or communications of MPs as intercepted within the framework of judicial proceedings concerning third parties. This Act provides, in particular, for the need to destroy reports and recordings concerning irrelevant interception activities.[3057] The latter provision is related to general data protection principles, in that its violation may also entail the impossibility of using the personal data being processed – as per Section 11 of the Data Protection Code.

Radio Frequency Identification

The Garante has paid considerable attention to the development of radio frequency identification (RFID) technology. An initial in-depth analysis of this issue was carried out by addressing the way in which the new technology might impact the conditions for the exercise of individuals' freedoms, as well as the issues that are bound to arise in a data protection perspective following implementation of the technology.[3058]

The Winston Smith Project,[3059] an Italian NGO, has responded with a legal proposal to control the use of RFID tags. First, the organization wants legal rules that oblige manufacturers to make RFID tags easily identifiable and removable. Second, the organization says the presence, type and position of RFID tags must be clearly advertised on the packaging of an article or the article itself. Third, the group requires permanent deactivation of RFID tags when buying the product or when usage of the tag has ended. Fourth, the group urges that all data collected by RFID readers be treated as personal data, to which all privacy principles apply. Fifth, the group says collection, storage and further processing should only happen within the boundaries of a strict and publicly known goal. In case of additional processing or conservation for a longer time, companies should notify the Data Protection Authority. Furthermore, the groups says these rules should not only apply to RFID-related data, but to all kinds of new electronic databases, such as GSM location data, web log files and data generated by wireless networks.[3060] The proposal was submitted to the government in 2006 and is currently “on hold” in the Justice Commission of the Italian Parliament.[3061]

The Italian Ministry of Foreign Affairs issued a Decree on electronic passports in December 2005. New passports will include an RFID proximity chip to store the image of the holder’s face and both forefinger prints. The Decree states that the biometric information stored on the chip will not be stored in a central database, but will be used only for authentication purposes.[3062]

Unsolicited Commercial E-mails ("Spam")

The newly approved Privacy Code of Italy considers the sending of unsolicited e-mails to be a very serious offence.[3063] If an individual is found guilty of sending spam and trying to profit from such e-mails, he could face up to three years in prison. Since many companies are losing a large amount of bandwidth as a result of dealing with spam, the Italian government has now made spam an act of theft. Italy is one of the first countries to implement legislation that actively deals with combating spam. Critics remain skeptical of Italy's law, because many of the sources of spam are from outside the country and therefore outside the Italian court's jurisdiction. Italy is currently one of the few European countries to be fully compliant with EU Directive 2002/58/EC, which prohibits the sending of unsolicited e-mail.[3064]

The sending of "spam," however, is an ever-recurring topic, not only as regards commercial messages, but also in connection with "political marketing." In 2004, the Garante issued two provisions. The Garante took part in meetings in which fixed and mobile telephony operators, consumer associations, and ISP associations participated. These meetings were focused on the drafting of a self-regulatory code.[3065]

In July 2007, Italian law enforcement made 26 arrests from two separate groups of phishing fraudsters, in the culmination of an operation, dubbed 'Phish and Chip', aimed at tracking down phishers defrauding banking clients of the national postal service Poste Italiane. The gangs are accused of sending out emails claiming to represent the Poste Italiane, and directing victims to faked websites to gather banking details, which were then used to strip accounts of funds. They are thought to have used casinos to enable larger withdrawals than offered by ATM cash machines. No details of the scale of the phishing activity have yet emerged. A judge involved in the case has called for improvements to the laws governing such fraud, including a specific crime of phishing, describing current legislation covering some of the crimes involved as 'weak'.[3066]

Medical Privacy

Legislative Decree No. 269 of September 30, 2003,[3067] converted with amendments into Act No. 326 of November 24, 2003,[3068] sets out the requirements to monitor health care expenditure. During the process leading to the conversion of the legislative decree, the Garante drew Parliament's attention to the sensitive issues raised by Section 50 in the decree, providing, inter alia, for the establishment of a database containing the fiscal identification codes of all health care beneficiaries in order to monitor health care expenditure. The Garante pointed out that the purpose the decree sought was undoubtedly in line with streamlining supervision over the state's expenditure; however, the tools envisaged to that end might jeopardize citizens' rights to the protection of their personal data – in particular the data concerning health, which are covered by special safeguards.[3069]

On January 1, 2005, the Italian Electronic Health card was launched. Together with e-prescriptions, the e-Health card is a key element of the Italian national e-Health Program, which aims at controlling public health expenses while improving communication between health professionals and delivering better services to patients. The card, which contains a magnetic stripe but no chip, also features the European e-health insurance card information on the back. They are used in conjunction with the National Healthcare Expenditure Monitoring System, commonly referred to as the "TS System." Designed to monitor and manage each phase of the public health expenditure cycle, from drug prescription to service delivery, the system will allow Italian authorities to enhance controls on the healthcare benefits of each citizen. The TS System is coordinated by the Italian Revenue Agency and implemented by Sogei[3070] in those regions where e-health cards are being issued. Distribution of the cards has already started in the Regions of Abruzzi, Umbria, Emilia Romagna, Veneto and Lazio. The government will progressively introduce the e-health card in other regions, with the objective of issuing 15 million cards by April 2005.[3071]

The Garante has specified the conditions in which the right to privacy and the right of access to clinical records held by health care institutions could be balanced. This is an issue arising mostly in connection with the requests made by defense counsel carrying their own investigations in order to access records containing data relating to health and/or sex life. In particular, the so-called "equal importance" principle holds that the processing of personal data in order to enable access is only allowed if the right to be defended through the request for accessing administrative records is at least as important as the data subject's rights, or else consists in a personal right or another fundamental, inviolable right or freedom. In other words, the defendant's rights must be equal to, or outweigh, the other individual's fundamental right to privacy.

Major Privacy Case Law

In addition to legislative action, there have been a number of decisions on the judicial front that have dealt with the right to privacy. A decision by the Council of State (Consiglio di Stato) addressed the relationship between the right of access and the right to privacy, ruling that the laws in force do not provide general guidance on how to balance these two rights. The decision allows an administrative body holding sensitive data to assess each specific situation in order to determine whether access is necessary or not to establish or defend a claim that is at least equal to the data subject's claim to privacy.[3072] In another decision concerning this issue, the Council of State ruled that the right of access, albeit in its "softened" version, i.e., as the right to inspect records, should override the right to privacy if knowledge of the information is required to exercise the right of defence with regard to circumstances amounting to a criminal offence.[3073] Furthermore, in two decisions issued in 2003, the Court of Cassation (Corte di cassazione), which is the highest court in Italy, ruled that non-pecuniary damage should be construed as a wide-ranging category including all cases in which there is violation of a value pertaining to human beings. Among the cases the Court considered to entitle to protection against the damage caused by the violation of individual-related interests devoid of pecuniary value, the use of unlawful means in collecting personal data was expressly mentioned.[3074]

The Garante considered the use and appropriateness of biometrics in relation to a project called S-Travel, which considered initial tests at the Athens and Milan Malpensa airports. Biometric authentication technologies, using fingerprints and/or iris scans, with particular regard to check-in and boarding operations, were the main issue. The Garante stated that it was necessary to comply with data minimization and proportionality principles, as well as with data relevance and non-excessiveness requirements. In the case at issue, the technologies to be implemented were only partly suitable for achieving enhanced security of airport controls. Furthermore, the collection of biometric data related to both fingerprints and iris scans of both eyes was found to be excessive and disproportionate compared with the purposes of the processing. The S-Travel pilot projects have now concluded in Milan, but further implementation of the system is being considered.

On March 31, 2005, the Law No. 43/2005 was adopted. The Law, which takes into account an Opinion on e-cards adopted by the Garante, consolidates various regulations regarding electronic ID cards, and indicates which data must be included on the card, which information may be included, and which information cannot be included. DNA information can never be included on the card, even with the cardholder’s consent. However, at the cardholder’s express request, biometric data, blood group data, and organ donation information may be included. The move from paper cards to electronic cards is voluntary, and there will be no obligation to obtain an electronic card. The Law also includes security standards and encryption standards for storage of biometric data in the card’s chip.[3075]

NGO Advocacy Work

Italy's Big Brother Awards (organized by Privacy International and the Winston Smith Project, in association with 14 other organizations) announced the 2006 winners. The Trusted Computing Group won two awards "thanks" to the privacy implications associated with DRM technologies used to enforce intellectual property rights. Telecom Italian won the "People's Lament" Award again, as well as the "Worst Private Firm" award. This "success" was due to the worst mass privacy violation involving computerized systems that has ever occurred in Italy.[3076]

International Obligations

Italy is a member of several organizations that influence the country's treatment of privacy and personal data. Most notably, Italy is part of the Council of Europe (CoE). Italy signed and ratified the CoE's Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data.[3077] In addition, Italy ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms[3078] and signed the CoE's Convention for Cyber-crime, but has not yet ratified it.[3079] Italy is a member of the Organization for Economic Cooperation and Development (OECD) and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

[3014] Constitution of the Italian Republic (Costituzione della Repubblica Italiana), available at <http://www.notarlex.it/codici.jsp> (in Italian).
[3015] Id. at Article 15.

[3016] No. 196, available at <http://www.garanteprivacy.it/garante/document?ID=727068> (in Italian and English).
[3017] "Italy Enacts a New Privacy Code," BNA World Data Protection Report Vol. 3, Issue 9, September 2003, at 19.
[3018] Legge No. 675 (December 31, 1996), amended by Decreto Legislativo No. 123 (May 9, 1997) and Decreto Legislativo No. 255 (July 28, 1997), available at <http://www.privacy.it/dl1997123.html>; Legge No. 676 (December 31, 1996), Delega al Governo in materia di tutela delle persone e di altri soggetti rispetto al trattamento dei dati personali.

[3019] Decree of the President of the Republic (Decreto del Presidente della Repubblica) No. 318 (July 28, 1999), available at <http://www.garanteprivacy.it/garante/navig/jsp/index.jsp?folderpath=Normativa%2FItaliana%2FLeggi+e+decreti+legislativi>.

[3020] Legislative Decree (Decreto Legislativo) No. 282 (July 28, 1999), available at <http://www.garanteprivacy.it/garante/navig/jsp/index.jsp?folderpath=Normativa%2FItaliana%2FLeggi+e+decreti+legislativi>.
[3021] Legislative Decree (Decreto Legislativo) No. 171.(May 13, 1998), available at <http://www.garanteprivacy.it/garante/navig/jsp/index.jsp?folderpath=Normativa%2FItaliana%2FLeggi+e+decreti+legislativi>.
[3022] Legislative Decree (Decreto Legislativo) No. 281 (July 30, 1999), available at <http://www.garanteprivacy.it/garante/navig/jsp/index.jsp?folderpath=Normativa%2FItaliana%2FLeggi+e+decreti+legislativi>.
[3023] Legislative Decree (Decreto Legislativo) No. 135 (May 11, 1999), available at <http://www.garanteprivacy.it/garante/navig/jsp/index.jsp?folderpath=Normativa%2FItaliana%2FLeggi+e+decreti+legislativi>.
[3024] Id.

[3025] "Garante Per La Protezione Dei Dati Personali," available at <http://www.garanteprivacy.it/garante/navig/jsp/index.jsp>.
[3026] Decreto del Presidente della Repubblica No. 501 (March 31, 1998), reprinted in Gazzetta Ufficiale No. 25 (February 1, 1999), available at <http://193.207.119.193/MV/gazzette_ufficiali/25/2.htm>; the decree was subsequently partly repealed by the Data Protection Code.

[3027] Italian Data Protection Authority, Consultation on RFID, available at <http://www.garanteprivacy.it/garante/doc.jsp?ID=1078227>.
[3028] <www.garanteprivacy.it/garante/doc.jsp?ID=1368292>.

[3029] "Recent Examples of Enforcement Actions Carried Out by Data Protection Authorities," Article 29-Data Protection Working Party, (Article 29 WP Report) January 2005, available at <http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2004/wp101a_en.pdf>.

[3030] See § 2(1) of the Data Protection Code.
[3031] See Article 8 of the European Human Rights Convention as ratified in Italy by Legge No. 848/1955.
[3032] Council of Europe, European Committee on Legal Co-operation (CDCJ), Report Containing Guiding Principles for the Protection of Individuals with regard to the Collection and Processing of Data by Means of Video Surveillance, May 20-23, 2003.
[3033] Article 29 Data Protection Working Party, Opinion 4/2004 (WP 89) on the Processing of Personal Data by means of Video Surveillance, February 11, 2004, available at <http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2004/wp89_en.pdf>; Article 29 Data Protection Working Party, Working Document on the Processing of Personal Data by means of Video Surveillance (WP 67), November 25, 2002, available at <http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2002/wp55_en.pdf>.

[3034] Italian Data Protection Commission, "Personal Data and Elections-Instructions for Use," March 7, 2001.
[3035] "Non e' una firmetta!," Newsletter of the Garante per la Protezione dei Dati Personali, No. 163 (March 17-23, 2003), available at <http://www.garanteprivacy.it/garante/doc.jsp?ID=66974>.

[3036] "Nuovi elenchi telefonici: chiarezza nelle informazioni agli abbonati," Newsletter of the Garante per la Protezione dei Dati Personali, No. 163 (February 24-March 2, 2003), available at <http://www.garanteprivacy.it/garante/doc.jsp?ID=34804>.

[3037] See generally, Garante per la Protezione dei Dati Personali, supra.

[3038] Decreto del Presidente della Repubblica No. 447, Approvazione del Codice Procedura Penale (September 22, 1988).
[3039] Legge No. 547 (December 23, 1993).

[3040] Richard Owen, “Adulterers beware of the love bug as spying spouses get their way,” Independent.ie News, August 3, 2007 <http://www.independent.ie/world-news/europe/adulterers-beware-of-the-love-bug-as-spying-spouses-get-their-way-1050269.html>.

[3041] Decree No. 374/2001, converted into Act No. 438/2001.
[3042] On January 7, 2003, Giuseppe Pisanu, the Italian Interior Minister, went before parliament to address terrorism concerns. His testimony was supplemented by a "report in which he warned of a growing climate of 'widespread political illegality' which must be monitored and combated," "Italy: Interior Minister Link Terrorism and Activists," Statewatch News Online, February 2003, available at <http://www.statewatch.org/news/2003/feb/02italy.htm>.

[3043] Garante, Need for Enhanced Security Measures in Processing Telephone Traffic Data Decision of June 1, 2006, available at <http://ec.europa.eu/justice_home/fsj/privacy/docs/policy_papers/italy/telecom_security_jun06.pdf>.

[3044] UN Committee Against Torture, Consideration Of Reports Submitted By States Parties
Under Article 19 Of The Convention, May 18, 2007, available at <http://www.ohchr.org/english/bodies/cat/docs/AdvanceVersions/CAT.C.ITA.CO.4.doc>.

[3045] “Italy arrests terror suspects,” ISN ETH Zurich, July 27, 2007, available at <http://www.isn.ethz.ch/news/sw/details.cfm?ID=17918>.

[3046] Legge No. 93 (March 29, 1983).
[3047] Decreto del Presidente della Repubblica No. 513 (November 10, 1997), available at <http://www.privacy.it/dpcm19990208.html>.
[3048] Legge No. 300, § 8 (May 20, 1970).
[3049] Legge No. 547 (December 23, 1993).

[3050] Decreto Legislativo No. 72 (March 22, 2004), enforcing urgent actions to fight the illicit diffusion of audio-visual works, and to sustain movie and entertainment activities.
[3051] Aidan Lewis, "Italy Passes Tough Internet Piracy Law," USA Today, May 28, 2004, available at <http://www.usatoday.com/tech/news/techpolicy/2004-05-28-italy-piracy-law_x.htm?POE=TECISVA>.

[3052] Legge No. 45 (February 26, 2004), available at <http://www.garanteprivacy.it/garante/navig/jsp/index.jsp?folderpath=Normativa%2FItaliana%2FLeggi+e+decreti+legislativi> (in Italian).
[3053] "Italy to Retain Communications Data for Five Years," Statewatch, available at <http://www.statewatch.org/news/2004/jan/03italy-dataretention.htm>.
[3054] See Section 132 of the Data Protection Code.
[3055] Ninth Annual Report of the Article 29 Working Party on Data Protection, supra.

[3056] Legge No. 140 (June 20, 2003).
[3057] Id. at § 6.

[3058] Italian DPA's Report, supra.

[3059] Homepage <http://www.winstonsmith.info/index.html>.

[3060] "Answer to RFID consultation Italian Privacy Authority," EDRi-gram newsletter Number 3.1, January 12, 2005, available at <http://www.edri.org/edrigram/number3.1/>.

[3061] Law proposal n.1728 of 28th September 2006 "Norme in materia di raccolta, uso, conservazione e cancellazione di dati georeferenziati o cronoreferenziati, contenenti identificatori univoci di utente, effettuata mediante apparecchiature automatiche" (Norms regarding collection, usage, storage and deletion of georeferenced or chronoreferenced data containing Unique User
Identifier obtained through automatic data collection). See <http://www.camera.it/_dati/lavori/schedela/trovaschedacamera_wai.asp?pdl=1728&ns=2>.

[3062] Ninth Annual Report of the Article 29 Working Party on Data Protection, supra.

[3063] Will Sturgeon, "Italy Plans to Jail Spammers," Silicon.com, September 5, 2003, available at <http://www.silicon.com/research/specialreports/thespamreport/0,39025001,10005895,00.htm>.

[3064] "EU Directive on Privacy and Electronic Communications enters into force," Interchange of Data between Administrations, November 3, 2003, available at <http://europa.eu.int/ISPO/ida/jsps/index.jsp?fuseAction=showDocument&parent=whatsnew&documentID=1722>.

[3065] Italian DPA's Report supra.

[3066] “26 phishing arrests in Italy,” Virus Bulletin, July 17, 2007 <http://www.virusbtn.com/news/spam_news/2007/07_16.xml>.

[3067] Decreto Legislativo No. 269 (September 30, 2003).
[3068] Legge No. 326 (November 24, 2003).
[3069] Indeed, it would arguably always be possible to trace each data subject's medical history based on the information concerning prescriptions and specialists' advice. The Garante pointed out that the legislation in force already sets forth procedures to monitor health care expenditure without setting up centralised databases, and stressed that the need to increase the effectiveness of such procedures should not result in limiting the right to personal data protection. According to the Garante, in order to comply with personal data protection legislation, the monitoring system would have to prohibit the processing of identification data, and the setting up of a centralized database, if any, should be based exclusively on the use of anonymized data. E-Mail from Antonio Caselli, supra.

[3070] Homepage <http://www.sogei.it/>.
[3071] See "Italy eServices for Citizens," eGovernment News, January 12, 2005.

[3072] Cons. Stato. 4002/2003 Foro It. V. Stato.
[3073] Cons. Stato. 9276/2003 Foro It. V. Stato.
[3074] Cass. 8827/2003, 8828/2003.

[3075] Ninth Annual Report of the Article 29 Working Party on Data Protection, June 2006, available at <http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2006/9th_annual_report_en.pdf>.

[3076] <http://bba.winstonsmith.info/index.html>.

[3077] European Treaties Series ("ETS") Nos. 108, 181 (enacted July 1, 1997).
[3078] ETS No. 5 (ratified on October 26, 1955).
[3079] ETS No. 185 (signed on November 23, 2001).