BT Italia was formed after we acquired Albacom in 1995. We changed its name to BT Italia in 2006. Our head office is in Milan and we employ over 700 staff nationwide.
In Italy, we operate a 9,800-kilometre long haul fibre optic infrastructure which connects the domestic PoPs, nationwide spread, and GPoPs, running global MPLS. We also locally serve BT’s global multinational customers and some of the major Italian financial services firms, utilities, fashion, retail and manufacturing companies, providing them networking, cloud and security solutions.
There are a number of laws which govern interception and surveillance in Italy. The Code of Criminal Procedure allows a public prosecutor to ask a judge to authorise all forms of interception of communications in criminal cases, provided that it meets certain statutory conditions. In particular, interception is only permitted if there’s strong evidence that serious crimes are taking place – for example crimes punishable by at least five years in prison, drug or weapon trafficking, or child sexual abuse. Interception of communications can also only be permitted if it’s absolutely necessary for the purposes of the investigation.
The authorisation issued by a judge is valid for 15 days, or 40 days in cases about the prosecution of organised crime. This can be extended for another 15 days at a time, or 20 days in cases of organised crime. If it’s urgent and a delay could seriously prejudice an investigation, the public prosecutor can order interception without judicial authorisation, as long as the order is immediately (at least within 24 hours) communicated to a judge. The judge has to decide whether to confirm or revoke the order within 48 hours. If they don’t confirm this within 48 hours, the interception is stopped and any data collected can’t be used.
Under the Implementation Rules of the Code of Criminal Procedure, the Italian Home Office or senior officers of the main Italian police forces can ask the public prosecutor to authorise an interception to stop terrorism or organised crime. The prime minister or the directors of the secret services empowered by the prime minister can also make the same request, permitted by Law Decree no.144.
As a general rule, interception must be carried out using equipment installed at the public prosecutor’s office dealing with the investigation. But if it’s urgent and the equipment doesn’t work properly or isn’t right, the public prosecutor can issue a reasoned order authorising the interception to be carried out using the equipment of the judicial police. When intercepting electronic communications like emails, the public prosecutor can order that the operation is made through equipment owned by private entities or individuals.
The Italian rules around lawful interception were recently amended by Legislative Decree no.216 of 29 December 2017. This modified some rules of the Italian Code of Criminal Procedure, extending obligations of confidentiality for intercepted communications. In particular, the new rules provide that intercepted communications – and, when relevant, their transcriptions – must be stored at the public prosecutor’s office. Only the preliminary investigations judge, the lawyers of the relevant parties and other authorised roles (for example court officers) can access these. As well as this, the Legislative Decree reinforces the protection of private conversations between an accused person and their lawyer. If the lawyer asks, interceptions that aren’t relevant to a trial (including those containing sensitive data) must be destroyed.
Data retention requirements for preventing and punishing crime were originally contained in the Data Protection Code. This required telephone traffic data to be kept for 24 months and internet traffic data for 12 months (Article 132 of Data Protection Code).
Following the judgment in Digital Rights Ireland, which invalidated the underlying EU Data Retention Directive, Italy introduced an anti-terrorism law. This required all telephone and telematics data kept and collected on 21 April 2015 to be retained until 30 June 2017. This law then expired, which meant the general data retention rule under the Data Protection Code applied again. No specific government order is required for these general obligations.
Recently, Law 167/2017 provided a new exemption from the data retention requirements of the Data Protection Code. Under Article 24 of Law 167/2017, telephony and telematics traffic data can be kept for 72 months where necessary to stop certain types of serious crimes, for example terrorism or organised crime.
The law doesn’t provide a way to target specific individuals, whose data should be kept on the basis that there is objective evidence showing links to the planning or commission of serious crimes. In practice it is likely that those people will only be able to be identified afterwards, for example, by the public prosecutor when they start an investigation into the serious crime.
The disclosure of retained data is mainly governed by the Electronic Communications Code and the Data Protection Code. In general, the competent judicial authority can request that communication service providers provide data for the purposes of justice, with a detailed order referring to the criminal proceedings concerned and outlining the specific data required. The obligation of a communications service provider to comply is set out in Article 96 of the Electronic Communications Code.
Under Article 132 of the Data Protection Code, the public prosecutor, a person accused of a crime or their counsel can ask for retained data to be disclosed during the relevant retention periods.
Under Article 55 of the Electronic Communications Code, a judicial authority can also access, for purposes of justice, data held by the Home Office. Each communications service provider will have passed this data to the Home Office about their own subscribers.
Under Article 226 of the Implementation Rules of the Code of Criminal Procedure, the public prosecutor, the Home Office, directors of the national secret services or senior police officers can request data disclosure in terrorism or organised cases.
Communication service providers must disclose any requested information and grant access to their databases to the Italian secret services for national cyber-security reasons. This is under Act No.124 of 23 August 2007 and the Decree of the Prime Minister No.110835 of 17 February 2017.
Either a judicial authority (in criminal or civil proceedings) or a competent independent supervisory administrative authority (for specific crimes) can require a communications service provider to block access to internet sites or services.
The National Centre Against Child Pornography Centre, established by the Home Office, publishes a list of sites containing child abuse material. Internet service providers must block these within six hours of getting the list, which is continuously updated. Internet service providers must also tell the Centre if they become aware of any of this content. They must also block any material if a judicial authority orders them to for a criminal investigation.
There are also regulations which require internet service providers to block access to copyright infringing material if the Italian Communications Authority orders it. This can include removing single instances of copyright infringing material where the internet service provider hosts the material, or blocking access in the case of a serious infringement, including where the material’s on a website hosted in Italy.
Law 167/2017 requires the Authority to issue a new regulation which governs cases of online copyright infringement, specifically to include interim injunctions that rights holders can apply for from the Authority. This new regulation will, among other things, provide an appeal mechanism against the Authority’s decisions as well as appropriate measures to make sure violations aren’t repeated. So far this regulation hasn’t been adopted.