Communications policy
Regulatory and institutional structure
Summarise the regulatory framework for the communications sector. Do any foreign ownership restrictions apply to communications services?
The primary legislation governing the communication sector in Italy is Legislative Decree No. 259 of 1 August 2003 – Electronic Communications Code (the Electronic Communications Code) that results from EU 2002 directives regulating the electronic communications networks and services, the authorisation of electronic communications networks and services, the interconnection of electronic networks and user rights.
In addition, the Italian Communications Authority (the Authority) issues resolutions as secondary legislation containing detailed rules in the offering of electronic communication services and networks. Indeed, the Authority, established by Law No. 249 of 31 July 1997, is a regulatory agency designed to actively promote the integration between the telecommunication and media markets and to supervise and monitor the markets.
Moreover, the Data Protection Authority issues resolutions containing specific obligations for operators in the storage, processing and use of personal data information.
The Ministry of Economic Development – Communications Department (the Ministry) is in charge, inter alia, of issuing authorisations and allocating the spectrum.
A general authorisation is required to offer electronic communications services in Italy. Such authorisation can be issued only to:
- entities with a permanent establishment in Italy or in a country within the European Economic Area (EEA);
- member states of the World Trade Organization; and
- countries granting Italian citizens reciprocal rights of access to the relevant telecoms activity (article 25 of the Electronic Communications Code).
Describe the authorisation or licensing regime.
In accordance with articles 25 and 26 of the Electronic Communications Code, an operator who intends to provide electronic communications networks and services or to establish and operate network equipment at a point of presence in Italy shall apply to the Ministry for the issuance of the above-mentioned general authorisation. The request must describe the services to be rendered and information about the applicant, such as the legal representatives of the relevant entity and the number of employees.
Following the filing of the relevant request, the operator can provisionally exercise the activity. Within 60 days of the application, the Ministry can deny the authorisation or request further clarifications. If the Ministry does not respond within this deadline, the authorisation shall be deemed as issued (the silenzio assenso mechanism).
The Ministry also grants authorisations for the use of numbers and radio frequency spectrums in mobile or satellite services. In respect of radio frequencies for which individual rights of use are required, the operator must obtain such rights before commencing use of the radio frequencies.
The duration of an authorisation depends on the type of services offered. As a general provision, the authorisations and licences last for up to 20 years and may be renewed.
The operator shall, in addition, be registered with the Register for Communications Operators (ROC) kept by the Authority.
General authorisations are subject to payment of an annual contribution to the Authority, calculated on the basis of the net turnover of the operator and to be paid by 1 April of each year. In accordance with Decisions No. 463/16/CONS and No. 62/17/CONS of the Authority, the 2017 fees shall be paid through an online procedure available on the following website: www.impresainungiorno.gov.it.
Moreover, registration with the ROC also requires an annual communication to be made to the Authority on the numbering used and on the company’s details.
Flexibility in spectrum use
Do spectrum licences generally specify the permitted use or is permitted use (fully or partly) unrestricted? Is licensed spectrum tradable or assignable?
The spectrum licences specify the permitted spectrum use. In accordance with article 14 of the Electronic Communications Code, the Ministry prepares the master plan for the use of spectrum licences, while the Authority is in charge of the allocation plan. The most up-to-date master plan is the Ordinary Supplement No. 49, published in the Italian Official Gazette on 19 October 2018 No. 244. It provides the principles for the allocation of the frequencies between 0 and 3,000GHz to each type of service (eg, fixed, mobile, satellite, radio navigation), the authorities to which the frequencies shall be required (eg, the Ministry of Economic Development, the Ministry of Defence) and the frequency bands and (if any) the international provision applicable.
Individual rights of spectrum use are granted within the limits set out in the master plan, and any holders of such rights shall be compliant with the spectrum use allocated.
Article 14-ter of the Electronic Communications Code allows the transfer of rights relating to radio frequency spectrum to comparable operators or providers, with a prior notification to the Authority and the Ministry.
Ex-ante regulatory obligations
Which communications markets and segments are subject to ex-ante regulation? What remedies may be imposed?
According to EU Recommendation No. 879 of 17 December 2007, the electronic communications sector that is subject to ex-ante regulation can be divided into two groups: markets for fixed networks (eg, services for the access to new generation networks) and markets for interconnection services on fixed and mobile networks (eg, interconnection services on fixed networks). EU Recommendation No. 710 of 9 October 2014 has modified the number and list of markets that are subject to ex-ante regulation. In particular, the latest Recommendation has included fixed and mobile call termination markets in the list, as well as wholesale broadband access markets.
Structural or functional separation
Is there a legal basis for requiring structural or functional separation between an operator’s network and service activities? Has structural or functional separation been introduced or is it being contemplated?
In accordance with article 16 of the Electronic Communications Code, companies with exclusive or special rights for public communication networks installation or communication services provision shall provide networks or electronic communication services accessible to the public only through their subsidiaries or affiliated companies (ie, structural separation). This limitation does not apply to companies that generate an annual turnover lower than €50 million with the provision of electronic communication networks or services in Italy.
Legislative Decree No. 70 of 28 May 2012 has also introduced functional separation as an exceptional remedy for competition problems or market failures. Article 50-bis of the Electronic Communications Code allows the Authority to require functional separation where it assesses that other available remedies have failed to achieve effective competition. If the Authority intends to impose a functional separation, it shall notify its proposal to the European Commission, explaining the grounds of such proposal.
The Electronic Communications Code also provides for a specific procedure for voluntary separation by vertically integrated companies. Pursuant to article 50-ter of the Electronic Communications Code, operators holding a significant market power may adopt a structural separation of some of their access network assets to offer wholesale services to retail providers, including their retail units.
Universal service obligations and financing
Outline any universal service obligations. How is provision of these services financed?
The services that must be made available to end users and must be provided by all operators as universal service obligations are the following: access to end users from a fixed workstation (article 54 of the Electronic Communications Code); public pay telephones (article 56); and special measures for disabled and low-income users (articles 57 and 59.2 of the Electronic Communications Code).
If the Authority finds that an undertaking is subject to an unfair burden, it will decide, on request, to share the net cost of universal service obligations among providers of electronic communications networks and services using the ad hoc fund established by the Ministry (article 62 of the Electronic Communications Code).
Number allocation and portability
Describe the number allocation scheme and number portability regime in your jurisdiction.
Fixed and mobile operators must provide portability to customers.
With Resolution No. 274/07/Cons (article 6 et seq), the Authority has set the standards for activation and migration of fixed number procedures and ‘pure’ number portability (it will take place without being accompanied by transfer of physical access resources).
In accordance with article 80 of the Electronic Communications Code, users have the right to change operator for mobile phone, voice and data services, while keeping their own mobile number (mobile number portability). The relevant inter-operator procedures are regulated by Resolution No. 339/18/CONS.
Customer terms and conditions
Are customer terms and conditions in the communications sector subject to specific rules?
As a general principle, the Italian Legislative Decree No. 70 of 9 April 2003 (implementing Directive 2000/31/CE) establishes a regulatory regime concerning the provision of mandatory information to the final consumer. Moreover, the Italian Legislative Decree No. 206 of 6 September 2005 (the Consumer Code) protects consumers from unfair business-to-consumer commercial practices. In addition, the Electronic Communications Code provides for specific terms and conditions to be included in communications contracts, such as the services provided, the minimum service level, the procedures used by the company for measuring the network traffic (article 70 of the Electronic Communications Code). Furthermore, specific rules apply to tele-selling practices and to distance contracts (article 49 et seq of the Consumer Code).
The customer has the right to withdraw, free of charge and without any penalty, in case of amendments to the terms and conditions. The withdrawal has to be notified within 14 days from the effective date, as provided by article 9 of Directive 2011/83/EU; the final term is raised to one year if the mandatory information has not been provided.
Net neutrality
Are there limits on an internet service provider’s freedom to control or prioritise the type or source of data that it delivers? Are there any other specific regulations or guidelines on net neutrality?
Net neutrality is regarded as a fundamental principle recognised by the Authority to ensure democratic internet service provision. Net neutrality is regulated by the EU Regulation No. 2015/2120, and in Italy, the competent Authority has issued a specific Resolution No. 348/18/CONS in relation to the net neutrality Regulation. Several legislative discussions have resulted in the Declaration of Internet Rights of 14 July 2015 approved by the Italian parliament, which addresses various internet issues including net neutrality.
Article 4 of Law No. 167 of 20 November 2017, which introduces article 16-bis of the Electronic Communications Code, has raised the maximum penalty that can be imposed by the Authority, in the case of a violation of net neutrality, to a limit of €2.5 million.
On 15 March 2017 (Resolution No. 123/17/CONS), the Administrative Authority ordered an Italian mobile operator to use zero-rating services correctly, so as to comply with the net neutrality principle, and not to discriminate between zero-rated and non-zero-rated services once a user’s data cap is reached. As a matter of fact, the company allowed the user to continue using the zero-rated services after reaching a data cap. The resolution was appealed but the Administrative Court rejected it in January 2019.
The resolution concerning the abolition of net neutrality in the United States, taken by the Federal Communication Commission on 14 December 2017, does not seem to have influenced the activity of the Italian legislator yet. On the other hand, the advent of 5G connectivity may be a game-changer as it will be necessary to understand if the innovative capacity of the network is inextricably linked to its free accessibility or not.
Platform regulation
Is there specific legislation or regulation in place, and have there been any enforcement initiatives relating to digital platforms?
No specific legislation or regulation has been enacted yet in Italy in relation to digital platforms. However, preparatory work for a bill has been carried out in recent years and a draft law concerning the regulation of digital platforms for the sharing economy was presented to the Italian Chamber of Deputies on 27 January 2016. The draft law began its parliamentary procedure on 4 May 2017, denominated as Act 3564 on ‘Discipline of digital platforms for the sharing of goods and services and provisions for the promotion of the sharing economy’.
In any case, the following legislation may apply to various aspects of the digital platforms: the e-commerce regulation provided by the Legislative Decree No. 70 of 9 April 2003, the Consumer Code and the data protection rules provided by GDPR and by Legislative Decree No. 101/2018 (the Data Protection Code).
Finally, EU Regulation No. 1150/2019, which will enter into force in July 2020, sets forth the relationship between business users of online intermediation services (marketplaces) and search engines. The purpose of this Regulation is to guarantee greater transparency in the contractual terms applied to business users by, among others, the ‘Bigs’ of the network. As a matter of fact, the target of the Regulation is the relationship of dependence that business users have towards these huge online players to offer their goods and services to consumers, that indirectly affects consumers who may not be able to enjoy balanced offers. The Regulation will be directly applicable in Italy; however, the member states may issue specific rules to implement the Regulation in the course of 2020.
Next-Generation-Access (NGA) networks
Are there specific regulatory obligations applicable to NGA networks? Is there a government financial scheme to promote basic broadband or NGA broadband penetration?
On 15 November 2009, the Authority issued the ‘Program ACGOM ISBULWP 1.1 – Network infrastructures NGAN sets’, focused on the current situation and access systems, solutions examined, strategy of evolutions for Italy and development techniques.
In March 2015, the Council of Ministers approved the National Strategy for Next Generation Access Network, a national ultra-broadband plan. The plan aims at developing a high-speed access network throughout the country to create a future-proof telecommunication infrastructure.
In relation to the national and regional broadband financial instruments, the Council of Ministers has approved the investment plan for the broadband and next-generation access broadband penetration with Resolution CIPE No. 65-2015 (for example, €2.2 billion in ultra-broadband investments).
Moreover, on 11 February 2016, the Council of Ministers and the Conference of the Regions approved the ‘Framework agreement on developing of the NGA as European target 2020’, allocating €3 billion to the above-mentioned project, subdividing the funds to the regions, according to their population, and strengthening the management of the project.
The new portal on the NGA strategic plan is online on the website of the Ministry of Economic Development at the following link: http://bandaultralarga.italia.it/.
Data protection
Is there a specific data protection regime applicable to the communications sector?
The provisions applicable to the communications sector are contained in the Data Protection Code and in the resolutions of the Data Protection Authority.
In particular, articles 121 to 132 of the Data Protection Code apply to the processing of personal data connected to the provision of electronic communication services accessible to the public on public communications networks.
The retention of data in the terminal equipment of a user or the access to information already stored is permitted only on condition that the user has given his or her consent after being informed in a simplified manner. This does not prohibit any technical archiving or access to information that has already been archived if it is solely aimed at transmitting a communication over an electronic communication network, or as strictly necessary for the provider of an information society service explicitly requested by the user to provide this service.
Traffic data concerning users processed by the provider of a public communications network or an electronic communication service accessible to the public are erased or anonymised when they are no longer necessary for the transmission of electronic communications.
The provider of an electronic communication service accessible to the public may process user data to the extent and for the duration necessary for the marketing of electronic communication services or for the provision of value-added services, only if the user to whom the data relates has previously expressed their consent, which is however revocable at any time.
The processing of personal data relating to traffic is allowed only to subjects authorised to process and operate under the direct authority of the provider of the electronic communication service accessible to the public or, as the case may be, of the provider of the public communications network and that deal with billing or traffic management, analysis on behalf of customers, fraud detection, or marketing of electronic communication services.
If the calling line identification is available, the service provider of electronic communication accessible to the public assures the calling user the possibility of preventing, free of charge and through a simple function, the presentation of the calling line identification, call by call.
Location data other than traffic data, referring to users can be processed only if anonymised or if the user has previously expressed his or her consent, revocable at any time.
Without prejudice to the provisions of articles 8 and 21 of Legislative Decree 9 April 2003, No. 70, the use of automated call or call communication systems without the intervention of an operator for sending advertising material or direct sales or for carrying out market research or commercial communication is permitted only with the user’s consent.
Finally, the provisions of the GDPR (articles 16 et seq) shall be integrated into the processing of data, including data protection impact assessment (article 35).
Cybersecurity
Is there specific legislation or regulation in place concerning cybersecurity or network security in your jurisdiction?
In Italy, a significant step forward in the cybersecurity sector has already been made with the issuance of the Gentiloni Decree (Prime Minister’s decree – DPCM, 17 February 2017), with the creation of an institutional structure endorsing the implementation of cybernetic security, all responsibilities being traced back to the Prime Minister. One of the key institutions in this scenario was the Interministerial Committee for the security of the Republic, formed by different ministries (eg, Defence, Foreign Affairs, Economic development) and politically dependent on the Prime Minister’s office. This institution, assisted by its own tech department, still plays a central role in the current setting, providing the political guidelines pertaining to the subject.
An essential moment in the evolution of cyber-security regulation in Italy was the implementation of the NIS Directive, European Directive on Network and Information Systems Security (UE/2016/1148), through the issuing of Legislative Decree 65/2018. Besides the GDPR regulation, entrusted to the government, other relevant innovations were introduced.
The peak position of the Prime Minister’s office was confirmed, as well as his leading role. A new centralised cyber incident collection system was set up, through the computer security incident response team. Along with this, on 19 September 2019, the Italian Council of Ministers approved the new Decree-law (No. 105 21/09/2019). The Decree-law was then converted into a fully enforceable law by the parliament with Law No. 133/2019.
The aim of the above-mentioned Law is to guarantee a high level of safety for the networks, the information systems and the IT services of the public administration, the institutions and private entities that rely on the implementation of an essential function or the provision of an essential service for the country.
Moreover, one of the relevant goals of the newly approved Law, was set by the NIS Directive itself, which provided for the competent authorities to identify essential services operators and to define minimum security measures, later set by the Agency for Digital Italy. The purpose, fully implemented by the present Law, with the creation of the ‘Cyber security Perimeter’, leading to the identification and protection of those essential services and functions providers, was to create an armour around such operators, both private and public entities, in order to shield the Republic from possible attacks and subsequent national crisis (preventing them and setting the ground to solve them as easily as feasible).
As far as network security is concerned, under article 16-bis of the Electronic Communications Code, network providers and telecom operators are obliged to comply with the network security measures set out by the Ministry and to provide the latter with information about any security or integrity breach.
Moreover, GDPR’s provisions on privacy by design and by default must be considered when dealing with cybersecurity, as telecom operators must comply with such obligation even before implementing a new product or service.
Big data
Is there specific legislation or regulation in place, and have there been any enforcement initiatives in your jurisdiction, addressing the legal challenges raised by big data?
There are no specific rules on big data in Italy.
However, big data often includes personal data and in many cases it is not possible to separate these data from non-personal data; therefore, the privacy risks deriving from the use of big data are various:
- the processing of personal data outside the purposes for which it was collected;
- the use of incorrect or outdated information;
- discrimination or prejudice against certain individuals or groups resulting from the application of certain profiling algorithms; and
- the processing of personal data in excess of what is necessary to process them.
Considering, therefore, that a huge set of data may be approximate rather than accurate and reliable, big data itself is contrary to a fundamental principle of the GDPR, namely that every organisation or entity must respect the principle of accuracy of the personal data relating to a subject.
As a general principle, moreover, article 22 of the GDPR provides that ‘the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her’.
In conclusion, an efficient way to avoid GDPR’s non-compliance would be to adopt anonymisation or pseudonymisation processes.
Moreover, GDPR provides for some exceptions to its principles. As a matter of fact, data controllers can re-use personal data for purposes compatible with the initial purposes and, if the processing is carried out for the purpose of public interest, scientific or historical research or for statistical purposes, compatibility is implicit.
Data localisation
Are there any laws or regulations that require data to be stored locally in the jurisdiction?
Pursuant to Italian law, there are no specific provisions expressly requiring that any kind of data shall be strictly retained within Italy’s national borders.
However, certain limitations may apply with reference to specific types of data.
By way of example, pursuant to article 39 of Presidential Decree No. 633 of 26 October 1972 (relating to VAT application to the sale of goods and services), any accounting document shall be retained by means of electronic archives and stored in a foreign country only to the extent that there are reciprocal assistance rights.
The GDPR requires a data controller established outside the EU, but using instruments located in the national territory, to appoint a local representative, which will be subject to national legislation and responsible for data processing on the territory.
Pursuant to article 45 of the GDPR, the transfer of data from a data controller established in one of the member states of the European Union to a controller of a third country or an international organisation is allowed if the European Commission has decided that the third country or international organisation ensures an adequate level of data protection.
Key trends and expected changes
Summarise the key emerging trends and hot topics in communications regulation in your jurisdiction.
The Authority has reported that the mobile market is one of the most active and competitive communications markets of recent years.
As a result of the merger between the second and third biggest Italian mobile operators (ie, H3G SpA and Wind Telecomunicazioni SpA) some radio frequencies used by the merging operators have been freed up and transferred to Iliad, a new French mobile operator that has just started operating in Italy.
The Italian Antitrust Authority has intervened with a note of November 2018, on the issue of the extension (from 2023 to 2029) of the licence for the right of use of the 3.4-3.6GHz frequencies.
The Authority has notified the Economic Development Ministry and the Italian Telecommunication Authority of its negative opinion about the extension of any such licence without the implementation of new competitive procedures, as that negatively affects the competition on the relevant market and does not allow the entrance into the market of new operators and the growing of the most efficient ones.
Another hot topic concerning data in the telco business is the new ‘ePrivacy Regulation’, which will repeal Directive 2002/58 and will be considered as a lex specialis to the GDPR. This is a complementary regulation to the GDPR that establishes specific rules for the protection of data processed for the purpose of supplying and using electronic communication services. In fact, the GDPR has left numerous interpretative doubts, as well as not having analysed some relevant issues, which will be provided for in the future by the ePrivacy Regulation. This legislation contains some interesting innovations in terms of consent requests, aggressive marketing, soft spam and cookies, as well as extending the applicability of the privacy regulations to ‘over-the-top’ (OTT) services (such as WhatsApp, Skype, Facebook etc) and to content and metadata deriving from electronic communications. Moreover, the same high sanctions as the GDPR will be applicable, with just six months for businesses to adapt.
Finally, during the COVID-19 emergency, and in order to fight the effects of the pandemic, the government has drafted and issued a series of legislative provisions that also impact the telecommunications sector. For the most part, the legal provisions have a limited time of efficacy (see article 82 of the DPCM dated 11 March 2020 on electronic communications, broadband access, etc), mainly until 30 June 2020. The Authority immediately implemented the measures and opened working groups.
Law stated date
Correct on
Give the date on which the information above is accurate.
1 May 2020