After almost three years of parliamentary debate, the Italian Law no. 71 of 29 May 2017 (‘Provisions for the Protection of Minors aimed at Preventing and Opposing Cyberbullying’) has been officially implemented, becoming the first legislative instrument specifically aimed at combating cyberbullying adopted at national level by an EU Member State.

The main purpose of the new law is the prevention of cyberbullying of minors, a goal to be pursued - according to lawmakers - through seminars and other educational activities, with the collaboration of teachers, social workers and experts in the field of online harassment.

The new law also provides victims of cyberbullying with a legal instrument for opposing the circulation of abusive content. Specifically, Art. 2(1) grants victims and/or their parents or legal guardians the right to request that the relevant data controller or the ‘website manager’ obscure, remove or block any personal data concerning a minor, as identified by the specific URL.

A “website manager” is defined as “any information society service provider which manages the content of a website/social media wherein cyberbullying activities takes place”. Providers of mere conduit, caching and hosting services (as defined in Articles 14, 15 and 16 of Legislative Decree No. 70 of 9 April 2003, implementing Directive 2000/31/EC) are, however, expressly excluded.

The choice to exclude information society service providers from the scope of application of the procedure might raise some interpretative issues, particularly among companies providing hosting services, as today the boundaries between those providing hosting (and to some extent also caching services) and those providing content are increasingly blurred.

As an additional safeguard for the minor, the law provides that if the responsible entity is not identifiable or fails to comply with said request within 48 hours, the interested person can also lodge a complaint with the Italian Data Protection Authority ('Garante per la protezione dei dati personali') and - within 48 hours from the receipt of the request - the Authority must take action pursuant to provisions of Articles 143 and 144 of Law no. 675 of 31 December 1996 ('Data Protection Code') to block or prohibit, in whole or in part, any processing of personal data found unlawful, unfair and/or otherwise prejudicial to one or more of the data subjects involved.

Although well-intended, the choice of establishing a “notice-and-takedown” mechanism to prevent the diffusion of material related to cyberbullying raises questions about the new procedure’s viability and actual effectiveness.

First, “notice-and-takedown” procedures are generally used for preventing unauthorised and/or unlawful uses of materials or data covered by intellectual property rights, which are objectively verifiable to a certain extent (e.g. copyrighted material). Furthermore, the recipients of said requests are usually information society service providers, which are generally inclined to comply with takedown requests - if not manifestly ungrounded - in order to avoid possible liabilities due to their knowledge of unlawful content made available through their platforms.

Therefore, in practice, said procedures are often quite 'requestor-friendly', and the rights of those who could be affected by the takedown (if any) are generally not considered thoroughly.

However, this is usually not the case when personal data is concerned. Generally, when determining whether a given circulation of certain data should be blocked, the rights to privacy and data protection of the data subjects will be duly balanced with other rights, such as freedom of expression and access to information.

In this regard, it can’t be ignored that there is no way to verify whether this balance will actually be carried out by the recipient of the request, nor that the procedure will be used improperly.

However, the legal instrument at issue, as codified by the new law, may only be accessed by a restricted group of subjects (victims and/or their parents) and may only result in the removal of specific content relating to abusive behaviour directed at minors. Thus, the rights of those who could be affected by a takedown should genuinely be upheld so that the rights of cyberbully victims will take enormous leaps from where they were nearly three years ago.

It should be borne in mind however, that due to the speed with which data circulates today, requiring data controllers or website managers to block or obscure content identified by a URL will still offer no real guarantee that abusive content won’t be shared on different websites, social media applications or even on the same website, but under a different URL.

Nonetheless, a law specifically devised at aiding victims of cyberbullying is certainly a huge and positive step in the right direction. In particular, a legal instrument that lacks any formal requirement, produces results in a short timeframe and may be accessed by minors on their own (allowing them to avoid the psychological distress of involving others in enforcement) is an instrument that certainly deserves due credit.