Europe · CoE Framework Convention signatory
This content is for informational and educational purposes only and does not constitute legal advice.
On 16 January 2026, the Italian Competition Authority opened two investigations into Activision Blizzard, a subsidiary of the Microsoft group, concerning potential misleading and aggressive commercial practices in the video games Diablo Immortal and Call of Duty Mobile. The Authority is examining whether the company breached the Consumer Code through the use of user-interface design choices that may influence consumers, including minors, to increase playtime and make in-game purchases without clear awareness. The assessment covers, among other aspects, the use of push notifications for time-limited items and virtual currency bundles whose structure may make the actual monetary cost of transactions less transparent. The investigations also consider default parental control settings, the mechanisms used to obtain consent for personal data profiling, the adequacy of information provided on contractual rights, and whether account suspensions may lead to the loss of funds spent on digital content.
On 18 December 2025, the Guarantor for the Protection of Personal Data (GPDP) issued a warning to users of artificial intelligence services regarding the generation of content using third-party voices or images via artificial intelligence technologies (deepfakes). The GPDP noted that such content potentially qualifies as personal data under Article 4(1) of Regulation (EU) 2016/679 (GDPR) and may constitute biometric data where processed for unique identification. The GPDP found that such processing, when lacking a valid legal basis and transparent information, may infringe Articles 5(1)(a), 6 and 9 of the GDPR. Consequently, the GPDP issued a formal warning under Article 58(2)(a) of the GDPR that such processing activities can constitute infringements of data protection rules.
On 10 October 2025, the Bill on Provisions and Delegation to the Government on Artificial Intelligence (AI) enters into force. The Bill requires public procurement platforms to prioritise AI suppliers that process and store strategic data within national data centres, ensuring disaster recovery, business continuity, and high security and transparency standards. Collaborative research between businesses, research bodies, and technology transfer centres is also promoted to commercialise AI research outcomes. Furthermore, the Bill specifies that AI systems used in the public sector, except those deployed abroad during military operations, must operate on servers located within Italy to safeguard citizens' sensitive data. Personal data processing by intelligence agencies and cybersecurity bodies must comply with existing data protection frameworks, specifically the Personal Data Protection Code and relevant cybersecurity legislation. The application of these principles to AI activities conducted for national security purposes by intelligence, military, and police bodies, as well as other authorised public and private entities, will be detailed in specific regulations issued under established legislative procedures.
On 10 October 2025, the Bill on Provisions and Delegation to the Government on Artificial Intelligence (AI), including consent rules for minors’ access to AI technologies enters into force. The Bill requires parental consent for users under fourteen and allows minors aged fourteen to eighteen to provide their own consent, provided the information is clear and accessible. The measure applies to AI service providers processing minors’ personal data and aligns with the General Data Protection Regulation and Italy’s Personal Data Protection Code.
On 10 October 2025, the Bill on Provisions and Delegation to the Government on Artificial Intelligence (AI) enters into force. The Bill amends Law No. 633 concerning the protection of copyright and related rights to state that copyright protection applies exclusively to works of human intellect. It explicitly recognises that works generated using AI tools are protected only if they represent the result of the author’s intellectual effort. Furthermore, the Bill adds a new provision allowing the reproduction and extraction of works or materials available online or in databases, provided there is legitimate access, for the purpose of text and data mining by AI models, including generative systems.
On 10 October 2025, the Bill on Provisions and Delegation to the Government on Artificial Intelligence (AI) enters into force. The Bill specifies the institutions empowered to oversee compliance. The Agency for Digital Italy (AgID) and the National Cybersecurity Agency (ACN) as the National Authorities for AI to ensure the implementation of the European Union AI Act (Regulation (EU) 2024/1689). AgID is tasked with promoting AI innovation and overseeing the evaluation, accreditation, and monitoring of AI conformity bodies. ACN is responsible for supervising AI systems, particularly in relation to cybersecurity, including inspection and sanctioning activities. Both agencies will jointly manage AI testing spaces, in coordination with the Ministries of Defence and Justice where relevant. Additionally, AgID is appointed as the notifying authority and ACN as the market surveillance authority under the EU AI Act.
On 8 October 2025, the Resolution establishing technical and procedural standards for online age verification under the 2023 Caivano Decree, enters into force. The Caivano Decree introduced measures for online safety and the protection of minors. The measure requires websites and video-sharing platforms distributing pornographic material in Italy to deploy verification systems consistent with the General Data Protection Regulation's principles of data protection and proportionality. The measure clarifies the scope and aligns with the Digital Services Act.
On 7 October 2025, the Italian Data Protection Authority (DPA) appeared before the 8th Committee of the Senate on the updated text adopted for Senate Bill No. 1136 on the protection of minors in the digital environment. The revised text allows the activation of social media and video-sharing accounts only for persons over 15 years of age and assigns the DPA the responsibility for verifying and sanctioning infringements in accordance with Articles 56(2), 58(2), and 83 of Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR). The draft raises to 16 years the age for autonomous digital consent and restricts parental consent to minors aged 15 to 16. The DPA proposed being assigned monitoring functions under Article 3(4) and participation in the preparation of guidelines under Article 5. The hearing also addressed the development of privacy-preserving age-verification mechanisms, awareness campaigns under Article 6, and the possible attribution of powers to restrict or disable access to online services that breach data-protection provisions.
On 6 October 2025, the Italian Data Protection Authority issued a notice against ICF Technology, which manages the CamHub website. The authority stated that the website, currently blocked in Italy, streams sexually explicit videos, including private chat rooms. It also stated that collecting and sharing videos illegally recorded from cameras in private Italian homes violates European and national privacy laws. It warned that reactivating the site without the explicit consent of the data subjects could constitute unlawful processing of sensitive personal data and cause serious harm.
On 2 October 2025, the Italian Communications Authority (AGCOM) issued Presidential Order No. 21/25/PRES against Telegram Messenger Inc. following an investigation into alleged large-scale copyright infringement. The measure was adopted under the Regulation on the Protection of Copyright on Electronic Communication Networks (Resolution 680/13/CONS), based on a request received on 8 September 2025 from the Italian Publishers Association (AIE). The association reported the unauthorised distribution of more than 11'000 literary works, including titles from Giunti, Einaudi, HarperCollins, Newton Compton, and Mondadori, in violation of Copyright Law No. 633 of 1941. The Directorate for Digital Rights and Protection of Fundamental Rights opened an investigative proceeding on 11 September 2025 and confirmed the accessibility of a significant number of protected works, amounting to a serious and large-scale infringement. The investigation found no justification for access under copyright exceptions, and no counterarguments were submitted by the parties within the prescribed 3 working days. The President ordered Telegram to disable access to the infringing channel within 2 days of notification. Non-compliance may lead to sanctions under Article 1(31) of Law No. 249 of 31 July 1997 and referral to judicial police authorities under Article 182-ter of Law No. 633 of 1941. The order may be appealed before the Regional Administrative Court of Lazio within 60 days.
On 1 October 2025, the Italian Data Protection Authority (DPA) determined that the processing of personal data by AI/Robotics Venture Strategy 3 Ltd., operator of the ClothOff “deep nude” service, was unlawful under Articles 5(1)(a), 5(2), and 25 of the General Data Protection Regulation (GDPR). The DPA noted the company’s failure to provide requested information and its inadequate watermarking of manipulated images, which breached the principles of fairness, accountability, and data protection by design and by default. It imposed a temporary restriction on the processing of Italian users’ personal data under Article 58(2)(f), effective immediately and pending the outcome of the investigation. The measure also requires publication on the DPA’s website, entry in the internal register of measures, and makes reference to possible administrative sanctions under Article 83(5)(e) and criminal liability under Article 170 of the Personal Data Protection Code.
On 30 September 2025, the determination on compliance with the national competent authority under the Network and Information Security (NIS) Directive entered into force, except for the provision setting out the procedure and deadlines for continuous updating and confirmation of NIS entity and user information. The determination specifies the deadlines, methods, and procedures for the use and access to the Agency's digital platform, as well as additional information that entities must provide to the national NIS competent authority, and the deadlines, methods, and procedures for the designation of NIS representatives on national territory. The determination sets procedures for registration, annual and continuous updates, and user authentication through the Public Digital Identity System (SPID) or Italian Electronic Identity Card (CIE). It defines roles including contact points, substitutes, Computer Security Incident Response Team (CSIRT) representatives, and operators. Users must associate accounts with their Network and Information Systems (NIS) entity, confirm data accuracy, and report changes within 14 days. It was also highlighted that non-compliance may lead to penalties.
On 24 September 2025, the Italian Communications Authority (AGCOM) issued Presidential Order No. 20/25/PRES against Telegram Messenger Inc., following an investigation into large-scale copyright infringement. AGCOM's Directorate for Digital Rights launched the investigation on 11 September 2025 following a request received on 6 May 2025 from the Italian Publishers Association (AIE). The AIE reported that a Telegram channel and an associated website were distributing numerous literary works, including titles from Salani, Mondadori, Newton Compton, and Sperling & Kupfer, in violation of Copyright Law No. 633 of 1941. AGCOM’s checks confirmed the widespread unauthorised availability of protected works. The domain was registered via GoDaddy.com LLC using Domains By Proxy to maintain anonymity; the hosting services and servers were attributed to Telegram Messenger Inc., which is incorporated in the British Virgin Islands and has servers located in the United Kingdom. Under Articles 8 and 9 of the Regulation on the Protection of Copyright on Electronic Communication Networks (Resolution 680/13/CONS), AGCOM applied the abbreviated procedure and ordered Telegram to disable access to the infringing channel within 2 days of notification. Failure to comply may result in sanctions under Law No. 249 of 1997 and referral to law enforcement under Article 182-ter of Law No. 633 of 1941. This decision can be appealed to the Regional Administrative Court of Lazio within 60 days.
On 19 September 2025, the Italian National Cybersecurity Agency adopted the determination on compliance with the national competent authority under the Network and Information Security (NIS) Directive entered into force, except for the provision setting out the procedure and deadlines for continuous updating and confirmation of NIS entity and user information. The determination specifies the deadlines, methods, and procedures for the use and access to the Agency's digital platform, as well as additional information that entities must provide to the national NIS competent authority, and the deadlines, methods, and procedures for the designation of NIS representatives on national territory. The determination sets procedures for registration, annual and continuous updates, and user authentication through the Public Digital Identity System (SPID) or Italian Electronic Identity Card (CIE). It defines roles including contact points, substitutes, Computer Security Incident Response Team (CSIRT) representatives, and operators. Users must associate accounts with their Network and Information Systems (NIS) entity, confirm data accuracy, and report changes within 14 days. It was also highlighted that non-compliance may lead to penalties.
On 17 September 2025, the Bill on Provisions and Delegation to the Government on Artificial Intelligence (AI) was adopted by the Italian Senate. The Bill requires public procurement platforms to prioritise AI suppliers that process and store strategic data within national data centres, ensuring disaster recovery, business continuity, and high security and transparency standards. Collaborative research between businesses, research bodies, and technology transfer centres is also promoted to commercialise AI research outcomes. Furthermore, the Bill specifies that AI systems used in the public sector, except those deployed abroad during military operations, must operate on servers located within Italy to safeguard citizens' sensitive data. Personal data processing by intelligence agencies and cybersecurity bodies must comply with existing data protection frameworks, specifically the Personal Data Protection Code and relevant cybersecurity legislation. The application of these principles to AI activities conducted for national security purposes by intelligence, military, and police bodies, as well as other authorised public and private entities, will be detailed in specific regulations issued under established legislative procedures.
On 17 September 2025, the Italian Senate adopted the Bill on Provisions and Delegation to the Government on Artificial Intelligence (AI), including consent rules for minors’ access to AI technologies. The Bill requires parental consent for users under fourteen and allowing minors aged fourteen to eighteen to provide their own consent, provided information is clear and accessible. The measure applies to AI service providers processing minors’ personal data and aligns with the General Data Protection Regulation and Italy’s Personal Data Protection Code.
On 17 September 2025, the Bill on Provisions and Delegation to the Government on Artificial Intelligence (AI) was adopted by the Parliament. The Bill amends Law No. 633 concerning the protection of copyright and related rights to state that copyright protection applies exclusively to works of human intellect. It explicitly recognises that works generated using AI tools are protected only if they represent the result of the author’s intellectual effort. Furthermore, the Bill adds a new provision allowing the reproduction and extraction of works or materials available online or in databases, provided there is legitimate access, for the purpose of text and data mining by AI models, including generative systems.
On 17 September 2025, the Italian Senate adopted the Bill on Provisions and Delegation to the Government on Artificial Intelligence (AI). The Bill specifies the institutions empowered to oversee compliance. The Agency for Digital Italy (AgID) and the National Cybersecurity Agency (ACN) as the National Authorities for AI to ensure the implementation of the European Union AI Act (Regulation (EU) 2024/1689). AgID is tasked with promoting AI innovation and overseeing the evaluation, accreditation, and monitoring of AI conformity bodies. ACN is responsible for supervising AI systems, particularly in relation to cybersecurity, including inspection and sanctioning activities. Both agencies will jointly manage AI testing spaces, in coordination with the Ministries of Defence and Justice where relevant. Additionally, AgID is appointed as the notifying authority and ACN as the market surveillance authority under the EU AI Act.
On 15 September 2025, the Communications Regulatory Authority’s (AGCOM) resolution amending the Online Copyright Regulations to expand the scope of dynamic injunctions available under the Piracy Shield platform enters into force. The resolution enables accredited reporters, including anti-piracy associations and federations, to request disabling access to illicitly distributed content during the first thirty minutes of live broadcasts and premieres, through DNS resolution blocking and network traffic routing restrictions targeting IP addresses primarily engaged in illegal activities. The measures apply to providers of mere conduit, hosting, and caching services, as well as VPN providers, publicly available DNS service operators, and search engines involved in the accessibility of infringing resources. Reporters are required to act with diligence and avoid high-risk overblocking, or face suspension of accreditation. The resolution also empowers AGCOM to order the unblocking of resources inactive for at least six months and permits unblocking requests from reporters for non-infringing services. The revised regulation integrates provisions from the Digital Services Act (DSA), the Omnibus Decree amending the Anti-Piracy Law, and updates to the Consolidated Law on Audiovisual Media Services, which now includes disciplinary proceedings for copyright infringements by audiovisual media service providers.
On 11 September 2025, the Italian Communications Authority (AGCOM) opened an investigation into Telegram Messenger Inc. for alleged copyright infringement. The proceeding was initiated under the Regulation on the Protection of Copyright on Electronic Communication Networks (Resolution 680/13/CONS) following a request received on 8 September 2025 from the Italian Publishers Association (AIE). The association reported the unauthorised reproduction and distribution of more than 11,000 literary works, including titles from publishers such as Giunti, Einaudi, HarperCollins, and Mondadori.
On 11 September 2025, the Italian Communications Authority (AGCOM) opened an investigation into Telegram Messenger Inc. for alleged large-scale copyright infringement. The case was initiated following a request from the Italian Publishers Association (AIE) concerning the unauthorised distribution of literary works through a Telegram channel and an associated website. AGCOM’s Directorate for Digital Rights reviewed the request, found it admissible, and initiated proceedings under abbreviated terms due to the serious and large-scale nature of the alleged violations.
On 2 September 2025, the Regional Administrative Tribunal for Lazio issued a ruling partially annulling the Competition Authority's sanction of EUR 1.13 billion against Amazon to an unspecified lower amount due to inadequate justification for the fine imposed. However, the Tribunal upheld the decision against Amazon for abusing its dominant position in the Italian online marketplace services market. The Tribunal confirmed Amazon engaged in self-preferencing between 2016-2021 by tying essential marketplace benefits exclusively to its Fulfilled by Amazon (FBA) logistics service, affecting third-party sellers on Amazon Italy and competing logistics providers. Amazon controlled approximately 53% of the Italian marketplace intermediation services market and used discriminatory performance metrics that favoured FBA users whilst restricting Prime eligibility and promotional event access for sellers using independent logistics. The Competition Authority imposed a EUR 1.13 billion fine, and behavioural remedies requiring Amazon to publish clear Prime eligibility criteria, apply uniform performance monitoring regardless of logistics provider, and provide equal treatment for Prime-eligible offers.
On 20 August 2025, the Italian Data Protection Authority issued Provision No. 479, imposing urgent measures under Article 58(2)(f) of the General Data Protection Regulation (GDPR) to address the unlawful dissemination of a private audio recording on the YouTube channel “Falsissimo” and its subsequent circulation on Instagram. The action followed a complaint under Article 77 GDPR seeking removal and de-indexing of the content across multiple platforms, including YouTube, TikTok, Instagram, Facebook, X, Google, and company channels. The Authority recalled its earlier warning of 4 August 2025 (Provision No. 467) and the 6 August press release, which noted that the disclosure likely violated Articles 1, 5, 6, 17, and 21 GDPR, as well as Articles 1 and 167 of the Italian Privacy Code. Given that the audio remained accessible, accumulating over 1.3 million views, and new content had appeared on Instagram, the Authority concluded that the violations persisted. The order requires immediate removal of the specific audio segment from the YouTube episode, deletion of the Instagram reel, and a prohibition on any further dissemination. Non-compliance may result in administrative fines under Article 83 GDPR, and the measure can be appealed within the statutory timeframe before the ordinary judicial authority.
On 6 August 2025, the Italian Data Protection Authority opened an investigation into AI/Robotics Venture Strategy 3 Ltd., operator of the ClothOff “deep nude” service, by issuing a formal request for information (ref. 109872) concerning the processing of personal data and the implications of generating manipulated content potentially harmful to the reputation of data subjects.
On 4 August 2025, the Italian Data Protection Authority issued Provision No. 467 in response to the non-consensual disclosure of a private audio file taken from a chat conversation involving a well-known actor. The Authority considered the audio to form part of private correspondence protected under Article 15 of the Constitution and recognised that its publication constituted processing of personal data within the scope of Regulation (EU) 2016/679 (General Data Protection Regulation) and the Italian Personal Data Protection Code (Legislative Decree No. 196/2003, as amended). The Authority found that, while journalistic freedom of expression does not always require consent, the disclosure lacked materiality in relation to the actor’s public role and instead concerned intimate and emotional matters unrelated to public interest. Pursuant to Article 58(2)(a) of the Regulation and Article 154(1)(f) of the Code, the Authority issued a warning to potential users of the data subject’s personal data, emphasising that any further dissemination of the audio or related extracts could constitute a violation leading to sanctions. Furthermore, under Article 154-bis(3) of the Code, the Authority ordered publication of the decision in the Official Journal of the Italian Republic to ensure wider awareness. The provision also noted the right of appeal under Article 78 of the Regulation, Article 152 of the Code, and Article 10 of Legislative Decree No. 150/2011, allowing challenges before the competent judicial authority within 30 days in Italy or 60 days if abroad.
On 30 July 2025, the Communications Regulatory Authority (AGCOM) adopted a resolution amending the Online Copyright Regulations to expand the scope of dynamic injunctions available under the Piracy Shield platform to include all rightsholders of live events, audiovisual and cinematographic works, entertainment programmes, and similar audio content. The amendments enable accredited reporters, including anti-piracy associations and federations, to request disabling access to illicitly distributed content during the first thirty minutes of live broadcasts and premieres, through DNS resolution blocking and network traffic routing restrictions targeting IP addresses primarily engaged in illegal activities. The measures apply to providers of mere conduit, hosting, and caching services, as well as VPN providers, publicly available DNS service operators, and search engines involved in the accessibility of infringing resources. Reporters are required to act with diligence and avoid high-risk overblocking, or face suspension of accreditation. The resolution also empowers AGCOM to order the unblocking of resources inactive for at least six months and permits unblocking requests from reporters for non-infringing services. The revised regulation integrates provisions from the Digital Services Act (DSA), the Omnibus Decree amending the Anti-Piracy Law, and updates to the Consolidated Law on Audiovisual Media Services, which now includes disciplinary proceedings for copyright infringements by audiovisual media service providers.
On 30 July 2025, the Competition Authority (AGCM) opened an investigation against Meta to assess potential infringements of Article 102 of the Treaty on the Functioning of the European Union (TFEU). The investigation concerns alleged abusive tying conduct related to the pre-installation and prominent integration of the generative artificial intelligence service “Meta AI” within the WhatsApp instant messaging application. The AGCM identified distinct relevant product markets for consumer communication services via applications and general-purpose chatbot or AI assistant services, noting Meta's dominant position in the former market at both European and national levels. The AGCM considered that the integration of Meta AI into WhatsApp is likely to distort competition by facilitating rapid user base expansion and potentially training AI models on user interactions, thereby generating exclusionary effects. The proceeding is scheduled to conclude by 31 December 2026, and the parties have a 60-day period from notification to exercise their right to be heard.
On 23 July 2025, the Communications Regulatory Authority (AGCOM) adopted Resolution no. 199/25/CONS, launching an inquiry into how audience consumption is measured on digital platforms. The inquiry aims to address the lack of standardised, transparent methods across streaming services, social media, and other online media providers. Under Decree no. 208/2021, measurement systems must adhere to principles of accuracy, transparency, verifiability, and independent certification. However, AGCOM notes that large platforms still rely on proprietary tools rather than submitting data to independent Joint Industry Committees, leading to inconsistent and possibly inflated metrics. AGCOM highlighted the urgency of the issue due to digital advertising accounting for over 60% of Italy’s ad revenues, exceeding television, arguing that the lack of certified data impedes fair competition and the ability to make informed investment decisions. AGCOM’s inquiry seeks to clarify obligations under the European Media Freedom Act and the Digital Markets Act, which require large platforms to ensure transparency, impartiality, non-discrimination, independent audits, advertiser access to verification tools, and annual methodology reviews. The AGCOM will review current measurement models, including those using Software Development Kits and server-to-server technologies, against European standards and its previous guidance to establish rules for measurement perimeters and requirements to guarantee transparent, comparable audience data.
On 23 July 2025, the Italian Communications Authority adopted the Guidelines to ensure that influencers comply with the provisions of the Consolidated Law on audio visual media services. The guidelines apply to influencers who create, select, or curate content that informs, entertains, or generates income through commercial agreements or platform monetisation. The guidelines establish two categories including professional influencers with at least one million followers and 2% average engagement rates face enhanced obligations, whilst smaller influencers must meet baseline requirements. The guideline imposes editorial responsibility upon influencers for content transparency, requiring clear identification of promotional material, implementation of minor protection safeguards including content classification and age verification, and adherence to anti-discrimination provisions.
On 23 July 2025, the Italian communications authority (AGCOM) adopted the final Code of Conduct, following a public consultation launched under Resolution No. 472/24/CONS containing Guidelines to ensure that influencers comply with the provisions of the Consolidated Law on audio visual media services. The Code applies to influencers operating in Italy with at least 500,000 followers on one platform or more than 1 million monthly views, treating them as audio-visual media service providers under national law. It imposes several obligations, including editorial responsibility for content, mandatory use of standard advertising labels, disclosure of filters and digital alterations, and safeguards for minors and fundamental rights. Enforcement measures include fines of up to EUR 600,000 and removal from AGCOM’s public influencer register.
On 19 May 2025, the Italian Data Protection Authority (DPA) opened an investigation into Luka, the provider of the artificial intelligence chatbot Replika. The DPA will assess Luka’s compliance with the General Data Protection Regulation (GDPR) regarding its processing of personal data for the purposes of training its generative AI chatbot. The investigation builds upon previous investigations of Replika by the Italian DPA, requesting that Luka provide information on the life cycle of its data processing for generative AI training purposes, and in particular to clarify its risk assessment and data protection methods implemented.
On 18 April 2025, the United States and Italy adopted a joint statement to strengthen strategic alliance across security, economic, and technological issues. The statement committed to strengthening cooperation in emerging technologies, including 6G, Artificial Intelligence (AI), quantum computing, and biotechnology, with an emphasis on protecting data. The statement applies to technology developers and infrastructure providers operating in critical and security-sensitive sectors. The joint statement underscored the need to build trusted technology ecosystems that safeguard data from adversaries seeking to exploit vulnerabilities.
On 16 April 2024, the Italian Communications Authority (AGCOM) released Deliberation No. 74/24/CONS, concluding the procedure to define service regularity and image quality parameters for audiovisual media service providers, as required by Article 33, Paragraph 4, of Legislative Decree No. 208 of 8 November 2021. The deliberation establishes conditions and parameters for service quality and regularity, as well as effective and timely technical assistance tools and procedures for handling user complaints, requests, and reports. These measures must be implemented by all providers streaming "events of social or significant public interest," as defined by the Ministry of Economic Development's decree of 27 May 2022. The implementation deadline for these measures is set at 12 months from the adoption of the deliberation (i.e. on 16 April 2026), with an additional 6 months granted for developing user interfaces to access Key Performance Indicators (KPIs) directly from streaming applications (i.e. on 16 October 2026). A technical committee, coordinated by the AGCOM's Consumer Protection Directorate, is established to support the implementation of these measures.
On 10 April 2025, the Italian Data Protection Authority (DPA) announced that it had fined Luka, the provider of the artificial intelligence chatbot Replika, EUR 5 million for violating the General Data Protection Regulation (GDPR). The DPA identified three main violations. First, Luka failed to properly identify valid legal bases for its various data processing operations, including those related to developing its large language model Replika. The privacy policy contained only vague references to contractual necessity, consent, and legal authorization without specifying which applied to specific processing activities. Second, Luka's privacy policy was only available in English, lacked transparency, and contained multiple inaccuracies. It failed to clearly distinguish between "chatbot interaction" and "model development" processing purposes, did not specify data retention periods, provided misleading information about international data transfers, and incorrectly suggested the service used automated decision-making under GDPR. Third, despite claiming to exclude minors from the service, Luka implemented no effective age verification mechanisms. The company failed to assess the risks of processing minors' data and did not implement safeguards to protect vulnerable users. In February 2023, the DPA initially imposed a temporary ban on Replika's operations in Italy. Luka subsequently implemented various corrective measures, including age verification systems and improved privacy policies. However, technical investigations determined persistent deficiencies, such as users being able to change their birth date without verification after registration and the ability to bypass cooling-off periods through incognito browsing. The DPA also ordered Luka to further improve its privacy policy and strengthen its age verification system.
On 8 April 2025, the Italian Communications Authority adopted an order extending the deadline for implementing measures outlined in Deliberation No. 74/24/CONS on defining service regularity and image quality parameters for audio-visual media service providers. The order follows requests from operators for further clarification and additional time to address technical and operational challenges related to the implementation of quality of service and user assistance measures for streaming media services. It was highlighted that operators raised a range of technical and interpretative concerns, including the difficulty of identifying users without mandatory registration, the limited control over devices and network conditions, and the challenges of applying quality standards across diverse platforms and international users. Specific concerns were raised about the measurement and display of key performance indicators, the feasibility of providing continuous user support, the handling of user complaints, and the proportionality of compensation requirements.
On 20 March 2025, the Senate passed the Bill on Provisions and Delegation to the Government on Artificial Intelligence (AI). The Bill amends Law No. 633 to state that copyright protection applies exclusively to works of human intellect. It explicitly recognises that works generated using AI tools are protected only if they represent the result of the author’s intellectual effort. Furthermore, the Bill adds a new provision allowing the reproduction and extraction of works or materials available online or in databases, provided there is legitimate access, for the purpose of text and data mining by AI models, including generative systems.
On 20 March 2025, the Senate passed the Bill on Provisions and Delegation to the Government on Artificial Intelligence (AI). The Bill specifies the institutions empowered to oversee compliance. The Agency for Digital Italy (AgID) and the National Cybersecurity Agency (ACN) as the National Authorities for AI to ensure the implementation of the European Union AI Act (Regulation (EU) 2024/1689). AgID is tasked with promoting AI innovation and overseeing the evaluation, accreditation, and monitoring of AI conformity bodies. ACN is responsible for supervising AI systems, particularly in relation to cybersecurity, including inspection and sanctioning activities. Both agencies will jointly manage AI testing spaces, in coordination with the Ministries of Defence and Justice where relevant. Additionally, AgID is appointed as the notifying authority and ACN as the market surveillance authority under the EU AI Act.
On 1 March 2025, the obligation for manufacturers to ensure that devices support parental control applications under Decree-law n.123 on the safety of minors in the digital environment entered into force. The decree requires manufacturers to ensure that the operating systems of electronic devices allow the use and availability of applications for parental controls. It also mandates electronic communication service providers to ensure the availability of these applications within the scope of supply contracts. Furthermore, the decree requires device manufacturers to inform users about the importance of installing these applications and to provide the activation service without any additional cost. Finally, the decree prohibits the use of personal data collected during the activation of the applications for commercial purposes or profiling. The Authority for Communications Guarantees (AGCOM) will supervise the correct application of this decree.
On 30 January 2025, the Italian Data Protection Authority (DPA) ordered an immediate limitation on the processing of data of Italian users by DeepSeek. The order follows the communication from the company regarding the information on the personal data collected, its sources, purposes, legal basis, processing and storage locations, as well as how its AI system is trained. In particular, DeepSeek has denied operating in Italy and claimed that European regulations do not apply to the company. The response was deemed insufficient by the DPA which has subsequently launched an investigation.
On 28 January 2025, the Italian Data Protection Authority (DPA) launched an investigation into DeepSeek's compliance with the General Data Protection Regulation (GDPR) regarding its Artificial Intelligence (AI) chatbot services. The DPA requested information on the personal data collected, its sources, purposes, legal basis, and storage locations, particularly whether data is stored in China. DeepSeek must also explain how its AI system is trained, whether personal data is obtained via web scraping, and how users are informed about data processing. DeepSeek has 20 days to provide the requested information.
Last updated: 16/01/2026