Italian internet service providers (ISPs) and telecommunication companies are now forced to store the logs of your electronic communications data (telephone traffic data, electronic communications traffic data and data related to unsuccessful calls) for at least 6 years. Lexology poignantly calls this development in Italian law the “shadow of mass surveillance.”
The Italian Senate has recently passed the final approval for new data retention laws included in their 2017 laws. There are two main changes to the data retention laws that recently came into action. The first is the egregious extension of the amount of time that your online data needs to be maintained; the second is the introduction of web monitoring for copyright compliance… without prior judicial review. The Italian Authority for Communications Guarantees (AGCOM) has been granted the mandate to demand the takedown or blocking of websites without judicial oversight. Under this new law, actions like the Sci-Hub block – which caused a lot of controversy in the States – could happen at the drop of a hat and without judicial. Additionally, AGCOM has been granted the power to use deep packet inspection on all internet traffic.
This law, specifically the extraordinarily long mandatory data retention period, is expressly illegal according to the Court of Justice of the European Union (CJEU). Despite the clear top-down direction that blanket data retention laws are unconstitutional, countries like Italy and Sweden are still implementing sweeping mandatory data retention laws. Earlier this year, Privacy International released a report about EU member states' noncompliance with the CJEU. In the report, PI stated:
“Member States have an obligation to ensure that their laws comply with the CJEU’s jurisprudence, and EU law more generally. It is thus concerning to notice that only a limited proportion of Member States have actually annulled their pre-Digital Rights legislation and that practically no Member States’ laws currently comply with Tele-2/Watson.”
Despite CJEU rulings, unconstitutional data retention laws are still in vogue
Expect ISPs and telecoms to comply until the European Union and Italy come to a head and resolve this inconsistency. Across the globe, whenever new data retention laws are implemented (such as those in Russia, Sweden, Australia, the Netherlands, and the UK), even the local telecoms and ISPs complain because of the added cost of compliance, as well as the decreased amount of security and privacy for their users.