On 27 July 2005 the Italian government published a decree ‘with urgent measures to fight international terrorism’. Under Article 6 all telephony providers are obliged to store traffic data until 31 December 2007. The measure was converted into law on 31 July 2005. The data retention period for information about mobile and fixed telephony in Italy thus minimally is 2 years and 5 months, but the decree also obliges providers not to destroy any traffic data they already have of their customers, at least two years for telephony providers. Internet providers must retain all data for at least 6 months, with a possibility for extension to another 6 months. The access barrier to the data is lowered to the (deputy) public prosecutor, in case the investigation requires the data urgently. However, any such order has to be approved within 48 hours by an investigative judge.
Besides, the decree introduces compulsory identification for mobile telephony users, “before the service is actually activated, at the moment of the order or the SIM is handed-over.” Resellers of mobile subscriptions or pre-paid cards must take all measures to guarantee the identity of purchaser and keep a photocopy of each presented identity card. Article 7 decrees that all internetcafes and public telephone shops with at least 3 terminals must seek a license permit within 30 days from a ‘questore’, a local representative of the Ministry of Home Affairs. They have to store all traffic data of their customers as well. The length of this storage will be decided upon in a separate, yet to be issued, administrative decree. WIFI-points and locations that do not store traffic data will have to preventively demand ID from their users. This actually already is common practice in Italy; hotspots at several airports for example will only allow internet usage after the user has entered the serial number of his ID card or drivers license.
Literally, Article 6 decrees that all providers of public internet and telephony communication services and networks must store all data related to “the traceability of access and -if available- services”, without the content of such communications. Legally, the article enables traffic data retention by outlawing all the relevant data protection provisions until 31 December 2007. Under these provisions, service providers are obliged to anonymise or delete traffic data when they no longer need it to process the communication or to send bills (with a maximum of 6 months). The new surplus of stored traffic data can be accessed for anti-terrorism purposes and for general penal enforcement of criminal offences.
The decree does not contain any specific instructions for internet traffic data. With regards to telephony, the providers have to store all the unsuccesful dial attempts as well. This demand has been the topic of heated debate within the Council of Ministers of Justice and Home Affairs (JHA Council), since many operators protested fiercely to their governments about extremely high costs to implement those measures. The decree says the ministers will have a further debate on the registration of unsuccesful call attempts, with respect to a cost calculation and “allocation of relative costs, while excluding any financial reimbursement by the State.”
When Italy adopted the EU e-privacy directive of 2002, they immediately created an exception to the obligation to erase traffic data, in Article 132 of decree law n. 196 of 30 June 2003. This already specifies mandatory retention of telephony traffic data for 48 months, but without the location data. Data about the earliest 24 months are only accessible, according to a reference to the Penal Code, for investigations into cybercrime and into crimes committed within an organisational (mafia) structure or for services delivered by a citizen to a hostile state.
Law n.155 (in Italian, 31.07.2005)
Data protection law n. 196 (in Italian, 30.06.2003)
(Thanks Andrea Glorioso, Italian consultant on digital policies)