On 15 April 2015, the Italian Senate adopted a Government decree concerning, among other issues, “urgent measures to combat terrorism” (DDL 2893/R), as amended by the Parliament on its first reading on 31 March.

Before the vote in the Parliament, the government decided to exclude from the voting list the most controversial amendment on preventive interception of electronic communications. This happened after member of the Parliament (MP) Stefano Quintarelli raised the issue on his blog, thereby attracting public attention to the measure. Nevertheless, the adopted text still contains problematic provisions as regards data retention, blocking measures and data protection issues.

The decree, proposed following the terrorist attacks in France and Denmark in January and February 2015, amends laws and norms of the “Criminal Code” and of the “Code of Criminal Procedure”, aiming at combating terrorism and, in particular, the phenomenon of the so-called “foreign fighters”. In the forewords, the Government stresses the “extraordinary need and urgency” of the action being undertaken and states the intent of pursuing these goals “even through the simplification of the procedures needed for the processing of personal data by police forces”.

As to the content of the text, the first articles of the decree amend various provisions of the Criminal Code, for violations related to terrorism activities such as recruitment of terrorists, and endorsing or inciting to terrorism, if “committed by means of computer or telematic tools”.

Paragraphs 2, 3 and 4 of Article 2 provide measures for the blocking and taking down of terrorism-related websites. A unit of the Ministry of the Interior is empowered to generate and update a list of websites used for “subversive” and “terrorist” activities, in a similar way as already provided for child abuse websites. Also, Internet Service Providers (ISPs) can be requested to filter or to take down the websites on the list if asked by a Public Prosecutor.

Article 7 of the decree substitutes article 53 of the Italian “Data Protection Code”. As explained by the Senate’s briefing document, the new article allows the Code to be circumvented not only when police data processing is provided for by law, but also when it is foreseen in a regulation, lowering legal guarantees.

The most debated provision on preventive interception, as already mentioned, was the amendment on preventive wiretapping, presented by the Committee in charge of the file in the Italian Parliament just a few days before the first reading vote. The proposed amendment modified the “Code of Criminal Procedure” introducing the possibility of using “informatics tools and software to remotely acquire data and communications of computer system”. In his blog post, MP Stefano Quintarelli claimed: “with this amendment Italy become, as far as I know, the first European country to explicitly, and in a generalised way, legalise ‘remote computer searches’ and the use of ‘software for covert data collection’”.

This provision constitutes a direct threat to constitutional rights and freedom – namely articles 13 and 15 of the Italian constitution, as Quintarelli pointed out – and, as it seems not to be necessary nor proportionate, it is in clear violation of the Charter of Fundamental rights of the European Union and the European Convention on Human Rights.

Also, the Italian Data Protection Supervisor, Antonello Soro, expressed his great concern with regard to the proposed amendment, since “the relation between data protection and needs for investigation activities seem to be unbalanced,” particularly because the provision for preventive wiretapping covered not only terrorism-related crimes but also “crimes generally committed on-line or with computer tools”.

Another amendment to the original text, which in fact remained untouched in the final text and is now law, covers data retention. Article 4-bis extends data retention periods for internet traffic metadata to 24 months, the same that is provided for telephone traffic by the “Data Protection Code”. Also, missed calls data will be stored for the same amount of time by service providers.

The Italian Data Protection Supervisor complained that these new provisions are not in line with the ruling of the European Court of Justice (CJEU) on data retention, which on 8 April 2014 decided that the data retention Directive contravened EU law.

After Senate’s vote, the text entered into force on 21 April. Even if the most worrying amendment on preventive interception was cut out, the overall results is nevertheless a reduction of citizens’ guarantees against state surveillance. Not to mention the dangerous approach of discriminating online and offline crimes: promoting terrorist content or recruiting terrorists online is worse than doing it in the offline world, it seems.

As France and Denmark, another European country reacted to the fear caused by terrorist attacks in the most simplistic way, which is also the most detrimental for its citizens. Instead of defending and expanding European values and liberties, governments’ answer to these attacks seems to be an abandonment of the rule of law.

Text of the Italian “Antiterrorism decree” (only in Italian, 15.04.2015)

http://www.senato.it/service/PDF/PDFServer/BGT/00912502.pdf

A significant oversight in antiterrorism measure (only in Italian, 24.03.2015)

http://stefanoquintarelli.tumblr.com/post/114529278225/update-una-svista-rilevante-nel-provvedimento

Soro: great concerns for the amendments approved to the antiterrorism decree (only in Italian, 24.03.2015)

http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/3807700

EDRi-gram: Patriot Act à la française: France to legalise unlawful surveillance (25.03.2015)

https://edri.org/france-legalise-unlawful-surveillance/

EDRi-gram: Danish anti-terror proposal expands surveillance (11.03.2015)

https://edri.org/danish-antiterror-proposal-expands-surveillance/

(Contribution by Aldo Sghirinzetti, EDRi intern)