AI Tracker
Italy

Data protection

The Garante, Italy’s data protection regulator, plays a pivotal role in overseeing AI developments:

• Healthcare: the Garante has established a set of guidelines for implementing AI-driven healthcare services nationwide. Key requirements include that the legal basis for processing personal data must be rooted in public interest and that data controllers must provide a highly detailed Data Protection Impact Assessment (DPIA), including risk analysis and anti-discrimination measures, closely aligned with the provisions of the EU AI Act.
• Web scraping: the Garante issued guidance to protect personal data published online by public and private entities from web scraping. Where indiscriminate data collection is used to train generative AI models, the Garante issued a number of recommendations, including restricting access to certain website areas (for example, through user registration) to limit data exposure, incorporating anti-scraping clauses in website terms of service, monitoring web traffic to detect unusual data flows, and implementing anti-bot measures using available technological solutions.
• Enforcement: 
  • Notable enforcement actions include the temporary suspension of OpenAI’s ChatGPT service in April 2023 and the January 2025 blocking of the DeepSeek AI service, both due to data protection concerns.
  • OpenAI was further fined €15 million in November 2024 after it failed to notify the Authority about a data breach in March 2023 and processed users' personal data without a proper legal basis to train its AI model (in addition to transparency and age verification obligation failures).
  • In March 2025, the Administrative Court of Rome temporarily suspended the €15 million fine of OpenAI subject to the payment of a security deposit. The appeal proceedings are pending.
  • In May 2025, the Garante fined US-based Luka Inc. €5 million over its chatbot, Replika, not having an adequate privacy policy, not identifying a legal basis for processing operations and lack of a capable age-verification mechanism
  • In October 2025, the Garante blocked Clothoff, a generative AI system that generates "deep nude" images, i.e. fake photos and videos depicting real people in nude or sexually explicit or even pornographic poses.
  • In March 2026, the Court of Rome annulled the €15 million administrative fine imposed on OpenAI; the judgment’s reasons are still pending.

Data security

The Agenzia per la Cybersicurezza Nazionale (ACN) – the Italian National Cybersecurity Agency – has issued, together with other 23 National agencies in other States, Guidelines for secure AI, suggesting considerations and mitigations to help reduce the overall risk to the development process of organisational AI systems.

The guidelines are broken down into four key areas:

• Secure design, containing guidelines on risks and threat modelling, and design trade-offs for AI systems.
• Secure development, containing guidelines on supply chain security, documentation, and asset management during the AI development process.
• Secure deployment, containing guidelines on the deployment stage of the AI system development life cycle, including protecting infrastructure and models from compromise, threat or loss, developing incident management processes, and responsible release.
• Secure operation and maintenance, containing guidelines on actions particularly relevant once a system has been deployed, including logging and monitoring, update management, and information sharing.

Copyright

• In Italy, the Copyright Law (Law No. 633.1941) states that the copyright protection of literary works extends to computer programs that constitute the author's own intellectual creation. Copyright itself is acquired when the creation of work consists of an expression of "intellectual effort" from a human and is sufficiently original.
• In January 2023, the Supreme Court found that the use of AI to produce a work of art does not automatically disqualify a work from copyright protection for not being original but if an AI system fully replaces human creative input, the final output may not be considered an original work and therefore would not qualify for copyright protection. (Italian Supreme Court, Decision No. 1107 of 9 January 2023)
• The new Italian AI Law specifies that works of human creativity are protected by copyright even when created with the assistance of artificial intelligence tools, provided they are the result of the author’s intellectual effort.

Patents

• Regarding patentability, Article 45 of the Industrial Property Code (IP Code) maintains that software, including AI systems, are not considered inventions and therefore not patentable.

Consumer protection

The Autorità per le Garanzie nelle Comunicazioni (AGCOM) – the Italian Communications Regulatory Authority – has not issued any guidance on the use of AI yet. However, in January 2024 it established a Committee on AI in the fields of competence of the authority, tasked with conducting analysis and making proposals to AGCOM. The Committee became operational in January 2025, meaning AI-specific guidelines from AGCOM could be expected during 2025, based on its findings.

• In July 2025, AGCOM launched an investigation into Meta for suspected abuse of a dominant market position following Meta’s decision to integrate its artificial intelligence assistant, Meta AI, into its WhatsApp messaging service. As of November 2025, AGCOM is broadening its investigation after new terms exclude Meta's competitors from Meta's WhatsApp platform, effective in October 2025. The Authority is considering interim measures under national law and is examining whether these contractual changes risk breaching Article 102 TFEU. 
• In October 2025, Newspaper publishers associated with FIEG lodged a formal complaint with AGCOM, in its role as Italian National Coordinator of Digital Services, against Google's "AI Overviews" service and the "AI Mode" arguing that they violate key provisions of the Digital Service Act (DSA), by stealing audiences and revenue from newspapers. Similar actions are underway in other EU countries coordinated by the European Newspaper Publishers' Association (ENPA), with the common and shared goal of getting the European Commission to open a procedure under the DSA. The AGCM decided to hear FIEG and Google and is assessing, in its capacity as Digital Services Coordinator, whether to transmit a notification to the European Commission.