g-docweb-display Portlet

Legislative decree no. 109 dated 30 May 2008 ' Transposition of Directive 2006/24/EC of the European Parliament and of the Council of 15 March 200...

Stampa Stampa Stampa
PDF Trasforma contenuto in PDF

[doc. web n. 1670046]

Legislative decree no. 109 dated 30 May 2008 – Transposition of Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006, on the Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communication Services or Public Communications Networks and Amending Directive 2002/58/EC

versione italiana

THE PRESIDENT OF THE REPUBLIC

Having regard to Articles 76 and 87 of the Constitution;

Having regard to Act no. 13 dated 6 February 2007, which contains provisions to comply with obligations arising out of Italy´s membership in the European Communities – 2006 Community Act;

Having regard to directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006, on the Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communication Services or Public Communications Networks and Amending Directive 2002/58/EC;

Having regard to legislative decree no. 196 dated 30 June 2003 as subsequently amended, which contains the "Personal Data Protection Code";

Having regard to decree no. 144 dated 27 July 2005 as converted, with amendments, into Act no. 155 dated 31 July 2005, which contains urgent measures to counter international terrorism;

Having heard the Italian data protection authority;

Having regard to the preliminary resolution adopted by the Council of Ministers at its meeting of 27 February 2008;

Having obtained the opinion rendered by the competent Committee of the Chamber of Deputies;

Whereas the competent Committee of the Senate failed to render its opinion within the scheduled deadline;

Having regard to the resolution adopted by the Council of Ministers at its meeting of  21 May 2008;

Acting on the proposal put forward by the Minister for Community Policies and the Minister for Public Administration and Innovation in agreement with the Ministers of foreign affairs, justice, economy and finance, economic development, home affairs, and defence;

ISSUES

The following legislative decree:

Section 1
(Definitions)

1. For the purposes of this decree,

a. "user" shall mean any natural or legal person using a publicly available electronic communications service without necessarily having subscribed to such service;
b. "traffic data" shall mean any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof,

including the data required to identify a subscriber or user;

c. "location data" shall mean any data processed in an electronic communications network, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service, including data relating to the cell where a mobile telephony call is started or ended;

d. "telephone traffic" shall mean phone calls including voice, voicemail and conference and data calls, on condition they are provided by a telephone operator, supplementary services including call forwarding and call transfer, and messaging and multimedia services including short message services, enhanced media services and multimedia services;

e. "unsuccessful call" shall mean a connection established by a publicly available telephone service that has not been followed by communication because it has not been answered or there has been a network management intervention;

f. "user ID" shall mean a unique identifier allocated to persons when they subscribe to and/or register with an Internet access service or Internet communications service;

g. "uniquely allocated IP (Internet protocol) address" shall mean the (IP) protocol address enabling direct identification of the subscriber and/or user performing communications on the public network.

2. For the purposes of this decree, such additional definitions as are not mentioned in paragraph 1 and are listed in section 4 of legislative decree no. 196 dated 30 June 2003 – "Personal Data Protection Code", hereinafter "the Code" –  as subsequently amended shall also apply.

Section 2
Amendments to Section 132 of the Code

1. Section 132 of the Code shall be amended as follows:

a. in paragraph 1, the following words shall be added after "twenty-four months": "as from the date of the communication"; the words "including the data concerning unanswered calls" shall be deleted; and the words "six months" shall be replaced by the following: "twelve months as from the date of the communication";

b. after paragraph 1, there shall be inserted the following: "1-bis. The data related to unsuccessful calls that are processed on a provisional basis by the providers of publicly available electronic communications services or a public communications network shall be retained for thirty days.";

c. paragraphs 2, 4, and 4-bis shall be repealed;

d. paragraph 5 shall be amended as follows:

1. in the first sentence, the words "in paragraphs 1 and 2" shall be replaced by the following: "in paragraph 1" and the words "which are also aimed at" shall be replaced by the following: "which are aimed at ensuring that the retained data fulfil the same quality, security and protection requirements as network data as well as at";

2. letters b. and c. shall be deleted;

3. in letter d., the words "in paragraphs 1 and 2" shall be replaced by the following: "in paragraph 1."

Section 3
Categories of Data to Be Retained by Telephone and Electronic Communications Operators

1. The categories of data to be retained for the purposes set forth in section 132 of the Code shall be as follows:

a. the data required to trace and identify the source of a communication:

1. as for fixed network and mobile telephony:

1.1. the calling telephone number;

1.2. name and address of the subscriber or registered user;

2. as for Internet access:

2.1. name and address of the subscriber or registered user to whom an Internet protocol (IP) address, a user ID or a telephone number was uniquely allocated at the time of the communication;

3. as for electronic mail:

3.1. the IP address used and the electronic mail address as well as any additional ID related to the sender;

3.2. the IP address and fully qualified domain name of the mail exchanger host as regards SMTP technology, or of whatever host type in respect of any other technology that is used for the conveyance of the communication;

4. as for Internet telephony and the sending of faxes, SMS- and MMS-messages via the
Internet:

4.1. the IP address, telephone number and any other ID in respect of the calling user;

4.2. the demographic data related to the registered user who performed the communication;

b. the data required to trace and identify the destination of a communication:

1. as for fixed network and mobile telephony:

1.1. the number dialled, or else the called number(s) and, in cases involving supplementary  services such as call forwarding or call transfer, the number(s) to which the call is routed;

1.2. name and address of the subscriber or registered user;

2. as for electronic mail:

2.1. the electronic mail address as well as any additional ID of the recipient of the communication;

2.2. the IP address and fully qualified domain name of the mail exchanger host, as regards SMTP technology, or of whatever host type in respect of any other technology used, that has delivered the relevant message;

2.3. the IP address used by the recipient for receiving and/or browsing electronic mail messages irrespective of the technology and/or protocol used;

3. as for Internet telephony and the sending of faxes, SMS- and MMS-messages via the Internet:

3.1. the IP address, telephone number and any additional ID related to the called user;

3.2. the demographic data related to the registered user who has received the communication;

3.3. the number(s) to which the call is routed in cases involving supplementary services such as call forwarding or call transfer;

c. the data required to identify the date, time, and duration of a communication:

1. as for fixed network and mobile telephony, the date and time of the start and end of the communication;

2. as for Internet access:

2.1. the date and GMT time of the log-in and the log-off of the user of an Internet access service along with the IP address, whether static or dynamic, that is uniquely allocated by the Internet access provider to a communication and the ID of the subscriber or registered user;

3. as for electronic mail:

3.1. the date and GMT time of the log-in and the log-off of the user of an Internet-based electronic mail service along with the IP address used, irrespective of the technology and protocol that is applied;

4. as for Internet telephony and the sending of faxes, SMS- and MMS-messages via the Internet:

4.1. the date and GMT time of the log-in and the log-off of the user of the Internet-based service used along with the IP address used, irrespective of the technology and protocol that is applied;

d. the data required to identify the type of communication:

1. as for fixed network telephony and mobile telephony: the telephone service used;

2. as for Internet e-mail and Internet telephony; the Internet service used;

e. the data required to identify users´ communication equipment or what purports to be their communication equipment:

1. as for fixed network telephony: calling and called telephone numbers;

2. as for mobile telephony:

2.1. calling and called telephone numbers;

2.2. the International Mobile Subscriber Identity (IMSI) of the calling party;

2.3. the International Mobile Equipment Identity (IMEI) of the calling party;

2.4. the IMSI of the called party;

2.5. the IMEI of the called party;

2.6. in the case of pre-paid anonymous services, the date and time of initial activation of the card and the location label (Cell ID) from which the card was activated;

3. as for Internet access, Internet telephony, and the sending of faxes, SMS- and MMS-messages via the Internet:

3.1. the calling telephone number as for dial-up access;

3.2. the digital subscriber line (DSL) number or any other end point of the originator of the communication;

f. the data required to identify location of mobile communication equipment:

1. the location label (Cell ID) at the start of the communication;

2. data to identify the geographic location of the cell by reference to their location labels (Cell IDs) during the period for which communications data are retained.

2. The data to be retained may be specified, where this proves necessary also with a view to adjusting to technological evolution and within the framework of the data categories referred to in letters a. to f. of paragraph 1, via a decree issued by the Prime Minister and/or the Minister in charge for Public Administration and Innovation in agreement with the Ministers for European Policies, Economic Development, Home Affairs, Justice, Economy and Finance, and the Defence, after consulting with the Italian data protection authority.

Section 4
Supervisory Authority and Statistical Information

1. In section 154(1), letter a., of the Code, the following words shall be added at the end: "and with regard to the retention of traffic data."

2. The providers of the services referred to in this decree shall send the following information on a yearly basis, by the 30th of June, to the Ministry of Justice, which shall forward such information to the European Commission:

a. the overall number of the cases in which data on telephone or Internet traffic were made available to the competent authorities in pursuance of the applicable national law;

b. the time elapsed between the date on which the traffic data were stored and the date on which the competent authorities requested the data in question;

c. the cases where requests for access to the data could not be met.

Section 5
Punishments

1. After Section 162 of the Code there shall be inserted the following: "Section 162-bis. (Punishments Applying to Traffic Data Retention). 1. Any violation of the provisions set forth in section 132(1) and (1-bis) shall be punished by an administrative fine ranging from Euro 10,000 to 50,000, which may increased up to three times as much on account of the offender´s economic conditions, unless the facts at issue are established as a criminal offence and without prejudice to section 5(2) of the legislative decree transposing directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006."

2. Unless the fact is established as a criminal offence, failure to retain the data as per section 132(1) and (1-bis) of the Code, or retaining incomplete data, shall be punished by an administrative fine ranging from Euro 10,000 to 50,000, which may increased up to three times as much on account of the offender´s economic conditions. If the allocated IP address does not allow a subscriber or user to be identified uniquely, an administrative fine ranging from Euro 5,000 to 50,000 shall be imposed and may be increased up to three times as much on account of the offender´s economic conditions. The violations are established and the relevant sanctions imposed by the Ministry of Economic Development.

Section 6
Transitional and Final Provisions

1. No new or increased charges shall arise out of the implementation of this decree with regard to the State´s finances.

2. The public bodies concerned shall fulfil the obligations arising out of this decree with such human and financial resources and tools as are available on the basis of the legislation in force.

3. The provisions contained in section 132(1-bis) of the Code as added by section 2(1)b. shall be applicable after three months from the date of entry into force of this decree.

4. Section 6(4) of decree no. 144 dated 27 July 2005 as converted, with amendments, into Act no. 155 dated 31 July 2005 shall be repealed.
5. The providers of publicly available electronic communications services that make available Internet access services (Internet Access Providers) shall ensure that IP addresses are available and allow unique identification by ninety days as from the date of entry into force of this decree.

This decree bearing the State´s seal shall be included in the Official Collection of Regulatory Instruments of the Italian Republic. Everyone shall have to abide by it and ensure that it is abided by.

Done in Rome, this 30th day of May 2008.