Deepfake Law in Italy

Italy regulates deepfakes primarily through the EU AI Act and existing provisions of the Penal Code, with active enforcement by the Garante (data protection authority). A dedicated deepfake statute has been in parliamentary debate through 2024–2025 but has not yet been enacted.

Key provisions

EU AI Act. Directly applicable; AGCOM and the Garante share supervisory responsibilities depending on context.

Penal Code Article 494 — Substitution of persona. Criminalizes impersonation for gain or injury. Applied to deepfake-enabled fraud and impersonation cases. Penalties up to one year.

Penal Code Article 595 — Defamation. Covers deepfakes attributing false statements or actions to real persons. Aggravated forms (via press, repeated) carry up to six years.

Penal Code Article 600-ter (child sexual abuse material). Explicitly includes AI-generated CSAM; penalties up to twelve years.

Italian GDPR implementation (Dlgs. 196/2003). Garante enforces against unauthorized use of biometric or personal data in synthetic media.

Garante enforcement

The Garante has been among the most active European DPAs on AI:

• 2023 temporary ban on ChatGPT for data-protection concerns (lifted after OpenAI compliance changes).
• Ongoing guidance on generative-AI use and personal data.
• Active investigations into deepfake services operating in or accessible from Italy.

Practical implications

For organizations operating in Italy:

• AI service providers: Garante scrutiny on data-processing practices is intense. Compliance review before launch in Italy is essential.
• Platforms: cooperation with Garante takedown requests is expected.
• Enterprises: combined AI Act + GDPR + Penal Code exposure.

Italy is often described as a "watchful" rather than "aggressive" enforcer — significant regulatory action but fewer criminal prosecutions than Germany or Spain.

Related reading

• EU deepfake laws
• Germany deepfake laws
• Spain deepfake laws