Italy's Data Privacy Regulator Faces Corruption Charges Over Airline Perks

The Italian Data Protection Authority (Garante per la protezione dei dati personali) faces scrutiny as investigative journalist Sigfrido Ranucci continues questioning President Pasquale Stanzione, who now faces formal corruption charges yet refuses to step down from a role paying nearly €500,000 annually.

Speaking to ANSA on the sidelines of the Bologna Children's Book Fair in April 2026, the Report program host questioned why Stanzione, currently under investigation by Rome's Public Prosecutor's Office, continues to avoid direct engagement with his journalistic team while speaking freely to other media outlets. "We need to ask him what he's afraid of," Ranucci stated, following months of coverage that began when Report aired allegations on November 9, 2025, and escalated after Guardia di Finanza raids on the Authority's headquarters in January 2026.

Why This Matters

• The watchdog is being watched: Italy's data privacy regulator, responsible for sanctioning tech giants and enforcing GDPR rules, now faces formal corruption and embezzlement charges involving all four board members.

• Your data protections at risk: The Authority's ability to function independently is under question as investigations examine whether €6,000 loyalty cards from ITA Airways influenced sanction decisions.

• Institutional paralysis looms: With the parliamentary mandate running until July 2027, no clear mechanism exists to replace board members mid-investigation, potentially leaving the agency hobbled during critical enforcement periods.

The Anatomy of an Italian Institutional Crisis

The Garante per la protezione dei dati personali came under intense scrutiny through a combination of investigative journalism and judicial action. Ranucci's Report program first aired allegations of conflicts of interest on November 9, 2025, setting off a chain reaction that culminated in Guardia di Finanza raids on the Authority's Rome headquarters two months later.

Prosecutors coordinated by Deputy Prosecutor Giuseppe De Falco have constructed a detailed case touching multiple areas of alleged misconduct. The investigation centers on Pasquale Stanzione alongside board members Ginevra Cerrina Feroni, Agostino Ghiglia, and Guido Scorza—with Scorza having already resigned in January following the initial raids.

According to Report's investigation, prosecutors examined internal spending patterns at the Authority. Representation expenses reportedly increased between 2021 and 2024, while individual reimbursement allowances expanded significantly. The investigation alleges these funds supported luxury hotel stays, personal dining expenses, and other personal costs attributed to board members.

The ITA Airways Loyalty Card Question

Central to the corruption allegations is the relationship between the Authority and ITA Airways, Italy's state-owned flag carrier. Investigators claim board members each received "Volare Executive" cards valued at €6,000—high-tier frequent flyer status typically reserved for corporate clients spending significant sums annually.

The alleged quid pro quo: sanctions against the airline for data protection violations that were either minimized or delayed despite documented irregularities. Former ITA Airways CEO Fabio Lazzerini now finds himself under investigation for his role in distributing these benefits to regulators theoretically charged with policing his company.

What This Means for Data Protection in Italy

For residents navigating Italy's complex bureaucracy, the scandal raises immediate concerns about regulatory effectiveness. The Garante wields significant power over daily digital life—determining how employers handle worker data, whether apps can operate in Italian markets, and when foreign tech companies face meaningful penalties for privacy violations.

That authority now operates under a cloud. Rome's tribunal and Italy's Corte di Cassazione have both ruled against the Garante in recent months, with judges criticizing the watchdog for conducting investigations beyond statutory time limits and acting outside established legal frameworks—precisely the kind of procedural irregularity that undermines public confidence in regulatory decisions.

The institutional paralysis creates a vacuum at a critical moment. As artificial intelligence regulations take effect across the European Union and data breaches proliferate, Italy lacks a fully functional privacy enforcer. The four-member board structure requires consensus for major decisions, yet with one member already departed and the remaining three facing active investigations, the agency's capacity to act decisively on complex cases remains questionable.

Stanzione's Response and Political Protection

Stanzione maintains composure amid the scrutiny, stating publicly that he remains "absolutely calm" regarding the investigation and will continue exercising his duties with "unchanged serenity and independence."

Ranucci has not softened his position despite the ongoing judicial process. "I believe the Garante should be completely dismantled," he told reporters, arguing that the pattern of behavior his team documented demonstrates systemic failure rather than individual lapses. He framed the board members' refusal to resign in starkly economic terms: "I also put myself in their shoes—it's difficult to give up half a million euros a year. Then they'd have to find another job."

His accusation extends to Italy's political system. "If they keep staying there and nobody tells them anything, there must be someone guaranteeing them," Ranucci said—a phrase that has already entered Italian political discourse as "Il Garante è garantito"—the Guardian is guaranteed, or protected.

That protection appears to flow from Italy's parliamentary appointment structure. The Collegio was elected July 14, 2020, for a non-renewable seven-year term ending July 2027. No clear provision exists for mid-term removal absent criminal conviction, leaving Parliament theoretically responsible for replacement but practically hesitant to trigger a constitutional precedent.

The Road Ahead

The Report program has continued coverage of the case, maintaining public attention on an agency facing questions about its independence. For the thousands of companies operating under Italy's data protection regime—from local startups to multinational tech platforms—the uncertainty creates compliance challenges. Sanction decisions may face legal challenges based on alleged procedural irregularities. Guidance opinions carry less weight when issued by an Authority whose impartiality stands questioned.

The prosecution's timeline remains unclear, though Italian administrative corruption cases typically require 18 to 36 months from initial charges to first-instance verdicts. That schedule would push resolution past the current board's natural expiration in mid-2027, potentially leaving the question of accountability to history rather than immediate justice.