
Innovation Law Insights

6 June 2024
ARTIFICIAL INTELLIGENCE

Italian Privacy Authority issues guidelines to prevent AI web scraping

The Italian Privacy Authority, the Garante, recently released an information note with detailed guidelines on how to defend personal data published online by public and private entities from web scraping as part of training AI systems.

The guidelines are advisory and not mandatory. They serve as a useful benchmark for data controllers wishing to better protect personal information published online. The document reflects the contributions received by the Authority during an investigative inquiry that began last December and includes preliminary guidelines while the Authority prepares to make decisions on various ongoing investigations regarding AI systems.

Definition of web scraping and identifying the phenomenon

The Data Protection Authority has defined web scraping as the activity of massive and indiscriminate data collection, including personal data, through web crawling techniques. This practice involves not only the collection but also the storage and preservation of data collected by bots for subsequent uses, such as training generative AI systems. The document released by the Authority provides a detailed analysis of the phenomenon, noting that a significant portion of internet traffic is generated by bots and that the data collected is often used to train AI models.

Measures suggested by the Authority

To counter this phenomenon, the Authority has suggested several measures:

  • Creating restricted areas: Limiting data access to registered users only reduces public data availability and the risk of scraping, in compliance with the GDPR’s data minimization principle and avoiding unnecessary data duplication.
  • Clauses in terms of service: Including an explicit ban on scraping techniques in the Terms of Service can serve as a legal deterrent, allowing for legal action in case of breaches.
  • Network traffic monitoring: Analyzing HTTP requests to identify anomalous data flows and implementing countermeasures such as rate limiting can prevent unauthorized access.
  • Bot interventions: The use of CAPTCHAs and periodic updates to the HTML markup can hinder bot activity, as can embedding data in multimedia objects to complicate data extraction.
  • Use of the robots.txt file: Although based on voluntary compliance by bots, this file can indicate not to index or collect certain data.

It’s crucial to recognise that none of these measures can guarantee complete protection against web scraping. So they should be considered precautionary tools that data controllers must evaluate and adopt based on the principle of accountability, to prevent unauthorized use of personal data by third parties.

Other European approaches and what to expect next

This isn’t the first time a data protection authority has taken a stance on web scraping. On 1 May 2024, the Dutch Data Protection Authority issued similar guidelines, clarifying that data scraping includes not only the automated collection of information from web pages but also collecting customer queries and complaints, or monitoring online messages for reputation management. The Dutch authority emphasized the need to conform this practice to the GDPR, ensuring that there’s an adequate legal basis for processing each category of personal data subject to scraping.

Generative AI offers enormous benefits, but training the systems requires a huge amount of data, often collected through web scraping. It’s crucial for website managers to adopt appropriate measures to protect personal data, balancing the need for innovation with the protection of individual privacy.

Although implementing measures like captchas is recommended to defend personal data on online platforms, it’s important to recognise that such solutions may not always be effective. Modern AI bots, for example, can now easily overcome captcha systems, highlighting the need for more sophisticated and multilayered security strategies.

Faced with these challenges, it’s essential that companies don’t rely solely on standardized solutions like captchas but explore more advanced and customized approaches to data protection. This can include the combined use of behavioural navigation analysis, multi-factor authentication, and continuous monitoring of suspicious activities to create a safer and more resilient environment against more sophisticated attacks.

Author: Tommaso Ricci

 

Data Protection and Cybersecurity

Italian Privacy Authority issues latest telemarketing fines for phone calls without consent and activating unsolicited contracts

As per its recent decisions, the Italian Data Protection Authority (Garante per la protezione dei dati personali) has imposed two fines of EUR100,000 each on a company operating in the field of electricity and gas supply for unlawful processing of personal data and on a call centre for carrying out telemarketing campaigns in violation of the applicable regulations on the processing of personal data.

Pursuant to the first decision, the Garante initiated inspections following numerous reports and two complaints from users complaining about receiving unsolicited phone calls and activating unsolicited energy supply contracts. The Authority’s investigations revealed that the calls were made without the consent of the data subjects and often directed to individuals registered in the Public Opposition Register (PRO), ie the Italian equivalent of the Robinson list.

The investigations also revealed that the call centre obtained contact lists through third-party companies and the network of agents or proxies. In addition, a spot check found that within a week, the call centre had illicitly contacted as many as 106 users, who then concluded an energy supply contract.

Given the seriousness of the violations, the Garante has:

  • imposed a fine of EUR100,000 on the call centre; and
  • ordered the adoption of technical, organisational and control measures to ensure that the processing of users’ personal data complies with privacy regulations throughout the supply chain.

The Garante also issued a second order against a call centre for carrying out telemarketing campaigns in violation of the regulations applicable to the processing of personal data. The Authority also imposed an administrative fine of EUR100,000 for similar violations. Again, calls were made without the consent of the data subjects and using phone numbers of individuals registered in the Public Opposition Register.

Some considerations for companies

These decisions are of particular interest to companies to which the GDPR applies and that intend to process personal data for marketing purposes because they emphasize the importance of implementing the necessary accountability measures, especially when “invasive” means of sales promotion, such as telemarketing, are resorted to.

When such companies intend to proceed with these processing activities, it will be necessary to correctly identify the legal basis applicable to the processing and respect the preferences expressed by users registered in the Public Register of Oppositions. They’ll also have to implement technical, organisational and control measures to ensure that the processing of users’ personal data complies with privacy regulations throughout the whole supply chain.

The Garante is particularly attentive to these types of processing because they’re considered particularly intrusive, and there have been numerous sanctions imposed. Recently, the Authority imposed a record penalty of EUR79 million on a well-known energy company for serious deficiencies in the processing of personal data of numerous data subjects carried out for telemarketing purposes. This is the highest penalty ever imposed in Italy. You can read more in this article “Italy’s Largest GDPR Fine Against ENEL Highlights Flaws in DPAs’ Enforcement Procedures”.

Author: Giorgia Carneri

 

Intellectual Property

Patents, genetic resources and traditional knowledge: New WIPO Treaty adopted

On 24 May 2024, the member states of the World Intellectual Property Organization (WIPO) approved the new Treaty on intellectual property, genetic resources and associated traditional knowledge.

This represents a milestone achieved after more than 20 years of discussions and negotiations. Daren Tang, WIPO Director General, said: “Today we made history in many ways. This is not just the first new WIPO Treaty in over a decade but also the first one that deals with genetic resources and traditional knowledge held by Indigenous Peoples as well as local communities. Through this, we are showing that the IP system can continue to incentivize innovation while evolving in a more inclusive way, responding to the needs of all countries and their communities”.

The Treaty addresses the balance between patents, genetic resources and traditional knowledge, providing provisions to protect the interests and knowledge heritage of indigenous peoples and local communities while promoting the efficiency, transparency and quality of the patent system.

Article 3 of the Treaty is particularly relevant. It introduces a disclosure requirement for those who file a patent application claiming an invention based on genetic resources or associated traditional knowledge. This is to limit the risk of a patent being granted for inventions that lack the requirements of novelty or inventive step.

If an invention claimed in a patent application is based on genetic resources, each contracting party will have to require applicants to disclose the country of origin or the source of the genetic resources. If, on the other hand, the invention claimed is based on traditional knowledge associated with genetic resources, each contracting country will have to require applicants to disclose the indigenous people or local community that provided the associated traditional knowledge, or, where the information is not known, the source of the associated traditional knowledge.

According to Article 5 of the Treaty, contracting countries will also have to put in place appropriate, effective and proportionate legal, administrative and/or policy measures to address a failure to provide the information required. But no contracting country can revoke, invalidate or render unenforceable the conferred patent rights solely on the basis of the failure of the applicant to disclose the required information.

The Treaty, whose obligations will not be retroactive, will enter into force three months after 15 eligible parties have deposited their instruments of ratification or accession.

Author: Massimiliano Tiberio

 

Life Sciences

EU Council approves the regulation on substances of human origin

On 27 May 2024, the Council of the European Union approved the Regulation on standards of quality and safety for substances of human origin intended for human application (SoHO Regulation). The SoHO Regulation, repealing Directives 2002/98/EC and 2004/23/EC, outlines a new regulatory framework aimed at ensuring greater safety, quality, and ethical use of such substances in the EU.

Content and objectives of the SoHO Regulation

The SoHO Regulation, which will apply from 2027, aims at ensuring maximum safety and quality throughout the entire supply chain and use of substances of human origin. One of the most significant innovations is the inclusion of specific provisions for children born following medically assisted reproduction, extending protection to a group not explicitly covered by Directives 2002/98/EC and 2004/23/EC. Moreover, it establishes stricter standards for all substances of human origin, including intestinal microbiota and human breast milk, expanding its scope to reflect the latest scientific and technological developments. The phases ranging from donor registration and control to collection, processing, and application on the patient are carefully defined, ensuring rigorous management of the substances.

The main objectives of the SoHO Regulation include:

  • ensuring that the substances of human origin are produced, handled, and used in compliance with the highest safety and quality standards, minimizing the risk to human health and the environment;
  • promoting ethical practices in the use of such substances, respecting human rights, dignity, and privacy of donors, and ensuring fair and accessible distribution;
  • enhancing traceability and tracking systems for the substances throughout the entire supply chain, from donation to final destination;
  • harmonizing national regulations to ensure a consistent approach to the management of the substances of human origin and facilitate free trade within the EU market. To this end, the SoHO Regulation requires the designation of a national authority for substances of human origin and the creation of a digital platform. These measures will facilitate information gathering, streamline reporting procedures, and increase transparency.

The SoHO Regulation also establishes a rapid alert system to promptly address serious incidents or reactions that could endanger donors or recipients. Member States must monitor the supply adequacy of substances of human origin in their countries and develop national emergency plans to address any critical shortages.

Finally, the SoHO Regulation reiterates the principle of voluntary and unpaid donations. But it grants Member States the possibility to compensate living donors, following transparent and defined criteria. It’s important to emphasize that such conditions must be carefully regulated through national legislation at the Member State level.

Approval process and entry into force

The European Commission presented the SoHO Regulation proposal on 19 July 2022, initiating a legislative process that included negotiations between the Parliament and the Council, which reached a political agreement on 14 December 2023. Then, the European Parliament officially approved the SoHO Regulation on 24 April 2024. Once signed by both the Council and the Parliament, it will be published in the Official Journal of the EU and will enter into force on the 20th day following its publication. The SoHO Regulation will apply from mid-2027, with some provisions taking effect the subsequent year.

The approval of the SoHO Regulation marks a significant step forward in regulating substances of human origin in the EU. It’s crucial for promoting safety, effectiveness, and ethical use of these substances and for ensuring more effective regulatory harmonization and equitable access to therapies for all European citizens.

Author: Nadia Feola


Innovation Law Insights is compiled by the professionals at the law firm DLA Piper under the coordination of Arianna Angilletta, Matteo Antonelli, Edoardo Bardelli, Carolina Battistella, Carlotta Busani, Giorgia Carneri, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Enila Elezi, Alessandra Faranda, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Deborah Paracchini, Maria Vittoria Pessina, Tommaso Ricci, Miriam Romeo, Rebecca Rossi, Roxana Smeria, Massimiliano Tiberio, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna and Matilde Losa.

For further information on the topics covered, please contact Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about “Transfer,” the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and check out a DLA Piper publication outlining Gambling regulation here, as well as a report analyzing key legal issues arising from the metaverse here, and a comparative guide to regulations on lootboxes here.
