17 July 2025

Innovation Law Insights

Podcast

Is your gambling business ready for Brazil, the UK and beyond? Key legal lessons on regulatory and litigation risks

In the latest episode of DLA Piper’s Gambling Laws of the World podcast, Giulio Coraggio from DLA Piper sat down with Benjamin Fellows (Legal Director, UK) and Diego Paes de Barros (Associate, Brazil) to explore how companies can successfully navigate authorization requirements in Brazil, mitigate legal exposure in the UK, and build litigation preparedness into their global compliance strategies.

We tackled some of the most pressing questions that operators are asking right now, especially in light of Brazil’s new gambling licensing regime, the surge in litigation in the UK, and the urgent need for responsible gambling strategies across jurisdictions.

Listen to the full podcast here.

 

Artificial Intelligence

GPAI Code approved: What it really means for AI compliance in the EU

The GPAI Code approved by the European Commission on July 10, 2025, is more than a symbolic move: it’s a powerful indicator of how the EU expects AI model developers to behave under the looming obligations of the AI Act. Although voluntary, the Code of Practice is poised to become a key instrument for navigating the compliance landscape surrounding general-purpose AI models.

By laying out principles for transparency, safety, and intellectual property compliance, the GPAI Code provides a structured, EU-endorsed path forward for companies that want to build and deploy AI models responsibly and strategically.

Why the GPAI Code approved status changes the game

With the GPAI Code approved, a new soft law standard now exists to guide providers of foundational AI models – such as large language models and multimodal systems – through their responsibilities under Articles 53 and 55 of the EU AI Act.

Its approval signals that EU authorities, including the European AI Office and national regulators, are ready to treat adherence to the Code as a trusted shortcut to compliance. If adopted, the Code can significantly reduce regulatory friction: enforcement bodies are expected to focus on whether a company fulfills the Code’s terms rather than conducting case-by-case investigations.

Put simply, signing up gives developers a strategic advantage. Failing to do so might expose them to greater legal uncertainty and higher scrutiny.

Transparency: Documentation becomes your first line of defense

Transparency is the cornerstone of the approved GPAI Code. It demands that developers compile a detailed Model Documentation Form, outlining everything from data sources and training methodology to licensing terms and security identifiers. This documentation must be shared with downstream users and regulators upon justified request.

Critically, the Code emphasizes data lineage and provenance – meaning developers have to explain how the data was gathered (eg scraped, licensed, or user-contributed) and document any filtering or preprocessing techniques applied.

This matters especially for models approaching systemic impact. Even open-source models have to comply with transparency obligations if they're later deemed high risk. The GPAI Code ensures transparency isn't just a gesture of public relations, but a legal and operational necessity.

Safety and risk: From theoretical talk to practical safeguards

With the GPAI Code approved, EU regulators now expect developers to go beyond risk awareness and put structured safety frameworks in place.

This includes:

  • conducting systemic risk assessments at every model development stage;
  • defining risk tiers and linking them to pre-set mitigation plans;
  • ensuring independent audits validate safety measures;
  • establishing continuous post-deployment monitoring.

The Code effectively introduces a lifecycle approach to risk, emphasizing anticipation, prevention, and accountability. If a major malfunction or unintended use arises, developers have to promptly notify the EU AI Office and national authorities and implement corrective actions.

By operationalizing safety, the Code reflects a growing maturity in how Europe treats AI governance: not as a compliance checkbox, but as an ongoing obligation.

Copyright compliance: No more excuses

One of the most anticipated aspects of the GPAI Code is its strong stance on intellectual property rights. It requires developers to:

  • adopt formal internal copyright policies;
  • avoid scraping content protected by paywalls or access restrictions;
  • exclude data from blacklisted pirate sites;
  • prevent AI systems from replicating protected works in outputs; and
  • establish complaint channels for rights-holders to raise concerns.

The Commission’s goal is not just to minimize copyright disputes, but to embed respect for IP directly into the AI development pipeline. This positions Europe at the forefront of balancing innovation with content ownership.

What happens now?

The GPAI Code approved status is just the beginning. In the coming weeks, we expect:

  • Formal endorsement by EU member states.
  • New guidelines on key definitions, clarifying who qualifies as a GPAI provider, what constitutes systemic risk, and how collaborative development projects are treated under the Act.
  • A push for broad industry adoption.

Early signatories may benefit from fewer inspections, reduced documentation burdens, and perhaps even leniency in enforcement decisions, while those who don’t engage may find themselves navigating an uphill compliance battle.

Final takeaway: The Code is voluntary, but the pressure isn’t

The GPAI Code is a turning point in AI governance. It doesn't carry the force of law, but its political, legal, and reputational weight makes it hard to ignore.

Companies serious about AI governance, ethical development, and EU market access should treat this as a strategic imperative. The question is no longer whether you’ll need to comply with the AI Act; it’s whether you want to do so on your own, or with the support and clarity the Code provides.

And if your company is building or deploying general-purpose AI in Europe, the time to decide is now.

Author: Giulio Coraggio

 

Data Protection and Cybersecurity

Personal data anonymization and the risk of the DPO being an executor

The Italian Data Protection Authority's recent decision gave guidance on the true meaning of personal data anonymization and on the crucial distinction in the DPO's role: a monitor, not an executor. In a world driven by AI and public surveillance, both concepts are more relevant than ever.

On April 10, 2025, the Garante issued a EUR9,000 fine to AMAT, a company owned by the Municipality of Milan, for privacy violations involving a traffic-monitoring system using AI. The project involved video cameras capturing road users – including pedestrians and cyclists – with data being processed in real time. While AMAT claimed that data had been anonymized, the Authority found that personal data anonymization had not been effectively achieved.

When personal data anonymization falls short

The Garante reiterated that personal data anonymization requires more than simply blurring faces or license plates. To qualify as anonymous data under the GDPR, information must be stripped of all identifiers in a way that re-identification is impossible, even when combining data with other reasonably available sources.

In this case, although facial features and plates were blurred, the individuals could still be indirectly identified via contextual clues such as body shape, clothing and location. As a result, the data retained its status as personal data, triggering full GDPR obligations. The concept of personal data anonymization was misapplied – and this misstep became a key factor in the violation.

The DPO is not an executor: Independence matters

Perhaps even more critical was the issue surrounding the Data Protection Officer. AMAT had tasked its internal DPO with drafting and signing the Data Protection Impact Assessment (DPIA). According to the Garante, this directly conflicted with the GDPR's requirements – and with the DPO’s role as an independent advisor and monitor.

The GDPR explicitly states that a DPO must not be an executor of compliance activities. Their independence must be safeguarded, and assigning them operational responsibilities – such as authoring a DPIA – creates a conflict of interest. This decision reinforces the legal boundaries: the DPO is not an executor. Treating it as such undermines the integrity of the entire compliance framework.

This marks the third time in less than two years that the Garante has taken a public stance on the danger of the DPO being an executor. And it's clear the Authority is no longer tolerating blurred lines in this regard.

Transparency failures and poor governance

Alongside these two primary issues – personal data anonymization and the DPO being an executor – the decision also cited failures in transparency. Informational signs and privacy notices were either delayed or incomplete. Some notices inaccurately described the anonymization process and omitted critical details like data retention and the legal basis for processing.

The Authority also noted that the DPIA was not clearly dated or formally recorded, raising questions about whether it had even been completed before the launch of the surveillance activities.

Final takeaways

This decision is a clear signal to both public authorities and private companies:

  • Personal data anonymization must meet the GDPR’s high threshold – not just technical masking or cosmetic blurring.
  • The DPO must never be treated as an executor. Its role is oversight, not implementation.
  • Governance frameworks must clearly separate legal accountability from independent advice.

As cities and companies roll out AI-powered monitoring tools, these principles must be embedded from the start – not added later as risk-mitigation exercises.

Author: Giulio Coraggio

 

Technology

The EU’s Implementation Dialogue on consumer protection in the digital environment

On July 15, 2025, European Commissioner Michael McGrath will host the Implementation Dialogue on consumer protection in the digital environment in Brussels.

The event is invitation only and will convene businesses, business associations, consumer representatives, and national authorities to discuss the evolving challenges of the digital marketplace and identify areas for regulatory improvement.

The Dialogue is part of the European Commission’s broader effort to streamline and enhance the enforcement of EU rules, drawing on the findings of the Digital Fairness Fitness Check, published in October 2024.

A legal framework under digital pressure

The Digital Fairness Fitness Check reviewed three cornerstone directives:

  1. Directive 2005/29/EC on unfair commercial practices between businesses and consumers
  2. Directive 2011/83/EU on consumer rights
  3. Directive 93/13/EEC on unfair terms in consumer contracts

While these instruments remain key pillars of EU consumer protection law, the evaluation highlighted significant gaps in their capacity to address the nuances of digital consumer experiences. Online consumer behavior is increasingly shaped by persuasive interfaces, persistent notifications, manipulative design, and profiling techniques, shifting the power dynamics away from the consumer.

Rather than enabling informed choices, many digital interfaces are intentionally structured to nudge or coerce user behavior.

Emerging issues of concern

The Digital Fairness Fitness Check identified several problematic practices, including:

  • Dark patterns that steer consumers towards unintended decisions (eg fake countdown timers, pre-ticked boxes).
  • Manipulative design and addictive mechanisms, often echoing gambling dynamics.
  • Personalized targeting based on emotional or situational vulnerabilities.
  • Opaque subscription management, including barriers to cancellation.
  • Deceptive influencer marketing, operating outside established EU transparency requirements.

These developments undermine user autonomy and raise fundamental questions about the adequacy of the current regulatory framework.

The role of the Digital Fairness Act

In response, the Commission has announced its intention to propose a new Digital Fairness Act (DFA) to complement existing legislation such as the Digital Services Act (DSA) and the Digital Markets Act (DMA). As stated by Commissioner McGrath at the April 2025 European Summit, the DFA will be “pro-consumer and pro-business,” aiming to eliminate manipulative practices while simplifying the regulatory environment, particularly for SMEs.

One of the central topics of the DFA will be dark patterns, design tactics that exploit users’ cognitive biases to influence their decisions. Common examples include:

  • Trick questions: ambiguously phrased prompts designed to elicit unintended responses.
  • Sneak into basket: additional items pre-ticked or auto added to a cart during online shopping.
  • Roach motel: easy to subscribe, difficult to cancel.
  • Hidden costs: unexpected fees disclosed only at the final checkout step (eg shipping, taxes, service charges).
  • Bait and switch: an expected process is altered at the last minute to surprise or confuse the user.
  • Camouflaged advertising: ads disguised as navigation tools or regular content.
  • Disguised subscriptions: free trials that silently convert to paid plans.
  • Confirm shaming: rejection options framed in a way that guilt-trips the user.

These tactics are widespread and often deliberately crafted to maximize profit at the expense of user autonomy and transparency.

Article 25 of the Digital Services Act already prohibits deceptive interfaces, but it doesn't address the full range of manipulative techniques. The Digital Fairness Act is expected to broaden the scope, provide clearer definitions, and introduce more effective enforcement mechanisms.

A platform for smarter, clearer regulation

The July 15 Implementation Dialogue offers a unique opportunity for stakeholders to share operational insights and discuss the practical impact of existing rules. Businesses, on the front lines of implementation, will be able to raise specific challenges and propose workable solutions to improve the effectiveness and enforceability of EU consumer law without increasing complexity or compliance burdens.

Consumer organizations and national regulators will also be integral to the discussion, ensuring a balanced exchange of views. The Commission is committed to achieving a fair equilibrium between protection and simplification, while avoiding both regulatory overreach (gold-plating) and harmful deregulation.

Participants will explore how to enhance legal coherence across member states and reduce the fragmentation that hampers the cross-border application of rules in the digital single market.

Author: Dorina Simaku

 

Intellectual Property

European Inventor Award 2026: Call for applications now open!

The countdown to the European Inventor Award 2026 has officially begun. Until September 30, 2025, candidates can apply for one of the most prestigious recognitions in the European technological innovation landscape.

The competition is open to inventors, co-inventors or research teams who have obtained at least one valid European patent, protecting an invention that brings tangible benefits to society, the environment or the economy.

Eligible applicants have to hold a European patent that's in force in at least one of the EPO member states and demonstrate that the invention has already had – or has the potential to have – a significant economic impact. Candidates must not have previously been finalists or winners with the same patent in past editions, and the intellectual property must not be subject to any opposition proceedings.

The award welcomes entries across a wide range of sectors and is also open to inventors from non-EPO countries, through a special category titled Non-EPO Countries. In addition to this category – which celebrates international innovation with relevance and application in Europe – the award includes the categories Industry, Research, SMEs, and Lifetime Achievement.

While the European Inventor Award doesn't offer a monetary prize, it is an exceptional international stage. Visibility, scientific and media recognition, networking opportunities – all of this was also true for the 2024 edition, which took place in Valletta. In that edition, the winners included Fiorenzo Dioni and Richard Oberle in the Industry category, for their advanced high-precision die-casting methods applied to the automotive sector. In the Research category, the award went to Cordelia Schmid, a pioneer in the field of AI, known for algorithms that enable machines to “see” like humans. The prize for SMEs was awarded to Olga Malinkiewicz and her team for their innovative perovskite solar panel technology. The Lifetime Achievement award was presented to Dame Carol Vivien Robinson, acclaimed for her impact on mass spectrometry. Lastly, in the Non-EPO Countries category, Japanese inventor Masato Sagawa was honored for developing the world’s most powerful permanent magnets.

Find out more and submit your application here.

Author: Noemi Canova

 

Gaming and Gambling

Italy’s online gambling device ban in shops ruled unconstitutional

In a long-awaited ruling that could reshape how Italy regulates digital access to gambling, the Italian Constitutional Court has declared unconstitutional the national gambling device ban in shops and other public venues.

The judgment – No. 104/2025 – marks a turning point for local businesses and digital service providers, and sends a powerful message: regulation must respect constitutional freedoms, even in sensitive sectors like gambling.

A blanket device ban with no nuance

The now-annulled provision – Article 7, paragraph 3-quater, of Decree Law No. 158/2012 (Decreto Balduzzi) – prohibited the availability of any device that could connect to the internet and be used for online gambling in public places (such as bars, shops and tobacconists), even though this offering was licensed by the Italian gaming authority, ADM.

The rule applied to any computer, tablet or kiosk that was technically capable of accessing gambling websites, regardless of whether users actually did so. In short, a device didn’t need to be used for gambling to trigger penalties; it just needed to exist in the venue.

The ban, coupled with a EUR20,000 administrative fine introduced in the 2016 Stability Law, has for over a decade restricted how local business owners manage public digital access.

The Constitutional Court: Italy’s gambling laws must respect fundamental rights

The Constitutional Court ruled that this sweeping gambling device ban in public venues violated multiple principles of the Italian Constitution, including:

  • Article 3: breaching the principle of reasonableness and proportionality
  • Article 41: infringing on the freedom of private economic initiative
  • Article 42: undermining the right to property

The court acknowledged that Italy’s interest in preventing gambling addiction is legitimate. But it also emphasized that regulation must be appropriate, proportionate and evidence-based. A ban that doesn’t distinguish between actual and potential gambling activity is, by definition, disproportionate.

The ruling also flagged inconsistencies with EU law, including the Charter of Fundamental Rights of the European Union and the European Convention on Human Rights (ECHR), reinforcing the need for balance between public health goals and entrepreneurial freedom.

Fixed fines fail the proportionality test

Beyond the device ban, the court also struck down the flat EUR20,000 fine for violations. It found that the automatic nature of the penalty failed to account for the actual gravity of the offence and lacked any proportional assessment.

This is a broader constitutional message: sanctions in Italy must be graduated based on real-world conduct, not hypotheticals.

Why this matters for Italy’s gambling regulatory future

In a regulatory environment where the operators are about to receive new online gambling licenses for which they will pay EUR7 million and need to deal with the gambling advertising ban, the ability to have a land-based presence has become crucial. This scenario has led to an increase in shops – known as PVRs – involved in selling gambling vouchers.

If PVRs provide the public with devices that allow them to connect to platforms of gambling operators, it will be a game changer since a completely new market will open up with much larger opportunities for operators.

We’ll see how (and if) the government will react to this decision. The Constitutional Court’s ruling isn't a green light for unregulated online gambling in Italy. But it is a long-overdue correction of a deeply flawed device ban. And the decision makes even more relevant the highly expected decision on the currently challenged new regime applicable to PVRs. Read more about PVRs in this article “New Italian regime for gambling voucher shops (PVR) in place.”

Author: Giulio Coraggio

 

Technology Media and Telecommunication

On June 23, AGCom published Resolution No. 154/25/CONS, launching a public consultation on regulatory options concerning the assignment of radio frequencies for terrestrial wireless electronic communications systems whose rights of use will expire on December 31, 2029.

This initiative follows the public consultation launched in July of last year through Resolution No. 247/24/CONS. It addressed possible regulatory measures related to assigning radio frequencies for ultra-broadband terrestrial wireless electronic communications systems, with rights of use also expiring on December 31, 2029.

With the current consultation, the Authority aims to meet the market's need to address this issue well in advance, continuing to ensure a stable and long-term regulatory framework for the use of frequencies in electronic communications. This is intended to support investments by operators and promote development and competition, in line with national and EU policy objectives.

The consultation document, Annex A to Resolution No. 154/25/CONS, includes an introductory section in which the Authority outlines the premises for the current consultation. The Authority also presents its preliminary assessments in light of the previous consultation launched by Resolution No. 247/24/CONS.

In the subsequent section – “European Benchmark” – the Authority provides an overview of the initiatives undertaken in France, Germany and Spain in similar situations involving the upcoming expiry of radio frequency usage rights.

The third section presents AGCom’s positions following the first consultation (ie that initiated by Resolution No. 247/24/CONS) and outlines proposals for the new assignment plan, which also take into account the findings of the previous consultation.

The Authority notes that a significant portion of operators expressed a preference to extend or renew usage rights, considering these tools more suitable for ensuring service continuity and the economic sustainability of investments. Other stakeholders, however, highlighted the need for spectrum reallocation to rebalance frequency allocations among operators. Based on the positions that emerged, the Authority proposes two options for frequencies in the 800 MHz to 3.4–3.6 GHz bands:

  1. A “mixed option,” which involves the application of the three solutions provided by Legislative Decree No. 259/2003, as amended (Electronic Communications Code, ECC), namely extension, renewal, and the adoption of a competitive or comparative assignment procedure for usage rights pursuant to Article 67 ECC, in a combined and differentiated manner depending on the frequency bands involved.
  2. A “renewal option,” which provides for the renewal of all usage rights for the frequencies concerned until December 31, 2037, subject to specific commitments by the beneficiary operators at the time of renewal, as provided by the ECC, aimed at ensuring compliance with certain performance obligations of their networks and access conditions for other network and service providers.

Following these sections, the Authority – after setting out additional detailed considerations regarding the regulatory framework – invites stakeholders participating in the public consultation to:

  • provide and justify their position regarding the “mixed option” proposed by the Authority;
  • indicate and justify, with reference to the rights of use that would be subject to auction: which auction procedure and which award criteria should be adopted; and which auction caps should be established;
  • provide and justify their position regarding the “renewal option” proposed by the Authority;
  • indicate and justify, for each of the two proposed options: which pro-competitive measures should, in their view, be adopted; which coverage obligations should be associated with the rights of use of the relevant frequencies; and which access obligations they consider necessary to introduce.

The consultation document concludes with a paragraph dedicated to the 28 GHz band, whose technical usage modalities – according to the Authority – generated particular interest during the public consultation initiated by Resolution No. 247/24/CONS. AGCom highlights that no general opposition emerged against a possible extension of WLL usage rights at 28 GHz beyond 2029. In this regard, AGCom considers “the extension of all WLL usage rights, under the same conditions already set out in Resolution No. 426/21/CONS, until 2037 to be appropriate, with a view to aligning the future expiration dates of radio frequency usage rights.”

The final question of the public consultation concerns the above: AGCom invites participating stakeholders to provide “their comments on the Authority's proposal to extend until December 31, 2037, all WLL usage rights in the 28 GHz band expiring on December 31, 2029, without altering their technical conditions of use, without prejudice to the responsibilities of MIMIT in this regard.”

Interested parties can submit their contributions to the public consultation by September 21, 2025.

Authors: Flaminia Perna, Matilde Losa

 

Life Sciences

Medical devices and healthcare advertising: What's changing with the new guidelines from the Ministry of Health

The Ministry of Health has recently adopted a significant regulatory update concerning healthcare advertising: the new guidelines on the healthcare advertising of medical devices, in vitro diagnostic medical devices, and surgical medical devices.

The document aims to ensure two fundamental objectives:

  • to protect public health, through accurate and non-misleading healthcare communication; and
  • to simplify activities for industry operators, through clear, consistent, and up-to-date rules aligned with current communication channels.

More digital channels, but stricter rules

Among the notable updates:

  • the range of digital platforms on which advertising messages can be published has been expanded: Facebook, Instagram, YouTube, and TikTok are now explicitly included;
  • the principle of message staticity is reaffirmed: authorized content must not be altered or commented on by users. Specifically, each message must:
    • be devoid of “comment,” “reaction,” and “share” functions;
    • contain only clickable links that redirect to websites or profiles hosting already authorized promotional material and/or content not requiring authorization (eg health education);
    • include the following mandatory disclaimer: “The Ministry of Health exclusively authorizes the content of the advertising message. Any comments are the sole responsibility of the user; the company disassociates itself from user comments.”

Public advertising: Prior authorization and duration

The cornerstone (which derives from applicable law) remains the requirement of prior authorization from the Ministry of Health for any promotional message aimed at the public concerning medical devices, IVDs, and surgical medical devices. This applies to all channels: print, TV, radio, web, email, SMS, and, of course, social media.

Authorizations are valid for a standard period of 24 months, reduced to a shorter period (one year) for messages that claim novelty features.

Social media campaigns: Posts, carousels and stories

The Ministry allows the submission of advertising campaigns on social media, composed of up to ten posts, of which three can be videos, if each piece of content:

  • doesn’t exceed 70 words;
  • complies with staticity requirements;
  • is approved in its entirety (text, images, video);
  • includes the mandatory disclaimer.

Campaigns can only be published 45 days after the previous request or from the filing of the reformulated version in case of suspension.

Company profiles, testimonials and toll-free numbers

Corporate social media profiles (institutional, product-related, thematic) are permitted only if interactions are disabled and promotional content is pre-authorized. Using testimonials is allowed only if it doesn’t imply – even implicitly – any endorsement or preference for the product. Mere association between the image of a public figure and the product may render the message inadmissible.

Conclusion

The new guidelines mark a significant turning point in healthcare communication in the medical device sector, finally paving the way for structured advertising campaigns on high-visibility platforms like TikTok, Instagram, YouTube and Facebook.

This is a regulatory evolution that acknowledges the strategic role of social networks in building brand awareness and reaching the public, while still maintaining a rigorous framework for protecting health.

Author: Enila Elezi


Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Carlotta Busani, Noemi Canova, Gabriele Cattaneo, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Enila Elezi, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Giulio Napolitano, Deborah Paracchini, Maria Vittoria Pessina, Marianna Riedo, Tommaso Ricci, Rebecca Rossi, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra, Enila Elezi.

Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna, Matilde Losa and Arianna Porretti.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about “Transfer”, the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and check out a DLA Piper publication outlining Gambling regulation here, as well as Diritto Intelligente, a monthly magazine dedicated to AI, here.

If you no longer wish to receive Innovation Law Insights or would like to subscribe, please email Silvia Molignani.
