Skip to main content
|

Add a bookmark to get started

Bookmarks info
Abstract_Lights_P_0152
18 April 202419 minute read

Innovation Law Insights

18 April 2024
Podcast

Artificial Intelligence and Media Unleashed: Exploring the opportunities and legal challenges

In this episode of the Diritto al Digitale podcast, Giulio Coraggio, Location Head of DLA Piper’s Italian Intellectual Property and Technology department sat down with Tom Ara, Global Co-Lead of DLA Piper’s Media, Sport and Entertainment Sector, to dissect the evolving landscape of media law amid the rapid advancements in technology, like AI, and global market expansions. You can listen to the podcast here.

 

Artificial Intelligence

AI and GDPR: French privacy authority issues recommendations on development of AI in compliance with the GDPR

The French Data Protection Authority (CNIL) has published useful recommendations on how to use AI solutions processing personal data to comply with GDPR.

Here are the key takeaways from CNIL's latest recommendations:

  • Development Phases: CNIL emphasizes the importance of adhering to GDPR from the inception phase of AI development, covering system design, database building, and the learning phase. We have many clients that are running AI related pilot projects and ignore compliance obligations because of the limited scope. But even limited AI projects require GDPR compliance.
  • Purpose Definition: A clear, explicit, and legitimate purpose for AI systems is pivotal. Whether for specific operational use or general purposes, outlining the potential capabilities and functionalities is crucial for GDPR compliance. Some AI solutions are of general purpose, but the GDPR requires a purpose definition and an ad hoc assessment.
  • Responsibility Clarification: Identifying whether you're a Data Controller, Processor, or fall under other roles defined in the EU AI Regulation is fundamental to determining your compliance obligations. It seems obvious, but it might not be the case if the provider has a prominent role in determining how the AI operates.
  • Legal Basis Identification: Establishing a legal basis for personal data processing, whether through consent, legitimate interest, or other GDPR provisions, is essential. Legitimate interest seems to be the most obvious, but businesses should run a substantiated LIA to prove the underlying legitimate interest.
  • Data Reuse and Minimization: CNIL advocates for the lawful reuse of personal data and stresses the importance of data minimization, ensuring that only necessary data for the defined purpose is processed. Given the massive capabilities of AI solutions defining what’s necessary appears to be burdensome. But it’s an essential assessment process.
  • Retention and DPIA: Setting a defined retention period for personal data and conducting a Data Protection Impact Assessment (DPIA) are recommended to mitigate risks and maintain data protection standards. It can be hard to argue that a GPAI does not process personal data on a large scale given its processing power.

These principles are useful and any company willing to exploit AI should adopt them in their internal policy to avoid third-party AI scrapping their copyright protected data. At DLA Piper, we’re helping several clients on the topic. Reach out to us if you want to know more.

Author: Giulio Coraggio

 

Italy’s AI Strategy for 2024-2026: The Key Points

In the past few days, AgiD (Agenzia per l'Italia Digitale) and the Department for Digital Transformation published an executive summary on the internet. It summarizes the vision and architecture of Italy’s AI Strategy for the next three years through four main pillars: scientific research, public administration, business, and training.

The document helps understand the Italian government’s vision of AI and contextualizes the domestic AI bill expected to be presented shortly. The AI bill aims to supplement the European Regulation on Artificial Intelligence (AI Act), soon to come into force, in several specific sectors.

The strategy’s objectives

AI is rapidly becoming a driving force in shaping the future of our society. To follow the wave of the ongoing technological revolution, Italy has developed an ambitious strategy for 2024-2026, aiming to guide the country toward a leadership position in the global AI landscape.

The strategy’s main objective is to fully exploit AI’s transformative potential to improve citizens’ lives and promote the country’s economic and social growth in synergy with the EU and the international community. In other words, it aims to build an ecosystem where AI is at the service of people, fostering ethical principles and social responsibility and safeguarding key factors such as privacy, security, gender issues, and environmental sustainability.

Pillars and key actions

The strategy highlights the importance of scientific research in improving the quality of life and the social environment. The actions proposed in this regard include the consolidation of an Italian AI research ecosystem that facilitates the exchange of knowledge between universities, research centres and businesses. This ecosystem is also expected to be a breeding ground for developing innovative startups, supporting a plan to retain and attract talent, developing national AI Large Language Models that respect the values of European regulations, and funding blue-sky research for next-generation AI.

AI is also seen as a critical tool in the transformation of the public administration to improve internal efficiency and provide services tailored to citizens’ needs. To fully exploit AI’s potential, we need a structured and systematic approach, including actions to guarantee privacy, security, and proper data management. We also have to develop AI systems for interoperability and train public personnel. In addition, guidelines should be adopted to promote the use of AI in public tenders and create AI applications for the public sector that can guarantee adherence to regulations. According to the executive summary, AI could also simplify the interaction between public authorities and citizens or businesses by developing large-scale solutions based on feedback and specific needs. The strategy urges comprehensive training on AI in public administration through upskilling courses for staff.

Regarding businesses, the strategy aims to shed light on AI’s benefits to the Italian production and entrepreneurial system, known for its process and product excellence, and manufacturing vocation. A twofold strategic approach is proposed: on the one hand, the role of Italian ICT companies in the development of AI systems should be enhanced by fostering collaboration with universities and research bodies and facilitating the management of regulatory and certification practices. On the other hand, companies not directly involved in technological development but influenced by AI should align their strategies towards a greater centrality of data and AI to increase their competitiveness, with a particular focus on the challenges of environmental sustainability. The strategy proposes coordinated actions to strengthen the AI ecosystem among SMEs through dedicated funding to support the adoption and development of interoperable AI solutions. It also highlights the need to create laboratories to develop AI applications in industrial contexts and to support the growth of startups operating in the sector.

Last but not least is AI training. The executive summary notes that there is currently a shortage of AI skills in Italy, which slows the adoption of innovative solutions. The strategy proposes an integrated plan to strengthen and spread knowledge of AI in the education system, from high schools to universities, paying particular attention to PhD programs. Structured reskilling and upskilling programs in both the public and private sectors are envisaged to update skills and retrain workers to use new technologies. Similarly, promoting AI literacy for the population becomes essential to avoid creating a knowledge gap that undermines social and economic cohesion in the long run. In this respect, the strategy proposes implementing AI learning paths in schools, creating internships, exchange and visiting programs in companies and research centres, introducing AI as a subject in university degree courses, and supporting the National PhD in AI.

Enabling Factors

A crucial element of the strategy is identifying strategic “enabling” actions that define the framework within which specific initiatives are to be deployed in the different pillars. They’re divided into infrastructural actions and actions for the implementation, coordination, and monitoring of the strategy: the former includes creating a repository of datasets and models as a national knowledge asset and strengthening network infrastructure for AI. The latter focuses on establishing an Artificial Intelligence Foundation as the body responsible for AI initiatives and analysis of the strategy implementation.

Authors: Giacomo Lusardi, Alessandra Faranda

 

Data Protection and Cybersecurity

Italian data protection authority takes a clear stance on processing of biometric data

In five recently issued decisions, the Italian Data Protection Authority, the Garante per la protezione dei dati personali, addressed the complex privacy related issue of processing biometric data in the workplace.

The case involved five companies engaged at the same waste disposal site that implemented a facial recognition system to monitor employee attendance. The decisions highlight the Garante’s commitment to ensuring that personal data, particularly highly sensitive data such as biometric data, is handled in compliance with the GDPR. In its decisions, the Italian Data Protection Authority scrutinized the legality and ethical implications of using facial recognition technology to track employee attendance.

Garante’s decisions on the processing of biometric data

The investigations conducted by the Italian Data Protection Authority revealed that the companies had been using a biometric system that was introduced to monitor absenteeism and fraudulent timekeeping practices. Employees raised concerns about the legitimacy of processing their biometric data, arguing that less invasive methods could achieve the same objectives.

The Garante found that the companies’ processing of biometric data lacked a proper legal basis under the GDPR. One of the companies used consent as a legal basis, which is not considered a valid legal basis for employers processing special categories of personal data.

The Italian Privacy Authority also noted with concern that some companies failed to provide a privacy information notice regarding the processing to employees, violating transparency obligations. According to the companies, the privacy notice was provided orally. But according to the Garante, this cannot prove that the employees had been adequately informed as required by the GDPR. Moreover, the companies did not appoint a DPO or conduct a data protection impact assessment (DPIA), which are crucial steps in ensuring data protection compliance, especially when dealing with sensitive data like biometric data.

The Italian Data Protection Authority emphasized the principles of data minimization and proportionality, stating that companies should have more appropriately used less invasive systems to check the presence of their employees and collaborators in the workplace (eg badges).

Implications for employers of the decision of the Italian data protection authority

The Garante’s decision underscores the importance of adhering to data protection principles in the workplace, especially when dealing with highly sensitive biometric data. The authority emphasized that any processing of biometric data must be necessary, proportionate and accompanied by appropriate safeguards to protect employees’ fundamental rights and interests.

This decision serves as a reminder to employers to carefully consider the implications of using biometric systems in the workplace. Employers must ensure they have a valid legal basis for processing the data and that they provide clear information to employees about how their data is being processed. Moreover, in light of the data minimization principle, alternative, less intrusive methods should always be explored when dealing with employee data.

Author: Roxana Smeria

 

Consent is not valid if not informed and free according to the Italian data protection authority

The Italian data protection authority, the Garante per la protezione dei dati personali, has deemed consent to the processing of biometric data invalid because the data controller had not provided sufficient information on the data processing and limited the freedom of choice of individuals.

The Garante has launched an investigation into a foundation’s cryptocurrency project that offers a phone application in which data subjects create a digital identity profile. A personal device which scans the iris and face of data subjects can be used to establish a “verified” ID. In exchange for providing consent to the processing of biometric data, data subjects were offered “free” tokens via the phone application.

The Italian Data Protection Authority issued a warning to the data controller for lacking a legal basis for the processing. It classified the iris and face images of data subjects as “biometric data” and warned that consent is unlikely to be sufficient as a justifying legal basis in this case because:

  • the data controller did not provide sufficient information about the risks involved in the processing to enable data subjects to give informed consent; and
  • the commitment to grant free tokens adversely affected the conditions of consent.

This measure comes on the heels of the challenges currently pending before the Garante with respect to the “Pay or Ok” business model for profiling cookies and the argued lack of freedom of consent. Investigations have been ongoing for a while, but the Italian Data Protection Authority hasn’t taken a clear stance on the matter as it waits for the official position of the European data protection board.

It’s not possible to argue that any type of economic benefit can damage freedom of consent. As the CNIL has already argued, one must make a careful assessment of the circumstances of the particular case in line with the principle of accountability.

Author: Giulio Coraggio

 

Gaming and Gambling

New Italian bonus sports betting rules: What you need to know

The Italian gambling authority has approved new sports betting bonus rules, providing a higher level of flexibility in bonus offerings.

In the context of the Italian sports betting market, bonuses play a pivotal role in informing players on recent offers and enhancing their gaming experience. But with the recent enactment of the new Italian Bonus Sports Betting rules, there are specific regulations that both operators and players need to adhere to.

The types of bonuses allowed under the new Italian sports betting rules

The decree approved by the Italian gambling authority outlines three distinct types of bonuses that can be offered by operators:

  • Bonuses for cash winnings redemption: the amount paid to the player are winnings that are considered withdrawal balance.
  • Reduced payout bonus: The winning amount is adjusted by deducting the value of the bonus used by the player for placing the bet.
  • Bonus payout: The winning amount is credited as a bonus, which typically requires wagering before withdrawal.

Regulatory changes and considerations

In addition to defining bonus types, the decree introduces regulatory changes that must be considered:

  • limitation on bonus use
  • reporting requirements
  • restriction on cashouts
  • maximum bonus amount according to which the bonus used for placing fixed-odds bets cannot go beyond EUR100
  • monthly bonus limit: operators are restricted in the amount of bonuses they can offer per license in a calendar month, with limits based on turnover and winnings
  • inclusion of bonuses in GGR calculations

Effective date and compliance

The decree is slated to come into effect on 1 June 2024, providing a grace period for operators to adjust their practices accordingly.

In essence, the new Bonus Sports betting Directorial rules bring clarity and standardization to the sports betting bonuses offering while ensuring fairness and transparency for both operators and players. Complying with these regulations is crucial for all stakeholders to maintain integrity in the industry and foster a positive gaming environment. It’s a major change in a market where, because of the Italian gambling advertising ban, there are considerable restrictions on promotions.

Author: Vincenzo Giuffré

 

 

Intellectual Property

Combating counterfeiting and strengthening enforcement of intellectual property rights: European Commission recommendations on domain names

On 19 March 2024, the European Commission published its recommendations on measures to combat counterfeiting and strengthen the enforcement of intellectual property rights (IPR).

Some of the recommendations are specific to domain names, in particular Top Level Domain (TLD) Registries and entities involved in domain name registration services, such as registrars and resellers. The strategies outlined include both preventative and reactive measures aimed at denying access to wrongdoers and effectively combating abusive registrations.

Domain names can infringe IPR, with the well-known activities of cybersquatting or typo-squatting.

The Commission stressed the importance of the accuracy and completeness of domain name registration data (WHOIS data) to ensure the security and stability of the domain name system.

Directive (EU) 2022/2555 obliges Member States to require TLD Registries and entities providing domain name registration services to collect and maintain accurate and complete registration data in a dedicated database that allows domain name holders to be identified and contacted. Access to certain domain name registration data must be provided if the legitimate applicant submits a legitimate and properly documented request. The accuracy and completeness of domain name registration data can also play a central role in enforcing intellectual property rights.

Recommended preventive measures also include introducing terms and conditions that provide for the suspension or cancellation of domain name registration in the event of IPR infringement. They also provide registrants with access to intellectual property registers during the registration process to verify the existence of prior conflicting signs already registered. Implementing verification procedures for domain name registration data is also recommended.

Reactive measures include correcting erroneous registration data and recognising the right of access to registrants' personal data in accordance with Directive 2004/48/EC.

Another important aspect is the extension of the Domain Name Information and Warning System to Geographical Indications (GIs), in line with the recent EU Regulation on GIs. GIs are names that identify a product as coming from a particular place by attributing to it qualities, reputation or characteristics specific to that geographical region. The extension of this system to GIs is essential to prevent the registration of domain names that infringe GIs.

It also essential that public and private operators cooperate to combat IPR infringements. Finally, it’s important to designate a single point of contact for IPR enforcement and to promote the adoption of alternative dispute resolution (ADR) procedures to deal with domain name disputes, which offer a cheaper and faster alternative to traditional litigation.

The EU Recommendations are an important step forward in protecting IPR, including domain names, and contribute to a safer and more secure online environment for all stakeholders. The implementation of these preventive and reactive measures, with the promotion of cooperation and dispute resolution through ADR, will provide a solid foundation to effectively combat counterfeiting and enforce IPR in the digital age.

Author: Maria Rita Cormaci

 

Google fined EUR250m for violating copyright related rights

The French competition authority (Autorité de la concurrence) issued a EUR250 million fine to Google for failing to comply with some of the commitments it made in June 2022. The search engine had been ordered to comply with interim measures in April 2020, but had failed to do so, receiving a fine of EUR500 million in July 2021.

This decision comes after France adopted the law on related rights (transposing the European Copyright and Related Rights Directive of 17 April 2019). It aims to create the necessary conditions for a balanced negotiation between news agencies, publishers and digital platforms. This set of laws aims to redefine the distribution of value in the print sector for the benefit of its operators, and to address the significant transformations the sector has undergone in recent years. These changes include the increasing presence of digital audiences, which goes hand in hand with the declining circulation of traditional print media, and the fact that a considerable portion of advertising revenue is now controlled by major online platforms.

In June 2022, the Autorité accepted, for a period of five years, renewable once, commitments proposed by Google to put an end to the competition concerns expressed. These commitments, however, have not been met.

According to the Authority, Google failed to comply with four of its seven commitments, the aim of which was to ensure Google:

  • negotiated in good faith, based on transparent, objective and non-discriminatory criteria, within three months;
  • provided media organizations and publishers with the necessary information to assess their remuneration for related rights in a transparent manner; and
  • took the necessary measures to ensure that the negotiations do not affect other economic relations between the company and the press organizations and publishers.

This enforcement action emphasizes the importance of upholding copyright law in a rapidly changing digital landscape. It also underlines the growing intersection between copyright and competition law, as regulators seek to address anti-competitive practices that may result from the abuse of intellectual property rights by dominant market players.

In this case, the issue specifically concerns AI chatbots developed by Google. The competition authority found that the company allegedly used content from news agencies and publishers to train the basic model of this AI service without getting authorisation. This unauthorised use of content not only undermines the rights of content creators, but also hampers their ability to negotiate fair remuneration for their work. By incorporating this content into its AI service without proper consent, the company has effectively circumvented the traditional channels through which the use of content is negotiated, creating a significant imbalance in the digital ecosystem.

In response to the fine imposed by the Authority, Google committed to implementing a series of corrective measures to address the violations. But the implications of this enforcement action go beyond this immediate response, signalling a broader shift in how regulators address the intersection of copyright, competition and AI technology in the digital age.

Author: Maria Vittoria Pessina

Innovation Law Insights is compiled by the professionals at the law firm DLA Piper under the coordination of Arianna Angilletta, Matteo Antonelli, Edoardo Bardelli, Carolina Battistella, Carlotta Busani, Giorgia Carneri, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Enila Elezi, Alessandra Faranda, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Deborah Paracchini, Maria Vittoria Pessina, Tommaso Ricci, Miriam Romeo, Rebecca Rossi, Roxana Smeria, Massimiliano Tiberio, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna e Matilde Losa.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.

If you no longer wish to receive Innovation Law Insights or would like to subscribe, please email Silvia Molignani.

Print

Related capabilities

TechnologyMedia, Sport and EntertainmentIntellectual Property
Privacy policyLegal noticesCookie policyModern slaveryWhistleblowingSitemap

DLA Piper is a global law firm operating through various separate and distinct legal entities. For further information about these entities and DLA Piper's structure, please refer to the Legal Notices page of this website. All rights reserved. Attorney advertising.

© 2024 DLA Piper