Innovation Law Insights

Artificial Intelligence

Model Contractual Clauses for AI Procurement: How updated EU clauses help manage compliance risk

The European Commission has published the updated Model Contractual Clauses for AI Procurement (MCC-AI) to help businesses operating in the field of AI comply with the provisions of the AI Act.

Originally introduced in September 2023, the clauses serve as a practical and modular tool designed to help both public buyers and private operators navigate the regulatory challenges associated with sourcing and providing of AI systems.

Purpose of the MCC-AI

The MCC-AI have been drafted for those looking to procure AI. While primarily aimed at public sector AI buyers, as we explore below, private sector AI customers may find them of use. They are designed to facilitate alignment with key regulatory requirements under the AI Act, particularly in areas like transparency, risk management, accountability, and data governance.

Adopting the MCC-AI allows organizations to:

• reduce legal uncertainty;
• demonstrate regulatory readiness;
• potentially streamline contractual negotiations.

Two-Tiered Approach Based on Risk Level

The updated MCC-AI package includes two distinct versions:

• a full version for high-risk AI systems (AI systems intended to be used for emotion recognition, for recruiting or selecting of natural persons, or to evaluate the creditworthiness of natural persons);
• a light version for non-high-risk AI systems, which still ensures safeguards around key elements such as technical documentation and algorithmic transparency.

The package also includes an explanatory commentary offering guidance on how to tailor and integrate the clauses into existing contracts.

Usability for Private Sector Operators

Although originally tailored for public procurement, the MCC-AI can also be adopted by private sector entities, with the necessary adaptations. AI systems providers and procurers can incorporate these clauses into their contractual arrangements to align with emerging EU regulatory best practices.

This is especially valuable in today’s evolving legal landscape, where AI regulations are still taking shape and efforts are being made in some quarters to achieve greater harmonization.

Especially in the case of private companies, the MCC-AI are not a static tool to be incorporated into contracts as they are but need to be contextualized and adapted to the specific supply and the relevant economic sector.

Structure and Key Content Areas

The MCC-AI are not stand-alone contracts but are intended to be embedded in broader services agreements. They exclusively address AI-specific obligations under the AI Act and do not cover general contractual matters such as intellectual property, payment terms, applicable law, or traditional contractual liability, which the company involved must also carefully regulate.

The clauses are structured around five key thematic areas:

• AI System Compliance – Identifying applicable legal and ethical standards for the AI solutions provided.
• Supplier Roles and Responsibilities – Defining transparency requirements, risk management obligations, and compliance duties.
• Data Governance – Establishing criteria regarding data ownership, usage, and oversight of datasets used in AI systems.
• Verifiability and Traceability – Implementing audit tools, documentation requirements, and system performance monitoring.
• Cost Allocation – Clarifying financial responsibilities related to system implementation and necessary adjustments.

To facilitate adoption, the MCC-AI also include technical annexes with sample use cases, data governance templates, and model compliance documentation.

Why Consider Adoption?

For AI purchasers, these clauses provide a legal and ethical safeguard, particularly in scenarios where AI applications might affect fundamental rights or public safety.

The modular design of the MCC-AI is intended to allow for seamless integration and adaptation into existing contractual frameworks, supporting consistent management across different procurement contexts while simplifying processes and helping prevent potential disputes.

Although they are not legally binding, the MCC-AI offer a valuable operational support to address the issue of contractual governance in supplying and procuring of AI systems.

The difficulty with MCC-AI adoption is that relatively few AI procurements are undertaken in circumstances where the balance of negotiating power rests with the buyer. In a world of AI subscriptions from large vendors, and increasing adoption of open source/open-weights AI subject to short-form standard licenses, it will be interesting to see whether the updated MCC-AI terms gain traction.

Author: Giacomo Lusardi

GPAI: European Commission launches targeted consultation on rules, obligations and implementation practices

The European Commission has launched a targeted consultation to support the development of Guidelines for implementing the AI Act, inviting all relevant stakeholders to submit their input via a survey until May 22, 2025.

Through this multi-stakeholder consultation, the Commission aims to gather operational and practical insights from General-Purpose AI (GPAI) providers, downstream AI system developers, researchers, public authorities, and other professionals. The goal is to support the development of Guidelines that facilitate the effective enforcement of Regulation (EU) 2024/1689 (AI Act).

Why is this consultation critical?

GPAI systems present unique regulatory challenges. Their versatility enables them to perform a wide range of tasks and be embedded into countless downstream applications. This creates significant grey areas in legal qualification and compliance obligations – a complexity compounded by the rapid evolution of AI technologies.

With GPAI-specific provisions set to apply from August 2, 2025, the Commission seeks to clarify several key issues:

• Defining “GPAI”: establishing the scope of models falling under this classification.
• Providing accountability: identifying who holds responsibility in complex, layered development chains.
• Defining “placing on the market”: determining the precise moment a GPAI model is considered “placed on the market”.
• Calculating threshold estimation: defining how to measure computational resources used during model training.
• Open-source exemptions: clarifying when and how regulatory exemptions apply.
• Code of Practice: outlining the benefits and commitments of adhering to the voluntary Code.

The role of the European AI Office

The European AI Office, supported by the Joint Research Centre, will lead in drafting of these Guidelines. Although non-binding, they will serve as the Commission’s official interpretative framework for the implementaing the AI Act, especially Articles 52–55. They will be a crucial reference point for operators seeking compliance.

Code of Practice: Benefits of adhering

A central element of the consultation is the forthcoming AI Code of Practice, designed to support responsible GPAI development and use. The Commission asserts that participation in this Code will offer advantages for providers, including:

• increased trust: with non-signatories being expected to demonstrate AI Act compliance via other means, potentially with additional explanation;
• regulatory alignment: offering a structured path to meet AI Act obligations; and
• recognition of best practices: establishing operational standards at both EU and international levels.

The Code is intended to be fully aligned with the AI Act and will address key aspects such as documentation requirements, copyright risk management, and specific safeguards for models deemed to pose systemic risk (Articles 53 and 55).

What should developers and businesses know?

For organizations developing, modifying, or integrating GPAI models, this consultation is an opportunity to shape future regulatory expectations and seek clarity on their roles and responsibilities under the AI Act.

The consultation remains open until 22 May 2025, while the final Guidelines and Code of Practice are expected to be published between May and June 2025.

Final Remarks

This initiative marks a pivotal moment in the EU’s journey towards a coherent and operational AI regulatory framework. Rather than merely collecting opinions, the consultation is a participatory process – one that allows industry players to actively contribute to a future where innovation is matched by accountability. Engaging now means helping to define a legal environment built on clarity, cooperation, and mutual trust – the foundations for a trustworthy AI ecosystem in Europe.

Author: Dorina Simaku

 

Data Protection

The DPO cannot be a company’s legal representative in Italy

In a significant decision, the Italian Data Protection Authority (the Garante) addressed a critical issue concerning the roles of Data Protection Officers (DPO) and legal representatives in organizations operating in Italy.

The Garante concluded that appointing the same individual as both the DPO and the legal representative of a company constitutes a conflict of interest, violating the General Data Protection Regulation (GDPR).

Understanding the roles: DPO v legal representative

Under the GDPR, the DPO is responsible for overseeing data protection strategies and ensuring compliance with data protection laws. Crucially, the DPO must operate independently, without receiving instructions regarding how they complete tasks, and must report directly to the highest management level.

A legal representative under Italian law is an individual with representation powers of a company – such as a company director – who typically holds a position of authority in the organization and makes decisions about the purposes and means of data processing. According to the Garante, this dual role inherently compromises the DPO’s independence, as the individual cannot objectively monitor compliance with data protection laws if they’re also responsible for determining data processing activities.

The Garante’s investigation also revealed that a company had appointed its legal representative as the DPO without notifying the authority, as mandated by Article 37(7) of the GDPR and required even if the DPO was notified to other EU data protection authorities. This appointment violated several GDPR provisions:

• Article 37(6): The DPO must not hold a position that leads to a conflict of interest.
• Article 38: The DPO must perform their duties independently.
• Article 39: The DPO’s tasks include monitoring compliance, which is compromised if they’re also the legal representative.

As a result, the Garante imposed a fine of EUR70,000 on the company for these violations.

Implications for organizations operating in Italy

This decision serves as a critical reminder for organizations operating in Italy to carefully assess the appointment of their DPOs. Ensuring that the DPO operates independently and without conflicts of interest is not just a regulatory requirement but also a cornerstone of effective data protection governance.

Organizations must avoid assigning the DPO role to individuals who have decision-making authority over data processing activities, such as legal representatives or other senior executives. Instead, they should appoint individuals who can objectively oversee data protection compliance without undue influence.

The Garante’s decision underscores the importance of maintaining clear boundaries between roles in an organization to uphold the integrity of data protection practices. By ensuring that the DPO operates independently and free from conflicts of interest, organizations can better protect personal data and comply with the stringent requirements of the GDPR.

Author: Giulio Coraggio

 

Intellectual Property

Non-use of a trademark: Principles established by the EUIPO

On January 21, 2025, the EUIPO’s Cancellation Division ruled on a revocation application for non-use concerning a EU trademark registered in the class of perfumes and cosmetics. The applicant argued that the trademark had not been used for a prolonged period and was therefore subject to revocation. In response, the trademark owner submitted a series of documents in an attempt to justify the non-use during the relevant five-year period and to demonstrate an intention to resume marketing.

Part of the submitted documentation referred to periods prior to the relevant five-year timeframe, while other evidence related to preparatory activities such as correspondence with potential distributors, business plans, promotional images on social media, and requests for packaging and labelling quotations. Among the justifications provided for the lack of use, the owner cited: the transfer of ownership of the trademark following an assignment, the effects of the COVID-19 pandemic, and a French court decision prohibiting the previous owner from using the mark due to infringement.

The revocation applicant contested the relevance of the preparatory actions undertaken by the trademark holder, deeming them inadequate to reach the public. It also argued that the events cited couldn’t constitute legitimate reasons for the non-use. In support of this, it submitted market data showing an increase in perfume sales during the pandemic, particularly through e-commerce, suggesting that the owner could have used this channel to market its products. Regarding the injunction, the applicant pointed out that it was limited to the French territory, covered only part of the relevant five-year period, and didn’t entirely prevent use of the contested mark.

The Cancellation Division upheld the revocation request, relying on the principles established by European case law concerning trademark use, particularly regarding the time, place, manner, and extent of use, and also assessing the legitimate reasons invoked to justify the lack of use.

With respect to the time criterion, the EUIPO rejected the relevance of the submitted invoices, as they were dated outside the relevant five-year period. Although case law permits earlier documents to be relevant in some cases, this is only when supported by further evidence relating to the relevant timeframe.

Similarly, the documentation concerning preparatory acts was deemed insufficient to demonstrate genuine use of the trademark in the market, even though it fell within the relevant period. According to the settled case law of the Court of Justice, preparatory acts can be relevant only if they show that the products are close to being placed on the market. Actions considered merely internal and not perceivable in the market remain irrelevant. In this case, the documents provided as proof of preparatory acts (ie quote requests, correspondence with potential distributors, and the business plan) were judged insufficient to demonstrate use of the trademark in the marketplace, despite being within the relevant period.

As for the extent of use, the Cancellation Division recalled that genuine use of a trademark doesn’t necessarily require significant commercial volume, limited use can also suffice. However, in this case, the evidence provided was considered insufficient and inadequate to show an actual market presence of the trademark.

The business plan was considered an internal document without concrete follow-up (as it would have been, for instance, a funding application submitted to financial institutions). Similarly, quotation requests not followed by responses or developments were considered, at most, proof of internal use, not perceivable externally. The negotiations with potential distributors, which didn’t lead to actual agreements, were also not regarded as evidence of real commercialization. Finally, the occasional appearances of the trademark on social media – although within the relevant timeframe – were considered irrelevant due to a lack of data on the actual audience reached. On this point, the EUIPO guidelines are clear: “the mere presence of a trademark on a website is, of itself, not sufficient to prove genuine use unless the website also shows the place, time and extent of use or unless this information is otherwise provided.” The Division confirmed a strict application of the requirement for use to be minimal but genuine, highlighting the need for a concrete and perceivable presence on the market.

As for the assessment of the alleged legitimate reasons for non-use, the Cancellation Division reasoned as follows:

• It ruled out that, in this case, the COVID-19 pandemic could constitute a valid justification for interrupting trademark use. The owner merely invoked the pandemic in a generic way, without providing concrete evidence of its impact on business activities or of the impossibility of marketing products. Additionally, it didn’t contest the data submitted by the opposing party showing increased online sales in the sector during the pandemic. While acknowledging that the pandemic can, in theory, constitute a legitimate reason, the EUIPO reaffirmed that this must be supported by specific evidence directly linked to the inability to use the trademark, excluding generic invocation as a valid excuse.
  
  
• Regarding the French court injunction, the EUIPO recognized that a judicial measure can constitute an objective impediment to trademark use but ruled that this didn’t apply in this case. The injunction was limited to French territory, didn’t cover the entire relevant period, and ended with the transfer of the trademark to the current owner. Moreover, the obstacle was triggered by the current owner, who originally initiated the legal action that resulted in the ruling. For these reasons, the Office concluded that this circumstance couldn’t justify the absence of continuous use of the trademark.

The EUIPO’s Cancellation Division found that, although certain potential impediments to use had been submitted, they didn’t cover the entire relevant period and weren’t supported by sufficient and concrete evidence. In the absence of both concrete proof of actual use of the trademark in the relevant five-year period and valid objective reasons independent of the will of the trademark owner, the Office ordered the revocation of the European trademark registration.

Author: Carolina Battistella

 

EUIPO and the probative value of evidence based on hyperlinks and URLs

The Fifth Board of Appeal of the European Union Intellectual Property Office (EUIPO) recently issued a significant decision in case R 1470/2024-5, rejecting the opposition filed by FAEG against the registration of the “FAEG” trademark by A2Z World.

Background

The case originated when A2Z World applied to register the “FAEG” trademark for a wide range of electrical products. FAEG, the opponent in the proceedings, contested this registration, claiming to have used the “FAEG” trademark since 1965 and to have acquired significant notoriety in various European countries, including Italy.

Opposition Division decision

The EUIPO's Opposition Division initially rejected FAEG’s opposition, stating that the opponent hadn’t provided sufficient evidence to demonstrate rights to the invoked marks in accordance with national legislation. Specifically, the Division noted that the evidence presented didn’t demonstrate the non-purely local notoriety of the FAEG” trademark.

Appeal and Board of Appeal evaluation

FAEG appealed the decision, arguing that the “FAEG” trademark had been used continuously and had acquired non-purely local notoriety. The Board of Appeal examined the additional evidence, including transport documents, invoices, correspondence, and photos of trade fairs.

The Board concluded that the evidence was insufficient to demonstrate a non-purely local notoriety of the “FAEG” trademark in Italy. The Board noted that much of the proof referred to foreign transactions or events outside Italy. Additionally, the little proof related to the use of the trademark in Italy was geographically confined to the province of Bergamo, where the opponent is based, and didn’t demonstrate widespread knowledge of the trademark among the relevant public.

Even after considering the opponent’s belated evidence, the Board of Appeal (BoA) confirmed the Opposition Division’s conclusions that the opposition is unfounded under Article 8(4) EUTMR. The opponent’s evidence, which concerns only the territory of Italy, consists of invoices showing international transactions, financial statements, photographs without clear references to place and date, proof of acquisition of the domain name consisting of the contested sign, and a list of hyperlinks.

Evidence based on hyperlinks and URLs

A key aspect of the decision concerned the use of hyperlinks and URLs as evidence. FAEG submitted a list of 39 hyperlinks and URLs to demonstrate the presence of the “FAEG” mark in the market. The Commission held that mere references to websites, even when supported by direct hyperlinks, don’t constitute valid evidence. The nature of such evidence makes it difficult to verify the content and publication date of web pages, as they can be modified or taken offline over time.

The Commission emphasized that the burden of proof lies with the opponent and not with the Office. The Office doesn’t have to examine hyperlinks and URLs provided by the parties. Hyperlinks must be supported by additional evidence, such as printouts or screenshots of the relevant content. The lack of such supporting documentation led the Commission to conclude that the list of hyperlinks and URLs submitted by FAEG doesn’t provide meaningful information on the use of the earlier marks.

Regarding territorial scope, the Commission confirmed that the reputation of the mark was purely local, as the applicant had only submitted evidence of use in the city of Bergamo. The appeal was dismissed.

Author: Tamara D’Angeli

---

Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Carlotta Busani, Noemi Canova, Gabriele Cattaneo, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Deborah Paracchini, Maria Vittoria Pessina, Marianna Riedo, Tommaso Ricci, Rebecca Rossi, Dorina Simaku, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna, Matilde Losa and Arianna Porretti.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about “Transfer,” the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and check out a DLA Piper publication outlining Gambling regulation here, as well as Diritto Intelligente, a monthly magazine dedicated to AI, here.

If you no longer wish to receive Innovation Law Insights or would like to subscribe, please email Silvia Molignani.