5 June 2025
21 minute read

Innovation Law Insights

6 June 2025
Podcast

Google, Privacy and a USD1.3b fine: Who’s tougher – the US or EU?

Google has agreed to pay a USD1.375 billion fine to settle two major privacy lawsuits in Texas – its largest data-related payout ever. But is the US finally outpacing the EU in regulating Big Tech? In this episode of Diritto al Digitale, Giulio Coraggio compares this record-breaking settlement to key GDPR fines in Europe. From biometric data enforcement to location tracking, we explore the different legal models on both sides of the Atlantic. You can watch here.


Artificial Intelligence

AI in the Life Sciences sector

AI is transforming the way companies and organizations operate, opening new frontiers in strategic sectors – including healthcare.

Thanks to its ability to process vast amounts of data, learn from outcomes, and support complex decision-making, AI is driving significant change across the healthcare landscape. Despite the exponential growth of data generation, only a small portion is currently used to enhance the quality and efficiency of care. As a result, more and more stakeholders are investing in AI to streamline processes and optimize resource allocation.

AI applications in healthcare are already widespread. With regard to medicines, companies are using AI to support research and development of new molecules, manage preclinical and clinical trials, and optimize manufacturing processes. At the same time, the medical device sector has seen a sharp rise in the integration of AI-based systems in recent years. These technologies are revolutionizing the healthcare ecosystem by improving diagnostic accuracy and reducing clinical errors, thanks to their ability to identify conditions and treatment pathways with greater precision.

AI also plays a key role in accelerating and customizing care pathways, advancing the development of personalized medicine tailored to each patient’s specific needs while offering tangible benefits for healthcare system sustainability. These applications of AI not only improve performance but also create new opportunities to solve pressing issues in healthcare.

AI in the development of medicines and medical devices

Today, one of the most relevant areas where AI is making an impact is in research and development for new healthcare products. In particular, the use of AI-based solutions helps reduce costs while also accelerating and improving the identification and development of the most promising molecules. Regulation (EU) 2024/1689 (AI Act) is particularly noteworthy. Article 2(6) states that the Regulation doesn’t apply to AI systems or models – including their outputs – developed and put into service solely for scientific research and development. While some stakeholders advocate for a broad interpretation of this exemption to exclude all research and development-related AI systems in the pharmaceutical field, EU institutions currently favor a more restrictive view. At this stage, the scope of the exemption remains uncertain, and we await official guidance from the competent authorities.

AI can also play a decisive role in the later stages of product development. For example, it can identify eligible patients for clinical trials, optimize the design of protocols, and employ predictive models and real-time monitoring tools to analyze data more quickly, cost-effectively, and efficiently. One of the most promising developments lies in the use of digital twins. These in silico studies use virtual models to assess the efficacy and safety of medicines and medical devices, potentially reducing the time and cost of preclinical and clinical testing. In the future, the goal is to partly replace the use of human and animal subjects in traditional trials.

Meanwhile, AI is already transforming the medical device landscape by enhancing diagnosis, treatment, and patient monitoring. For example:

  • Computer-aided detection (CAD) systems use deep learning algorithms to analyze medical images and identify anomalies with accuracy often exceeding that of human experts. These systems are already helping to detect cancer at earlier stages, significantly improving survival rates.
  • Intelligent sensors and predictive algorithms allow medical devices to adapt to individual patient needs. These tools continuously monitor vital signs – such as blood pressure and glucose levels – and deliver real-time feedback to optimize treatment.
  • With the rise of telemedicine, AI-powered medical devices now play a central role in remote patient monitoring. They enable continuous data collection and early-warning alerts, which improve chronic disease management and reduce hospital admissions.

Regulatory framework

The current regulatory framework has not yet kept pace with these technological advances, especially when it comes to medicines. The existing rules, often dated, don’t explicitly address the use of AI. An update of the legal framework is essential to ensure the safe, effective, and responsible use of AI in healthcare.

That said, some progress is on the horizon. The in silico approach, for instance, appears in the EU’s proposed revision of pharmaceutical legislation as a possible alternative to animal testing. Additionally, in 2023, the European Commission launched the European Virtual Human Twins initiative to support the development of next-generation digital twins in healthcare. These tools aim to create virtual replicas of real patients, faithfully simulating their health status and treatment responses. The EDITH project (European Virtual Human Twin) complements this effort by building a shared cloud-based platform that aggregates models, datasets, algorithms, and best practices. This ecosystem will allow the creation of digital twins of specific organs and the integration of those into complete human models. The project places strong emphasis on ethical considerations and regulatory compliance, with the goal of creating a trustworthy and transparent platform that aligns with EU standards on data privacy and cybersecurity.

When it comes to medical devices, the overlap between sector-specific regulations and the AI Act raises important and still unresolved issues. Most software classified as a medical device – under Regulation (EU) 2017/745 (MDR) and Regulation (EU) 2017/746 (IVDR) – also falls under the category of “high-risk AI systems” within the meaning of the AI Act. This classification creates significant implications for manufacturers. In addition to meeting MDR/IVDR requirements, they must also comply with the specific obligations of the AI Act. In particular, they must undergo a conformity assessment procedure that simultaneously addresses both sets of requirements. As a result, Notified Bodies will need to expand their evaluations to include compliance with AI-related requirements, despite the current lack of clear guidance on how to conduct such assessments. This situation could delay the certification process, much like the disruptions experienced during the transition from the old EU Directives to the current regulatory regime.

In addition to a still fragmented and incomplete regulatory framework, several other challenges hinder the widespread adoption of AI in healthcare:

  • Data fragmentation: The lack of standardization and interoperability limits the optimal use of healthcare data, which is often held by different entities for various purposes. The implementation of the European Health Data Space is a relevant step toward better data sharing and interoperability across the EU.
  • Privacy and security: Handling sensitive health data requires strict compliance with the General Data Protection Regulation (GDPR), including appropriate technical and organizational safeguards. As a general rule, any AI-based personal data processing requires a risk-specific assessment. This assessment must focus on the AI system and examine its potential impact on the rights, freedoms, and security of data subjects. It is also necessary to document compliance with the fundamental principles of the GDPR, such as necessity and proportionality. The assessment of necessity should consider the option of using data that doesn’t allow for the (re)identification of a natural person, such as anonymized data. If this option isn’t feasible, the reasons should be justified, taking into account the objectives pursued.
  • Social challenges: People may lack trust in how healthcare systems handle their personal data. At the same time, many healthcare professionals still don’t fully understand how AI can enhance their work. Investing in professional training and in the digital education of citizens is essential to support AI adoption.

The future of AI in healthcare

With an ethical and collaborative approach, AI has the potential to radically transform healthcare, making it more efficient, accessible, and personalized. Initiatives such as the AI Act and the EMA’s AI work plan put the EU in a leading position, promoting responsible innovation that keeps the patient at the center.

AI is not just a futuristic technology – it already helps improve the lives of millions of people today.
When used responsibly and in full alignment with pharmaceutical legislation, data protection rules, trade secrets, intellectual property, and cybersecurity standards, AI can become a cornerstone of a more equitable and sustainable healthcare system, one where technology and humanity work together.

Authors: Nicola Landolfi, Nadia Feola, Roxana Smeria


Data Protection

Garante issues first GDPR fine over employees email metadata privacy breach in Italy

The Italian Data Protection Authority (the Garante) issued its first GDPR fine on the unlawful retention of metadata from employees’ emails and web browsing activities, applying its highly discussed guidelines of 2024 on the use of metadata in workplace email systems for the first time in Italy.

Processing metadata in the employment relations

Metadata generated through corporate email and internet usage includes information such as sender and recipient addresses, subject lines, date and time of transmission, the presence and size of attachments, and IP addresses. Although this data doesn’t include the actual content of messages, it can reveal patterns of behavior, relationships, and indirectly infer performance or productivity levels.

In the employment context, this type of metadata becomes highly sensitive. Its processing must comply not only with GDPR principles but also with Italian labor laws, especially Article 4 of Law No. 300/1970 (the Italian Workers’ Statute), which regulates the monitoring of employees. Notably, Article 114 of the Italian Privacy Code explicitly refers to the Workers’ Statute, anchoring labor law protections firmly within the data protection regime. As such, the breach of Article 4 of the Italian Workers’ Statute can generate an automatic breach of Italian data protection laws.

First enforcement of the Garante’s metadata guidelines on employee emails

In June 2024, the Garante released specific guidelines titled: “Programs and Services for Managing Emails in the Workplace and Metadata Processing”. These guidelines represent a major clarification for employers and IT service providers by stating:

  • Employee email metadata constitutes personal data and may be used to indirectly monitor employee conduct.
  • Maximum retention without further safeguards is 21 days.
  • Retention beyond 21 days requires one of two conditions:
    • an agreement with trade union representatives; or
    • authorization from the Territorial Labor Inspectorate.

Additionally, under data protection law, it's necessary to implement:

  • a detailed privacy information notice specifying the type of metadata that is processed, the legal basis, the purpose of the processing and the retention period;
  • a legitimate interest assessment since legitimate interest is likely to be the legal basis;
  • a data protection impact assessment given the relevant amount of processed personal data.

The guidelines aim to prevent disproportionate or opaque data processing practices that could undermine employees' rights under the GDPR and labor laws. The guidelines are not binding in themselves, but they represent the official position of the Garante on the matter, as the decision outlined below shows, so companies have to comply with them.

The Garante case on the processing of metadata of employees in Italy

During an ex officio inspection, the Garante discovered that Regione Lombardia, one of the largest Italian regions, had been retaining:

  • email metadata for up to 90 days;
  • web browsing logs for 12 months;
  • helpdesk log data (containing employee identifiers and ticket histories) for nearly 10 years.

These retention periods far exceeded what the guidelines deem proportionate, particularly given the absence of any trade union agreement or labor authority authorization.

The employer had entered into a trade union agreement only after the inspection had commenced. The Garante clarified that such an agreement cannot retroactively justify past data processing.

Legal breaches identified

The Authority found that Regione Lombardia violated multiple GDPR provisions:

  • Article 5(1)(c) (Data Minimization): Data was collected and stored beyond what was necessary.
  • Article 5(1)(e) (Storage Limitation): Metadata was retained for periods unjustified by any demonstrated necessity.
  • Article 6(1) (Lawfulness of Processing): There was no valid lawful basis for the retention of metadata for extended periods.
  • Article 35 (DPIA Requirement): Regione Lombardia failed to conduct a Data Protection Impact Assessment, despite the high-risk nature of systematic employee data processing.
  • Article 88 GDPR & Article 114 Privacy Code: The processing failed to comply with national provisions that integrate labor law protections.
  • Article 28 GDPR: Contracts with IT service providers had not been updated in accordance with current requirements.

Crucially, the Italian Data Protection Authority emphasized that the potential to use metadata to monitor employees triggers the application of Article 4 of the Workers’ Statute, even if monitoring isn’t routinely conducted.

Sanctions and corrective measures

In the light of the above, the Garante issued a EUR50 thousand fine, which was broken down as follows:

  • EUR20 thousand for unlawful processing of email metadata;
  • EUR25 thousand for excessive web browsing log retention;
  • EUR5 thousand for storing helpdesk ticket metadata for an excessive period.

Historically, GDPR fines issued against public authorities are lower than those imposed on private companies. Had the same proceeding been initiated against a company, the potential fine would have been considerably higher.

In addition to the monetary penalty, the Garante ordered Regione Lombardia to:

  • limit browsing log retention to 90 days and implement anonymization thereafter;
  • minimize and encrypt email metadata;
  • restrict access to metadata to authorized personnel only;
  • update internal policies and privacy documentation;
  • revise contracts with third-party IT providers to reflect Article 28 GDPR obligations;
  • conduct a DPIA to assess and mitigate privacy risks;
  • ensure future compliance with labor law obligations for any processing that can result in employee monitoring.
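The corrective measures above (cap retention, anonymize what is kept beyond the cap, minimize the fields held) translate into a scheduled retention job on the mail and proxy logs. The following is an added Python example, not code from the Garante, Regione Lombardia or the authors of this piece. The 21-day window mirrors the threshold the guidelines describe; the record fields, the anonymization rule (keep only the mail domains, drop subject and client IP) and the sample records are constructed assumptions for illustration.

```python
"""Retention enforcement for e-mail metadata records (added example, not from the page)."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class MailMetadata:
    """One metadata record as a mail gateway might log it (assumed field set)."""
    sender: str
    recipient: str
    subject: str
    sent_at: datetime
    attachment_bytes: int
    client_ip: str


# Assumption: default window mirrors the 21-day threshold in the Garante guidelines.
DEFAULT_RETENTION = timedelta(days=21)


def _domain_only(address: str) -> str:
    """Keep only the domain so the field no longer points at one mailbox."""
    return "*@" + address.rsplit("@", 1)[-1] if "@" in address else "*"


def anonymize(record: MailMetadata) -> MailMetadata:
    """Reduce a record to non-identifying fields (assumed policy: domains only,
    no subject, no client IP). Volume and timing stay usable for capacity planning."""
    return replace(
        record,
        sender=_domain_only(record.sender),
        recipient=_domain_only(record.recipient),
        subject="",
        client_ip="0.0.0.0",
    )


def apply_retention(
    records: List[MailMetadata],
    now: datetime,
    retention: timedelta = DEFAULT_RETENTION,
) -> Tuple[List[MailMetadata], List[MailMetadata]]:
    """Split records into those inside the window (kept as-is) and those past it
    (returned only in anonymized form, so the identifiable copy can be deleted)."""
    cutoff = now - retention
    kept: List[MailMetadata] = []
    aged: List[MailMetadata] = []
    for rec in records:
        if rec.sent_at >= cutoff:
            kept.append(rec)
        else:
            aged.append(anonymize(rec))
    return kept, aged


def retention_audit(
    records: List[MailMetadata],
    now: datetime,
    retention: timedelta = DEFAULT_RETENTION,
) -> Dict[str, int]:
    """Audit helper: how many identifiable records exceed the window, and by how much.
    A non-zero 'overdue' count is the finding a DPIA reviewer would want flagged."""
    cutoff = now - retention
    overdue = [r for r in records if r.sent_at < cutoff]
    oldest_days = max(((now - r.sent_at).days for r in overdue), default=0)
    return {"total": len(records), "overdue": len(overdue), "oldest_age_days": oldest_days}


# Constructed sample data: four records around a fixed "now" of 5 June 2025.
NOW = datetime(2025, 6, 5, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    MailMetadata("alice@corp.example", "bob@partner.example", "Q2 figures",
                 datetime(2025, 6, 4, 9, 30, tzinfo=timezone.utc), 120_000, "10.0.0.5"),
    MailMetadata("carol@corp.example", "alice@corp.example", "Shift plan",
                 datetime(2025, 5, 20, 8, 0, tzinfo=timezone.utc), 0, "10.0.0.7"),
    MailMetadata("bob@partner.example", "carol@corp.example", "Invoice 17",
                 datetime(2025, 5, 10, 16, 45, tzinfo=timezone.utc), 48_000, "192.0.2.9"),
    MailMetadata("alice@corp.example", "dave@corp.example", "Holiday request",
                 datetime(2025, 3, 1, 11, 0, tzinfo=timezone.utc), 0, "10.0.0.5"),
]

if __name__ == "__main__":
    print(retention_audit(SAMPLE_RECORDS, NOW))
    kept, aged = apply_retention(SAMPLE_RECORDS, NOW)
    for rec in aged:
        print("anonymized:", rec)
```

Run as a daily job, the job would write `kept` back unchanged, replace the over-age rows with their anonymized form and delete the originals; the audit dictionary is what to surface to whoever owns the DPIA, since any non-zero `overdue` count means identifiable metadata is being held past the agreed window.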

Why this decision matters

The Garante's decision on the processing of metadata relating to employees' emails is a watershed moment in the evolution of privacy enforcement in the workplace in Italy. It sets an authoritative precedent that:

  • email metadata is subject to full GDPR protection;
  • employers must treat metadata with the same seriousness as content;
  • labor law protections extend to digital traces, not just direct monitoring tools like video surveillance.

It also affirms the legally binding nature of the Garante’s guidelines. The decision shows the guidelines can serve as a benchmark for assessing compliance and imposing sanctions, even though they’re often seen as soft law instruments.

Practical implications for employers

Organizations operating in Italy – both public and private – must now:

  • map and re-evaluate all metadata retention practices related to employee communications and the purpose of their data processing;
  • align retention periods with the 21-day threshold or secure proper trade union authorizations;
  • assess vendor systems: email and IT platforms must allow for granular configuration of metadata retention settings;
  • update trade union agreements where necessary to cover new types of data processing;
  • conduct DPIAs whenever there’s a risk of profiling or monitoring and LIAs when the data processing is based on legitimate interest;
  • adopt detailed privacy information notices and internal policies on the usage of metadata; and
  • strengthen internal governance by assigning responsibility for ongoing monitoring and compliance.

Looking forward: A new compliance baseline

This first enforcement action under the metadata guidelines raises the bar for privacy compliance in the employment context. It illustrates that metadata, often regarded as low-risk, can in fact be highly sensitive when linked to employee identities and behaviors. Employers must no longer treat metadata as a technical byproduct. Instead, it must be classified, risk-assessed, and protected under a privacy-by-design framework. Failure to do so can now result in not just reputational harm, but financial penalties and legal scrutiny from both privacy regulators and labor authorities.

Conclusion

The Regione Lombardia decision sends a clear message: metadata retention is monitoring, and monitoring is regulated. It now requires a deep understanding of how even invisible data can impact fundamental rights in the workplace.

Organizations that proactively adapt to this new paradigm – by revising retention policies, investing in data governance, and fostering transparency with employees – will be better positioned to avoid regulatory action and build trust in a digitized work environment.

Author: Giulio Coraggio


Intellectual Property

Global counterfeiting: New routes of fakes amid e-commerce and logistics in light of the OECD-EUIPO 2025 report

In 2021, counterfeit goods accounted for 2.3% of global trade and nearly 5% of imports into the EU. This is the striking – yet, unfortunately, unsurprising – opening figure of the latest joint OECD-EUIPO report “Mapping Global Trade in Fakes 2025,” which outlines a phenomenon that is increasingly sophisticated, pervasive, and resilient to traditional enforcement tools.

The new face of counterfeiting: “Localized” production and fragmented logistics

One of the most relevant trends identified in the report is the localization of illicit activities: the production and assembly of counterfeit goods increasingly take place close to or within the destination markets, sometimes in free trade zones where customs controls are less stringent. Counterfeiters employ complex strategies, such as separately importing components, labels and packaging, to reduce interception risks and more easily circumvent anti-counterfeiting measures.

The exponential rise of e-commerce and the widespread use of small parcel shipments have shifted the logistics of counterfeiting: nearly 80% of shipments seized between 2020 and 2021 contained fewer than ten items, and nearly 60% were delivered via regular postal services. These channels are particularly hard to monitor, especially since the customs declarations are often vague (eg "stuff," "daily necessities").

Most affected sectors: Not just fashion and luxury

Counterfeiting affects nearly half of the product categories listed in the harmonized customs system. Clothing, footwear, leather goods, and electronics remain top targets, but seizures are also rising in the cosmetics, toys, medical devices, and – alarmingly – car spare parts and pharmaceuticals sectors.

This is not just an economic issue. Counterfeit items often fail to meet even basic safety standards and can pose serious risks to public health. Particularly dangerous are “zombie” car parts (eg non-functioning airbags) and cosmetics made with prohibited substances.

Fake trade routes: A global problem, with Europe on the front line

China and Hong Kong remain the main sources of counterfeit goods, followed by Türkiye, Lebanon and Syria. But countries like Bangladesh, Colombia and some African economies also rank among the jurisdictions with the highest propensity to export fakes (based on GTRIC-e scores).

On the demand side, the EU remains one of the most affected regions. In the 2020–2021 period, over 60% of the total value of global seizures was destined for EU member states, with Germany, Belgium and France topping the list.

Regulatory responses and unresolved challenges

The regulatory landscape is fragmented and often inadequate to address a phenomenon that is increasingly digitalized and transnational. While the EU has introduced specific measures to combat counterfeiting – such as Regulation (EU) No 608/2013 on customs enforcement – and promotes coordinated initiatives via EUIPO, enforcement remains highly uneven across member states.

Another critical issue lies in the priority given by authorities to anti-counterfeiting efforts: enforcement resources are often concentrated on more “dangerous” illegal activities (eg drugs, weapons, terrorism), leaving entire segments of the counterfeiting market unguarded – especially when dealing with seemingly “harmless” goods.

Business strategies: Between traceability, cooperation and technology

For companies – especially those holding registered trademarks – the OECD-EUIPO Report confirms the need to adopt multi-level strategies to combat counterfeiting. The most effective measures include:

  • strengthening online monitoring and brand protection programs;
  • cooperating with logistics operators to detect recurring anomalies in shipments;
  • investing in traceability technologies (eg secure QR codes, blockchain solutions);
  • leveraging tools offered by public observatories and customs authorities to report suspicious cases.

Conclusion

Global trade in counterfeit goods is far from a marginal issue: it’s a concrete and systemic threat to intellectual property rights, consumer safety, and fair market competition. Companies must address it with full awareness, equipping themselves with both technical and legal tools, while also contributing to the development of a more coordinated, agile and proactive regulatory ecosystem.

Author: Federico Maria Di Vizio


Technology Media and Telecommunication

AGCom Communication Markets Monitoring System for 2024

The Italian Communications Authority (AGCom) has published the Communications Monitoring Report No. 1/2025, containing data pertaining to 2024.

The data included in the Communications Monitoring Report reveals that the total number of direct fixed-line networks at the end of December 2024 showed no significant change compared to March 2024, remaining at approximately 20.3 million lines. On an annual basis, this represents an increase of 118,000 accesses, and compared to the corresponding period in 2020, there was an increase of 382,220 accesses (1.92% higher than 2020).

AGCom also notes that copper-based lines have decreased by approximately 178,000 units in the last quarter of 2024 and by 700,000 units compared to December 2023. Over the past four years, the decrease registered amounts to 4.30 million accesses.

Lines based on more advanced technologies have also declined, however. Broadband lines are estimated at around 18.86 million at December 2024, a decrease on both a quarterly and an annual basis, of 340,000 and 163,000 lines respectively.

FTTC (Fiber To The Cabinet) accesses at the end of December 2024 totaled 9.13 million, showing a decrease of 705,000 lines, a 7.2% drop compared to December 2023. FTTH (Fiber To The Home) connections, totaling 5.86 million in December 2024, have increased by over 330,000 lines compared to the previous quarter and by 1.23 million compared to the same period in 2023. Compared to December 2020, this is an increase of approximately 4 million lines. Fixed Wireless Access (FWA) lines have also grown, though to a lesser extent (around 251,000 units annually), reaching about 2.37 million lines by the end of December 2024.

This trend indicates a significant improvement in connection speeds, as between December 2020 and December 2024, the proportion of lines with speeds of 100 Mbit/s or higher rose from 52.6% to 79.3% of the total. The share of lines offering transmission speeds of 1GB/s or higher also increased, from 8.7% to 28.4% of the total.

The data from the report confirms the continued increase in data consumption. The average daily traffic in terms of total volume for 2024 grew by 13.8% compared to 2023 and by 65.2% compared to 2020. These figures are reflected in daily broadband traffic per line: unit consumption has increased by 55.9% compared to 2020, from 6.08 GB to 9.48 GB per line on average per day.

With regard to the mobile network segment, AGCom reports that the total number of active SIMs at the end of December 2024 (including “human” SIMs, ie “voice only,” “voice+data,” and “data only” that involve human interaction, and M2M, ie “machine-to-machine”) reached 109.2 million, increasing by 680,000 units annually. Specifically, M2M SIMs grew by 462,000 units annually, totaling 30.5 million. Human SIMs, totaling 78.7 million by December 2024, saw a growth of 211,000 units compared to the same period in 2023. According to AGCom, 13.8% of human SIMs in December 2024 were business SIMs, while the remaining 86.2% were intended for residential customers.

According to AGCom, about 58.8 million human SIMs generated data traffic during 2024, an increase of approximately 2.3 million compared to the same period in 2023. This shows that mobile data traffic in December 2024 increased by 11.4% compared to the same period in 2023 and by over 140% compared to 2020. The average daily data consumption per SIM in the first half of the year is estimated to be about 0.86 GB, an increase of 11.4% compared to 2023 and of over 140% compared to 2020, when the daily data consumption was estimated at 0.36 GB.

Authors: Massimo D’Andrea, Flaminia Perna, Matilde Losa

Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Carlotta Busani, Noemi Canova, Gabriele Cattaneo, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D'Angeli, Chiara D'Onofrio, Federico Maria Di Vizio, Enila Elezi, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Deborah Paracchini, Maria Vittoria Pessina, Marianna Riedo, Tommaso Ricci, Rebecca Rossi, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D'Andrea, Flaminia Perna, Matilde Losa and Arianna Porretti.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about “Transfer”, the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and check out a DLA Piper publication outlining Gambling regulation here, as well as Diritto Intelligente, a monthly magazine dedicated to AI, here.

If you no longer wish to receive Innovation Law Insights or would like to subscribe, please email Silvia Molignani.
