Innovation Law Insights

Podcast

Legal Leaders Insights | Santiago Silva of Red Bull on the future of AI

Join Giulio Coraggio and Tommaso Ricci in this compelling episode of Legal Leaders Insights as they sit down with Santiago Silva, Senior Legal Counsel at Red Bull. They delve into the exciting intersection of law, innovation and AI. Watch the episode here.

 

Data Protection and Cybersecurity  

EDPB Guidelines 02/2025: Navigating GDPR Compliance with Blockchain Technologies

On April 8, 2025, the European Data Protection Board (EDPB) adopted Guidelines 02/2025 on processing of personal data through blockchain technologies (the Guidelines). They address the delicate and complicated intersection of distributed ledger technology with the EU’s General Data Protection Regulation (GDPR).

The Guidelines, open for public consultation until June 9, 2025, provide a thorough analysis for organizations processing personal data through blockchain technologies, clarifying expectations and compliance pathways for a sector long entangled in legal uncertainties.

The Guidelines focus on the application of GDPR’s strict requirements to blockchain’s decentralized, immutable, and often borderless nature. By doing so, the EDPB highlighted the importance of assessing the characteristics of different blockchain architectures, distinguishing between public permissionless blockchains (such as bitcoin and ethereum) and private permissioned blockchains (which are a more common choice in companies). Public permissionless blockchains are decentralized, meaning that all participants have equal rights and capacities and can read, write, or be candidates for creating new blocks. Private permissioned blockchains give a small group of entities the authority to give permission to participate: only selected nodes can read, write, or be candidates for creating new  blocks, depending on the rules that apply to the blockchain.

Defining roles and responsibilities

In accordance with the principle of accountability defined by the GDPR, the Guidelines stress the need for clear governance and defined roles and responsibilities in blockchain operations. According to the EDPB position, all actors involved in blockchain-based processing must define and document their roles, distinguishing between data controllers and processors. This is especially challenging in public, permissionless blockchains, where participants might have varying degrees of influence over the network. To address this issue, the EDPB encourages forming consortia or legal entities among nodes, which can act as the controller for GDPR purposes.

Data protection by design and by-default

As the EDPB notes, the data protection by design and by default approach is very important in the context of blockchain as the technology is particularly challenged by data protection principles. Controllers have to implement effective technical and organizational measures from the outset, minimizing data exposure and ensuring that personal data isn’t accessible to an indefinite number of people by default. This also includes carefully selecting blockchain architectures. Permissioned or private blockchains should be preferred over public blockchains, which according to the EDPB should only be used when their openness is strictly necessary for processing.

International data transfers: The challenge of global nodes

Among the most complex issues addressed is transfer personal data internationally. Blockchains, particularly public ones, generally involve nodes located in multiple jurisdictions that are neither necessarily chosen nor vetted, triggering GDPR’s compliance concerns. The Guidelines clarify that participation by nodes outside of the European Economic Area (EEA) constitutes an international transfer of personal data, requiring suitable safeguards such as Standard Contractual Clauses.

Based on the analysis contained in the Guidelines, controllers should map the locations of all nodes and assess the legal implications of cross-border data flows. For public blockchains, where node locations may be unknown or constantly changing, this presents a significant compliance challenge.

Data retention and data subject rights: reconciling immutability with storage limitation

GDPR’s storage limitation principle requires that personal data not be kept longer than necessary for the purposes for which it was collected. However, as immutability is one of blockchain’s core features, data, once written on it, can’t be deleted or modified.

The Guidelines address this tension by acknowledging the technical impossibility to comply with erasure, objection and rectification obligations on the blockchain, concluding that when deletion hasn’t been taken into account by design, this may require deleting the whole blockchain. This radical proposition has sparked concern in the blockchain community, who fear that the prevalence of interests linked to data protection compliance could undermine the advantages associated with the adoption of blockchain technology itself. The EDPB suggests that, if the combination of on-chain and off-chain data is taken into account by design, erasing off-chain data might make the on-chain transaction no longer related to an identified or identifiable person, ensuring the integrity of the blockchain while complying with GDPR principles.

The EDPB also considered that, in cases where processing doesn’t require a retention period equal to the lifetime of the blockchain, personal data shouldn’t be written to the blockchain unless it’s done in a way that effectively prevents identification of the data subjects. Moreover, the EDPB emphasized that controllers have to justify any retention period that extends for the lifetime of the blockchain, demonstrating necessity and proportionality.

The Data Protection Impact Assessment (DPIA) as a mandatory step

The Guidelines reminds that a DPIA is mandatory for any processing likely to result in high risks to individuals’ rights and freedoms, a threshold almost always met considering the criticalities of the interrelation between blockchain technology and GDPR principles. The DPIA should:

• Assess necessity and proportionality: Clearly articulate why blockchain is necessary for the intended processing, and whether less intrusive alternatives exist.
• Evaluate immutability risks: Analyze the impact of blockchain’s immutability on data subject rights, especially the rights to rectification and erasure.
• Review Privacy-Enhancing Technologies (PETs): Examine the effectiveness of PETs (eg zero-knowledge proofs, encryption) in mitigating risks.
• Consider international transfers: Detail the implications of cross-border data flows, especially in public chains with global nodes.
• Document mitigation measures: Propose technical and organizational safeguards, including access controls, off-chain storage, and governance structures.
• Describe the mechanism for exercising data subject rights: Outline procedures for responding to data subject requests, including potential limitations and alternatives if technical erasure is not feasible.

If the DPIA concludes that compliance with data protection law cannot be realistically ensured with appropriate technical and organizational measures, the controller should instead rely on a different model of blockchain or another technology that reduces, or doesn’t introduce, such risks.

The broader context: Why now, and what comes next?

The EDPB’s decision to issue these Guidelines reflects the rapid expansion of blockchain applications beyond cryptocurrencies into finance, supply chains, healthcare, and digital identity, all of which often involve processing personal data. So far, the lack of clear regulatory guidance has been a barrier to many privacy-conscious organizations adopting blockchain technology. The Guidelines aim to close this gap, ensuring that innovation doesn’t come at the expense of fundamental rights.

The Guidelines’ emphasis on governance, accountability, and controllability set a high bar for GDPR compliance, raising the stakes for blockchain projects. This may accelerate the shift towards permissioned and private blockchains for any use case involving personal data, to the detriment of more decentralized and open architectures. The fact that public, permissionless blockchains could be targeted for deletion if individual data cannot be erased amounts to an existential threat to decentralized systems.

A regulatory crossroads

The EDPB’s Guidelines mark a pivotal moment for blockchain in Europe. They were received with significant concern by blockchain experts, who characterized the Guidelines as presenting more obstacles than solutions for blockchain practitioners. The EDPB’s strong discouragement of storing personal data on-chain, preference for permissioned blockchains over public ones, and the concerning position that nodes on public blockchains may qualify as joint controllers under GDPR raise substantial legal exposure for participants who were previously considered neutral.

The public consultation period offers stakeholders an opportunity to influence the final text, but unless significant changes are made, the Guidelines are poised to reshape the European blockchain landscape, potentially favoring centralized models and raising existential questions for public, decentralized blockchains.

Authors: Andrea Pantaleo, Marianna Riedo

 

Intellectual Property

Can trademark owners act against cross-border stocking?

A recent preliminary ruling to the Court of Justice of the European Union (CJEU) raises an important question for trademark enforcement: can a trademark owner prohibit the stocking of infringing goods in a country where the trademark isn’t protected, if those goods are ultimately intended for sale in a country where it is protected?

This issue was at the center of the Tradeinn Retail Services (C 76/24) case, referred to the CJEU by the German Federal Supreme Court, and recently addressed in the Opinion of Advocate General Spielmann.

Background

The claimant owns two German trademarks, covering diving equipment such as suits, gloves, masks, and breathing apparatus. The defendant, which is based in Spain, offered similar goods on the German market, using the claimant’s trademarks, even though the trademarks weren’t affixed to the products or their packaging.

The claimant brought proceedings in Germany, seeking an injunction to prevent the use of its trademarks in connection with the marketing and sale of diving accessories in Germany, including the stocking of such goods for this purpose.

The referral to the CJEU

The German court asked the CJEU to clarify two main points under Article 10(3)(b) of the Trademark Directive 2015/2436 (TMD):

• Is a proprietor of a national trademark under Article 10(3)(b) TMD allowed to prohibit a person in another country from stocking goods that infringe his or her trademark for the purpose of offering those goods or putting them on the market in the country in which the trademark is protected?
• Does the concept of stocking within the meaning of Article 10(3)(b) TMD depend on the possibility of actually accessing goods in infringement of the trademark or is the possibility of being able to influence the person with actual access to those goods sufficient?

The AG’s opinion

AG Spielmann began by affirming that national trademark laws must coexist with the EU trademark system, and that their effects are territorially limited. But he emphasized that national law should still offer protection against activities carried out outside the territory, if they target consumers within it.

Regarding the first question, AG Spielmann, drawing on existing CJEU case law – including L’Oréal and Others (C 324/09) and Class International (C 405/03) – stressed that the essential element for finding an infringement is whether the contested use targets consumers in the territory for which the trademark is protected. Otherwise, the effectiveness of Art. 10(3)(b) TMR would be undermined if the defendant could simply stock the goods abroad while still intending to offer them or putting them on the market in the territory of protection. AG Spielmann concluded that “Article 10(3)(b) [TMD] must therefore be interpreted as meaning that it ensures the protection of a national trade mark against the stocking outside the territory in which it is protected of a product that infringes the rights in that trade mark, where the product is stocked for the purpose of being offered or put on the market in the country in which the trade mark is protected.”

As for the meaning of “stocking,” AG Spielmann clarified that the concept must be interpreted autonomously under EU law, without relying on national legal definitions.

Referring to prior judgments  dealing with the concept of “use” (notably Daimler, C 179/15, and TOP Logistics, C 379/14), which require active behavior and direct or indirect control of the act constituting the use, AG Spielmann stated that the decisive factor is control – either direct or indirect – over the stocking activity. A trademark owner can take action against a party who stocks infringing goods themselves or instructs another party to do so on their behalf, provided that they exercise decisive influence over the distribution or destination of those goods.

Final remarks

If the court follows AG Spielmann’s Opinion, it would reinforce the reach of national trademark rights in the digital and cross-border marketplace. What matters is not where the infringer is based or where the goods are held, but whether the conduct is directed at consumers in the protected territory.

Author: Maria Vittoria Pessina

 

The future of industrial design in Europe: Phase I of the Design Package completed, Phase II underway

May 1, 2025, represented the completion of the first phase of the Design Package (Regulation (EU) No. 2024/2822 and Directive (EU) No. 2024/2823), which updates Regulation (EC) No. 6/2002 on Community designs and Directive No. 98/71. The entry into force of the amendments in the first phase of the Design Package is a significant preview of change, which is aimed at adapting the regulatory landscape to new digital scenarios.

Among the main changes in the first phase, the introduction of new terminology stands out: community designs will now be called European Union Designs (EUD).

In addition to formal changes, substantial changes have also been introduced. The definition of “design” and its protection will now include animations, transitions and dynamic contents, as well as non-physical products such as graphic interfaces, logos and digital works.

The Regulation definitively abandons the use of national offices. Applications must now be filed exclusively with EUIPO. In addition, designs relating to different product classes can be included in a single application, with significant economic advantages for applicants, who will have to pay a single fee for filing and publication and a fixed cost of EUR125 for each additional design in the case of multiple applications.

In addition to extending the exclusive rights granted by the registration of a design to 3D printing, the Regulation also provides for two exceptions to the exclusive rights of the holder on grounds of public interest. First, the use of a protected design for the purposes of commentary, criticism or parody is now expressly permitted, extending freedom of expression and freedom of the press. Secondly, thanks to the new Regulation, it’s now permitted to identify or refer to a product protected by a design where this is necessary to ensure interoperability between products, such as spare parts. With regard to the latter, a “repair clause” has been introduced, whereby spare parts for complex products can be excluded from protection if they’re used exclusively to restore the original appearance of the product.

The second phase will end by July 1, 2026, and aims to harmonize national legislations, optimize registration procedures and actions for revocation.

Member states will have until December 9, 2027, to transpose the Directive. Until then, it will be interesting to see how national legislations will gradually adapt to this important change, which marks a new era for industrial design in Europe.

Author: Noemi Canova

 

Technology Media and Telecommunication

Infratel publishes report on the progress of the National Ultra-Broadband Plan as of March 31, 2025

In a press release dated April 15, 2025, Infratel announced the publication of a report on the progress of the National Ultra-Broadband Plan, updated to March 31, 2025.

The National Strategy for Ultra-Broadband – “Towards the Gigabit Society”, was included in the National Recovery and Resilience Plan (Piano Nazionale di Ripresa e Resilienza – PNRR) and approved on May 25, 2021, by the Interministerial Committee for Digital Transition (Comitato interministeriale per la Transizione Digitale – CiTD). It aims to bring 1 Gbp/s connectivity across Italy by 2026 and foster the development of fixed and mobile telecommunications infrastructure.

The strategy encompasses several public intervention plans to promote and incentivize the coverage of geographical areas where the provision of infrastructure and ultra-high-speed digital services by operators is either absent or insufficient.

The operational activities of the National Ultra-Broadband Plan were initiated in 2016 by Infratel Italia. Infratel’s aim is to intervene in market failure areas by building and integrating broadband and ultra-broadband infrastructure to extend access opportunities to high-speed internet for citizens, businesses, and public administrations. Through Infratel, the Ministry of Enterprises and Made In Italy is implementing measures defined in the National Ultra-Broadband Strategy to reduce infrastructure and market disparities across Italy, creating favorable conditions for the integrated development of electronic communications infrastructure.

The report describes the plan’s progress, focusing on the five main operational phases: final design (progettazione definitiva), executive design (progettazione esecutiva), works’ execution, testing, and start of service.

During the final design phase, the layouts of the networks to be built are identified, along with the infrastructure to be reused, the authorities responsible for granting authorizations for FTTH (Fiber To The Home) technology deployment, and the necessary sites for FWA (Fixed Wireless Access) technology deployment. Once Infratel approves the final designs, the executive design phase begins, aimed at obtaining the necessary authorizations. Subsequently, onsite work can start. Once the work is completed, Infratel will conduct final verifications and, if checks are successful, issue a positive testing certificate (collaudo).

The report indicates that as of March 31, 2025, the final design for the FTTH network has been approved in 6,059 municipalities, 4 fewer than in September 2024. As highlighted in the report, the number of planned projects may vary over time due to redesigns prompted by various obstacles. Specifically, during the progress of the executive design phase, some municipalities were found to lack any so-called “white” housing units to connect, leading to the issuance of new regional technical plans that incorporated the cancellation of interventions in certain municipalities. As a result, the number of municipalities with approved final designs for the FTTH network is slightly lower than the figure recorded in September.

There are no changes regarding the number of municipalities in which the final design for the FWA network has been approved. In fact, as of March 31, 2025, the number of municipalities with approved final designs for the FWA network was 6,956 – the same as in September 2024.

As stated in the report, the municipalities for which the executive design of FTTH (Fiber to the Home) network infrastructure has been approved total 6,032, while a total of 3,504 executive projects have been approved for the implementation of FWA (Fixed Wireless Access) technology networks. This reflects an increase of 32 municipalities with approved executive designs for FTTH networks. For FWA technology, the number of approved executive projects has decreased by 79 compared to September 2024. As noted above, the number of projects may vary due to the cancellation of interventions in certain areas.

As of March 31, 2025, infrastructure work has been completed in 9,940 out of 11,615 total active sites for fiber construction and in 3,417 out of the 3,502 sites for the FWA network construction.

Infrastructure work for FTTH technology was completed with positive testing in 4,746 municipalities, covering a total of 8,730 projects; compared to September 2024, projects related to the FTTH network have been positively tested in an additional 375 municipalities and the number of positively tested projects increased by 991 units.

Infrastructure work for FWA technology was completed with positive testing in 2,572 sites, an increase of 413 units compared to last September.

Authors: Massimo D’Andrea, Flaminia Perna, Matilde Losa

 

---

Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Carlotta Busani, Noemi Canova, Gabriele Cattaneo, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Deborah Paracchini, Maria Vittoria Pessina, Marianna Riedo, Tommaso Ricci, Rebecca Rossi, Dorina Simaku, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna, Matilde Losa and Arianna Porretti.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about “Transfer”, the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and check out a DLA Piper publication outlining Gambling regulation here, as well as Diritto Intelligente, a monthly magazine dedicated to AI, here.

If you no longer wish to receive Innovation Law Insights or would like to subscribe, please email Silvia Molignani.