12 June 2025 • 25 minute read

Innovation Law Insights

12 June 2025

Webinar

Legal Design and Privacy Compliance

Join our next webinar on Legal Design and Privacy Compliance organised by W@Privacy Association!

On 16 June (12:30 pm CET) our DLA Legal Design experts Deborah Paracchini and Francesca Oprandi, with Stefania Passera, CEO of Passera Design, will explore how legal design can transform privacy compliance.

Through practical examples and expert insights, our speakers will show how applying legal design principles to internal privacy compliance documentation – such as DPO reports, internal policies, and data protection impact assessments – can significantly enhance clarity, usability, and strategic value. By rethinking how these documents are structured and presented, legal design can help organizations better align with regulatory requirements, support internal stakeholders in understanding their roles and responsibilities, and foster a culture of privacy compliance. To register, click here.

Podcast

Legal Leaders Insights | Bendetta Volpi General Counsel of Nextalia

How do legal teams support strategic investments in the fast-evolving technology sector? In this episode of Legal Leaders Insights, Giulio Coraggio speaks with Benedetta Volpi, General Counsel of Nextalia SGR, about how private equity can be a powerful engine for digital transformation and innovation across tech-driven industries. You can listen here.

Data Protection and Cybersecurity

EDPB Guidelines on Guidance for Controllers and Processors in the Event of Requests from Third Countries

On 4 June 2025, the European Data Protection Board (EDPB) adopted the final version of Guidelines 02/2024 on Article 48 of the GDPR (the Guidelines). The purpose of the Guidelines is to clarify the scope of Article 48 of the GDPR – which governs the limits on recognising and enforcing judicial or administrative decisions from third countries requiring the transfer of personal data – to provide practical mechanisms for companies called upon to respond to requests for transferring or disclosing personal data from authorities of third countries.

Scope of Application of Article 48 of the GDPR

Pursuant to Article 48 of the GDPR: “Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter”.

Although the provision refers exclusively to “judgments” or “decisions”, according to the Guidelines, the terminology used by the third country to qualify its request is not relevant; the crucial element is that the request comes from a public authority of a third country and concerns access to personal data. According to the EDPB, the scope of Article 48 includes any method through which a controller or processor in the EU could make data accessible to a third country. In other words, any official request from a public authority of a third country – regardless of its purpose and context – addressed to a private entity established in the EU falls within the scope of application of Article 48 of the GDPR.

Obligations and preliminary assessments for EU-based entities

If a request is received from a third country authority, the controller has to carefully assess the request to determine whether it should be complied with. Where the request is addressed to the processor, the processor has to, without undue delay, inform the controller and comply with its instructions, unless EU or member state law prohibits such communication for reasons of important public interest.

In deciding whether the transfer is permissible, the following must be carefully assessed:

compliance with Article 6 of the GDPR, relating to the need to identify an appropriate legal basis for the processing; and
compliance with the requirements of Chapter V of the GDPR, regarding transfers of personal data to third countries or international organisations. It‘s necessary to identify one of the grounds expressly indicated in Chapter V of the GDPR to carry out an international transfer to third countries.

Legal Basis

The first step is to identify the correct legal basis.

Where there is a legal obligation to share data arising from an international agreement, the legal basis is compliance with a legal obligation pursuant to Article 6(1)(c) of the GDPR.
Where no legal obligation arises from an international agreement, except for the contractual performance basis under Article 6(1)(b) – which is expressly excluded – the other potentially applicable legal bases are:

Consent, pursuant to Article 6(1)(a) of the GDPR, subject to careful assessment of its applicability to the specific case;
Performance of a task carried out in the public interest, pursuant to Article 6(1)(e) of the GDPR, in situations where disclosure, while not mandatory under an international agreement, is permitted under EU or member state law;
Protection of the vital interests of the data subject, pursuant to Article 6(1)(d) of the GDPR;
Legitimate interest, pursuant to Article 6(1)(f) of the GDPR. In such cases, it is also essential to carry out a Legitimate Interest Assessment (LIA).

Legal Grounds for the Transfer (Chapter V)

Once the legal basis has been identified, it‘s necessary to identify one of the grounds legitimising the transfer to third countries, including:

Adequacy decision by the European Commission (pursuant to Article 45 of the GDPR): if the European Commission has adopted an adequacy decision attesting to a level of protection equivalent to that offered by the GDPR, the transfer is permissible.
Appropriate safeguards (pursuant to Article 46 of the GDPR): in the absence of an adequacy decision, additional safeguards must be identified to permit the transfer. Pursuant to Article 46(2)(a), such safeguards may be provided by a legally binding and enforceable instrument between public authorities or bodies, ie an international agreement under Article 48. However, the mere existence of such an international agreement is not sufficient: it‘s essential that the agreement contains appropriate safeguards for the transfer. Where such safeguards are absent, the international agreement is insufficient, and additional measures must be adopted (eg standard contractual clauses adopted by the European Commission or by a supervisory authority, certification mechanisms).
Derogations (Article 49 of the GDPR): in the absence of an applicable adequacy decision or appropriate safeguards, it is possible to rely on the derogations under Article 49 of the GDPR. These allow for data transfers in a limited number of specific situations (eg where the transfer is necessary for important reasons of public interest or for the establishment, exercise or defence of legal claims in judicial proceedings), even without the safeguards mentioned above. However, these derogations must be interpreted narrowly, and a thorough case-by-case assessment is essential to determine their applicability.

In conclusion:

If an international agreement exists that provides both the legal basis of compliance with a legal obligation and appropriate safeguards, the transfer can take place.
If an international agreement exists that provides the legal basis of compliance with a legal obligation but does not include appropriate safeguards, another ground for transfer under Chapter V of the GDPR must be identified.
If no international agreement exists, both the legal basis and the ground for the transfer under Chapter V of the GDPR must be identified.

Conclusions

The Guidelines provide important clarification on requests for personal data from authorities of third countries, emphasising the absence of any form of automatism and the obligation to comply with the principles of the GDPR when transferring data to such authorities.

Every request must be carefully and thoroughly assessed to verify, on the one hand, the existence of a legal basis for the processing in accordance with Article 6 of the GDPR, and, on the other hand, the presence of a valid ground for the transfer to the third country pursuant to Chapter V of the GDPR.

Author: Federico Toscani

Artificial Intelligence

Defining high-risk ai systems under the AI Act – Consultation now open!

The European Commission has launched a consultation on high-risk AI systems to support the adoption of the implementing act under Article 6(2) of the AI Act, a crucial step for any sort of business.

As the AI Act begins its phased adoption across the EU, one of its most critical components – the classification of high-risk AI systems – is now under the spotlight. The European Commission is gathering feedback through a public consultation on high-risk AI that will shape how the most stringent regulatory requirements are applied in practice.

Background: The AI Act and the high-risk category

The AI Act, which entered into force on 1 August 2024, establishes the first comprehensive EU-wide framework for regulating AI. It aims to create a single market for safe and trustworthy AI while safeguarding fundamental rights, democracy, and the rule of law.

The Act adopts a risk-based approach, classifying AI systems into four categories: unacceptable risk (prohibited), high risk, limited risk, and minimal risk. Among these, high-risk AI systems are subject to the most stringent obligations. They include AI systems that either:

act as safety components in products regulated under EU law (Article 6(1) and Annex I); or
pose significant risks to health, safety, or fundamental rights in sensitive areas such as education, employment, law enforcement, and public services (Article 6(2) and Annex III).

These systems must comply with detailed technical and organisational requirements, including risk management, transparency, human oversight, and conformity assessments prior to market deployment.

What is the consultation on high-risk ai about?

Pursuant to Article 6(5) of the AI Act, the European Commission is tasked with adopting guidelines by 2 February 2026 that explain how to implement Article 6 in practice. This includes how to interpret the classification criteria and how to apply the exemptions under Article 6(3). The Commission must also provide practical examples of AI systems that are and are not to be classified as high-risk.

To support this process, the Commission has launched a consultation on high-risk AI, open for six weeks (from 6 June to 18 July 2025). The results will inform both the classification guidelines and the obligations that apply across the AI value chain.

Who should participate?

The consultation is targeted, but broadly inclusive. It welcomes feedback from:

AI system providers and deployers
industry bodies and associations
public authorities and regulators
academia and independent experts
civil society organisations

Respondents can choose which parts of the survey to answer, and are strongly encouraged to provide practical examples and real-life scenarios that can inform the final guidelines.

Structure of the consultation questionnaire

The consultation is divided into five key sections:

Article 6(1) – AI in Regulated Products

Covers questions on AI systems embedded in regulated products (eg machinery, medical devices) and the concept of “safety components” under Annex I.

Article 6(2) – Sectoral Use Cases in Annex III

Focuses on use cases in areas such as biometric identification, education, employment, law enforcement, and public services. It also addresses exemptions under Article 6(3) for systems that, despite being listed, may not pose significant risk.

General Questions on Classification

Includes questions on the “intended purpose” of AI systems, overlaps between Annex I and III, and the treatment of general-purpose AI systems.

Requirements and Value Chain Obligations

Seeks input on the technical and procedural obligations for high-risk AI, including quality management systems, conformity assessments, and the roles of various actors under Article 25 of the AI Act.

Annual Review of Annex III and Article 5

Gathers feedback for the mandatory annual review of the list of high-risk use cases and prohibited AI practices.

Why this consultation on high-risk AI is crucial

The stakes are high. AI systems classified as high-risk will have to meet comprehensive standards covering:

data governance and quality
human oversight mechanisms
transparency obligations
robustness, accuracy, and cybersecurity
conformity assessment before market deployment

For providers, this means implementing quality management systems and ensuring full compliance before placing a system on the market. Deployers, in turn, are responsible for monitoring usage, ensuring appropriate oversight, and providing transparency to affected individuals.

By shaping the consultation on high-risk AI, stakeholders have the opportunity to:

influence the scope and applicability of high-risk classification;
avoid disproportionate regulatory burdens;
clarify the interaction between the AI Act and other EU regulations; and
shape future enforcement strategies and legal certainty.

Timeline and next steps

Consultation deadline: 18 July 2025
Implementation guidelines due: 2 February 2026
Full compliance for high-risk AI systems required by: 2 August 2026

Read the consultation here.

Conclusion

The consultation on high-risk AI marks a crucial milestone in the operationalization of the EU AI Act. Whether businesses are developing AI, deploying it across critical sectors, or planning to exploit it, this is an opportunity to shape the AI Act’s future trajectory. At DLA Piper, we are assisting clients on the topic. Feel free to reach out to us if you‘d like to discuss it with us.

Read DLA Piper’s AI Law Journal for more on this topic.

Author: Giulio Coraggio

Intellectual Property

Düsseldorf Local Division renders first UPC’s decision on second medical use patents

On 13 May, the Düsseldorf Local Division rendered the first UPC’s decision on second medical use patents.

The proceedings, which involved leading international companies in the pharmaceutical sector, is part of a broader context of litigation started since 2014 before national courts.

The dispute, brought before the Unified Court by the holder of the patent and its exclusive licensee, concerns the alleged infringement of a patent concerning the second medical use of a drug already known for reducing cholesterol, the second medical use of which is instead aimed at reducing the levels of lipoprotein(a) in the blood. According to the plaintiff, the defendant group of companies commercialized a drug infringing the patent, by marketing it not only for hypercholesterolemia, but precisely for reducing lipoprotein(a), infringing the patent.

In addition to requesting the rejection of the opposing claims, the defendant brought a counterclaim for the patent to be declared invalid, raising several grounds for invalidity.

After recalling the general principles on novelty as a parameter for patentability, the court recognised its existence in the present case. In particular, the judges held that the claimed therapeutic use was novel since neither the therapeutic indication nor the group of patients for which it is intended were included in the state of the art. Based on these findings, the judges also recognised the existence of inventive step, ruling out the possibility that an expert in the field could have achieved the results covered by the patent on the basis of the knowledge available before the date of patenting the invention.

As to the sufficiency of disclosure, the court, reiterating principles already expressed in some previous case law, clarified how, to assess this requirement, the patent as a whole, including examples, and the common and general knowledge of the expert in the field must be taken into consideration. Furthermore, in cases of second therapeutic use, the use – as part of the claim – must also be sufficiently described. That being said, in the present case, given the technical information provided in the patent at issue, including the clinical data presented, and in light of the common knowledge of the expert in the field, the Local Division held that the requirement of sufficiency of disclosure was also fulfilled.

With regard to the added matter, in the defendants‘ view, certain key data for identifying the patient population targeted by the second medical use could not be directly and unambiguously inferred from the original patent application. The court took a different view, however, stating that this information could be directly and unambiguously derived from the patent application by the person skilled in the art, setting aside the objection raised.

Having excluded the invalidity of the patent, the court ruled on determining the alleged infringement. Firstly, the court clarified that, to date, there are no specific regulatory provisions on infringement of patents for second medical use, and no consolidated orientation of the UPC. That being said, and reiterating the need for a correct balance between the need to ensure adequate protection for the patent holder and that of ensuring reasonable legal certainty for third parties, the court affirmed the existence of infringement when objective and subjective elements are present. In particular, as regards the objective profile, the infringer must have offered, or placed on the market, the drug in such a way as to determine, or be capable of determining, the therapeutic use claimed in the patent. With regard to the subjective element, on the other hand, it is necessary that the infringer knew, or was in a position to know, that the considered therapeutic use would be applied.

In the present case, the lipoprotein-lowering effect is mentioned among the drug‘s properties and not, however, among the official therapeutic indications. This means that it is not a use authorized from a regulatory point of view, nor promoted as such by the pharmaceutical company. In other words, the mention of the therapeutic effect resulting from the second patented use is merely descriptive and not prescriptive: it merely reports an objective fact without inviting the doctor to use the drug for that specific purpose.

In any event, as the court pointed out, the mere knowledge of the therapeutic effect by doctors or patients is not sufficient to establish liability for infringement. The opposite would have been the case if the company had actively directed the use of the drug towards the patented indication, through instructions, promotions, information materials or other means. However, the plaintiff has not provided any evidence of this.

In light of all these considerations, the court dismissed the infringement claim.

Düsseldorf Local Division‘s decision, on the one hand, confirmed the protection granted by European law to second medical use claims, emphasizing therapeutic innovation even in the absence of new molecules. On the other hand, it put a check on limited extensive interpretations of the notion of infringement, requiring the infringer to have a clear promotional intention, or at least an incentive for patented use, placing a precise burden of proof on the holder of the infringed right.

Author: Laura Gastaldi

Supreme Court closes another chapter in the battle over Battisti’s repertoire

The Italian Supreme Court has put an end to yet another judicial chapter involving Lucio Battisti’s heirs and a major record label, upholding the Milan Court of Appeal’s decision to reject the damages claim filed by the label against the artist’s heirs.

Anyone living in Milan may recall seeing huge billboards in the subway a few years ago, where a well-known music streaming platform announced that – after years of absence – Lucio Battisti’s songs would finally be available online.

As is well known, this turning point came after years of legal battles – in the plural – as there have been multiple lawsuits involving Battisti’s heirs and major labels. One such case was recently concluded with a Supreme Court decision dated 14 May 2025.

Supreme Court Decision No. 12956/2025

In this ruling, the court rejected the appeal brought by a major label against Aquilone S.r.l. and Edizioni Musicali Acqua Azzurra S.r.l. (in liquidation), confirming the judgments of the lower courts.

The record label had claimed approximately EUR7 million in damages, arguing that the companies involved (effectively controlled by Battisti’s heirs) had hindered the commercial exploitation of the artist’s works – specifically the phonographic recordings – by revoking the SIAE mandate for online use and blocking the use of those recordings in commercials.

The Supreme Court fully upheld the Court of Appeal’s reasoning, which rejected the appellant’s arguments on two main grounds:

Lack of causal link between the conduct and the alleged damage: according to the court, a significant amount of time had passed between the claimant’s awareness of the allegedly unlawful conduct and the filing of the claim, breaking the causal link between the contested actions and the alleged damages – both for online distribution and synchronization rights.
Absence of unlawful or defaulting conduct: the court also found the claims unsubstantiated due to the lack of any illicit behaviour on the part of the defendants. Specifically, there was no evidence that negotiations had been initiated with rights holders after the SIAE mandate was revoked, nor were there any concrete proposals relating to synchronization rights. As such, no obligation of specific conduct or mutual reliance could be established between the parties.

On the issue of liability from “social contact” – raised by the claimant – the court clarified that such liability, governed by contractual liability rules despite the absence of a formal agreement, arises only when the damage results from the violation of a specific legal duty imposed to protect third parties from the risks of the activity in question. It doesn’t apply whenever a third party merely suffers a secondary effect of someone else’s conduct.

In this case, the argument was dismissed as inadmissible due to a lack of specificity, since no legal provision was identified as imposing the alleged duty of conduct. The claim was also rejected for being insufficiently reasoned in the brief.

Other legal disputes over Battisti’s repertoire

Beyond the case at hand, Battisti’s heirs have been involved in other legal disputes concerning the management of the artist’s copyright. One of the most significant involves Acqua Azzurra S.r.l., a company founded in 1969 by Battisti and Mogol to manage the rights to their works.

After Battisti’s death, the company’s management became a point of contention between the heirs, Mogol, and a prominent record label holding a significant share in the company. Disagreements over control and exploitation of the catalogue led to a series of lawsuits, culminating in a 2016 ruling that awarded Mogol significant compensation.

In 2017, the company entered liquidation. A few years later, the liquidator decided to return the mandate to SIAE – including for web-related royalties – making Battisti’s catalogue available on major streaming platforms.

Conclusion

The Supreme Court’s decision adds another key piece to the complex legal puzzle surrounding the economic exploitation of Lucio Battisti’s repertoire. The ruling underscores the importance of rigorously assessing legal responsibilities and excludes any presumption of liability without unlawful conduct or clearly defined legal obligations between the parties.

Ultimately, it‘s a reminder of the need for clarity and precision in managing and protecting copyright – especially in the music industry, where economic interests, artistic legacy, and technological innovation are increasingly intertwined.

Author: Lara Mastrangelo

Gaming and Gambling

Online Gambling – Clarification on determining revenues for Italian Digital Service Tax (DST) purposes

With Ruling No. 6 of 3 June 2025, the Italian Tax Authority provided important clarification on determining taxable revenues for digital services tax (Digital Services Tax, or DST) purposes for operators in the online betting and gaming sector. Among the most significant aspects, we note the exclusion of bonuses granted to players from calculating the DST tax base.

Before examining the clarifications introduced by the interpretative ruling, it should be noted that the digital services tax – governed by Article 1, paragraphs 35 to 50, of Law No. 145/2018, as subsequently amended – applies at a rate of 3% to revenues deriving from specific services provided in Italy, namely:

providing digital interfaces for delivering targeted advertising messages based on the analysis of data collected during users‘ browsing (Article 1, paragraph 37, letter a), Law No. 145/2018);
managing multilateral digital interfaces that enable interaction between users and the sale of goods and services between them (Article 1, paragraph 37, letter b), Law No. 145/2018);
transmitting to third parties data generated by users‘ activities on digital platforms (Art. 1, paragraph 37, letter c), Law No. 145/2018).

In its original wording, the DST applied only to entities which, individually or as a group, simultaneously achieved:

global revenues of at least EUR750 million;
revenues from digital services in Italy of at least EUR5.5 million.

However, as of 1 January 2025, pursuant to the provisions of Article 1, paragraph 21, of Law No. 207/2024 (2025 Budget Law), requirement (ii) has been repealed. Consequently, the DST now applies to all entities providing the abovementioned digital services in Italy, provided that their global revenues – including at group level – exceed the threshold of EUR750 million.

With specific reference to the online betting and gaming sector, Circular No. 3/E of 2021 (which provides general guidelines for applying the DST) had already clarified that, although the sums represented by “bets” are excluded from the scope of the tax, for the purposes of applying the DST, it‘s important to draw a distinction based on the role of the gaming platform operator:

“Where the entity operates as a bookmaker (ie as an entity that accepts bets from players by setting odds, such as in the case of sports or other event betting) or a banker (ie as an entity against which players bet, such as in the case of online poker or roulette), the entity assumes risks on its own account and the proceeds are therefore excluded under Art. 37-bis, lett. b)”.
“Where it operates as an entity that allows players (users) to bet or gamble against each other, the entity does not bear any risk associated with the betting or gaming, but acts as an intermediary Although the sums represented by ‘wagers’ are excluded under subparagraph 37(a) or (b), the interface operator ‘commission is instead digital revenue within the meaning of subparagraph 37(b), realised as an intermediary in transactions between users”.

Interpretative Ruling No. 6/2025 confirms this approach and provides useful operational guidance on determining the revenues from digital services provided in Italy that constitute the taxable base for DST purposes. In particular, the tax will apply exclusively to the portion actually retained by the operator, ie the amount remaining after deducting the prize money paid to players and any single tax on gambling from the payments made by users. This criterion also applies where, in a single tournament, the winnings distributed exceed the bets collected, confirming that the taxable base coincides with the actual margin retained by the platform, which varies according to the type of game and the specific contractual conditions. Incidentally, reference is made to “tournament” as the game mode that falls within the scope of the DST, as it’s clear that the role played by the platform managed by the concessionaire is to allow users to play against each other in return for remuneration in the form of a commission.

Particular attention is paid to the treatment of bonuses granted to players (eg welcome bonuses, free plays). As these amounts are granted free of charge and without consideration, they don’t generate actual revenue for the operator and must therefore be excluded from the calculation of the taxable base for DST purposes. It follows that, in determining the commission subject to tax, the gross gaming revenue must be adjusted by subtracting the value of any bonuses paid. The dual track system for bonuses under the DST and the single tax on gaming is clear: while the document in question clarifies that bonuses do not contribute to the taxable base for the DST, the same does not apply for gaming tax purposes. In fact, as clarified by the provision of 10 June 2011 (Prot. 2011/20659/Giochi/GAD), bonuses are generally included in the collection.

In light of these clarifications, operators who, in previous tax periods, falling within the scope of application of the DST, included the bonuses granted to users in the calculation of the taxable base, or adopted criteria that differed from the approach outlined by the Italian Tax Authority, may have made an excessive payment. In such cases, it will be necessary to assess, on a case-by-case basis, the most appropriate methods for recovering the excess amount paid.

Authors: Giovanni Iaselli, Mario Russo

Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Carlotta Busani, Noemi Canova, Gabriele Cattaneo, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Enila Elezi, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Deborah Paracchini, Maria Vittoria Pessina, Marianna Riedo, Tommaso Ricci, Rebecca Rossi, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra, Enila Elezi.

Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna, Matilde Losa and Arianna Porretti.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about “Transfer”, the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and check out a DLA Piper publication outlining Gambling regulation here, as well as Diritto Intelligente, a monthly magazine dedicated to AI, here.

If you no longer wish to receive Innovation Law Insights or would like to subscribe, please email Silvia Molignani.