Skip to main content
|

Add a bookmark to get started

Bookmarks info
7 May 202426 minute read

Innovation Law Insights

7 May 2024
Artificial Intelligence

AI Regulation in Europe: Italy's new draft AI Law introduces local peculiarities compared to the EU AI Act

As the EU gets closer to enacting the AI Act, signalling its upcoming application, EU Member States, like Italy, are actively developing their own AI regulations.

This situation is reminiscent of the aftermath of the GDPR, where countries implemented additional localised measures, despite the harmonising intent of EU legislation. Compliance with EU regulation is often merely the initial step. Companies, including those outside the EU offering their services in the EU, have to be ready to navigate the individual (and often contrasting) regulatory landscapes in each Member State. In many cases, as in the case of the Italian law, these local regulatory approaches are likely to become binding before many of the provisions of the AI Act.

Approved at the end of April by the Italian government, Italy's draft AI law proposes a comprehensive national strategy addressing AI's societal, regulatory, privacy, and economic impacts. While the draft law is still subject to parliamentary processes and not yet enacted, the draft anticipates some of the AI Act's principles and introduces many specific national nuances. In particular, it requires that AI systems comply with the principles of transparency, proportionality, security, protection of personal data, confidentiality, accuracy, non-discrimination, gender equality, and sustainability. Alongside compliance with these principles, the draft AI law mandates that development of AI systems and models has to take place using data and processes that must be monitored for correctness, reliability, security, quality, appropriateness and transparency. Fulfilling all these requirements must be proven with evidence and companies have to implement appropriate policies and document the activities performed during the development, implementation, and use of AI systems.

Below DLA Piper reviews the key elements of the Italian draft AI law, and draws comparison of many of its terms with the AI Act. 

Applicability

A key component of the AI Act and the Italian draft AI law is their express determination of scope and applicability. In both the EU and AI rules, there’s an exception of applicability provided for AI used in the context of national security and defence activities. These exclusions include vital elements of society, including national cybersecurity regimes, police forces, and the armed forces. In contrast to the EU’s approach, the Italian rules are far more restrictive. They require local and foreign companies offering their services in Italy to ensure that, despite their approach to ensure compliance with the AI Act, they also comply with laws and restrictions at a local level.

Priority for local storage

The Italian draft AI law mandates that the state and public authorities prioritise, through their e-procurement platform, providers that use local data centres to store and process generative AI services and tools involving critical data. Although critical data has not yet been defined in the Italian draft AI law, it’s likely to include information strategically vital for national security and economic stability. This definition is expected to be broad, with specific details to be clarified in subsequent text revisions.

Prioritising local storage indicates an awareness of the potential for harm when AI is used with data sensitive to national infrastructure – a fact not fully accounted for in the provisions of the AI Act. Italy’s approach is not in isolation, as many governments, including the US through its recent Executive Order limiting certain transfers of US information to offshore locations, are beginning to seek restriction of offshoring certain types and quantities of data.

AI in healthcare

Specific rules are also introduced for AI systems used in the healthcare sector, recognising their potential to contribute to the improvement of the healthcare system and the prevention and treatment of diseases. The Italian draft AI law does recognise that this must be achieved by developing and managing AI that considers the rights, freedoms, and interests of the data subject, including in terms of personal data protection. For example, in line with European regulations, the Italian draft AI law provides that:

  • AI systems and their related data used in the healthcare sector must be reliable and periodically verified and updated; and
  • the patient involved has the right to be informed about the use of AI technologies, the diagnostic and therapeutic benefits derived from using new technologies, and information on the decision-making logic used.

In contrast to the AI Act, the Italian draft AI law also provides that data processing, including processing personal data, performed by public and private nonprofit entities for research and scientific trials in the development of AI systems for healthcare purposes, as necessary for the creation and use of databases and basic models, is of significant public interest. And this has a considerable impact on the applicable legal basis under the GDPR. As such, additional scrutiny and measures are expected to be applied in addition to the existing Europe-wide regimes.

This rule is particularly relevant for overseas companies involved in sponsoring research in Italy. The rule stipulates that data processing for clinical trials and scientific research purposes in the healthcare sector must be approved by the relevant ethical committees and must be communicated to the Data Protection Authority. This process can be complex for companies operating from abroad, and can result in increased and unexpected financial and time costs.

AI in the workplace and intellectual professions

The Italian draft AI law addresses one of the most sensitive issues of public opinion in Italy at this time: the use of AI in the workplace.

Like the AI Act, the Italian draft AI law explicitly bans any AI applications that result in worker discrimination based on gender, age, ethnic origin or sexual orientation. The Italian draft AI law goes beyond these prohibitions and establishes a dedicated observatory led by the Italian Minister of Employment and Social Policies to define a strategy for AI use in the workplace and monitor its impact on the job market. The Italian draft AI law also restricts AI in the context of professional services to supporting professional activities and obligates professionals to inform their clients about the AI systems they use clearly and comprehensively.

The Italian draft AI law closely follows many of the foundations of the AI Act, including transparency. But the restriction on the use of AI in employment is yet another example of local nuances far exceeding the Europe-wide approach that is most visible to companies abroad. And it must be suitably factored into any international approaches to the use of AI.

Local AI authorities and innovation funds

To ensure the implementation of the AI Act, and of the national legislation on AI, Italy will establish two national AI authorities:

  • AgID (Agenzia per l'Italia Digitale) that will be tasked with promoting AI innovation and development. This agency will also define procedures and conduct evaluation, accreditation, and monitoring of entities responsible for verifying AI system compliance.
  • ACN (Agenzia Nazionale di Cybersecurity) that will be responsible for overseeing cybersecurity, including inspection activities, to safeguard national cybersecurity.

This addition to the proposed Italian regime is a point of regulatory contention. The Italian Data Protection Authority has previously indicated that it would be more qualified than the proposed authorities to act as the national AI authority. There’s a clear understanding of AI's relevance to the global economy and, consequently, of the power that authorities in charge of applying relevant regulations would have. 

The government wants to encourage the creation and growth of startups and small to medium-sized enterprises focusing on emerging technologies and innovative solutions with high potential for innovation and scalability. It plans significant venture capital investments managed by the state of up to EUR1 billion in companies operating in the field of AI and in other innovative technologies, and those, even if located abroad, developing AI solutions with the goal of creating a national AI champion. 

Exemptions to copyright law for the use of AI

In line with the AI Act, authors (or economic rights holders, if different from the authors) must use machine readable watermarks on video content or audio indications within audio content if it has been generated, modified, or altered by AI systems. This requirement aims to disclose when data, facts, and information presented as real are AI-generated.

The Italian government, through the Italian draft AI law, has also attempted to modify Italian copyright law by adding a specific reference to the need of a human contribution in the creation of copyright protected works. Human contribution must be, at minimum, creative, relevant and provable. Failure to sufficiently establish these qualities will mean that the work cannot be protected under Italian copyright law. This approach is in line with the view taken by EU and US courts, where courts draw the line between what is protected and not. Companies will have to carefully document their creative output to establish that sufficient human contribution has been included to get copyright protection.

The Italian draft AI law also refers to the text and data mining exception provided by the EU Copyright Directive 2019/790 where copyright-protected materials are used to train AI systems. The AI Act contains a mere cross-reference to the relevant provision of the EU Copyright Directive without any significant discussion or information for organisations to use. The Italian draft AI law goes further and more specifically discusses the modalities of implementing the opt-out mechanism by copyright holders and the disclosure obligations to which AI systems reproducing or extracting protected works are subject.

At this point in time, there’s some confusion in the market regarding the concept of reproduction or extraction by AI systems during their training phase. A more precise level of clarification would help copyright holders better understand how to exercise their opt-out rights. And it would help providers and deployers of AI systems know what the limit of their rights is. It’s unclear at this stage whether this will be addressed by the guidance and developments of the AI Office at an EU-wide level, or whether local regulators, such as those in Italy will be required to fill in the gaps.

What can foreign companies providing and using AI solutions in Italy expect?

The EU’s layered regulatory environment of EU Regulations, EU Directives, and local EU Member State law presents a complex challenge for international organisations operating in the market. This multifaceted regulatory structure – comprising both EU-wide legislation and country-specific laws – requires a nuanced understanding and strategy from AI developers and organisations seeking to use AI-powered tools and systems.

While the AI Act sets the stage for regulation of AI in Europe, the details and additional requirements organisations will be expected to address could (and often do) vary significantly across Member States. For both companies located in the EU and non-EEA companies offering their services in the EU, this means that merely aligning with EU regulations may not be sufficient to ensure compliance of wider business activities with all applicable regulation. Continuous engagement with local legal developments and an adaptive compliance strategy is a preferred methodology.

The evolving nature of the EU and Italy's legislative landscapes also indicates that the regulatory environment remains unsettled. Stakeholders have to be proactive in monitoring current requirements and potential future changes that could affect their operations.

While the AI Act forms a critical baseline, understanding and adapting to country-specific laws such as Italy's proposed AI regulations is crucial for comprehensive compliance. Entities have to recognise that their regulatory obligations in the EU will be as dynamic and nuanced as the technology they want to deploy.

Companies can’t wait to comply with regulations applicable to AI, including the Italian draft AI law that’s expected to come into force before many of the provisions of the AI Act becomes binding. On the one hand, AI businesses feel the urgency of adopting AI solutions; on the other hand, they’re concerned that their employees are already using AI solutions that haven’t been approved by the company, potentially putting the business at risk of legal disputes. Many companies are seeking to maximise the data available to train their AI systems – leading them into an area of regulatory contention where data is protected by copyright protections.

DLA Piper is monitoring international regulatory activity on the subject of AI and we can help companies at this critical moment in navigating regulatory developments.

For more information on AI and the emerging legal and regulatory standards, visit DLA Piper’s focus page on AI.

Gain insights and perspectives that will help shape your AI strategy through our newly released AI Chatroom series.

For the latest information on the development and position of the EU AI Act, and to learn how to prepare for compliance, watch DLA Piper’s latest webinar on AI Act Readiness.

Authors: Giulio Coraggio, Danny Tobey, Tommaso Ricci, Coran Darling and Matteo Antonelli

 

Data Protection and Cybersecurity  

European Parliament approves the Regulation on the European Health Data Space

On 24 April 2024 the European Parliament approved the Regulation on the European Health Data Space (EHDS) signalling a fundamental step toward the creation of a robust European Health Union.

This development was accomplished thanks to the agreement reached last 14 March between the Parliament and the Council of the European Union on the proposed Regulation submitted by the Commission on 3 May 2022.

The text of the Regulation will now have to be formally approved by the Council and will then enter into force 20 days after publication in the Official Journal of the European Union, which is expected in autumn.

The EHDS Regulation is one of the pillars of the Commission's ambitious European Data Strategy, which already includes several legislations, and aims to create a single market for data, ensuring Europe's global competitiveness and sovereignty over data, including through the creation of common spaces for information sharing.

The EHDS Regulation is an essential resource for the entire health sector, the adoption of which will improve people's access to and control over their own health data, while allowing it to be reused for public interest purposes (secondary use). The project envisions the creation of a specific environment for health data that will help promote a single market for digital health products and services, benefiting patients and society as a whole.

The most significant changes introduced as a result of the agreement between the Parliament and the Council

Article 1(1) of the draft indicates that the Regulation establishes the European Health Data Space by identifying common rules, standards and infrastructure and a framework for the governance of health data, with the aim of facilitating access to electronic health data for primary and secondary use.

The Regulation will have an impact on an already highly regulated sector. The proposal specifies that the Regulation is without prejudice to the application of European and national laws that already regulate the sector, including the GDPR, the e-Privacy Directive, Regulation (EU) 2018/1725, the AI Act – which is expected to be approved soon – and the Medical Devices and In Vitro Diagnostic Medical Devices Regulations.

Provisions on EHR systems

The Regulation introduces the requirement that electronic health record systems (or EHR systems) comply with the specifications set forth for the European electronic health data exchange format, to ensure data security and make it possible to share data across Member State borders.

Electronic health record systems include any device or software used for processing electronic health records, the latter defined as any set of electronic health data collected in the health system, relating to an individual and used for health purposes.

One of the significant changes introduced by the agreement between Parliament and the Council concerns the obligation to adopt two software components (ie the European interoperability component for EHR systems and the European logging component for EHR systems) in EHR systems to ensure the possible sharing of data across the borders of Member States.

The Regulation also introduces the European digital testing environment which is to be developed by the Commission to evaluate the components of EHR systems. In addition, Member States have to establish a digital testing environment, in accordance with the specifications provided by the Commission in subsequent executive acts.

Before placing EHR systems on the market, manufacturers will have to use the digital testing environments to evaluate their systems, and the results of the tests will have to be included in the technical documentation accompanying the systems.

Further novelty lies in the possibility for manufacturers of wellness applications to establish interoperability with EHR systems for the primary use of data, duly informing users. Sharing or transmitting data through such applications will be subject to the consent of the user, who will be able to choose which categories of health data available on the application they want to include in the EHR systems.

The primary use of electronic health data

Article 5 of the EHDS Regulation identifies the categories of electronic health data (priority categories of personal electronic health data for primary use) that are to be made accessible and shared for purposes of healthcare and treatment, leaving it up to Member States to add additional categories of information.

The European Commission will be in charge of clarifying, through appropriate implementing acts, the format for the exchange of this information. It must be commonly used, machine-readable, and allow transmission of electronic health data between different software applications, devices and healthcare providers, supporting both the transmission of structured and unstructured health data.

The newly adopted text includes several articles that regulate how patients and their representatives can exercise patients’ rights, including the right of access to electronic health data, the right to supplement data directly through their electronic health record, the right to rectification of health data, and the right to portability of such data. The most significant novelty is the possibility for Member States to provide for the right to opt-out, ie the right of patients to inhibit access to their health data both by health professionals, for primary use, and by other parties entitled to use the data for secondary use, although in that case the right to opt-out is subject to some strict conditions.

Another important innovation, included in the latest draft of the Regulation, is the prohibition on healthcare providers from charging fees:

  • to patients, for requesting access to or sharing their health data; and
  • to other parties, for making electronic health data available to them.

The secondary use of electronic health data

The Regulation identifies several purposes for which secondary use is permitted and others for which it must be considered radically prohibited. For example, purposes whose pursuit is permitted under the Regulation include those of public interest in the field of public health and labour, scientific research and policy making.

Article 33 of the draft also identifies minimum categories of electronic data for secondary use, with a far more substantial list than the one outlined in Article 5 for the primary use of health data. Member States can provide for additional categories of information to be made accessible for secondary use.

In the case of reusing health data, the need to protect personal data and intellectual property rights and trade secrets remains intact. Member States will also be able to adopt stricter measures to regulate access to certain types of sensitive data (eg genetic data), for scientific research purposes, providing for additional limitations to those established by the Regulation.

The newly adopted text of the Regulation also includes an exemption from the obligations laid down in relation to the secondary use of electronic health data for individual researchers and individuals and legal persons that qualify as micro-enterprises.

Conclusions

The establishment of the EHD will have a significant impact on the entire health sector. It will generate enormous benefits for public and private actors in this sector and for the community as a whole.

It’s important for practitioners to familiarise themselves with the contents of the Regulation to prepare for it coming into force and to consider how best to take advantage of the opportunities it offers.

But the new arrangement also brings with it some significant risks, particularly for the individuals’ privacy, for the protection of patients, and for the protection of trade secrets.

The hope is that the European institutions and Member States will adequately address the critical issues related to the establishment of the EHDS through a comprehensive risk assessment and adopting appropriate measures to protect shared health data.

In our view, the success of the European initiative will depend in large part on the ability of the actors involved to make the operation of the EHDS secure and reliable. In closing, the words of the EDPB and the EDPS in their joint opinion 03/2022 issued on the proposed Regulation seem appropriate: “The European Health Data Space should serve as an example with regard to transparency, effective accountability and proper balance between the interests of the data subjects and the shared interest of the society as a whole.”

Authors: Cristina Criscuoli and Roxana Smeria

 

Gaming and Gambling

Supreme Court invalidates provisions of the Spanish gambling advertising ban

Several provisions of the Spanish gambling advertising ban have been invalidated through a decision of the Supreme Court that might have an echo effect in other European jurisdictions that adopted similar restrictions.

The Spanish Supreme Court has issued a ruling declaring certain articles of the Spanish Royal Decree 958/2020 on commercial communications of online gambling activities (RD 958/2020) null and void.

The following Articles have been declared null and void:

  • Articles 13.1 (prohibition of promotions to engage new customers) and 13.3 (requirements/criteria for promotions). The lawsuit argues that Article 13(1) entirely and unconditionally prohibits the possibility of directing promotions to attract new customers. Also, it considers that Article 13(3) restricts the possibility of making commercial communications related to promotions. The court ruling considers that there’s no legal coverage to establish this limitation that affects the essence of commercial advertising, aimed at offering and promoting the product or service to attract new customers. It concludes that Article 13(1) and (3) should be annulled.
  • Article 15 (appearance of persons of public relevance or notoriety in commercial communications). This Article is also challenged for lack of sufficient legal coverage to limit the appearance of persons or characters of public relevance or notoriety in commercial communications. In this sense, the Supreme Court considers this prohibition lacking legal coverage. Article 15 of RD 958/2020 is annulled.
  • Article 23.1 (prohibition to disseminating commercial communications by gambling operators in information society services). The Supreme Court considers that this limitation has no legal coverage, and it’s not enough to invoke the protection of minors. Also, it indicates that it restricts the possibility of directing commercial communications to those who already use the web pages or applications intended for gambling. The court concludes it should be annulled.
  • Article 25.3 (requirements for offering commercial communications through the video-sharing platform). The Supreme Court understands that this limitation lacks legal coverage given its general scope. It concludes it should be annulled.
  • Article 26.2 and 3 (restrictions on offering commercial communications through social media). According to the Court Ruling, this limitation, like the previous ones, lacks legal coverage in the regulations in force when the regulation was issued and should be annulled.

The Supreme Court was also reviewing Articles 12, 18 to 22, and 24 of the RD 958/2020. But their nullity has not been considered.

The court ruling is not subject to appeal, meaning it has effects after its publication, which occurred on 10 April 2024. It’s essential to bear in mind that the rest of the provisions within the RD 958/2020 are fully applicable and this court ruling does not imply a total invalidation of the Spanish gambling advertising ban. But the decision significantly affects the Spanish market and potentially in other jurisdictions like Italy, which also adopted similar restrictions.

We will see whether other European courts will consider the arguments made by the Spanish Supreme Court. This decision might become a game-changer, overturning the legislators’ tendency to impose heavy restrictions on gambling advertising.

Authors: Paula Gonzalez, Elisa Lorenzo and Andrea Fernandez from DLA Piper Spain

 

Intellectual Property

Third-party access to records and documents in proceedings before the UPC: Court of Appeal issues its first decision

On 10 April 2024 the Court of Appeal of the Unified Patent Court ruled on the possibility for third parties to have access to the records and documents of the proceedings, governed by Article 45 of the UPCA and Rule 262(1)b of the Rules of Procedure.

The proceedings stem from an appeal of a decision rendered by the Nordic-Baltic Local Division in October 2023. Through that pronouncement, the court had granted a third party's request for access to the court documents, based on its interest in understanding how the deeded claims had been formulated – given the pendency of two parallel proceedings – and the more general collective interest in having the debate about the functioning of the newly introduced judicial system enriched by knowledge of the court documents.

The orientation expressed in the Nordic-Baltic pronouncement was contrasted with a more restrictive one outlined by the Munich Central Division. Specifically, the Munich Central Division had held it was necessary that the request for access to the records and documents of the proceedings was based on a legitimate, concrete and verifiable ground, also given the distinction between the publicity of proceedings – enshrined in Art. 45 UPCA – and the publicity of the acts of the parties. The Nordic-Baltic local division had interpreted the principle of publicity of proceedings more broadly. It held that, in principle, the acts and documents of the proceedings should be made accessible to the third party, except in cases where it was appropriate to keep them confidential in the interest of a party or because of more general reasons of justice or public order.

The Luxembourg Court, called upon to rule on the issue, espoused a more permissive orientation.

The court first clarified that the notion of publicity of the proceedings also includes the documents of the proceedings and that, in principle, they must be publicly accessible, unless the conflicting interests involved –primarily that of confidentiality – prevail at the outcome of a careful balancing act.

To enable the courts to assess whether the conditions for granting access to documents are met, it’s necessary for the third party's request to be supported by adequate reasoning and to indicate the purpose for which the documents are to be consulted (Rule 262). The court noted that, in principle, the general interest of the community in scrutinising the court's work, especially following the conclusion of the proceedings, may also be relevant. On the other hand, during the pendency of the proceedings, the direct interest of a third party in the validity of a patent or the interference with it of a product similar to that marketed by them may be particularly relevant. In such circumstances, in the court's view, the interest in obtaining access to the records of the proceedings should in principle prevail. And it may nevertheless be subject to appropriate measures to protect confidentiality which can be extended to the documents and evidence subject to consultation in their entirety.

Applying the principles, and in the absence of a request by the appellant to keep specific information contained in the documents in question confidential, the court upheld the decision of the first instance division.

Authors: Massimiliano Tiberio and Camila Francesca Crisci

 

Technology, Media and Telecommunications

Italian Communications Authority launches second public consultation for updated calculation of costs for international roaming service

With a communication of 19 April 2024, the Italian Communications Authority (AGCom) announced that it has initiated, on behalf of the European Commission, the second public consultation concerning the proposal to update the cost model for defining wholesale roaming costs.

This public consultation, following a previous one started in January 2024, is part of the process to review wholesale international roaming service costs undertaken by the Commission in June 2023. This updating process has become necessary in light of the new roaming regulation set forth by Regulation (EU) No. 2022/612. It requires the Commission to conduct reviews and submit reports to the European Parliament and the Council by 30 June 2025 and 2029, respectively. The reports should be accompanied, where appropriate, by a legislative proposal to amend Regulation (EU) No. 2022/612 where made necessary by market developments.

The Commission, deeming it necessary to allow stakeholders to provide comments on the Commission’s guidelines regarding the consultation topics, has entrusted national regulatory authorities with the role of gathering inputs from national stakeholders. The results of the first public consultation initiated by AGCom in January 2024 have led the Commission to prepare a new version of the cost model, which is currently the subject of this second consultation.

As outlined by the Commission, the consultation has the main objectives of:

  • providing full transparency with regards to the methodology, inputs and outcomes of the cost model developed to calculate the cost of providing international roaming services;
  • gathering feedback from stakeholders on the methodology, inputs and results of the second updated cost model; and
  • maximising the accuracy and representativeness of the results for each of the countries included in the cost study.

The Commission has prepared the documents submitted for public consultation and concern the characteristics and functioning of the new model for the calculation of costs, the algorithms implemented, the methodology adopted for the update and other technical aspects.

Any subject interested in participating in the public consultation must submit their contributions by 20 May 2024.

Authors: Flaminia Perna and Matilde Losa

Innovation Law Insights is compiled by the professionals at the law firm DLA Piper under the coordination of Arianna Angilletta, Matteo Antonelli, Edoardo Bardelli, Carolina Battistella, Carlotta Busani, Giorgia Carneri, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Enila Elezi, Alessandra Faranda, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Deborah Paracchini, Maria Vittoria Pessina, Tommaso Ricci, Miriam Romeo, Rebecca Rossi, Roxana Smeria, Massimiliano Tiberio, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna e Matilde Losa.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.

If you no longer wish to receive Innovation Law Insights or would like to subscribe, please email Silvia Molignani.

Print

Related capabilities

TechnologyConsumer Goods, Food and RetailMedia, Sport and EntertainmentIntellectual PropertyLife Sciences
SitemapPrivacy policyYour privacy choicesLegal noticesCookie policyMake a payment

DLA Piper is global law firm operating through various separate and distinct legal entities. For further information about these entities and DLA piper's structure, please refer the Legal Notices page of this website. All rights reserved. Attorney advertising.

© 2024 DLA Piper US