6 March 2025 | 12 minute read

Innovation Law Insights

Podcast

200 billion challenges: AI, deregulation and the future of Europe

The European Commission announces a maxi-fund for AI while US policy pushes deregulation and Mario Draghi warns of the risk of stifling bureaucracy. In this new episode of Diritto al Digitale, Giulio Coraggio from DLA Piper reveals how Europe can balance the desire to innovate with the imperative to protect fundamental rights at a time when digital transformation is moving faster than the rules. Will the EU be able to seize this opportunity without being bridled by its own bureaucracy? Listen to the episode here.

 

Artificial Intelligence

EIOPA launches public consultation on AI governance and risk management in the insurance sector

The European Insurance and Occupational Pensions Authority (EIOPA) has launched a public consultation on its opinion on AI governance and risk management in the insurance sector. The public consultation is open until 12 May 2025 and gives stakeholders an opportunity to help shape regulatory expectations in this rapidly evolving area.

Context and legal basis

EIOPA's opinion is based on its mandate under Regulation (EU) No 1094/2010, which aims to promote a harmonized supervisory culture across the EU. It's also consistent with Directive (EU) 2016/97 (Insurance Distribution Directive), Directive 2009/138/EC (Solvency II Directive) and Regulation (EU) 2022/2554 (Digital Operational Resilience Act – DORA). The Opinion provides guidance on AI governance, while complementing the AI Act (Regulation (EU) 2024/1689), which establishes a risk-based approach to AI regulation across industries.

Scope and objectives

AI is increasingly being integrated across the insurance value chain, offering benefits such as improved risk assessment, automated claims handling and fraud detection. But AI also poses risks, including bias, lack of accountability and governance challenges.

The AI Act classifies some AI applications in insurance as high-risk, particularly those related to risk assessment and pricing in life and health insurance. These systems are subject to strict governance and risk management requirements. EIOPA's opinion focuses on AI applications in insurance that aren't classified as high-risk or prohibited by the AI Act. It aims to clarify how existing insurance legislation applies to them.

Key principles for AI governance and risk management

EIOPA’s opinion adopts a principle-based approach, ensuring consistency with existing sectoral regulations. It outlines eight key governance and risk management areas:

Risk-based approach and proportionality:

  • Insurers have to assess the risks associated with AI use cases and implement proportionate governance measures.
  • Criteria such as data sensitivity, level of automation and potential impact on consumers should be considered.

Risk Management System:

  • AI systems need to be integrated into an insurer's broader governance framework.
  • Policies should address fairness, data governance, transparency and cybersecurity.

Fairness and ethics:

  • AI models should avoid bias and discrimination.
  • Consumer-centric AI practices should be embedded throughout the insurance value chain.
  • AI-driven decisions that affect customers should be explainable and contestable.

Data governance:

  • Data used in AI models must be accurate, complete and representative.
  • Bias mitigation techniques should be applied to training and operational data sets.

Transparency and Explainability:

  • Customers need to be informed when interacting with AI.
  • AI-driven decisions should be understandable and, where necessary, supplemented by human oversight.

Human oversight:

  • AI systems should be subject to human oversight and intervention where appropriate.
  • Accountability frameworks should define the roles of senior management, compliance teams and data protection officers.

Documentation and Record Keeping:

  • Insurers must maintain clear records of AI models, including training data, methodologies, and decision-making rationales.
  • Proper documentation ensures transparency, facilitates audits, and supports regulatory compliance.

Accuracy, Robustness, and Cybersecurity:

  • AI models should be designed to maintain high levels of accuracy and reliability across their lifecycle.
  • Adequate cybersecurity measures must be in place to safeguard AI systems against data breaches, adversarial attacks, and manipulation.

Next steps and industry involvement

EIOPA invites stakeholders, including insurers, regulators and consumer organizations, to provide feedback via the EU Survey platform by 12 May 2025. Following the consultation, EIOPA will assess the contributions, refine its opinion and publish a final version incorporating stakeholder perspectives. EIOPA also plans to monitor AI adoption trends in the insurance sector and assess regulatory convergence across EU member states.

Author: Giacomo Lusardi

 

Data Protection and Cybersecurity

Telemarketing: Italian DPA issues another fine against a telecommunication company

The Italian Data Protection Authority, the Garante per la protezione dei dati personali (Italian DPA), has again issued a fine to a telecommunication company for breaching the GDPR in its telemarketing practices.

Key findings

The investigation was initiated following complaints from multiple users who received promotional calls without their consent. The findings revealed multiple violations of the General Data Protection Regulation (GDPR) and the Italian Privacy Code, particularly concerning telemarketing practices and inadequate data security measures. The key issues included:

  • Unauthorized promotional communications: the company was found to have engaged in telemarketing activities without obtaining valid consent from the individuals contacted. Some of these contacts were made using purchased data lists. With reference to these lists, the company didn't properly verify whether those individuals had provided explicit consent. Some consents had expired or been withdrawn, but the company failed to update its records accordingly, resulting in continued data processing beyond the permitted retention period.
  • Lack of appropriate security measures and incident response processes: A significant security issue arose when a customer unintentionally accessed the personal data of another individual through the company's online portal. This breach was traced back to insufficient authentication controls, highlighting deficiencies in the company’s data security protocols. The incident revealed systemic weaknesses in the company’s user verification mechanisms, which could have led to unauthorized access to sensitive customer information on a larger scale. Despite the clear risk posed to individuals due to the security breach, the company didn't promptly notify the Italian DPA as required under Article 33 of the GDPR. Under GDPR rules, companies must report a data breach within 72 hours unless it’s unlikely to result in a risk to individuals. In this case, the lack of notification suggested an oversight in the company's internal incident response processes and an underestimation of the potential impact of the breach on customer privacy.

The sanction

The Italian DPA imposed a financial penalty of EUR 347,520. Beyond the financial sanction, the company has to implement corrective measures, including revising its consent management practices, improving its data security infrastructure, and ensuring greater transparency in its marketing activities.

Conclusions

This case highlights how telemarketing practices might be subject to strict scrutiny by the Italian privacy authority. Most of the major GDPR fines issued by the Garante relate to privacy violations connected to telemarketing practices. Telemarketing requires robust technical and organizational measures, reinforced by internal procedures and by monitoring of the third parties involved in providing services.

Author: Roxana Smeria

 

Intellectual Property

Birkenstock loses copyright battle in Germany

In recent years, Birkenstock has launched a complex legal battle to protect its iconic sandals from imitation. The German company approached the Federal Court of Justice multiple times, seeking protection against competitors such as Tchibo (Germany), Bestseller (Denmark), and Shoes.com (US), accused of copying four of its most famous models: Arizona, Gizeh, Madrid, and Boston Clog.

Birkenstock's main argument? The sandals shouldn’t be seen as mere design items, but as works of “applied art” deserving of copyright protection. But the issue has sparked conflicting interpretations. Some courts recognize the artistic value of the Birkenstock sandals. Others have rejected this claim.

After a long legal process, the Federal Court of Justice ruled against Birkenstock, stating that its sandals aren’t eligible for copyright protection, as they don’t constitute works of art but design objects. The court emphasized that “For the copyright protection of applied art, as with all other types of works, the design level must not be too low,” and “A purely technical creation using formal design elements is not eligible for copyright protection. Instead, to qualify for copyright protection, the design must demonstrate individuality.”

The distinction between works of art and industrial design is crucial. According to German case law, a work of art is defined by its autonomous creativity, independent of its practical and commercial function. Design, on the other hand, is intended for practical use and large-scale production, which limits its potential for copyright protection. Additionally, under German law, while copyright protects artistic works for 70 years after the creator’s death, design protection is shorter, lasting up to 25 years.

Had Birkenstock’s argument been accepted, the company could have extended the protection of its sandals, securing a copyright period similar to that of artistic works.

The ruling aligns with previous decisions on copyright and design. In the past, some design objects, such as a Porsche model and some Bauhaus lamps, have received copyright protection. However, in Birkenstock’s case, the court determined that there was insufficient originality to warrant such recognition.

Despite the defeat in Germany, Birkenstock’s legal battle isn’t over. The company has already announced plans to bring the case to Italy, France, and the Netherlands, where copyright laws might offer greater protection. Furthermore, an appeal to the European Court of Justice is possible, in hopes of obtaining protection on a community-wide scale.

Author: Carolina Battistella

 

Food and Beverages

Extension of the Obligation to Indicate the Origin on Labels: Publication of the New Interministerial Decree

On 12 February 2025, the Interministerial Decree of 23 December 2024 was published in the Official Gazette. It extends the experimental regimes regarding the indication of the origin of raw materials on labels for certain food products until 31 December 2025.

The decree is part of the legal framework defined by Regulation (EU) No. 1169/2011, which sets provisions regarding the provision of food information to consumers, including the indication of the country of origin or place of origin of the primary ingredient used in food preparation.

We’re still waiting for a more stringent regulatory framework at the European level for indicating the origin of certain raw materials on food product labels. And the European Commission has long been assessing the revision of Regulation (EU) No. 1169/2011. So Italy has decided to extend the experimental regime for the indication of origin on certain food products, introduced several years ago, until the end of 2025. This decision was made to maintain an effective protection system for consumers and Italian businesses. It also aims to enhance Made in Italy agro-food products, which are an important resource for the national economy.

The decree also responds to the need to provide greater transparency to consumers, allowing them to make more informed choices. And it should contribute to protecting Italian agro-food supply chains, which are often threatened by competition from products of uncertain origin.

Article 1 of the decree specifies the products subject to the obligation of indicating the origin on labels, including:

  • rice as defined by Law No. 325 of 18 March 1958 (customs code 1006)
  • durum wheat pasta as per Presidential Decree No. 187 of 9 February 2001, except for pasta covered by Articles 9 and 12 of the same Presidential Decree
  • tomato derivatives as per Article 24 of Law No. 154 of 28 July 2016
  • sauces and tomato-based condiments (customs code 21032000), obtained by mixing one or more of the derivatives mentioned above with other vegetable or animal products, with a total net weight consisting of at least 50% of the derivatives mentioned above
  • all types of milk and dairy products as per Annex 1 of the Ministerial Decree of 9 December 2016, prepackaged under Article 2 of Regulation (EU) No. 1169/2011, intended for human consumption
  • meat from domesticated ungulates of the swine species, mechanically separated, preparations of swine meat, and products made from swine meat

The decree extends, until 31 December 2025, the effectiveness of the experimental regimes set out in previous decrees, including:

  • the decree of the Minister of Agricultural, Food and Forestry Policies and the Minister of Economic Development of 26 July 2017, on the “Indication of the origin on labels of durum wheat for durum wheat pasta”
  • the decree of the Minister of Agricultural, Food and Forestry Policies and the Minister of Economic Development of 26 July 2017, on the “Indication of the origin, on labels, of rice”
  • the decree of the Minister of Agricultural, Food and Forestry Policies and the Minister of Economic Development of 16 November 2017, on the “Indication of the origin on labels of tomatoes”
  • the decree of the Minister of Agricultural, Food and Forestry Policies, in concert with the Minister of Economic Development and the Minister of Health of 6 August 2020, on the “Provisions for the mandatory indication of the place of origin on labels of processed pork meats”
  • the decree of the Minister of Agricultural, Food and Forestry Policies and the Minister of Economic Development of 9 December 2016, on the “Indication of the origin on labels of raw materials for milk and dairy products, in implementation of Regulation (EU) No. 1169/2011, regarding the provision of food information to consumers”

Author: Federico Maria Di Vizio

 


Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Carlotta Busani, Giorgia Carneri, Noemi Canova, Gabriele Cattaneo, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Deborah Paracchini, Maria Vittoria Pessina, Marianna Riedo, Tommaso Ricci, Rebecca Rossi, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna, Matilde Losa and Arianna Porretti.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about “Transfer,” the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and check out a DLA Piper publication outlining Gambling regulation here, as well as a report analyzing key legal issues arising from the metaverse here, and a comparative guide to regulations on lootboxes here.
