29 January 2026

Innovation Law Insights

29 January
Podcast

Technology Law Predictions 2026 with DLA Piper

In this episode of Diritto al Digitale, Giulio Coraggio hosted a roundtable with his DLA Piper colleagues to share predictions on the key legal trends for 2026, including AI governance, GDPR enforcement, cyber incidents, cloud contracts and crypto. You can watch the episode here.

 

Privacy and cybersecurity

EDPB's strict approach on legal bases for requiring the creation of a user account on e-commerce websites

On 3 December 2025, the EDPB published Recommendations 2/2025 on the legal basis for requiring users to create accounts on e-commerce websites (the Guidelines).

The EDPB based its analysis on the observation that, to date, users often have to create an account to access offers or purchase goods and services online. This obligation to create an account is generally justified by data controllers to make a sale, allow subscription to services, guarantee access to exclusive offers to their users, or facilitate the operational management of orders. But, according to the EDPB, creating an account may also expose data subjects to additional risks to their rights and freedoms.

Below we outline the main points raised by the EDPB.

Main risks for data subjects

According to the EDPB, mandatory user accounts inherently increase the amount, scope and duration of personal data processing. As a result of collecting personal data, the EDPB identifies many threats, including:

  • risk of unauthorised access, data breaches or misuse, particularly where accounts are inactive for a prolonged period;
  • account-based systems can make it easier for the data controller to log browsing history and track users’ browsing habits to improve its commercial strategies, through profiling or marketing, which goes beyond the user’s original expectation;
  • e-merchants may prompt data subjects to disclose more personal information than strictly required for purchasing and delivering goods, often through the use of deceptive designs, especially when the creation of an online user account is requested between shopping cart validation and payment.

Analysis of possible legal bases

The EDPB provides an analysis of the most common legal bases organisations use when requesting the user to create an account. The main legal bases are:

  • Performance of a contract: The first and most frequently invoked legal basis is the necessity of processing for the performance of a contract. Data controllers often argue that a user account is required to conclude or execute an online sales contract. The EDPB rejects this reasoning in most standard e-commerce scenarios and outlines that processing is only justified under Article 6(1)(b) if it's objectively indispensable for performing the specific contract requested by the user. For one-off purchases, the EDPB concludes that an account is generally not necessary, as there are less invasive methods to perform the sale contract. However, the EDPB acknowledges limited situations where an account may be contractually necessary. These include ongoing subscription services or access to exclusive offers. Even in such cases, the account must be strictly limited to what’s required for the contractual relationship.
  • Complying with a legal obligation: The second legal basis examined is processing necessary for compliance with a legal obligation. Some controllers claim that mandatory user accounts are required to meet obligations under consumer, tax or accounting law. The EDPB takes a cautious approach to this argument. The recommendations emphasize that Article 6(1)(c) applies only where a specific and clear legal rule requires the controller to process personal data in a particular way. General obligations to issue invoices, retain transaction records, or ensure consumer rights don’t automatically mandate the creation of user accounts. In most cases, the legally required data can be collected at the time of purchase without establishing a permanent account. As a result, the EDPB concludes that legal obligation will rarely, if ever, justify mandatory user accounts.
  • Legitimate interest: Finally, the EDPB analyses the use of legitimate interests as a legal basis. Businesses frequently rely on this ground to justify accounts for reasons such as fraud prevention, customer support efficiency, or to build customer loyalty. The EDPB accepts that these interests may be legitimate in principle but stresses that they must undergo a balancing test, identifying and describing the data subjects’ interests, fundamental rights and freedoms; the impact of the processing on data subjects; the reasonable expectations of the data subject; and the final balancing of opposing rights and interests. This balancing test is where mandatory accounts often fail according to the EDPB. More specifically, the Authority notes how users generally don’t expect to be forced into long-term data storage for a single transaction. Moreover, many legitimate interests cited by controllers can be achieved through less intrusive measures. Where a realistic, less intrusive alternative exists, making accounts mandatory is unlikely to pass the balancing test required under Article 6(1)(f).

Solution suggested by the EDPB

To mitigate the risks associated with mandatory user accounts and ensure compliance with the GDPR, the EDPB proposes a solution that takes into account the principles of data minimization, necessity and privacy by design.

According to the EDPB, one viable option is to offer alternative access options, particularly allowing users to complete purchases or access services without long-term registration where an account isn’t strictly necessary, by allowing a guest mode. Where accounts are offered, they should be optional by default, with clear and neutral presentation that doesn’t nudge users into registration.

Moreover, the EDPB recommends that data controllers allow data subjects to withdraw consent via the same interface through which it was obtained, and that they avoid silently switching the lawful ground from consent to another legal basis when consent is withdrawn, as every change in the data processing should be notified to the data subject.

Conclusions

These recommendations display the particularly strict approach adopted by the EDPB when assessing the use of legitimate interests, performance of a contract, and compliance with a legal obligation as legal bases for processing.

The EDPB makes clear that where a processing activity can be reasonably achieved through a less intrusive alternative, it will generally fail the balancing test required for legitimate interest and won’t meet the high threshold of being strictly necessary for the performance of a contract. In light of this position, organisations are expected to carry out a careful, case-by-case assessment of their processing operations and service design, with a particular focus on identifying privacy-friendly alternatives. In the context of e-commerce, this includes the availability of guest mode options, which the EDPB views as a key measure for aligning business practices with the principles of the GDPR.

Author: Roxana Smeria

 

Technology

From the ODR platform to a digital ADR ecosystem

For about a decade, alternative dispute resolution (ADR) for consumers in the EU has been based on a dual architecture:

With the definitive discontinuation of the ODR platform and the adoption of Directive (EU) 2025/2647 (the Directive) of 16 December 2025, this balance is being radically rethought.

Assessments conducted by the European Commission (EC) in 2019 and 2023 highlighted structural limitations that were difficult to overcome through the ODR platform alone. Added to this was the evolution of the digital market itself, characterised by the spread of digital content and services, contractual models based on the provision of personal data, and increasingly opaque and manipulative commercial practices.

In this scenario, the Directive marks a significant conceptual shift: from the idea of a centralised online dispute resolution platform to a distributed, digitally accessible, inclusive ADR ecosystem integrated with the broader framework of consumer protection in the EU. Out-of-court dispute resolution is no longer conceived as an ancillary tool, but as a structural component of digital market governance, in dialogue with the rules on unfair commercial practices, digital content, the rights of users of tourism services and, last but not least, Regulation (EU) 2022/2065 on Digital Services (DSA).

The end of the ODR platform: Technological failure or systemic choice?

In addition to the structural criticalities already highlighted by the EC, systemic factors have also emerged over time. The ODR platform was designed in a context where e-commerce was developing mainly in the EU and disputes largely concerned traditional goods or services sold online. However, the current digital economy presents a totally different and constantly changing picture, to use a cliché. In this context, a centralized and technologically “neutral” platform has proved incapable of addressing the legal complexity of disputes and communicating effectively with national ADR bodies, enforcement authorities and other protection instruments provided for by EU law.

The Directive acknowledges this operational failure and makes a fundamental choice: shifting the focus of protection from the technological “container” to the qualitative strengthening of ADR procedures, investing in bodies, procedural guarantees, accessibility and cross-border cooperation. The guidance and support function previously performed by the ODR platform is redistributed through ADR contact points and, in the future, through a new European digital tool, designed not as a resolution platform but as an information and support infrastructure.

An ADR that looks beyond cont(r)acts

One of the most significant changes in the directive concerns the extension of the scope of ADR, which has been redesigned to reflect the reality of consumer relations in the digital economy. The European legislator acknowledges that consumer disputes no longer fall exclusively within the scope of traditional contracts, nor are they limited to the performance phase of the contract.

  • Firstly, the directive clarifies that disputes relating to digital content and digital services fall fully within the scope of ADR, definitively overcoming any remaining ambiguity of interpretation. The sale of tangible goods is no longer the reference paradigm: disputes may arise from apps, platforms, cloud services, digital subscriptions and, more generally, from business models based on access to and continuous use of online services.
  • Also relevant is the inclusion of situations where the consumer doesn’t pay a monetary price but provides personal data as consideration. The directive incorporates a fact that’s now well established in European consumer law: the economic value of data and its centrality in digital exchange models. Disputes arising in relation to these contracts become expressly accessible to ADR procedures.
  • A further element of discontinuity concerns the opening up of ADR to disputes with traders established in third countries. The directive recognises the structurally cross-border nature of digital commerce and allows access to ADR procedures even when the trader is outside the EU, provided that it directs its activities towards one or more member states. The concept of “directing business activities” is based on criteria that are now well established in EU law: language used, currency, domains, targeted advertising, localized customer support.

Digital-ready ADR procedures: Access, traceability, inclusion and transparent automation

Once the scope of disputes has been broadened, the directive addresses the issue that, in practice, determines whether ADR really works or remains a “paper” institution: the way in which procedures are accessible, manageable and reliable in a context where consumers interact with traders almost always online and often across borders.

  • The first piece of the puzzle concerns the minimum access structure. ADR bodies must have an up-to-date website that provides parties with easy access to information on the procedure and, above all, allows consumers to submit complaints and supporting documentation online in a traceable manner. This isn’t a formal detail: traceability becomes a prerequisite for making ADR credible as a channel of protection, because it prevents complaints from getting lost in opaque processes and allows for the management of timelines and subsequent communications. In the same vein, the directive clarifies that access to ADR cannot be exclusively digital: consumers must be able to choose whether to use digital or non-digital channels, so as to prevent digitization from becoming a barrier for those with lower literacy skills or limited tools. When ADR bodies offer digital procedures, they must do so using “easily accessible and inclusive” tools.
  • The most delicate and interesting passage concerns the use of automated means in the ADR decision-making process. The directive doesn’t prohibit automation: it recognises it as a possible response to growing volumes of disputes and mass phenomena (such as collective cancellations or standardized complaints). However, it subjects it to two clear conditions, which effectively create a “trust clause” on AI or automated tools: prior transparency and effective human oversight. The directive also specifies what’s meant by “decision-making,” including choices that affect the admissibility of the case and the outcome, and not just the final act: this is a way of preventing automation from creeping into invisible stages (triage, classification, prioritization), effectively influencing protection.
  • Finally, following on from this “digital-ready” framework, the directive includes an explicit reference that is anything but ornamental for operators. ADR bodies will have to take the necessary measures to ensure that personal data is processed in compliance with the GDPR. This conclusion is consistent with the extension of ADR to “data-for-services” contracts and with the growing use of digital tools and automated systems: the more the procedure is online, the more data becomes the infrastructure of protection, and the more necessary it is for the circuit to be governed by clear rules.

Overall, this part of the directive shifts ADR from a traditional model, often designed for “analogue” disputes and with long timeframes, to a model designed for the digital economy: accessible online but not exclusively online, traceable, inclusive, scalable and compatible with the use of automation only if transparent and reviewable by a human decisionmaker.

Professional involvement: Obligation to respond, timelines and operational consequences

One of the historical limitations of ADR, which emerged in the EC's assessments and stakeholder consultations, has always been the lack of involvement of professionals. In many jurisdictions, ADR was formally available but ineffective in practice because professionals didn't respond, delayed or evaded the procedure without any real consequences. The directive addresses this very point, not by turning ADR into a mandatory jurisdiction, but by strengthening its grip on the behaviour of economic operators.

  • The first step is conceptual but significant: when the competent ADR body decides to deal with a consumer's complaint according to its own procedural rules, the trader concerned must be contacted and invited to participate in the ADR procedure, regardless of whether participation is mandatory or voluntary under national law. This clarifies that the activation of ADR is no longer entirely dependent on the informal willingness of the trader: once the case enters the ADR circuit, the trader is formally “called into play.”
  • This summons corresponds to a specific and time-bound obligation. Professionals established in the EU must notify the ADR body within a reasonable time limit whether or not they intend to participate in the proposed procedure. The time limit, as a rule, may not exceed 20 working days. Only in the case of complex disputes or exceptional circumstances may the ADR body grant an extension, which in any case may not exceed a total of 30 working days. The directive also imposes a transparency obligation towards the consumer: if the deadline is extended, the consumer must be informed.

However, the Directive avoids a rigid approach and introduces some pragmatic exceptions. The obligation to respond doesn’t apply when the trader's participation in the ADR procedure is already mandatory by law; when the ADR body can still reach a conclusion without the trader's participation; or when the trader has already contractually committed to using ADR to resolve disputes with consumers.

A multi-level system also in light of the DSA

One of the most significant clarifications introduced by the directive concerns the systemic positioning of ADR within the overall consumer protection architecture. The directive reiterates that recourse to an ADR body doesn’t preclude the consumer from turning to other entities, such as consumer associations or public authorities responsible for enforcing consumer protection legislation. Conversely, the intervention of public authorities doesn’t preclude the possibility of out-of-court settlement.

This coordination is particularly important in cases where consumer disputes are the result of systemic practices such as potentially unfair terms, opaque pre-contractual communications, non-transparent pricing strategies, or manipulative interfaces. In such cases, ADR bodies aren’t called upon to legally classify the practice as unlawful – a function that’s reserved for the competent enforcement authorities – but can act as a qualified information hub, reporting the existence of repeated phenomena that emerge from the handling of individual complaints. The directive clarifies that such information exchange must comply with personal data protection rules and cannot result in a surreptitious delegation of sanctioning powers to ADR bodies.

The relationship between ADR and enforcement becomes even more nuanced when digital platforms come into play. The directive expressly addresses the risk of overlapping with the rules on digital services, clarifying that where a dispute between an online platform provider and a service recipient concerns the moderation of illegal or harmful content, the special rules on out-of-court dispute resolution provided for in the DSA apply. In such cases, consumer ADR is not “absorbed” by digital law, but consciously takes a back seat, leaving room for a more specific and detailed regime.

After ODR: ADR contact points and cross-border assistance

The cornerstone of this new framework is the ADR contact points. Each member state has to designate one or more contact points responsible for assisting consumers and professionals in cross-border disputes, with clearly defined tasks. These aren’t decision-making bodies or entities representing the parties, but support and guidance structures, called on to facilitate access to the competent ADR body and to make the right to out-of-court protection effectively enforceable.

  • The directive introduces a simple but significant rule: consumers contact the ADR contact point in their place of residence, while traders contact the one in their place of establishment. This choice aims to avoid forum shopping and ensure that assistance is provided in the legal and linguistic context closest to the party requesting it. This is a seemingly technical measure, but one that has a direct impact on the perceived fairness of the system.
  • The tasks of the ADR contact points are clearly defined. They include, at a minimum, assistance in submitting the complaint and relevant documentation; support for communication between the parties and the competent ADR body; provision of information on applicable procedural rules; guidance on consumer rights at EU and national level; and indication of any alternative means of redress if ADR is not feasible. In a cross-border context, assistance may also include language support, including machine translation of relevant information.
  • The directive also allows member states to extend the functions of ADR contact points to domestic disputes. This option is particularly relevant for vulnerable consumers or those with limited digital literacy, for whom access to even formally simple procedures can be complex.

In addition to the contact points, the directive entrusts the EC with the task of developing, by 20 April 2026, an easy-to-use interactive digital tool to provide information on consumer redress and the use of ADR, including in a cross-border context. Unlike the ODR platform, this tool isn’t designed as a place for dispute resolution, but as an information infrastructure: a guidance point that helps consumers understand what options are available and identify the most appropriate channel. The presence of direct links to the complaint forms of ADR bodies and automatic translation functions reinforces this support function without recreating the rigidity of the previous model.

Conclusions

From this perspective, the discontinuation of the ODR platform appears less like a surrender and more like a choice of regulatory maturity. The EU is abandoning the illusion of a centralized, technologically neutral solution in favour of investing in a distributed ecosystem made up of qualified bodies, contact points, cross-border cooperation, and digital guidance tools. It’s a less visible model, but potentially more effective because it’s rooted in the practices and responsibilities of the actors involved.

For economic operators, the message is clear: ADR is no longer an informational requirement to be relegated to the general terms and conditions, but a structural element of legal and reputational risk management in the European digital market. Preparing for the full implementation of the directive means rethinking complaint management flows, coordinating legal and customer care functions, updating information notices and strategically assessing when and how to participate in ADR procedures, including cross-border ones.

Author: Giulio Napolitano

 

Launch of the public consultation for the update of the National Numbering Plan and the rules on caller identification

With Resolution No. 60/25/CIR, published on 30 December 2025, AGCom launched the procedure and the public consultation for the update of the National Numbering Plan (NNP) in the telecommunications sector and the implementing framework set forth by Resolution No. 8/15/CIR, on the identification of the originating party of a communication (Calling Line Identity – CLI).

The consultation forms part of the broader framework of measures adopted by AGCom through Resolutions No. 106/25/CONS and No. 271/25/CONS. The resolutions aim to strengthen transparency for the protection of end users and consolidate security measures against CLI spoofing, namely the manipulation of information relating to the caller’s identity, and against teleselling and telemarketing practices carried out through aggressive methods of contacting customers. Resolution No. 60/25/CIR highlights how the current market is characterised by widespread phenomena of aggressive commercial contacts, frequently associated with the manipulation of the CLI.

As stated in the consultation document, set out in Annex B to Resolution No. 60/25/CONS, AGCom considers it necessary for entities, trade associations and operators to adequately inform consumers of the risks associated with contracts concluded following calls originating from foreign numbering ranges and to disclose the numbering ranges used by call centres for teleselling and telemarketing activities. According to the Authority, a measure capable of promoting transparency and supporting operators acting legitimately is represented by the possibility of using short numbers for teleselling and telemarketing calls, which are easily recognisable by users and attributable to specific operators.

The consultation document highlights that the current NNP allows the use as CLI, for calls and messaging, only of geographic numbers and numbers for mobile and personal services (in addition to alphanumeric CLIs for business messaging services). To increase the transparency and security of communications, the Authority proposes to assess an extension of the numbering ranges that may be used as CLI, to enable users to more easily distinguish legitimate communications from those that are potentially nuisance or fraudulent.

AGCom has submitted for consultation a proposal aimed at allowing, limited to the national territory, the use as CLI, for calls and/or messaging, also of numbering ranges for services that are free to the calling party, including:

  • emergency services
  • public utility services
  • European harmonised services with a social value
  • customer care services
  • services charged to the called party

The consultation also covers the possibility of extending the use of the CLI to additional categories of numbering, such as numbering for: internal network services; nomadic voice communication services; shared-cost services; and single-number or personal services.

Interested parties can submit their contribution to the public consultation by 13 February 2026.

Authors: Massimo D’Andrea, Matilde Losa, Arianna Porretti


Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Noemi Canova, Gabriele Cattaneo, Giovanni Chieco, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Enila Elezi, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Giulio Napolitano, Andrea Pantaleo, Deborah Paracchini, Maria Vittoria Pessina, Marianna Riedo, Tommaso Ricci, Rebecca Rossi, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’Andrea, Matilde Losa and Arianna Porretti.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.
