AI Regulation in Europe: Italy’s new draft AI Law introduces local peculiarities compared to the EU AI Act

As the European Union (EU) gets closer to enacting the AI Act, signaling its upcoming application, EU member states, like Italy, are actively developing their own AI regulations that are also set to apply.

This situation is reminiscent of the aftermath of the GDPR, where countries implemented additional localized measures, despite the harmonizing intent of EU legislation. Compliance with EU regulation, therefore, is often merely the initial step. Companies, including those outside the EU offering their services in the European Union, must be prepared to navigate the individual (and often contrasting) regulatory landscapes across each member state that. In many cases, as in the case of the Italian law, these local regulatory approaches are likely to become binding before many of the provisions of the AI Act.

Approved at the end of April by the Italian Government, Italy’s draft AI law proposes a comprehensive national strategy addressing AI’s societal, regulatory, privacy, and economic impacts. While the draft law is still subject to parliamentary processes and not yet enacted, the draft anticipates some of the AI Act’s principles and introduces many specific national nuances. In particular, it requires that AI systems comply, among others, with the principles of transparency, proportionality, security, protection of personal data, confidentiality, accuracy, non-discrimination, gender equality, and sustainability. Alongside compliance with these principles, the draft AI law mandates that development of artificial intelligence systems and models has to take place using data and processes that must be monitored for correctness, reliability, security, quality, appropriateness and transparency. Fulfilment of all these requirements must be proven with evidence and companies must therefore implement appropriate policies and ensure to document the activities performed during the development, implementation, and use of AI systems.

Below DLA Piper reviews the several key elements of the Italian draft AI law, and draws comparison of many of its terms with the AI Act.

Applicability

A key component of the AI Act and the Italian draft AI law is their express determination of scope and applicability. In both the EU and AI rules, an exception of applicability provided for AI used in the context of national security and defense activities. These exclusions include vital elements of society, including national cybersecurity regimes, police forces, and the armed forces. In contrast to the EU’s approach, the Italian rules are far more restrictive, and would therefore require local as well as foreign companies offering their services in Italy to ensure that, despite their approach to ensure compliance with the AI Act, they are also in compliance with laws and restrictions at a local level.

Priority for local storage

The Italian draft AI law mandates that the state and public authorities prioritize, through their e-procurement platform, providers that utilize local data centers to store and process generative AI services and tools involving critical data. Although ‘critical data’ has not yet been defined in the Italian draft AI law, it is likely to include information strategically vital for national security and economic stability. This definition is expected to be broad, with specific details to be clarified in subsequent text revisions.

Prioritizing local storage indicates an awareness of the potential for harm when AI is leveraged with data sensitive to national infrastructure – a fact not fully accounted for in the provisions of the AI Act. Italy’s approach is not in isolation, as many governments, including the US through its recent Executive Order limiting certain transfers of US information to offshore locations, are beginning to seek restriction of offshoring certain types and quantities of data.

AI in healthcare

Specific rules are also introduced for AI systems used in the healthcare sector, recognizing their potential to contribute to the improvement of the healthcare system and the prevention and treatment of diseases. The Italian draft AI law does recognize that this must be achieved through the development and management of AI that considers the rights, freedoms, and interests of the data subject, including in terms of personal data protection. For example, in line with European regulations, the Italian draft AI law provides that:

• AI systems and their related data used in the healthcare sector must be reliable and periodically verified and updated; and
• The patient involved has the right to be informed about the use of artificial intelligence technologies, the diagnostic and therapeutic benefits derived from using new technologies, and information on the decision-making logic used.

However, in contrast to the AI Act, the Italian draft AI law also provides that data processing, including the processing of personal data, performed by public and private non-profit entities for research and scientific trials in the development of AI systems for healthcare purposes, as necessary for the creation and use of databases and basic models, is of significant public interest which, among others, has a considerable impact on the applicable legal basis under the GDPR. As such, additional scrutiny and measures are expected to be applied in addition to the existing Europe-wide regimes.

This rule is particularly relevant for overseas companies that are involved in the sponsorship of research in Italy. The rule stipulates that data processing for clinical trials and scientific research purposes in the healthcare sector must be subject to approval by the relevant ethical committees and must be communicated to the Data Protection Authority. This process can be complex for companies operating from abroad, and can result in increased and unexpected financial and time costs.

AI in the Workplace and Intellectual Professions

The Italian draft AI law addresses one of the most sensitive issues of public opinion in Italy at this time: the use of AI in the workplace.

Like the AI Act, the Italian draft AI law explicitly bans any AI applications that result in worker discrimination based on gender, age, ethnic origin, or sexual orientation. The Italian draft AI law, however, goes beyond these prohibitions and establishes a dedicated observatory led by the Italian Minister of Employment and Social Policies to define a strategy for AI use in the workplace and monitor its impact on the job market. The Italian draft AI law also restricts AI in the context of professional services to supporting professional activities and obligates professionals to inform their clients about the AI systems they use clearly and comprehensively.

While the Italian draft AI law closely follows many of the foundations of the AI Act, including transparency, the restriction on the use of AI in employment is yet another example of local nuances far exceeding the Europe-wide approach that is most visible to companies abroad, and one that must be suitably factored into any international approaches to the use of AI.

Local AI Authorities and Innovation Funds

To ensure the implementation of the AI Act, as well as of the national legislation on artificial intelligence, Italy will establish two national AI authorities:

1. AgID (Agenzia per l’Italia Digitale) that will be tasked with promoting AI innovation and development. This agency will also define procedures and conduct evaluation, accreditation, and monitoring of entities responsible for verifying AI system compliance.
2. ACN (Agenzia Nazionale di Cybersecurity) that will be responsible for overseeing cybersecurity, including inspection activities, to safeguard national cybersecurity.

This addition to the proposed Italian regime is a point of regulatory contention, as the Italian Data Protection Authority has previously indicated that it would be more qualified than the proposed authorities to act as the national AI authority. There is a clear understanding of AI’s relevance to the global economy and, consequently, of the power that authorities in charge of applying relevant regulations would be provided.

To encourage the creation and growth of startups and small to medium-sized enterprises focusing on emerging technologies and innovative solutions with high potential for innovation and scalability, the government also plans significant venture capital investments managed by the state of up to one billion euros in companies operating in the field of artificial intelligence and in other innovative technologies, as well as those, even if located abroad, developing AI solutions with the goal of creating a national AI champion.

Exemptions to Copyright Law for the use of AI

In line with the AI Act, authors (or economic rights holders, if different from the authors) must use machine readable watermarks on video content or audio indications within audio content if it has been generated, modified, or altered by AI systems. This requirement aims to disclose when data, facts, and information presented as real are AI-generated.

The Italian Government, through the Italian draft AI law, has also attempted to modify Italian copyright law by adding a specific reference to the need of a human contribution in the creation of copyright protected works. Human contribution shall be, at minimum, creative, relevant and provable. Failure to sufficiently establish these qualities will mean that the work cannot be protected under Italian copyright law. This approach is in line with the view taken by EU and US courts, where courts draw the line between what is protected and not. Companies will therefore be required to carefully document their creative in order to establish that sufficient human contribution has been included to afford copyright protection.

The Italian draft AI law also makes reference to the text and data mining exception provided by the EU Copyright Directive 2019/790 where copyright-protected materials are used to train AI systems. The AI Act contains a mere cross-reference to the relevant provision of the EU Copyright Directive without any significant discussion or information for organizations to utilize. The Italian draft AI law goes further and more specifically discusses the modalities of implementing the opt-out mechanism by copyright holders and the disclosure obligations to which AI systems reproducing or extracting protected works are subject.

At this point in time, there is some confusion in the market regarding the concept of reproduction or extraction by AI systems during their training phase, and a more precise level of clarification would help copyright holders better understand how to exercise their opt-out rights and providers and deployers of AI systems to what the limit of their rights is. It is unclear at this stage whether this will be addressed by the guidance and developments of the AI Office at an EU-wide level, or whether local regulators, such as those in Italy will be required to fill in the gaps.

What can foreign companies providing and using AI solutions in Italy expect?

The EU’s layered regulatory environment of EU Regulations, EU Directives, and local EU member state law presents a complex challenge for international organizations operating in the market. This multifaceted regulatory structure – comprising both EU-wide legislation and country-specific laws – requires a nuanced understanding and strategy from AI developers and organizations seeking to leverage tools and systems powered by AI.

While the AI Act sets the stage for regulation of AI in Europe, the details and additional requirements organizations will be expected to address could (and often do) vary significantly across member states. For both companies located in the EU as well as non-EEA companies offering their services in the EU, this means that merely aligning with EU regulations may not be sufficient to ensure compliance of wider business activities with all applicable regulation. Continuous engagement with local legal developments and an adaptive compliance strategy is therefore a preferred methodology.

The evolving nature of the EU and Italy’s legislative landscapes also indicates that the regulatory environment remains unsettled. Stakeholders must therefore stay proactive in monitoring current requirements and potential future changes that could affect their operations.

While the AI Act forms a critical baseline, understanding and adapting to country-specific laws such as Italy’s proposed AI regulations is crucial for comprehensive compliance. Entities must recognize that their regulatory obligations in the EU will be as dynamic and nuanced as the technology they wish to deploy.

Companies cannot wait to comply with regulations applicable to AI, including the Italian draft AI law that is expected to come into force before many of the provisions of the AI Act becomes binding. On the one hand, AI businesses feel the urgency of adopting AI solutions; on the other hand, they are concerned that their employees are already using artificial intelligence solutions that have not been approved by the company, potentially putting the business at risk of legal disputes. Furthermore, many companies are seeking to maximize the data available to train their AI systems – leading them into an area of regulatory contention where data is protected by copyright protections.

DLA Piper

DLA Piper continues to monitor international regulatory activity on the subject of artificial intelligence and is prepared to assist companies at this critical moment in navigating regulatory developments.

For more information on AI and the emerging legal and regulatory standards, visit DLA Piper’s focus page on AI.

Gain insights and perspectives that will help shape your AI strategy through our newly released AI Chatroom series.

For the latest information on the development and position of the EU AI Act, and to learn how to prepare for compliance, watch DLA Piper’s latest webinar on AI Act Readiness.

For further information or if you have any questions, please contact any of the authors.