6 February 2025 | 17 minute read

Innovation Law Insights

Event

AI Act comes into effect: How should in-house lawyers prepare?

On 2 February 2025, the first AI Act provisions on prohibited practices came into effect. They also affect privacy, intellectual property, employment law, and taxation.

To support in-house legal departments, DLA Piper is organising an event on 18 February at its Milan office titled “The AI Act comes into effect: How in-house counsel should handle the challenges of the future”. During the meeting, Luisella Giani, Head of Advisory ICEG & UAE at Avanade, will analyse the adoption of AI in Italian companies and Guido Scorza, lawyer and member of the board of the Italian Data Protection Authority, will give a keynote speech on the initiatives of the Garante with respect to AI.

Lawyers from our Intellectual Property and Technology (Giulio Coraggio, Alessandro Ferrari, Giacomo Lusardi, Tommaso Ricci), Employment (Federico Strada) and Tax (Giovanni Iaselli) practices will present a case on the use of AI, highlighting critical issues and best practices.

For information on how to participate, contact eventi@dlapiper.com.

 

Podcast

AI Act on Prohibited Practices is now in force – are you ready?

The first provisions of the EU AI Act are now enforceable, banning AI systems that pose unacceptable risks.

This marks a turning point for AI regulation, with businesses, developers, and regulators all bracing for the impact. In this episode of our Diritto al Digitale podcast, Giulio Coraggio and Tommaso Ricci from DLA Piper discuss:

  • The AI practices now banned under the EU AI Act
  • How the DeepSeek case became a regulatory warning
  • What businesses must do NOW to comply and avoid fines

Listen to the Diritto al Digitale podcast for free on your device at Apple Podcasts, Google Podcasts, Spotify, Audible, YouTube.

 

Artificial Intelligence

Enforcing data subjects’ rights in the context of AI

The European Data Protection Board recently published a report by a pool of experts on the enforcement of data subjects’ rights in the context of AI-complex algorithms.

More specifically, the GDPR gives data subjects the right to rectification, the right to erasure, and the right to object to automated decision-making. But implementing these rights in AI-driven systems presents substantial challenges because of how AI models learn and retain information from personal data.

Challenges in implementing data subjects’ rights

AI models, particularly those based on deep learning, memorize training data in a compressed form. This creates difficulties in ensuring compliance with the right to rectification and the right to erasure. The key challenges include:

  • Limited understanding of how each data point affects the model: AI models function as black boxes, making it difficult to determine the specific impact of individual data points.
  • Stochasticity of training: The training process is inherently random due to batch sampling, random ordering, and parallel processing, leading to variations in the trained model.
  • Incremental training process: In federated learning environments, data updates influence subsequent updates, making the removal of a single data point insufficient to eliminate its effect.
  • Stochasticity of learning: The learning algorithm is also probabilistic, so it could be difficult to correlate how a specific data point contributed to the “learning” in the model.

Techniques for deleting and unlearning data

1. Retraining models from scratch

A straightforward approach to data erasure is deleting the personal data, retraining the model without it, and replacing the old model with the retrained version. While effective for small models, this method is computationally expensive for large-scale AI systems, making it impractical for frequent data deletion requests.

2. Exact unlearning methods

Several machine unlearning methods have been developed to remove specific data points without retraining the entire model:

  • Model agnostic unlearning: This method stores model gradients or modifies the training process to facilitate unlearning. A notable approach is the SISA (Sharded, Isolated, Sliced, and Aggregated) technique, which divides training data into multiple shards, limiting the influence of individual data points to specific portions of the model.
  • Model intrinsic unlearning: Some unlearning techniques are designed for specific AI models, such as decision trees and random forests, where strategic modifications allow selective forgetting.
  • Application specific unlearning: In recommendation systems, where data sparsity is high, efficient data structures can be used to remove personal data without retraining the entire model.
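
The sharding idea behind SISA, with the check that erasing a record gives the same models as a full retrain, shown as an added example (not code from the EDPB report or from DLA Piper). The nearest-centroid model, record ids and data are constructed for illustration, and the slicing step of SISA is left out.

```python
import hashlib
from collections import Counter

def shard_of(record_id, n_shards):
    """Deterministic shard assignment: a deletion request maps to exactly one shard."""
    digest = hashlib.sha256(record_id.encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_shards

def train_centroids(rows):
    """Constituent model (assumed for illustration): per-label mean feature vector."""
    sums, counts = {}, Counter()
    for _, features, label in rows:
        acc = sums.setdefault(label, [0.0] * len(features))
        for i, x in enumerate(features):
            acc[i] += x
        counts[label] += 1
    return {lab: tuple(v / counts[lab] for v in acc) for lab, acc in sums.items()}

def dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

class SisaEnsemble:
    def __init__(self, n_shards):
        self.n_shards = n_shards
        self.shards = [[] for _ in range(n_shards)]
        self.models = [{} for _ in range(n_shards)]

    def fit(self, rows):
        for row in rows:
            self.shards[shard_of(row[0], self.n_shards)].append(row)
        # Isolation: each model sees only its own shard.
        self.models = [train_centroids(s) for s in self.shards]

    def unlearn(self, record_id):
        """Erase one record and retrain only the shard that held it."""
        k = shard_of(record_id, self.n_shards)
        kept = [r for r in self.shards[k] if r[0] != record_id]
        if len(kept) == len(self.shards[k]):
            return None  # id was never in the training set
        self.shards[k] = kept
        self.models[k] = train_centroids(kept)
        return k

    def predict(self, features):
        """Aggregation: majority vote over the non-empty shard models."""
        votes = Counter(
            min(m, key=lambda lab: dist2(m[lab], features))
            for m in self.models if m
        )
        return votes.most_common(1)[0][0]

# Constructed sample data: (record id, features, label).
DATA = [(f"subj-{i:02d}", (float(i), 1.0), "low") for i in range(6)] + \
       [(f"subj-{i:02d}", (float(i + 10), 9.0), "high") for i in range(6, 12)]

def erase_and_verify(record_id, n_shards=3):
    """Unlearn one record, then compare with a full retrain that never saw it."""
    ens = SisaEnsemble(n_shards)
    ens.fit(DATA)
    before = list(ens.models)
    k = ens.unlearn(record_id)
    scratch = SisaEnsemble(n_shards)
    scratch.fit([r for r in DATA if r[0] != record_id])
    untouched = all(ens.models[i] is before[i] for i in range(n_shards) if i != k)
    return k, untouched, ens.models == scratch.models

if __name__ == "__main__":
    print(erase_and_verify("subj-07"))
```

The equality with the from-scratch ensemble holds here because shard assignment and training are both deterministic; with stochastic training the comparison would have to be made on distributions of models rather than on a single pair.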

3. Approximate unlearning techniques

When exact unlearning is computationally prohibitive, approximate methods are used to minimise the influence of deleted data without completely retraining the model:

  • Finetuning: The model undergoes limited additional training to reduce the impact of specific data points.
  • Influence unlearning: This method estimates the influence of deleted data on the model and updates parameters accordingly.
  • Intentional misclassification: Instead of removing data, models are retrained to misclassify deleted data points, making them unrecognisable.
  • Parameter deletion: By storing historical parameter updates, unlearning can be achieved by rolling back specific updates.

Verification and concerns with machine unlearning

One of the biggest challenges in unlearning is verification. Metrics such as unlearning accuracy, remaining accuracy, and membership inference attacks are used to assess whether a model has successfully forgotten data. But approximate unlearning lacks strong guarantees, and some models can produce nearly identical outputs despite differences in training data.

Additional concerns include:

  • Privacy risks: If attackers can compare model outputs before and after unlearning, they may infer which data was removed.
  • Bias and fairness issues: Deletion requests are more likely from certain demographic groups, which could introduce biases in AI models.

Addressing data leakage in generative AI

Generative AI models, such as large language models and image generators, pose unique risks as they may inadvertently output personal data. To mitigate these risks, several approaches have been developed:

  • Model finetuning: Adjusting training to prevent the generation of specific data or concepts.
  • Data redaction: Using adversarial training to prevent models from learning certain types of personal information.
  • Output modification: Employing classifiers to filter and block certain outputs before they reach users.

Conclusion

Ensuring compliance with data subjects’ rights in AI systems remains a complex challenge. While retraining from scratch offers the most robust solution, it’s impractical for large models. Emerging unlearning techniques, both exact and approximate, provide alternative solutions, though they still require refinement.

As AI continues to evolve, the focus should be on data protection by design, incorporating mechanisms for data rectification and deletion from the outset. Additionally, stricter regulations and transparency measures can help ensure AI systems respect individuals’ rights while balancing technical feasibility.

Author: Roxana Smeria

 

Data Protection and Cybersecurity  

Italy takes steps to adapt laws to DORA Regulation: New rules on supervisory authorities and penalties

Regulation (EU) 2022/2554 (DORA or the Regulation) became officially applicable throughout the EU on 17 January 2025. Member states are now rushing to approve their respective national adaptation laws. In Italy’s case, the draft legislative decree (the Decree) aimed at adapting national sector legislation on banking institutions, credit institutions, financial intermediaries, insurance companies, etc. has recently been made available.

The Decree, in addition to providing for the necessary interventions to adapt the national legislation in force, defines the sanctions that will be applied to financial entities supervised by the Italian authorities. Below is a summary of the most relevant provisions.

Application to financial intermediaries

First, the Decree extends the application of DORA to financial intermediaries pursuant to Article 106 of the Italian Consolidated Bank Law, which, unlike insurance and reinsurance intermediaries, aren’t expressly listed among the entities included in the DORA scope (Article 2 of the Regulation). The Decree establishes that financial intermediaries are subject to a “simplified” framework for managing IT risks provided for in Article 16 DORA for smaller or less complex financial institutions (Article 6). But the Bank of Italy has the power to identify a certain category of financial intermediaries that may be considered “significant” (also in terms of the type of activities carried out) and which should apply the full risk management framework instead of the simplified one (Article 6, par. 3).

Competent authorities

The Decree identifies the Bank of Italy, Consob, IVASS and COVIP as the competent authorities for compliance with the obligations imposed by DORA on supervised entities, according to their respective supervisory powers (Article 4, paragraph 1).

Specifically, the Decree assigns competence to:

  • Bank of Italy, with reference to credit institutions, payment institutions, account information service providers, electronic money institutions, investment firms, crypto-asset service providers authorised under Regulation (EU) 1114/2023 (MiCAR) and issuers of asset-referenced tokens, central counterparties, managers of alternative investment funds, management companies, crowdfunding service providers, wholesale trading venues for government bonds, Cassa depositi e prestiti S.p.A., and Poste Italiane S.p.A. for the activities of Bancoposta.
  • Consob, with reference to central depositories and trading venues, with the exception of wholesale trading venues for government bonds.
  • IVASS, with reference to insurance and reinsurance undertakings and insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries.
  • COVIP, with reference to institutions for occupational retirement provision.

These authorities enjoy the supervisory and inspection powers recognised by DORA (Article 8) and will be the recipients of notifications of major ICT incidents and voluntary reports of significant cyber threats (Article 4).

Reporting incidents to CSIRT Italy

Financial entities in the banking sector and financial market infrastructures referred to in Annex I to Directive (EU) 2022/2555 (NIS Directive), and entities belonging to the banking sector and financial market infrastructures identified as critical pursuant to Directive (EU) 2022/2557 (CER Directive), have to provide notifications relating to major ICT incidents pursuant to Article 19 DORA also to the CSIRT (Computer Security Incident Response Team) set up at ACN with the task of monitoring incidents at national level and issuing early warnings, alerts, information on risks and IT incidents (Article 4 par. 3).

As already provided for by the CER and NIS2 Directives, once information relating to cyber threats, vulnerabilities and incidents has been received, ACN sends it to the intelligence bodies referred to in Law no. 124 of 2007 for their institutional purposes (Article 5 par. 3).

Cooperation with the Guardia di Finanza and ACN

Regarding cooperation between the Authorities, the Decree provides for the stipulation of a memorandum of understanding between the competent DORA Authorities and the Guardia di Finanza for regulating the exchange of information relating to serious ICT incidents and significant cyber threats, for prevention, detection and repression of economic and financial offences (Article 5, paragraph 2).

If the National Cybersecurity Agency, in its supervision or enforcement duties, becomes aware of a breach of reporting obligations by a financial entity, it must inform the DORA competent authorities without undue delay (Article 5, paragraph 4). This may occur, for example, in the case of incidents involving critical third-party suppliers within the meaning of DORA who have also been identified as essential or important entities under the NIS2 Directive.

Sanctioning regime

The Decree (Article 8) gives the DORA competent authorities supervisory and sanctioning powers against financial entities and their ICT third-party service providers that support critical or important functions. Article 10 regulates the administrative fines to be applied, based on two levels of severity.

  • For more serious breaches, in violation of DORA’s rules on governance, IT risk management, detection and recovery in the event of anomalies, incident management and reporting, digital operational resilience tests, the Decree applies penalties starting from EUR500 up to 12.5% of total annual turnover, depending on the type of financial entity that committed the breach.
  • For violations deemed less serious, such as those related to DORA rules on systems and protocols, log management, communication, incident classification, TLPT, third-party risk management, penalties go from EUR500 up to 9% of total annual turnover, depending on the type of financial entity that committed the violation.

The Decree also establishes administrative fines for natural persons who perform administrative, management or control functions and for the personnel of companies and entities against whom violations are ascertained. Penalties can range from a minimum of EUR500 to a maximum of EUR5 million, in the most serious cases, and from a minimum of EUR500 to a maximum of EUR3.5 million in less serious cases, depending on the type of financial entity in which the individual performs their duties.

The Decree also provides for the possibility of applying the ancillary administrative sanction of disqualification, for a period of not less than six months and not more than three years, in consideration of the seriousness of the violation.

Entry into force

The Decree is currently under review in Parliament for its opinion, as defined by the delegation law, with a deadline set for mid-February. Once approved, the President of the Republic will issue the Decree and it will be published in the Official Gazette. It will enter into force 15 days after publication.

Author: Marianna Riedo

 

Intellectual Property

Protection of non-traditional trademarks: The case of Juventus’ ‘Be the Stripes’ kit

The Turin Court of Appeal recently issued a ruling of particular significance regarding the protection of a non-traditional trademark, specifically addressing the case concerning Juventus’ official 2019/2020 season kit, known as “Be the Stripes”. The dispute involved the Turin-based club, its authorized retailer Pegaso, and the Portuguese company Mussara.

The litigation centred on the commercialization of a kit replicating the distinctive features of the original design created by Adidas for Juventus. In 2019, the club initiated legal proceedings against Pegaso, alleging infringement of an unregistered trademark, unfair competition, and violation of an unregistered design. The Turin Court ruled in favour of Juventus, ordering Pegaso to pay over EUR100,000, an amount determined based on illicit profits obtained from the sale of the infringing products.

Pegaso appealed the decision, denying the existence of an unregistered trademark on the disputed kit and arguing that any rights belonged exclusively to Adidas as the entity responsible for the design. However, the Court of Appeal upheld the first-instance ruling in full, rejecting both Pegaso’s main appeal and the incidental appeals filed by Juventus and Mussara.

From a legal perspective, the court recognised Juventus’ ownership of the trademark represented by the colour combination of the kit (a de facto colour mark), emphasising that the distinctive black-and-white striped pattern had been inseparably associated with the club for over a century. The court further noted that the existence of similar colour schemes used by other football teams didn’t undermine the validity of Juventus’ colour trademark, as similar distinctive signs can coexist in the market under Article 28, paragraph 1, of the Italian Industrial Property Code.

A particularly significant aspect of the ruling was the application of the principle of cumulative protections, established by the Court of Justice of the European Union in the Cofemel case (C-683/17, September 12, 2019). The Court of Appeal recognised the possibility of multiple intellectual property rights coexisting on the same kit – namely, Adidas’ registered design rights and Juventus’ trademark rights.

On this basis, the court confirmed that Pegaso had infringed Juventus’ trademark and engaged in unfair competition under Article 2598 of the Italian Civil Code. The ruling identified three key elements of the infringement: the unauthorised reproduction of the championship-winning badge (scudetto) on the counterfeit kit, the identical colour scheme with the distinctive pink stripe separating the black and white bands, and the use of the “CR7 Museu” mark, licensed by Mussara, which directly referenced Juventus’ star player at the time, Cristiano Ronaldo.

The court also found Mussara contractually liable for breaching the principle of good faith in contractual performance, as established by Articles 1175 and 1375 of the Italian Civil Code. Mussara had denied Pegaso authorisation to market an alternative kit model after the original had been judicially banned, undermining the legitimate expectations of its licensee.

The Court of Appeal’s ruling sets a significant precedent in the field of intellectual property protection in professional football, where official kits result from commercial agreements between clubs and technical sponsors. The case highlights Juventus’ ability to assert its rights, even in the absence of claims from its technical sponsor, reinforcing the principle that the consistent use of a specific colour combination can generate a legally recognisable and protectable unregistered trademark.

This ruling is part of a broader legal strategy pursued by Juventus to safeguard its brand, as evidenced by other actions, including the well-known 2022 decision by the Rome Court against the unauthorised use of the club’s trademarks in digital content and NFTs.

Looking ahead, the implications of this decision could extend well beyond the sports sector, significantly influencing the legal framework governing intellectual property rights and the management of commercial partnerships in industries where multiple parties often hold distinct rights over the same asset.

Author: Rebecca Rossi

Comparing trademarks in invalidity and infringement proceedings: Different criteria?

The Italian Supreme Court recently ruled on a dispute concerning the validity of an Italian trademark, which was challenged by two US companies holding an earlier registered and allegedly well-known fashion brand. This case provided an opportunity to clarify whether the comparison between signs, in invalidity proceedings, should be conducted in abstract or concrete terms and to what extent this evaluation differs from that carried out in infringement proceedings.

According to Article 12, paragraph 1, letter d) of the Italian Industrial Property Code, a trademark can’t be registered if it’s identical or similar to a pre-existing one for similar products or services, where this may create confusion among the public. This provision reflects the principle of protection of prior trademarks, which is also established at the European level by Article 5 of Directive (EU) 2015/2436 and Article 8 of Regulation (EU) 2017/1001.

In this case, the Milan Court of Appeal had rejected the invalidity claim against the Italian trademark, ruling that there was no risk of confusion with the US companies’ sign and denying that the latter enjoyed any reputation in Italy. The decision was based on a concrete analysis of the actual use of the trademarks and their respective product classes, highlighting a functional difference between the goods and services offered under the respective distinctive signs.

But the Supreme Court partially overturned the appeal ruling, clarifying a fundamental point: in invalidity proceedings, the comparison between signs must be made in abstract terms, meaning that only the registrations should be considered, rather than the actual use of the trademark. Conversely, in infringement proceedings, the risk of confusion must be assessed in concrete terms, taking into account how the sign is used and how the relevant public perceives it.

This ruling is particularly significant as it confirms that the assessment of the risk of confusion doesn’t follow the same criteria in the two types of proceedings. In invalidity cases, the comparison is based on formal data, whereas in infringement cases, the analysis considers commercial reality and the actual market interaction between trademarks.

This distinction has significant implications for trademark protection, as it highlights that a trademark can be declared invalid even in the absence of an actual risk of confusion in the market, and conversely, that the use of a trademark may be deemed unlawful even if its registration is formally valid.

Author: Maria Vittoria Pessina


Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Carlotta Busani, Giorgia Carneri, Noemi Canova, Gabriele Cattaneo, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Deborah Paracchini, Maria Vittoria Pessina, Marianna Riedo, Tommaso Ricci, Rebecca Rossi, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna, Matilde Losa and Arianna Porretti.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about “Transfer”, the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and check out a DLA Piper publication outlining Gambling regulation here, as well as a report analyzing key legal issues arising from the metaverse here, and a comparative guide to regulations on lootboxes here.
