
10 October 2024, 20 minute read

Innovation Law Insights

Journal

Diritto Intelligente – Issue No. 2

As we move toward 2024, the legal landscape surrounding AI is evolving at an unprecedented pace. With privacy concerns at the forefront, the integration of generative AI tools presents both opportunities and significant challenges. The question is whether we're approaching a critical juncture for more stringent regulation. Privacy frameworks such as the GDPR are under pressure to evolve as AI technologies develop, and global regulations will need to adapt quickly.

Find out about these topics and more in Issue No. 2 here.

 

Podcast

The future of Italian startups in the US with Fabrizio Capobianco

After spending 23 transformative years in Silicon Valley – where he founded multiple successful companies fuelled by exceptional Italian engineering talent – Fabrizio Capobianco has returned to his roots in Valtellina, Italy. He’s launched The Liquid Factory, an innovative hub dedicated to nurturing the talent behind Italy’s next unicorn startups. In this captivating episode of the podcast Diritto al Digitale, Fabrizio sits down with Giulio Coraggio from DLA Piper to share his remarkable journey, unveil the visionary mission of the Liquid Factory, and discuss what it takes for Italian startups to thrive on the global stage. Listen here.

 

Data Protection and Cybersecurity

ECJ rules data protection authorities don't have to impose fines for every GDPR violation

In a landmark decision, the European Court of Justice (ECJ) has clarified that Data Protection Authorities (DPAs) are not obligated to impose corrective measures or monetary fines in every instance of a General Data Protection Regulation (GDPR) violation. This ruling holds significant implications for enforcing data protection laws across Europe, particularly concerning data breaches resulting from cyber attacks.

Traditionally, DPAs have often leaned towards a strict liability regime when addressing data breaches. There has been an implicit presumption that the occurrence of a breach automatically indicates the data controller has inadequate security measures. But this approach might not always be fair or reflective of the complex realities of cybersecurity. It's widely acknowledged that no software is entirely free from bugs or vulnerabilities. Many cyber-attacks succeed not because of negligence but because cybercriminals have exceptional skills and employ sophisticated methods to exploit even the smallest weaknesses.

A substantial number of data breaches are attributable to human error, which can be inevitable despite robust training and security protocols. Humans are fallible, and even the most diligent employees can make mistakes that lead to unintended data exposures. In such contexts, imposing strict penalties on organizations might not effectively address the root causes or contribute to enhanced data protection.

The ECJ's decision recognizes these nuances and provides DPAs with the discretion to assess each case individually. If a data controller has proactively taken necessary steps to remedy the violation and ensure full compliance with the GDPR, authorities can choose not to take further punitive action. This approach encourages organizations to focus on remediation and continuous improvement of their data protection measures rather than operating under the constant threat of fines.

This ruling could signal a shift in how European authorities enforce data protection laws. By allowing for discretion, DPAs can consider factors such as the organization's intent, the effectiveness of their security measures, and their response to the breach. It promotes a more balanced enforcement strategy that weighs the circumstances surrounding each violation.

But this development also raises important questions. Will the discretion granted to DPAs lead to inconsistencies in enforcement across different jurisdictions in the EU? How will authorities ensure this discretion doesn't result in leniency that could undermine the GDPR's objectives? Organizations and legal experts will be closely monitoring how this discretion is applied in practice.

In conclusion, the ECJ's decision reflects an understanding of the complex and evolving nature of cybersecurity threats. It acknowledges that while adherence to the GDPR is crucial, punitive measures are not always the most appropriate response to every violation. The focus may shift towards encouraging organizations to adopt proactive and effective data protection strategies, emphasizing remediation and prevention over punishment.

Whether this ruling will lead to a significant change in enforcement practices remains to be seen. Organizations should continue to prioritize strong data protection measures and stay informed about legal developments in this area. The decision offers an opportunity for a more nuanced approach to data protection, balancing the need for stringent security with the practical challenges faced by data controllers in a digital age.

Will we see a shift in how European authorities enforce data protection laws? This decision could mark the beginning of a more flexible and context-sensitive enforcement landscape, but only time will tell how DPAs will exercise their new discretion.

Author: Giulio Coraggio

NIS2 Directive implemented in Italy: Legislative Decree No. 138/2024

As we've already discussed here, last February the Italian Parliament delegated to the government the implementation of the (now famous) NIS2 Directive. The Delegation Law required the government to adopt the implementing legislative decree at least four months before the transposition deadline set in the Directive, so by mid-June 2024. But approval by the Council of Ministers didn't occur until early August, and publication of Legislative Decree No. 138 of 4 September 2024 in the Official Gazette followed only in October.

The text of the Legislative Decree is basically in line with the text of the Directive. But there are some differences.

Scope of application

The first difference from the Directive is the scope of the Legislative Decree. As noted in our earlier discussion, the Directive applies only where three criteria are met together:

  • a size requirement, where the company qualifies as a medium-sized or large enterprise within the meaning of Article 2 of the Annex to Recommendation 2003/361/EC;
  • a territorial requirement, where the company provides its services or conducts its business in the EU; and
  • a sectoral criterion, where the relevant company provides its services or carries out activities in one or more of the economic sectors listed in the Annexes to the Directive.

With respect to this last point, the Legislative Decree slightly broadens the scope by including other entities among the sectors to which the new regulation applies:

  • public administrations identified on the basis of a graded criterion that takes into account the administration's degree of exposure to risk, the probability of incidents occurring and their severity; and
  • regardless of size (i) entities that provide local public transportation services, (ii) educational institutions that carry out research activities, (iii) entities that carry out activities of cultural interest, and (iv) in-house companies, investee companies, and publicly controlled companies, as defined in Legislative Decree No. 175 of August 19, 2016 (Consolidated Law on Public Participation Companies).

Deadlines for compliance

Although the NIS2 Directive applies from 17 October 2024, the Legislative Decree in fact staggers the compliance obligations for in-scope companies over a longer period.

As the Decree makes clear, the first activity required of companies is to assess whether the Legislative Decree applies to their operations. Although this seems obvious, in reality the assessment isn't always straightforward, given the often very broad sub-categories within the sectors referenced by the NIS2 Directive. By the end of the year, companies have to carry out a timely analysis to understand whether their services fall within the scope of the Legislative Decree, taking into consideration the relevant sectors as well as the size and territorial criteria mentioned above.

Pursuant to Article 6 of the Legislative Decree, from 1 January 2025 until the end of February 2025 (except for certain categories of companies, which have to register by 17 January 2025), companies that believe they fall within the scope of the Legislative Decree will have to register on a dedicated portal being set up by ACN. Companies have to provide a range of information, such as the company name, updated address and contact details (including email addresses and telephone numbers), the designation of a point of contact with an indication of their role at the entity, and the relevant sectors, sub-sectors and types of entity listed in the annexes to the Legislative Decree.

Following this, ACN will have until 31 March 2025 to analyse the companies registered in the platform and draw up the list of essential and important parties, who will then be notified of their inclusion in the relevant list by 15 April 2025.

In addition to the dates mentioned above:

  • the obligation to notify cyber incidents applies from nine months after receipt of the notification of inclusion on the lists drawn up under the Legislative Decree (so indicatively from January 2026); and
  • the obligations of administrative and governing bodies and the obligations concerning information security risk management measures apply from 18 months after the above-mentioned notification (so indicatively from October 2026).

Does this mean that there is nothing to be done in the meantime? In our view, no. Central to this remains the need to ascertain by the end of the year whether a company falls within the scope of the NIS2 rules. This is followed by an assessment of the IT systems, which requires time and a detailed analysis of internal governance. The GDPR experience is instructive: although the timeframe was generous (a full two years from entry into force to the date of application), companies needed all of that time to take the necessary measures and to adopt an internal compliance system in line with their business needs.

Competent authorities

With reference to the competent authorities, the National Cybersecurity Agency (ACN) certainly stands out. ACN is called upon to:

  • oversee the implementation and enforcement of the Legislative Decree;
  • prepare measures necessary to implement the Legislative Decree;
  • carry out regulatory functions and activities, including adopting guidelines, recommendations, and non-binding guidance;
  • identify essential and important actors; and
  • participate in the NIS Cooperation Group and other EU-level activities.

To implement the Decree at the sector level, other NIS Sector Authorities are also identified to support ACN. Specifically:

  • the Presidency of the Council of Ministers for the ICT service management sector, the space sector, public administrations and in-house companies, and publicly owned or controlled companies
  • the Ministry of Economy and Finance, for the banking and financial market infrastructure sectors
  • the Ministry of Enterprise and Made in Italy for the digital infrastructure sector, the postal and courier services sector, the chemical manufacturing, production and distribution sector as well as the sub-sectors of computer and electronic and optical products manufacturing, electrical equipment manufacturing and manufacturing of machinery and equipment not elsewhere classified (n.e.c.), the sub-sectors of motor vehicle, trailer and semi-trailer manufacturing, and manufacturing of other transport equipment, digital service providers
  • the Ministry of Agriculture, Food Sovereignty and Forestry for the food production, processing and distribution sector
  • the Ministry of Environment and Energy Security for the energy sector, the drinking water supply and distribution sector, the wastewater sector, and the waste management sector
  • the Ministry of Infrastructure and Transport for the transport sector, entities providing local public transport services
  • the Ministry of University and Research for the research sector and for educational institutions conducting research activities
  • the Ministry of Culture for entities carrying out activities of cultural interest
  • the Ministry of Health for the health sector, the sub-sector manufacture of medical devices and in vitro diagnostic medical devices

Sanctions

Failure to comply with the obligations can result in significant penalties for operators. Specifically, following ACN's reporting of non-compliance, the relevant authorities can issue administrative penalties of up to EUR10 million or 2% of the subject's total annual worldwide turnover for the previous fiscal year, whichever is higher.

To avoid these penalties, companies should assess whether the NIS2 Directive applies to their business as soon as possible. They should also consider the applicable reporting requirements and carefully map their cybersecurity set-up from both a technical and a compliance perspective, so as to take the necessary measures without delay.

Author: Giulia Zappaterra

 

Legal Design

Legal design tricks – tips to use in your daily activities

Trick #2: How to incorporate legal design in your work?

Let’s adopt (Legal) Design Thinking!

Legal design merges the principles of design thinking with law to make legal information more accessible, clear and engaging for users.

Why Design Thinking?

Design thinking is a human-centred approach to problem-solving. It emphasizes understanding user needs, improving user experience, fostering creativity, and encouraging collaboration to develop innovative solutions.

How to Apply Design Thinking?

Design thinking follows a five-step process:

  1. Empathize with your users
  2. Define the problem
  3. Ideate solutions
  4. Prototype
  5. Test your idea

Ask yourself the key questions!

In your daily work, always consider:

  • Who is this for, and what do they need?
  • What are you trying to achieve?
  • What constraints should you keep in mind?
  • How can you simplify the legal information?
  • How can we gather feedback from users?

Did you know?

Legal design isn't a one-time fix. It’s an ongoing cycle of testing, feedback, and improvement to meet evolving user needs.

Our infographics will guide you through these concepts with engaging visuals and practical information. Check the infographic here.

Stay tuned for Trick #3, where we will dive into how to "Empathize" with your users!

Author: Deborah Paracchini

 

Intellectual Property

SHEIN under scrutiny by AGCM for misleading advertising on garment sustainability

The Italian Antitrust Authority (AGCM) has launched an investigation into Infinite Styles Services CO. Limited, which manages Shein's Italian website. The investigation relates to the possible misleading nature of statements on the sustainability of the brand (greenwashing) reported in the "#SHEINTHEKNOW," "evoluSHEIN" and "Social Responsibility" sections of the website of the famous Chinese giant of the ultra fast fashion sector.

In recent years, Shein has often found itself at the centre of heated controversy. The company has been accused of using harmful chemicals in products sold in Europe, raising serious health concerns for consumers. Furthermore, its mass production model, which allows garments to be sold at extremely low prices, allegedly contributes to significant textile waste, fuelling environmental concerns. Shein is also known for the reported working conditions of its workers, who are said to work exhausting shifts for inadequate pay.

But on its website, Shein claims to be committed to sustainability. According to AGCM, given consumers' growing sensitivity to the impact of their consumption choices on the environment, Shein is allegedly trying to convey an image of production and commercial sustainability of its garments through generic, vague, confusing and/or misleading environmental statements on the subject of "circularity" and the quality of products and their responsible consumption.

In particular, Shein presents its "evoluSHEIN" clothing collection as sustainable, which, according to AGCM, misleads consumers as to the quantity of "green" fibres used, and also fails to inform them that the garments cannot be recycled again. Moreover, according to AGCM, Shein emphasizes its "green" commitment in generic terms when describing the decarbonization of its activities, while the objectives indicated on the website are contradicted by the significant increase in greenhouse gas emissions reported in Shein's sustainability reports for 2022 and 2023.

The AGCM's investigation comes in the context of increasing attention to sustainability, amplified by Directive (EU) 2024/825 on empowering consumers for the green transition (often discussed together with the proposed Green Claims Directive), which entered into force on 26 March 2024. The legislation, which will become fully applicable from 27 September 2026, aims to combat greenwashing and promote a transparent ecological transition. Companies will have to meet stricter standards for environmental claims, ensuring clearer and more responsible communication to consumers.

Author: Carolina Battistella

 

Technology Media and Telecommunication

Embedded insurance through regulation and digital innovation

The current regulatory framework

The Insurance Distribution Directive (IDD)

"Embedded insurance" refers to offering insurance services bundled with noninsurance products or services. This usually results in insurance products being distributed through noninsurance channels by noninsurance players in their products and services. In this way, companies can maximize their market penetration and complement their offerings with the insurance component.

Until Directive (EU) 2016/97 (IDD) entered into force and was transposed into national law, there was no specific regulation for these practices, although they were already widespread in the market and monitored by the Italian Institute for the Supervision of Insurance (IVASS).

Embedded insurance was implemented through partnerships consisting of different types of contractual models between non-insurance companies and insurance companies, with some limitations.

First, it was only large companies that had the capacity to implement such models. In most cases, insurance products weren't really embedded in a complex offering and in a single customer journey: the agreements between the parties included the mere obligation for the noninsurance operator to give its customers the opportunity to take out a standardized insurance policy, at its own choice and discretion, after the main purchase of a product or service. So there were separate contractual relationships with distinct obligations and performance between the customer on the one hand, and the insurance company and the service or product provider on the other. This also made the insurance company easily replaceable in the model, unless the partnership agreement bound the noninsurance company with exclusivity clauses or otherwise long-term commitments. It also resulted in absent or ineffective data sharing and exploitation.

The IDD regulates "insurance distribution" activities, which can only be carried out by duly authorized entities subject to supervision by the Supervisory Authorities.

Understanding which activities fall under the IDD's scope of application and which are excluded – and can, therefore, be carried out freely by any market player – is crucial in the context of embedded insurance, where companies and intermediaries work closely with business partners that are often outside the insurance world.

Consider, for example, travel policies bundled with airline tickets, accidental damages policies bundled with electronic devices, or credit protection insurance bundled with credit cards. Although these "packages" may appear simple, they conceal often complex distribution models. In fact, their implementation involves interaction between multiple parties, such as service providers or digital platforms, who probably don't hold an insurance license.

In this context, it's essential to understand what's meant by "insurance distribution."

The IDD's definition of insurance distribution is quite broad. It includes any activity of advising on, proposing or carrying out other preparatory work for concluding insurance contracts, assisting in the management of such contracts, or providing support in the event of claims. Conversely, merely providing information about potential policyholders or insurance products doesn't constitute insurance distribution, as long as no further action is taken to facilitate the taking out of the policy.

The connected contracts exemption

Also worthy of attention is the "Connected Contracts Exemption." Ancillary insurance intermediaries can take advantage of this exemption, avoiding the application of the IDD. So, in essence, they can distribute insurance products without being registered with the RUI (the Italian Register of Insurance Intermediaries), if:

  • they offer insurance complementary to the different good or service offered; and
  • the premium doesn't exceed EUR600 per year or EUR200 for insurance policies combined with services of less than three months' duration.

If the intermediaries don't meet these conditions, they have to get an insurance license, unless the distributor limits their activity to merely "introducing" the insurance product, which in that case, would probably be purchased at a later date, as was the case in the "old" embedded insurance model.

Obligations regarding cross-selling

Regardless of which distribution model is adopted, in all cases where the insurance product is ancillary to another product (or vice versa), certain provisions must be observed.

Article 24 of the IDD (and Article 120-quinquies of the Italian Insurance Code) provides specific transparency obligations in the case of cross-selling, with the aim of ensuring clarity and freedom of choice for consumers. In particular, distributors have to inform customers about the possibility of purchasing different components of a package separately or provide a detailed description of the individual components and their costs.

New models of embedded insurance

The combination of specific legislation on cross-selling and the evolution of digital technologies, including cloud, algorithms and a generally greater ability to leverage data, is leading to the development of new models of embedded insurance. They unify all customer interactions into one integrated flow and, unlike the old model, which offered opportunities primarily to large companies, they're now an opportunity for operators of all sizes.

New models need to be reflected in the contracts between the stakeholders involved. This is especially important in terms of IT integration of their respective systems, data access and control, obligations of the parties according to their role in data protection, project governance and accountability. It's also key to customer relationship management, regulatory compliance, liability, KPIs to monitor the success of the project, but also termination of the partnership and its consequences. Finally, through data processing and algorithms, companies can offer highly customized insurance solutions in line with each client's unique needs.

But the regulatory and market framework isn't yet complete. So companies can't maximize the benefits of new embedded insurance models. Data sharing remains based on the initiatives of insurance ecosystem players and the contracts between them: insurance companies, brokers, technology providers and enablers. There's still no mandatory regime for data sharing in the insurance industry. And this is precisely the goal of the new European FIDA (Financial Information Data Access) regulation proposed by the European Commission, which is expected to apply from 2027.

Authors: Giacomo Lusardi and Valentina Grande


Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Carlotta Busani, Giorgia Carneri, Noemi Canova, Gabriele Cattaneo, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D'Angeli, Chiara D'Onofrio, Federico Maria Di Vizio, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Deborah Paracchini, Maria Vittoria Pessina, Marianna Riedo, Tommaso Ricci, Rebecca Rossi, Roxana Smeria, Massimiliano Tiberio, Federico Toscani and Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D'Andrea, Flaminia Perna and Matilde Losa.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta and Ginevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about "Transfer", the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and check out a DLA Piper publication outlining Gambling regulation here, as well as a report analyzing key legal issues arising from the metaverse here, and a comparative guide to regulations on lootboxes here.

If you no longer wish to receive Innovation Law Insights or would like to subscribe, please email Silvia Molignani.
