
9 January 2025 | 15 minute read

Innovation Law Insights

Podcast

EU Digital Decade: How To Tackle This 2025’s Regulatory Avalanche?

The EU Digital Decade has arrived, and 2025 ushers in an unprecedented wave of regulations that businesses must navigate, including the AI Act, NIS 2 Directive, Data Act, and DORA. In this episode of Diritto al Digitale, Giulio Coraggio explores the complexities of these laws, highlights key compliance themes, and presents a practical framework to simplify obligations and enhance efficiency. Learn how to turn these challenges into strategic opportunities and thrive in the era of European Union digital transformation. Listen to the podcast here.

 

AI and Data Protection

When is an AI system anonymous? Privacy implications

On 18 December 2024, the European Data Protection Board (EDPB) published an opinion addressing critical issues at the intersection of Regulation (EU) 2018/679 (GDPR) and AI, including the anonymization of AI systems.

The opinion provides an important framework clarifying when an AI system can be considered anonymous and what risks arise for entities involved in processing personal data when improperly anonymized AI systems are used.

Definition of anonymization under the GDPR for AI solutions

According to the opinion, an AI system can be considered anonymous when the likelihood of extracting personal data or re-identifying individuals using “reasonable means” is insignificant. This definition is particularly relevant because it emphasizes that merely removing personal data from a dataset is insufficient; the system must be designed to prevent any extraction of personal data.

For generative AI systems that produce textual or graphic outputs, anonymization is achieved only if the system:

  • doesn't accidentally reveal personal data during its normal operation;
  • is designed to resist targeted prompts, ie specific user queries aimed at extracting personal information or details about one or more individuals.

Anonymization involves not only removing personal data from the dataset but also designing the model and its functionalities. In this sense, even a system trained unlawfully can be fully anonymized if it guarantees that no personal data can be extracted from it.

Privacy implications for AI systems

The opinion connects the definition of an anonymous system with the broader context of privacy implications stemming from unlawful processing during the training phase and subsequent use of an AI system. This issue is particularly significant, as many companies use AI systems developed by third parties, assuming the role of data controllers for operations performed during the system's deployment (eg data collected while the AI system interacts with users).

The opinion distinguishes two main scenarios.

If the AI system is anonymous, personal data is no longer retained in the model and cannot be extracted under any circumstances. Even if unlawful processing occurred during the training phase, the subsequent deployment of the model doesn't involve processing personal data used during training. Consequently, this wouldn't affect the subsequent processing operations when deploying the model. For entities using an anonymous system, there are no risks associated with irregularities in the training phase. Still, any processing carried out as data controller during the deployment of the system must comply with GDPR principles.

If the AI system isn't anonymous and retains information about identified or identifiable individuals, violations during the training phase could affect subsequent processing. For example, if the initial unlawful processing was based on legitimate interest but this legal basis was compromised, subsequent processing activities might also be affected.

The opinion highlights the need to conduct thorough due diligence on the AI system to ensure the model was not developed through unlawfully processing personal data. Key factors to consider include:

  • the source of the data used for training
  • any findings by authorities or courts determining that the model resulted from a GDPR violation

These evaluations are critical because irregularities during the training phase may continue to pose risks to users even after training has concluded.

Conclusions

The EDPB's opinion highlights the critical need for GDPR compliance at every stage of an AI system's lifecycle, from training to deployment. It underscores the dual responsibility of data controllers involved in the training phase and those conducting processing operations as data controllers when using non-anonymous AI systems developed by third parties.

Both developers and users must adopt robust privacy safeguards to minimize risks. Recent penalties imposed on providers of generative AI systems demonstrate the importance of proactive measures to prevent violations, particularly through comprehensively assessing training processes.

For more on this topic, listen to the podcast "EDPB opinion on AI model Training: How to Address GDPR Compliance?"

Author: Federico Toscani

 

Intellectual Property

Empowering SMEs to protect trade secrets: The European Commission’s Cyber-Theft Prevention Toolkit

In today’s rapidly evolving digital landscape, safeguarding trade secrets from cyber threats has become an increasingly vital priority for small and medium-sized enterprises (SMEs).

In a globalized economy where information can spread instantaneously, the ability to protect and exploit trade secrets is a cornerstone of long-term business success and an essential component of intellectual property strategy. In response to this pressing need, the European Commission has developed a comprehensive cyber-theft prevention toolkit to equip SMEs with the essential tools and resources they need to effectively protect their valuable trade secrets.

Trade secrets are vital assets for businesses. They play a crucial role in ensuring and maintaining a company's competitive advantage.

The definition introduced by Directive (EU) 2016/943, which was implemented in article 98 of the Italian Industrial Property Code (Legislative Decree n. 30/2005), says information can be awarded trade secret protection if the information:

  • is secret, in the sense that it's not generally known among or readily accessible to persons that normally deal with the kind of information in question;
  • has commercial value because it's secret;
  • has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret.

Unlike other intellectual property rights, such as patents, trade secrets don't require public disclosure to be protected. So companies can safeguard valuable information such as formulas, manufacturing processes, and customer lists, for an indefinite period, if they remain confidential. The regime of protection for trade secrets enables businesses to reduce the risks and costs associated with formal intellectual property registration. This is a substantial advantage for startups and SMEs operating with constrained resources. Trade secrets have to be protected by robust security measures, so companies can get the edge on competitors and foster innovation by developing unique technologies and strategies that aren't easily replicable.

Despite the importance of protecting trade secrets, SMEs across Europe struggle with common challenges. According to data published by the European Commission, only 30% of SMEs consider intellectual property management software crucial in preventing cyber theft. Only 40% have formal plans for managing trade secret protection, including related policies and procedures. Just 26% of SMEs track and safeguard their trade secrets by documenting them in an internal registry, and only 55% have taken steps to limit access to confidential information from employees' personal devices. Alarmingly, 40% of SMEs perceive the risk of misappropriation and theft of trade secrets as low, highlighting a significant gap in awareness about current cyber-attack trends. Many SMEs complain of a lack of clear national guidance on essential cybersecurity requirements.

To address these challenges, the European Commission has produced a toolkit with a range of resources, including guidelines outlining best practices for securing trade secrets and increasing awareness of cyber theft risks. The toolkit also includes training courses for employees to identify and prevent cyber threats, and interactive tools that provide insights into the motivations of cyber criminals, the potential impact of cyber theft, which can result in significant financial losses and damage to reputation, and various cybersecurity attack methods.

The European Commission's guidelines stress the importance of identifying trade secrets, determining what information is vital for a company's competitive advantage, and what, if lost or stolen, would harm the organization. SMEs have to assess strategic risks, evaluate supply chain security, and establish clear security governance, ensuring staff are trained to handle sensitive information. Companies should be vigilant about insider threats, educate employees on recognizing information theft, and manage data environments with strong access controls. Additionally, SMEs should regularly update security defences and incident response plans, maintaining robust defences against cyber threats targeting trade secrets.

Given the attention now devoted to trade secret protection, DLA Piper has developed the Trade Secrets Scorebox, a jurisdiction-neutral tool based on EU law that gives an overview of the maturity level of the respondent's organization regarding trade secrets protection. The tool provides a guided analysis by testing several areas of interest, including awareness of trade secrets within a company and the implementation of a dedicated strategy. Access the Trade Secrets Scorebox here.

By using these resources, SMEs can start strengthening their trade secrets strategy, including setting up defences against cyber threats and ensuring the sustainability of their businesses in an increasingly digital world.

Author: Chiara D'Onofrio

 

European Union Intellectual Property Office publishes latest report on online copyright infringement in the EU

The European Union Intellectual Property Office (EUIPO) has published its latest report on "Online copyright infringement in the European Union." The report focuses on films, music, publications, software and TV content.

The report follows several pieces of work the EUIPO has produced on the evolution of online copyright infringement in 2019, 2021 and 2023. The new report delves deeper into the intricacies of copyright infringement, taking into account the latest trends and data up to 2023.

The 2024 report offers a detailed analysis of web-based illegal consumption of protected TV, music, film, software and publications content in EU member states. It also introduces a three-year focus (2021-2023) on software and publication piracy, which previously weren't at the centre of the EUIPO's attention.

The report is structured into two principal sections. The first is a descriptive analysis of the data, helping readers understand the patterns of digital piracy. The second section focuses on the econometric analysis of the data, presenting a statistical examination of the socio-economic variables influencing piracy in EU member states.

According to the data analysed by the EUIPO, the extent of TV piracy in EU member states stabilised in 2023 at 5.1 accesses per internet user per month. But the data shows an inconsistent situation across the EU, as the impact of TV piracy and the relevant data differ vastly among the member states. Streaming remains the most common means of infringement and desktop devices are used more than mobile devices for pirated TV content, accounting for around 60% of total accesses.

Significantly, film piracy in the EU decreased by about 25% in 2023, with an average of 0.9 accesses per internet user per month. Streaming accounts for 74% of accesses, followed by torrenting. Desktops are the preferred devices, but mobile devices follow closely, according to the data.

By contrast, and not surprisingly, software piracy in the EU increased by 6% in 2023, with an average of 0.9 accesses per internet user per month. Mobile software, including games, is the most pirated genre.

Researchers found that music piracy closed 2023 at 0.6 accesses per internet user per month in the EU, which is slightly above 2022 levels. The preferred method for accessing pirated music is ripping, which accounts for nearly half of all the accesses to pirated music in 2023. However, there are substantial differences regarding the preferred methods for pirated music consumption across the 27 EU member states.

The report shows that online copyright infringement is a complex and multifaceted phenomenon, with trends shifting over time. And, according to the econometric analysis carried out by the EUIPO, economic and social factors can cause an increase or decrease in online piracy.

Another crucial finding of the report is that the volume of legal offers available in the member states contributes to reducing piracy in almost all domains.

Author: Federico Maria Di Vizio

 

Legal Tech Bites – Expert insights on the latest trends and innovations

Implementing AI in legal operations is a complex challenge and an extraordinary opportunity for in-house legal teams. It’s essential to approach AI strategically to harness its full potential, identifying areas where it can genuinely enhance efficiency while maintaining the high standards of legal work.

In 2024, I had the privilege of designing and testing several AI-driven solutions, transforming our workspace into an innovative testing ground. Below, I share key use cases I developed and piloted in beta versions for internal testing. These solutions are already operational, demonstrating how AI can revolutionize the legal profession, streamline processes, and deliver a tangible competitive advantage.

ROI Calculator for LegalTech Investments: getting approval for LegalTech investments requires being able to calculate the potential benefits accurately, but traditional ROI calculations weren't capturing all the benefits unique to legal technology. So I developed a Legal Tech ROI calculation methodology and a specialized calculator that accounts for both direct cost savings and harder-to-quantify benefits like risk reduction and improved legal service delivery. The tool:

  • performs comprehensive cost analysis, including licenses, research time, proof of concept, training, and implementation;
  • evaluates benefits through multiple metrics including productivity gains, risk reduction, and customer satisfaction;
  • generates detailed ROI projections and reporting for different stakeholder audiences.

In-house legal teams often struggle to justify technology investments to management. This tool provides a structured methodology to quantify both tangible and intangible benefits of LegalTech solutions, facilitating the approval of strategic investments and enabling firms to monitor their actual return over time.

Information Visualization for regulatory trends: analyzing the Italian Data Protection Authority's long and complex annual reports from 2021-2023 is time-consuming. Identifying meaningful patterns in enforcement decisions and focus areas requires significant effort. So I created a data visualization tool that transforms these complex reports into clear insights by automatically extracting and analyzing key data points to reveal emerging trends in privacy enforcement and regulatory priorities. The platform:

  • automatically processes and visualizes enforcement statistics from Garante's reports;
  • generates dynamic comparisons of fines, violations, and focus areas across years;
  • provides interactive dashboards showing evolution of regulatory priorities;
  • enables detailed analysis of specific enforcement patterns and decision rationales.

Effective data visualization is crucial for communicating trends and insights to management and stakeholders. This tool can be adapted to monitor any type of relevant legal data, from litigation statistics to compliance KPIs, making complex information immediately understandable and facilitating decision-making processes.

Interactive AI Audit Checklist: after the EDPB released their AI audit framework, I noticed how time-consuming it was to manually complete the assessments for each AI system in use. The process was prone to inconsistencies, and it was difficult to track progress across multiple audits. So, I built an automated system that:

  • guides users through a structured audit workflow;
  • automatically generates risk scores based on input data;
  • maintains comprehensive audit trails and documentation;
  • provides configurable assessment criteria and weightings.

With increasing AI use in companies, legal teams have to ensure compliance for a growing number of systems. This tool automates and standardizes the audit process, significantly reducing the time needed for assessments and ensuring a consistent and documented approach to AI compliance.

In 2025, our laboratory will continue exploring new ways to apply AI in the legal sector, focusing on finding the most practical and innovative use cases. Legal professionals interested in learning more are welcome to contact me for a hands-on demonstration of our tools and to join the lab’s ongoing efforts. In the next update, we’ll share additional use cases and fresh insights into how AI is transforming the legal profession.

Author: Tommaso Ricci


Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Carlotta Busani, Giorgia Carneri, Noemi Canova, Gabriele Cattaneo, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Deborah Paracchini, Maria Vittoria Pessina, Marianna Riedo, Tommaso Ricci, Rebecca Rossi, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna, Matilde Losa and Arianna Porretti.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about “Transfer”, the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and check out a DLA Piper publication outlining Gambling regulation here, as well as a report analyzing key legal issues arising from the metaverse here, and a comparative guide to regulations on lootboxes here.
