7 November 202419 minute read

Innovation Law Insights

7 November 2024
Podcast

Legal challenges of the Data Act with Stefano Leucci of Mobilisights

In this episode of Diritto al Digitale, Giulio Coraggio, Location Head of DLA Piper's Italian Intellectual Property and Technology Department, sat down with Stefano Leucci, the Head of Data Protection and Governance at Mobilisights, the data company of the Stellantis group, to explore the dynamic world of data sharing and the impact of the Data Act on businesses exploiting Internet of Things and connected technologies. You can listen here.

 

Artificial Intelligence

AI Agents: Legal Implications of Autonomous AI

The world of AI is rapidly evolving, and a new milestone has been reached with the launch of advanced AI agents, which creates significant legal considerations.

These agents are poised to transform our interaction with technology by not only responding to text commands but also performing actions on our computers as a human would: moving the cursor, typing, clicking, and reading the screen. Imagine a future where your computer doesn’t just answer your queries but actively assists you by navigating windows, filling out forms, and managing your tasks. While this represents a significant advancement in AI technology, it also brings forth a host of legal challenges that must be carefully addressed.

Beyond text: What do advanced AI agents do?

Traditional AI chatbots have been confined to responding within the boundaries of text. But the new generation of advanced AI agents breaks free from this limitation. Developers can now program AI that interacts directly with the computer environment, automating repetitive and mundane tasks. Although these systems are still in their infancy – prone to errors and operating at slower speeds – they signal the beginning of a shift towards AI agents handling more complex activities autonomously.

For instance, an AI agent could gather information from your computer and complete forms without human intervention. This might seem trivial, but the implications are far-reaching. Such capabilities could revolutionize productivity by offloading routine tasks from humans to AI agents, allowing individuals to focus on more strategic and creative endeavours.

Several tech giants and startups are investing in similar AI agent technologies. What sets these agents apart is their ability to act beyond text, directly interfacing with computer systems to manage intricate projects with greater autonomy.

Privacy and security concerns of AI agents

The advent of AI agents capable of operating our computers raises significant privacy and security issues. To function effectively, these agents require direct access to our devices, which poses risks of data breaches and unauthorized data transmission. There have been instances where companies delayed launching similar functionalities due to security concerns. Ensuring that user data is protected and used securely is paramount in the legal landscape of AI.

Moreover, granting such deep access to AI agents could inadvertently expose sensitive personal or corporate information. Without robust security measures, there's a heightened risk of malicious exploitation by cybercriminals who might hijack these agents for nefarious purposes.

This pivotal moment in the future of AI is happening just days before the European Data Protection Board’s event dedicated to AI models. Hopefully, data protection authorities will understand that generative AI, including advanced AI agents, is the future of our economy. Solutions need to be found to adequately balance protecting individuals with exploiting the technologies within the legal framework.

The liability cannot rest solely on providers of generative AI. Potential misuses are performed by deployers who may not have a clear understanding of the legal limits within which such technologies should be used.

Potential for misuse of AI agents

The power of advanced AI agents also opens the door to potential misuse. Autonomous navigation capabilities could be exploited for activities like spamming, phishing, or generating large-scale AI-created content that floods digital spaces. The ease with which these agents can perform tasks might enable the rapid dissemination of misinformation or the creation of fraudulent schemes.

This scenario underscores the necessity for clear, responsible management that needs to be implemented by setting out an internal AI governance framework, leading to precise internal rules and technical guardrails in AI usage. Developers and companies must implement safeguards to prevent abuse, such as strict authentication protocols, usage limits, and monitoring systems to detect and halt suspicious activities, all within legal boundaries.

Legal challenges to address

With the emergence of such potent AI agents, companies adopting these technologies must address several legal challenges that demand attention:

  • Data Protection and Privacy: How can we ensure AI agents don't access or transmit personal data outside the control of the company and without the relevant legal basis? Compliance with data protection laws like the GDPR becomes even more critical in the realm of AI.
  • Liability Issues: In cases where an AI agent makes an error or causes harm, determining liability becomes complex. Is it the developer, the user, or the AI agent itself? This poses significant legal questions that need clear answers.
  • Intellectual Property Rights: AI agents that create content or gather data from various sources may infringe on intellectual property rights, leading to legal disputes.
  • Regulatory Compliance: Existing laws might not adequately cover the capabilities of advanced AI agents. There’s a pressing need for updated regulations that address these new AI technologies within the current legal system.

Looking beyond the 'text box'

The shift from text-based AI to agents that can interact with our computers is a game-changer. While current versions may be imperfect, continual improvements will enable these AI agents to handle increasingly complex tasks. We can foresee a future where AI agents manage appointments, fill out forms, respond to emails, and even curate personalized news briefings without any manual input.

But embracing this future means we have to confront the accompanying legal and ethical implications. Security, privacy, and ethical use aren't just technical challenges but legal ones that require collaboration between technologists, legal experts, policymakers, and society at large.

Conclusion

The advent of advanced AI agents heralds an exciting new chapter in AI technology, offering unprecedented convenience and efficiency. But it also brings forth significant legal challenges that can't be overlooked. Addressing these issues is crucial to harnessing the full potential of AI agents while safeguarding users’ rights and maintaining public trust.

As we stand on the cusp of this technological revolution in AI, it's imperative to engage in open dialogue and proactive policymaking. By doing so, we can ensure that the integration of AI agents into our daily lives is both beneficial and responsible within the legal framework.

As mentioned above, whatever AI solution a company wants to adopt, a crucial step in the adoption relates to creating an AI governance framework. Feel free to contact us if you have any questions on the topic, and try our PRISCA AI Compliance tool described here.

Author: Giulio Coraggio

 

Data Protection and Cybersecurity

The NIS2 Directive now in force – What to do to comply?

On 16 October the Legislative Decree 138/2024, which transposes the NIS2 Directive, came into force.

In the coming months, entities required to comply with the new legislation must take steps to ensure they comply with their obligations under the Directive.

What is the NIS2 Directive?

The NIS2 Directive, which replaces the previous NIS1 Directive, is part of the EU Strategy to strengthen cybersecurity and establish common standards for critical services and infrastructure.

The legislation reflects the growing awareness of the risk that cybercrime poses to the economic and social stability of the EU by promoting collaboration among member states to raise cybersecurity standards.

Among its main obligations, the NIS2 Directive provides for:

  • adopting proportionate and appropriate cybersecurity risk management measures according to a multi-risk approach;
  • implementing due diligence in the supply chain, ensuring that suppliers also adopt good cybersecurity practices;
  • three-step reporting of “significant incidents,” performing initial notification within 24 hours of learning of the incident;
  • personal liability of members of governing and administrative bodies.

Which entities fall under the scope of the NIS2 Directive?

To determine whether an entity falls within the scope of the NIS2 Directive, it's essential to verify that it belongs to one of the identified sectors.

The scope of NIS2 is significantly broader than that of the NIS1 Directive and includes sectors such as managed services and managed security services, social media, waste management, food, cloud computing services, energy, and many others.

But belonging to one of the sectors under the NIS2 Directive is not in itself decisive. To fall within the scope of NIS2, the entity belonging to the sectors covered by NIS2 has to provide its services in the EU and meet the thresholds to be considered a “medium-sized enterprise,” as defined by Recommendation 2003/361/EC.

However, for entities that don't meet these thresholds, the Recommendation also considers the relationship with other “related” or “associated” enterprises. In essence, this means that even smaller organizations may fall within the scope of the NIS2 Directive if they can be considered related to another organization by virtue of factors such as voting rights of the parent company or common shareholders, or the exercise of a dominant influence over an affiliated or associated enterprise.

Next steps

According to the NIS2 application criteria described above, organizations required to comply will have to register on the digital platform that the ACN (the National Cybersecurity Agency) will make available from 1 December 2024. For some categories, such as domain name system service providers, cloud computing service providers, online marketplace providers and others, there's a tighter deadline for registration, set for 17 January 2025.

The operational modalities for registration will be defined in a special implementing measure of the ACN. This registration is essential to enable the ACN to keep track of entities operating in the monitored sectors and offer them support in implementing their obligations under NIS2.

Failure to register will result in an administrative penalty of up to 0.1% of the offending entity's annual global turnover.

This is without prejudice to ACN's ability to identify additional subjects deemed critical. These subjects will receive a specific direct communication, following which they can proceed with registration.

Following registration, in April 2025, registered subjects will receive a communication to confirm, or not, their inclusion in the list of NIS subjects.

Upcoming implementation measures for the NIS2 Directive

ACN has published a detailed timeline of the implementation measures that will be taken in the coming months to ensure full implementation of the NIS2 Directive. Specifically:

  • Within 30 days of the entry into force of Legislative Decree 138/2004:
    • DPCM on criteria for the application of the safeguard clause;
    • DPCM on any additional sector specifications;
    • ACN Determination on modalities for access to the platform and additional information to be shared by entities;
    • ACN Determination on governmental identifications of subjects in NIS application scope even in the absence of prescribed size requirements.
  • By 31 March 2025:
    • ACN Determination ordering the application of the safeguard clause, if necessary;
    • ACN Determination with list of NIS subjects.
  • Within six months from the effective date of Legislative Decree 138/2004:
    • DPCM on criteria, procedures and modalities for monitoring, supervision and enforcement activities;
    • DPCM on modalities for the application of litigation deflective instruments;
    • ACN Determination on national coordinated vulnerability disclosure policy;
    • ACN Determination on modalities of notification to ACN of sharing agreements between entities;
    • ACN determination on basic obligations.

Conclusions

The entry into force of the NIS2 Directive represents a significant breakthrough for cybersecurity in the EU, extending protection to increasingly strategic and vulnerable sectors. For affected companies, complying with these new requirements requires a thorough internal assessment and the adoption of proactive cybersecurity measures. It's essential for organizations to start now to check whether they fall within the Directive's new criteria, conducting the necessary assessments and preparing for the upcoming registration on the ACN platform.

Author: Cristina Criscuoli

 

Intellectual Property

Misleading invoices: New Munich Court ruling protects EUIPO customers

In September 2024, the Munich Court in Germany reached a landmark decision by finding three defendants guilty of commercial gang fraud. The case involved misleading invoices sent to EUIPO customers, designed to resemble official EU intellectual property fee notices. Each defendant received a prison sentence of one year and ten months, which was suspended with a three-year probation period. In addition, the court ordered the confiscation of nearly EUR200,000 – equivalent to the total amount the fraudsters had unlawfully obtained – to compensate affected individuals.

The EUIPO considers this an important legal precedent, marking the second time that a criminal court of an EU member state has qualified the sending of misleading payment requests to intellectual property (IP) system users as a criminal offence of fraud. This decision paves the way for ongoing and future investigations and indictments in other jurisdictions.

The case began in December 2020, when the EUIPO filed a criminal complaint with German authorities after receiving numerous reports from customers regarding suspicious invoices. The fraudulent scheme, operated under the name “IP Register UG,” involved letters sent to EUIPO customers bearing the misleading title “European IP Register.” The letters included “total due” amounts, payment deadlines, and bank details, resembling official EUIPO fee notices. Only a small, barely visible disclaimer at the bottom identified the payment as a proposal rather than an official invoice.

Between November 2020 and April 2021, the scheme netted approximately EUR200,000 from unsuspecting customers, highlighting the need for vigilance against such misleading requests.

This case joins a similar ruling from Sweden in 2017, where defendants were convicted of gross fraud for similar schemes. Together, these cases reinforce the position that fraudulent payment requests within the IP field constitute criminal fraud.

Stay vigilant against misleading payment requests

To better protect customers, EUIPO and WIPO have made searchable databases of scam letters and emails accessible on their website. These databases, updated regularly and shared across social media, help EUIPO and WIPO customers stay informed about fraudulent activities. Stay informed and safeguard your IP investments by checking each communication with your IP consultants.

Author: Tamara D'Angeli

 

Bologna Court of Appeal confirms authorization is needed for commercial use of historical images

The recent ruling by the Bologna Court of Appeal on 24 September 2024, reinforces the significance of the Italian Cultural Heritage Code (ICHC) in regulating the commercial use of images of cultural heritage. This decision highlights how the protection of Italian cultural assets intersects with commercial law requirements.

The Cultural Heritage Code and the valorization of historical images

Italian case law has established over the years the obligation to obtain authorization for the profit-driven use of images or symbols of national cultural heritage. Articles 107 and 108 of the ICHC stipulate that any commercial use of cultural assets requires prior consent from the competent authority and a fee, determined based on the type of use and the economic benefits generated. This principle was at the heart of a case involving a producer of Balsamic Vinegar from Modena, who was sued for using the image of the Duke d’Este owned by the Estense Gallery of Modena on his product packaging without authorization.

The case

In 2018, the Ministry of Culture initiated legal proceedings against the producer, asserting that this use violated the ICHC, which states commercial use of cultural assets on needs authorization from the public administration. The Bologna Court of First Instance sided with the Ministry, ordering the producer to pay damages of over EUR22,000 for each year of unauthorized use of the image. On appeal, the producer contested the legality of the ICHC, labelling it a sort of "copyright sui generis, of indefinite duration," which he argued conflicted with fundamental copyright principles and the Constitution, which protects economic freedom and promotes culture.

The Court of Appeal’s decision

The Court of Appeal upheld the ruling, clarifying that cultural assets enjoy a "right to image of a perpetual nature," akin to that of individuals. The court stated that "image rights certainly extend to cultural heritage assets, given their collective value." Consequently, any unauthorized commercial use constitutes damage to this value, deserving of compensation.

The court also dismissed the notion that the ICHC creates a "sui generis copyright," explaining that the administrative protection of the Code isn't comparable to copyright, as its purpose is "to safeguard the memory of the national community and territory and to promote cultural development," in line with Article 9 of the Constitution.

Additionally, the ruling references the jurisprudence of the Court of Justice of the European Union (CJEU) (Commission v. Italy, C-180/89), which holds that the preservation of historical and artistic heritage may justify restrictions on the freedom to provide services, supporting the public interest in protecting cultural assets.

Conclusions

This decision underscores a consolidated trend in Italian jurisprudence regarding the protection of cultural assets, granting them a sort of "perpetual image right." The ruling emphasizes the importance of administrative oversight over the commercial use of Italian cultural heritage, serving as a clear warning to businesses intending to use images of cultural assets for commercial purposes without prior authorization.

Author: Maria Vittoria Pessina

 

Louis Vuitton wins legal battle over 'Toile Monogram' trademark

Louis Vuitton has successfully blocked the registration of a trademark bearing visual similarities to its famous "Toile Monogram" trademark. The European Union Intellectual Property Office (EUIPO) rejected the application filed by a Chinese citizen, emphasizing the protection afforded to iconic luxury brands against attempts to exploit their prestige.

The background of the case

The case began in February 2023 when the applicant sought to register a pattern containing floral elements and the letters “B” and “R,” prompting a swift opposition from Louis Vuitton. The luxury fashion house argued that the trademark would unfairly capitalize on the established reputation of its iconic "Toile Monogram," which has been synonymous with the brand's identity and a symbol of luxury and prestige since 1896. Louis Vuitton objected under Article 8(5) of the EU Trademark Regulation (EUTMR), arguing that the opposed sign would dilute its trademark and take unfair advantage of its established reputation.

Reputation and unfair advantage under Article 8(5) EUTMR

The case hinged on Article 8(5) of the EUTMR, which allows a registered trademark owner to oppose the registration of a new trademark if it takes unfair advantage of the reputation of the existing mark, even if there is no direct confusion between the two signs.

The EUIPO sided with Louis Vuitton, emphasizing the importance of protecting well-known trademarks from misuse by third parties. Central to the decision was the reputation that Louis Vuitton’s monogram enjoys across the EU, particularly in France and Italy. The luxury brand provided extensive evidence, including media articles, advertising campaigns, and participation in high-profile events such as the FIFA World Cup and Formula 1 Monaco Grand Prix. This evidence demonstrated that the monogram had been widely used in connection with luxury products like handbags, luggage, and clothing.

According to the EUIPO, reputation in this context is defined as a level of recognition that extends beyond mere market presence. The opposition division determined that Louis Vuitton's monogram had achieved the necessary threshold of recognition, holding significant market share and a widespread reputation, particularly in the leather goods and fashion industries.

Visual and conceptual similarity

The visual similarity between the two signs was also a key factor in the EUIPO's decision. Despite minor differences, the EUIPO found that the structure and elements of the applicant's sign were close enough to create confusion. Both trademarks featured repeating floral patterns and stars, which could lead consumers to associate the applicant's goods with Louis Vuitton's high-end products.

The EUIPO’s decision also reflected concerns about a potential mental link between the two trademarks, given the overlapping product categories – primarily bags, clothing, and accessories.

Risk of free-riding

The ruling emphasized that allowing the applicant’s trademark registration would likely result in "free-riding" on Louis Vuitton’s reputation. By using a pattern similar to the luxury brand’s well-established monogram, the applicant's products stood to gain an unwarranted commercial advantage without making significant marketing or advertising investments. This form of free-riding would give the applicant’s products an aura of luxury and exclusivity, qualities closely associated with Louis Vuitton.

A broader message on trademark protection

This case highlights the robustness of trademark protections for luxury brands in the EU. Louis Vuitton's success in blocking the opposed application underlines the value of reputation in trademark law and the importance of preventing third parties from exploiting the goodwill of established brands. It also reflects the EUIPO's commitment to protecting the distinctiveness of well-known trademarks from being diluted by similar signs.

Author: Valentina Mazza


Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo BardelliCarolina BattistellaCarlotta BusaniGiorgia Carneri, Noemi Canova, Gabriele Cattaneo, Maria Rita CormaciCamila CrisciCristina CriscuoliTamara D’AngeliChiara D’OnofrioFederico Maria Di VizioNadia FeolaLaura GastaldiVincenzo GiuffréNicola LandolfiGiacomo LusardiValentina MazzaLara MastrangeloMaria Chiara MeneghettiDeborah ParacchiniMaria Vittoria Pessina, Marianna RiedoTommaso RicciRebecca RossiRoxana SmeriaMassimiliano Tiberio, Federico Toscani,  Federico Toscani, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’AndreaFlaminia Perna and Matilde Losa.

For further information on the topics covered, please contact the partners Giulio CoraggioMarco de MorpurgoGualtiero DragottiAlessandro FerrariRoberto ValentiElena VareseAlessandro Boso CarettaGinevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about “Transfer”, the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and check out a DLA Piper publication outlining Gambling regulation here, as well as a report analyzing key legal issues arising from the metaverse qui, and a comparative guide to regulations on lootboxes here.

If you no longer wish to receive Innovation Law Insights or would like to subscribe, please email Silvia Molignani.

Print