The future of GDPR? Focus on Automated Decisions

Legal news, , , , , , ,

The Digital Omnibus Proposal.  The so called “Digital Omnibus” regulation proposal promises to lighten the burden of compliance with data protection legislation. Its aim is “to ensure that the rules continue to be fit for supporting innovation and growth”. Europe is not giving up on privacy, but it is willing to simplify it.

EDPB and EDPS Chime In.  The proposal, published in November 2025, has recently been the subject matter of a joint opinion by the European Data Protection Board and the European Data Protection Supervisor. While these two bodies are apparently in favor of facilitating GDPR compliance and strengthening consistency in its application, they express significant concerns regarding the impact of the changes on the fundamental rights and freedoms of individuals. They also fear that the proposal will create additional legal uncertainties.

The GDPR of the Future.  Gitti and Partners is embarking in a series of blog posts to explain what the GDPR may look like if the Digital Omnibus proposal becomes law. Today we focus on changes to the provision on automated decisions.

Automated Decisions: from Right to Prohibition.  Article 22 of the current GDPR regulates automated individual decision-making. The current language of the provision frames the rule as a “right”: a data subject is entitled not to be subject to a decision based solely on automated processing, unless certain conditions apply. The new proposal, instead, shapes a similar rule as a prohibition.

Conditions for Automated Decisions.  The new proposal reads (new language highlighted in yellow): “1. A decision which produces legal effects for a data subject or similarly significantly affects him or her may be based solely on automated processing, including profiling, only where that decision: (a) is necessary for entering into, or performance of, a contract between the data subject and a data controller regardless of whether the decision could be taken otherwise than by solely automated means. […]”

While – as before – the automated decision is legitimate if necessary to enter into or perform a contract with the data subject, the novelty is that the necessity of the automated decision can be assessed “regardless of whether the decision could be taken otherwise than by solely automated means”. Therefore:

  • An automated decision that does not produce any legal effects is fine.
  • An automated decision producing legal effects may be based on automated processing only if the decision is necessary to enter into or perform a contract with the data subject.
  • No automated decision is allowed unless it is necessary to enter or perform a contract with the data subject.
  • In order to add certainty to the interpretation of the requirement of “necessity”, the proposal clarifies that the decision may be regarded as necessary also if the decision could be made by a human. In the words of the EDPB/EDPS opinion, “the requirement of necessity does not mean that the mere fact that a decision could theoretically also be taken by a human should prevent the controller from taking the decision by solely automated means”.
  • In short, “The fact that the decision could also be taken by a human does not prevent the controller from taking the decision by solely automated processing” (recital (38) of the Digital Omnibus proposal).

Bottom line: the data controller may choose a human decision process or an automated decision process so long as they are necessary to enter into or perform a contract with the data subject.

In conclusion, as shown in the “AI First” policy, the EU is now worried that AI may not be fully exploited. The above changes are supposed to encourage automated decisions even if such decisions could be taken by a human being.

Stay tuned for more angles of the Digital Omnibus.

Privacy vs. freedom of the press: 3 Italian cases you need to know about

Legal news, ,

2026 kicked off with three significant decisions by Italian authorities that shed light on where journalism ends and privacy begins. Here’s what you need to know. The common thread?Private information can only be shared when there’s a genuine public interest at stake.

SANGIULIANO CASE. On January 22, 2026, the Court of Rome threw out a Euro 150,000 fine that the Italian Data Protection Authority had slapped on public broadcaster RAI. The offense? Airing a private phone call between former Culture Minister Sangiuliano and his wife on the investigative show “Report”. The call touched on the Minister’s alleged affair and his wife’s demand to revoke institutional appointments supposedly given to the other woman.

The Court’s verdict? The broadcast served a legitimate public interest. Yes, the content was personal, but it raised serious questions about whether top government appointments were being handed out based on personal relationships rather than merit. In the Court’s own words, the conversations touched upon “a topic which is certainly of public interest, relating to the possibility that the assignment of high institutional positions may be influenced by matters of a purely personal nature”.

SIGNORINI CASE. Just four days later, on January 26, 2026, the Court of Milan took swift action against Mr. Corona, ordering the immediate takedown of all defamatory content he had posted about Mr. Signorini on his podcast “Falsissimo“. This included private conversations, intimate photos, and sexually explicit material. The Court also prohibited any further dissemination.

The Court expressly excluded the applicability of the right to privacy under Article 21 of the Italian Constitution, finding that no public interest existed that was capable of justifying such a serious intrusion into personal privacy. It emphasized that the disseminated material concerned exclusively Mr. Signorini’s sexual preferences and habits, which, in themselves, do not constitute matters of public concern. Moreover, the Court did not find sufficient evidence supporting Mr. Corona’s claim that the disclosures revealed a system of sexual blackmail within the entertainment industry. Lastly, the Court noted that Mr. Corona is not a journalist and therefore cannot benefit from the constitutional safeguards afforded to the press.

GARLASCO CASE. On January 30, 2026, the Italian Data Protection Authority issued a formal measure addressed to journalists, warning against the disclosure of names and personal details in media reconstructions of the Garlasco case that go beyond what is strictly necessary for informational purposes. The Authority noted that the level of detail in some articles and TV coverage was turning legitimate news into a “morbid spectacle.” This kind of reporting, they warned, violates the principle of essentiality of information and breaches both data protection laws and journalistic ethics.

Despite their different facts, all three decisions reaffirm a core principle of Italian case law: privacy is constitutionally protected, but it’s not absolute. Courts must always balance it against other fundamental rights, especially press freedom.

The bottom line? Sharing private information is only acceptable when there’s a concrete and legitimate public interest.

A More Volatile World: The Digital Omnibus

Legal news, , , , , , , ,

On November 19, 2025, the European Commission unveiled a landmark proposal: the Digital Omnibus Regulation. This initiative is not just another legislative tweak – it signals a philosophical shift in how Europe approaches digital regulation. In a world increasingly defined by volatility, complexity, and rapid technological change, the Commission seems to be saying: “We’ve heard you – let’s regulate, but let’s make it easier to comply.”

Why Now? The Context Behind the ‘Digital Omnibus’

The proposal comes against a backdrop of mounting pressure on Europe’s competitiveness. In his now-famous “Please, do something” speech to the European Parliament, Mario Draghi urged EU institutions to act decisively to restore Europe’s ability to innovate and compete globally. Could the Digital Omnibus be seen as a response to this heartfelt appeal?

For years, the EU has been a global pioneer in digital regulation – think GDPR, AI Act, Data Act, Digital Services Act (DSA), Digital Markets Act (DMA), NIS2, and more. But this success has come at a cost: fragmentation, complexity, and heavy compliance burdens. Businesses have struggled to navigate overlapping obligations. The Digital Omnibus is designed to change that. In the “explanatory memorandum” to the Digital Omnibus, the Commission emblematically acknowledges, for instance, that “some entities, especially smaller companies and associations with a low number of non-intensive, often low-risk data processing operations, expressed concerns regarding the application of some obligations of the GDPR”.

The ‘Digital Omnibus’ Proposal

The proposal introduces technical amendments and structural simplifications across a wide range of legislation, including:

  • General Data Protection Regulation (GDPR)
  • AI Act
  • Data Act
  • ePrivacy Directive
  • NIS2 Directive
  • Data Governance Act
  • Free Flow of Non-Personal Data Regulation
  • Platform-to-Business (P2B) Regulation (to be repealed

Key Highlights

  • GDPR Simplification:
    • Clarifies the definition of personal data
    • Supports controllers with respect to the criteria and means to determine whether data resulting from pseudonymization does not constitute personal data
    • Introduces flexibility for AI development: processing personal data for AI training under “legitimate interest,” with safeguards.
    • Modernizes cookie consent rules – centralized browser settings to end “cookie fatigue.”
  • AI Act Adjustments:
    • Expands regulatory sandboxes and simplifies compliance for SMEs and mid-cap companies.
    • Clarifies the interplay between the AI Act and other EU legislation
    • Introduces an obligation on the Commission and Member States to foster AI literacy
  • Incident Reporting:
    • Creates a single-entry point for incident notifications under GDPR, NIS2, DORA, and CER – ending duplicative reporting.

A New Philosophy?

There are strong indications that the “Digital Omnibus” is more than a mere technical adjustment and may represents a strategic shift in EU “digital law”. The proposals will now proceed to the European Parliament and the Council for deliberation. It remains to be seen whether words will be turned into action.

Italy’s New AI Law: A Boost for Healthcare Research?

Legal news, , , , , , , , , , , ,

Italy has recently enacted its own “Artificial Intelligence Act”, set to take effect on October 10, 2025.

You might be wondering: Did we really need another layer of AI regulation? That was our initial reaction, too. But a closer look reveals that the Italian AI Law introduces several interesting provisions, especially in the healthcare sector, that could facilitate research for both public and private entities. Here are some highlights:

1. Healthcare Data Processing as Based on Public Interest

The law explicitly recognizes that the processing of health-related personal data by:

  • Public or private non-profit entities,
  • Research hospitals (IRCCS),
  • Private entities collaborating with the above for healthcare research,

is of “substantial public interest.” This significantly expands the scope of Article 9(2)(g) of the GDPR, offering a clearer legal basis for processing sensitive data in research contexts.

2. Secondary Use of Data

The law introduces a simplified regime for the secondary use of personal data without direct identifiers. In particular:

  • No new consent required, as long as data subjects are informed (even via a website).
  • Automatic authorization unless blocked by the Data Protection Authority within 30 days of notification.

This provision applies only to the entities mentioned above so it is limited in scope, but in any case significantly strengthens the framework for nonprofit research projects.

3. Freedom to Anonymize, Pseudonymize and Synthesize

Under Article 8(4) of the AI Law, processing data for anonymization, pseudonymization, or synthesization is always permitted, provided the data subject is informed. This is a major step forward in enabling privacy-preserving AI research.

4. Guidelines and Governance

The law delegates the creation of technical guidelines to:

  • AGENAS – for anonymization and synthetic data generation.
  • Ministry of Health – for processing health data in research, including AI applications.

It also establishes a national AI platform at AGENAS, which will act as the data controller for personal data collected and generated within the platform.

Final Thoughts

While the GDPR aimed to support research, its implementation often created legal uncertainty and operational hurdles. Italy’s AI Law appears to address some of these gaps, offering a more pragmatic and enabling framework for healthcare research.

European Biotech Week 2025 Webinars

Legal news, , , , ,

We hope you had a refreshing and inspiring summer! Hopefully you are fully recharged and ready to dive into the webinars we’ve organized for the European Biotech Week 2025 — a week dedicated to showcasing the power of biotech in improving lives, driving innovation, and shaping a sustainable future.

Curious about the interaction between the AI Act and the Medical Device Regulation? Join us and life sciences experts of the Alliance of European Life Sciences Law Firms for a lively discussion on September 30 (in English) https://www.linkedin.com/feed/update/urn:li:activity:7371220934059450368

Interested to hear how scientists view “biosolutions” and their impact on the future? https://www.womentech.eu/eventi/il-futuro-del-biotech-scienza-per-le-generazioni-che-verranno/ on October 1 is the place to be. This will be a fascinating 360-degree review (in Italian) of what biotech can achieve, and about obstacles to the adoption of biotech scientific solutions. Professors Gardossi and Abbracchio, along with biotech entrepreneur Elena Sgaravatti, will enlighten us.

Focused on life sciences legislation and worried that you may have missed anything new? Head to the hybrid event at our offices (Via Dante 9 – Milan) or online held by our team on October 2 (in Italian) that will tackle the pharma reform, shortages of pharma products, intelligent devices and a new decision on anonymized personal data: https://www.grplex.com/it/convegni/download/1537/life-sciences-tutte-le-novita-normative-del-2025

Hope to see you there!

WHAT’S NEW IN THE UPDATED GUIDELINES ON MEDICAL DEVICE ADVERTISING?

Legal news

The Italian Ministry of Health has published new guidelines on advertising of medical devices (“Guidelines”), which replace all previous guidelines issued by the Ministry over the years.

  • WHAT’S NEW?
  • Advertising aimed at healthcare professionals

When advertising is directed at HCPs, the following requirements must be met:

  • A disclaimer must be included stating that the content is intended exclusively for HCPs; but also
  • a “pop-up” message and/or similar technologies must be implemented to require users to confirm that they are HCPs before accessing the advertising content.
  • Content of the advertising message

Each advertising message must include the following wording: “It is a CE medical device (including the notified body number, if applicable). Read the warnings or instructions for use carefully. Ministerial Authorization of dd/mm/yyyyy”.

  • Expanding use of social networks – including TikTok

The list of approved social networks for medical devices advertising now includes TikTok. However, the following features must be disabled:

  1. Comment function;
  2. Duet function (which allows the user to post his/her video side-by-side with a video from another creator);
  3. Stitch function (which allows a user to crop and integrate scenes from another user’s video into his/her own video).
  • ANY ADVANTAGES FOR COMPANIES?
  • Simplified compliance. Companies now benefit from a single, consolidated regulatory framework gathering all the regulations concerning medical devices’ advertising.
  • Broader digital scope. The inclusion of platforms like TikTok increases the scope of digital channels where advertisement of medical devices is regulated. Regrettably, rules on LinkedIn are lacking.
  • Other marketing channels. The Ministry of Health may admit the use of additional social networks (beyond Facebook, Instagram, YouTube, and TikTok), subject to prior authorization.

Bottom line: a consolidated document is certainly helpful, but we do not understand the choice not to regulate LinkedIn, the channel where the boundary between corporate communication and advertisement of medical devices is more problematic.

What if hospitals don’t pay?

Legal news, ,

Many of our clients encounter challenging dilemmas when public hospitals fail to reimburse the supplies they provide. Our seminar, held yesterday in our auditorium, was designed to discuss risks and potential solutions.

We regret if you were unable to attend, particularly as it was followed by an enjoyable aperitivo. However, we have included the slides presented by our attorneys, Fabrizio Sardella, Damiano Pallottino, and Francesco Clerici, who offered an analysis of the topic from a criminal, administrative, and civil law perspective.

slidesDownload

NIS2: new guidance for companies

Legal news

On April 14, 2025, the National Cybersecurity Agency (“NCA”) published measure no. 164179 (“Measure”) to further implement the decree 138 of 2024 (“NIS2 Decree”).

  • What’s new?

With this Measure, the NCA has identified:

  • Security measures that companies must guarantee in case they are identified as an important subject (annex 1) or an essential subject (annex 2);
  • Types of significant incidents that companies must report, depending on whether they are classified as an important (annex 3) or essential subject (annex 4).
  • Since when?

The Measure will enter into force on 30 April 2025. However, companies will have:

  • 18 months from the communication of their inclusion on the NIS subject list to comply with these new security measures;
  • 9 months from the communication of inclusion on the NIS subject list to activate mechanisms to ensure the notification of incidents identified as significant.
  • As a company, what do you have to do now?
  • Wait for the NCA’s communication to verify if your company has been included in the NIS list;
  • In case of a positive answer, your company will be required to provide further information (such as member states where the service is carried out; name and contact details of a substitute for the point of contact) by May 31, 2025;
  • Implement, within 9 months from the communication of the inclusion on the NIS subject list, mechanisms for the notification of incidents expressly identified by NCA as “significant incidents”;
  • Implement, within 18 months from the communication of the inclusion on the NIS subject list, the security measures expressly identified by the NCA.