All posts by Leonardo Moscati

A More Volatile World: The Digital Omnibus

On November 19, 2025, the European Commission unveiled a landmark proposal: the Digital Omnibus Regulation. This initiative is not just another legislative tweak – it signals a philosophical shift in how Europe approaches digital regulation. In a world increasingly defined by volatility, complexity, and rapid technological change, the Commission seems to be saying: “We’ve heard you – let’s regulate, but let’s make it easier to comply.”

Why Now? The Context Behind the ‘Digital Omnibus’

The proposal comes against a backdrop of mounting pressure on Europe’s competitiveness. In his now-famous “Please, do something” speech to the European Parliament, Mario Draghi urged EU institutions to act decisively to restore Europe’s ability to innovate and compete globally. Could the Digital Omnibus be seen as a response to this heartfelt appeal?

For years, the EU has been a global pioneer in digital regulation – think GDPR, AI Act, Data Act, Digital Services Act (DSA), Digital Markets Act (DMA), NIS2, and more. But this success has come at a cost: fragmentation, complexity, and heavy compliance burdens. Businesses have struggled to navigate overlapping obligations. The Digital Omnibus is designed to change that. In the explanatory memorandum to the Digital Omnibus, the Commission tellingly acknowledges, for instance, that “some entities, especially smaller companies and associations with a low number of non-intensive, often low-risk data processing operations, expressed concerns regarding the application of some obligations of the GDPR”.

The ‘Digital Omnibus’ Proposal

The proposal introduces technical amendments and structural simplifications across a wide range of legislation, including:

  • General Data Protection Regulation (GDPR)
  • AI Act
  • Data Act
  • ePrivacy Directive
  • NIS2 Directive
  • Data Governance Act
  • Free Flow of Non-Personal Data Regulation
  • Platform-to-Business (P2B) Regulation (to be repealed)

Key Highlights

  • GDPR Simplification:
    • Clarifies the definition of personal data.
    • Gives controllers criteria and means for determining when data resulting from pseudonymisation no longer constitutes personal data.
    • Introduces flexibility for AI development: processing personal data for AI training under “legitimate interest,” subject to safeguards.
    • Modernises cookie consent rules – centralised browser settings to end “cookie fatigue.”
  • AI Act Adjustments:
    • Expands regulatory sandboxes and simplifies compliance for SMEs and mid-cap companies.
    • Clarifies the interplay between the AI Act and other EU legislation.
    • Introduces an obligation on the Commission and Member States to foster AI literacy.
  • Incident Reporting:
    • Creates a single entry point for incident notifications under the GDPR, NIS2, DORA and CER – ending duplicative reporting of the same incident to several authorities.

A New Philosophy?

There are strong indications that the “Digital Omnibus” is more than a mere technical adjustment and may represent a strategic shift in EU “digital law”. The proposal will now proceed to the European Parliament and the Council for deliberation. It remains to be seen whether words will be turned into action.

Regulation On Space Activities Under Parliamentary Examination

When it comes to human activities in space, a paradigm shift is currently taking place. Government authorities, instead of operating on their own, increasingly opt for multiple forms of interaction with private operators, while the latter are keen to invest in order to ultimately conduct space activities partially independently of governments. The involvement of private actors in space missions is driven by technological progress and by the view of space as an economic asset.

This phenomenon implies the need for new regulations, shaping the peculiarities of the relationship between governments and private entities, while avoiding any overregulation that would constrain a rising market. The matter is, in fact, sensitive:

1) States – while wishing to interact with private entities and boost the “space economy” – are bound by international treaties and agreements.

2) Private entities need a clear delimitation of the perimeter in which they can profitably intervene, with legal certainty on the allocation of responsibilities. 

3) States and private entities ultimately need each other to harness the inherent potential of space economy. 

Today, space laws regulating the relationship between States and private operators have been adopted by more than 40 countries. Generally, States opt for an authorization system either for specific missions or for a fixed period of time.

Italy still lacks specific legislation on the matter, being merely a party to the international treaties that regulate States’ access to outer space and space resources.

Additionally, Article 189 of the Treaty on the Functioning of the European Union excludes any harmonisation of the laws and regulations of EU member states in space-related policies. Thus, member states must ultimately rely on their own resources to regulate the space economy.

The good news is that the Italian Parliament is currently examining a bill, introduced on September 10, 2024, potentially able to fill the regulatory void.

Specifically:

  1. the regulation would apply to space activities carried out both by operators of any nationality in Italian territory and by Italian national operators outside Italian territory;
  2. the relevant space activities virtually concern all possible extra-atmospheric human activities and are subject to authorization issued by the Government, which may involve a single space activity or several space activities of the same type or several interrelated space activities of different types;
  3. issuance of authorization is subject to objective (safety of space activities, resilience of infrastructure and, interestingly enough, environmental sustainability) and subjective criteria (including having an insurance contract and financial soundness). However, the Government’s power to deny authorization is broad and highly discretionary: authorization is in fact denied if space activity is detrimental to national interests or if there is any link between the space operator and non-democratic states.

The proposed regime for the allocation of liabilities makes the operator liable for damage caused to third parties on the earth’s surface as well as to aircraft in flight and to persons and property on board such aircraft. Liability is excluded only if the operator proves that the damage was caused exclusively and maliciously by a third party – unrelated to the space activity – and that it could not have been prevented.

Furthermore, the Italian Government will be entitled to exercise a right of recourse against the space operator who caused damage to persons or property.

Will Parliament consider this framework enough to get the ball of the space economy rolling? Stay tuned for the parliamentary progress of this piece of legislation.

Substances of Human Origin (or SoHO): the New EU Regulation

PURPOSE OF THE NEW REGULATION. On June 13, 2024, the European Parliament and the Council adopted a new regulation on the substances of human origin (so-called SoHO), repealing Directives 2002/98/EC and 2004/23/EC. The new regulation:

  • was necessary because previous directives only partially managed to harmonize member states’ legislation on cells, tissues and blood; also, a new definition of SoHO was needed;
  • introduces mechanisms to grant continuity and resilience of SoHO supplies and to facilitate EU cross border exchanges and access to SoHO;
  • enhances the safety of donors and recipients (including offspring born from medically assisted procreation).

WHAT IS A ‘SOHO’? A SoHO is now defined as “any substance collected from the human body, whether or not it contains cells and whether or not those cells are alive, including SoHO preparations resulting from the processing of the above-mentioned substance”. The definition has been expanded to include breast milk and gut microbiota, as well as blood preparations different from those used for transfusions. Any future SoHO will be automatically included in the regulation. The regulation also defines SoHO preparation as a SoHO subjected to processing, with a specific clinical indication, intended for human application on a recipient or for distribution.

WHO DEALS WITH SOHO? The regulation also defines which will be the main actors in the organizational chain from SoHO donation to application. Specifically:

  • A SoHO entity is a legal entity established in the EU that carries out SoHO-related activities (e.g. collection, processing, control, storage, release, distribution, import, export, application on human beings, clinical studies and outcome recording on SoHO preparations);
  • A SoHO establishment is a SoHO entity that carries out one of the following SoHO-related activities: A) both processing and storage; B) release; C) import; D) export;
  • Competent authorities for SoHO are appointed by each member state and 1) maintain the registry of SoHO entities, 2) deal with the authorisation process for SoHO establishments and SoHO preparations, 3) carry out inspections and evaluate plans for monitoring clinical outcomes.

WHEN? The regulation will be enforceable by mid-2027.

TAKEAWAYS. Apparently, it is science-friendly as the definition of SoHO will be broader and more flexible than before. Also, in view of its structure, there is hope that it will succeed in ensuring more uniformity and granting an enhanced minimum level of safety across EU.

Your Face at the Airport: the EDPB Weighs in on Face Boarding

As you wander around an airport waiting to travel for the summer, you may notice that your image is captured by various devices. This process, known as facial recognition or “face boarding”, has recently been the subject of an opinion by the European Data Protection Board (EDPB, https://www.edpb.europa.eu/edpb_it): Opinion 11/2024 (https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-112024-use-facial-recognition-streamline_en), adopted pursuant to Article 64 of the GDPR, on the processing of data obtained at airports using facial recognition to streamline passenger flow.

The EDPB assessed the compatibility of such data processing with:

  • article 5(1)(e) and (f) of the GDPR on storage limitation and integrity and confidentiality;
  • article 25 of the GDPR on data protection by design and by default;
  • article 32 of the GDPR on security of processing.

The opinion takes into account four different scenarios:

  • Scenario 1: Storage of an enrolled biometric template – which is a set of biometric features stored in a database for future authentication purposes – only in the hands of the passenger.

Enrolment consists of each passenger who has consented to the processing recording the biometric template and the ID needed for the processing on their own device. Neither the passengers’ ID nor their biometric data are retained by the airport operator after enrolment.

The passenger is authenticated when going through specific checkpoints at the airport (equipped with QR scanners and cameras), through the use of a QR code produced by the passenger’s device, where the biometric template is stored.

The EDPB opinion concludes that such processing could in principle be considered compatible with articles 5(1)(f), 25 and 32 of the GDPR (nonetheless, appropriate safeguards must be implemented, including an impact assessment).

  • Scenario 2: centralized storage of an enrolled biometric template in an encrypted form, stored in a database within the airport premises and with a key solely in the passenger’s hands.

Enrolment is controlled by the airport operator and consists of generating the ID and biometric data, which are encrypted with a key or secret. The database is stored within the airport premises, under the control of the airport operator. The individual-specific encryption keys or secrets are stored only on the individual’s device.

Passengers are authenticated when going through specific checkpoints, equipped with a control pod, a QR scanner and a camera. The passenger’s data are sent to the database to request the encrypted template, which is then checked locally on the pod and/or user’s device.

The opinion concludes that such processing could in principle be considered compatible with articles 5(1)(e) and (f), 25 and 32 of the GDPR, subject to appropriate safeguards. In fact, the intrusiveness of processing through a centralised system can be counterbalanced by the involvement of the passengers, who hold the key to their own encrypted data.

  • Scenario 3: centralized storage of an enrolled biometric template in a database within the airport, under the control of the airport operator and Scenario 4: centralized storage of an enrolled biometric template in a cloud, under the control of the airline company or its cloud service provider.

The enrolment is done either in a remote mode or at airport terminals.

At the airport passengers go through dedicated control pods equipped with a camera. Biometric data is sent to the centralized database or to the cloud server – where the matching of the data is processed. The biometric matching is only performed when the passengers present themselves at pre-defined control points at the airport, but the data processing itself is done in the cloud or in centralized databases.

The EDPB considers that the use of biometric data for identification purposes in large central databases, as in Scenarios 3 and 4, interferes with the fundamental rights of data subjects and could entail serious consequences. As such, Scenarios 3 and 4 are not compatible with article 25 of the GDPR, because they imply searching for passengers within a central database by processing each biometric sample captured. Also, taking into account the state of the art, the measures envisaged in those Scenarios would not ensure an appropriate level of security under article 5(1)(f) of the GDPR.

In conclusion, the EDPB regards with suspicion the matching and authentication of passengers’ biometric templates when it takes place in centralised storage (databases or clouds). The EDPB considers that this increases the risks to the security of the data, requires the processing of much more data and does not leave passengers in control of their data.
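The practical difference between the designs the opinion contrasts is where the key lives and whether the system answers “is this passenger X?” (1:1 authentication) or “who is this?” (1:N identification). The following is an added example, written for this page and not taken from the EDPB opinion or any airport system, that models Scenario 2 (central store of encrypted templates, key only on the passenger’s device) beside Scenario 3 (central store of plaintext templates searched on every capture). Templates are modelled as 256-bit binary feature codes compared by Hamming distance; the match threshold, the class names and the cipher (an HMAC-SHA256 keystream with an HMAC tag, built from the standard library so the example runs offline) are all assumptions of the example, not a production biometric stack or AEAD.

```python
import hashlib
import hmac
import secrets

TEMPLATE_BITS = 256
MATCH_THRESHOLD = 64   # max differing bits for a genuine match (assumed value)


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length binary templates."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def encrypt_template(key: bytes, template: bytes) -> bytes:
    """Return nonce || ciphertext || tag (toy AEAD built from HMAC-SHA256 only)."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(template))
    ct = bytes(p ^ k for p, k in zip(template, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_template(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; raises on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or tampered template")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class Scenario2Store:
    """Central database of encrypted templates; each key lives only on the passenger's device."""

    def __init__(self):
        self._db = {}   # passenger_id -> nonce || ciphertext || tag

    def enroll(self, passenger_id: str, template: bytes) -> bytes:
        key = secrets.token_bytes(32)   # handed to the passenger's device, never stored here
        self._db[passenger_id] = encrypt_template(key, template)
        return key

    def authenticate(self, passenger_id: str, device_key: bytes, live: bytes) -> bool:
        """1:1 check at the control pod: the pod can only open the blob the device unlocks."""
        blob = self._db.get(passenger_id)
        if blob is None:
            return False
        try:
            reference = decrypt_template(device_key, blob)
        except ValueError:
            return False
        return hamming(reference, live) <= MATCH_THRESHOLD

    def dump(self) -> dict:
        """What an attacker who copies the database obtains: ciphertext only."""
        return dict(self._db)


class Scenario3Store:
    """Central database of plaintext templates, searched 1:N on every capture."""

    def __init__(self):
        self._db = {}   # passenger_id -> plaintext template

    def enroll(self, passenger_id: str, template: bytes) -> None:
        self._db[passenger_id] = template

    def identify(self, live: bytes):
        """'Who is this?': every stored template is compared against the capture."""
        if not self._db:
            return None
        pid, ref = min(self._db.items(), key=lambda kv: hamming(kv[1], live))
        return pid if hamming(ref, live) <= MATCH_THRESHOLD else None

    def dump(self) -> dict:
        """A breach here yields every passenger's raw biometric template."""
        return dict(self._db)


def noisy_capture(template: bytes, flips: int) -> bytes:
    """Deterministic stand-in for a fresh camera capture of the same face (flips bits)."""
    bits = bytearray(template)
    for i in range(flips):
        pos = (i * 37) % TEMPLATE_BITS
        bits[pos // 8] ^= 1 << (pos % 8)
    return bytes(bits)
```

Two properties of the model map directly onto the opinion’s reasoning: `Scenario2Store.authenticate` cannot run without the passenger presenting the key, so the operator is structurally unable to search the database for a face, whereas `Scenario3Store.identify` must compare every capture against every stored template; and `dump()` on the Scenario 2 store returns only blobs that fail authentication under any key but the passenger’s, which is why the EDPB treats the key on the device as the counterweight to central storage.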

New Guidelines on Web Scraping

Pursuant to Article 57(1)(b) of the GDPR, on May 20, 2024 the Italian Data Protection Authority (“Italian DPA”) adopted guidelines [LINK] on web scraping, with the aim of providing guidance to operators of websites and online platforms, acting in Italy as data controllers of personal data made available online to the public.

Web scraping is defined by the Italian DPA as the massive collection of personal data from the web for the purpose of training generative artificial intelligence models. Specifically, whenever such a phenomenon involves the collection of traceable information – linked to an identified or identifiable natural person – a data protection issue arises with reference to the identification of an appropriate legal basis for the processing of such data.

According to the guidelines, the assessment of the lawfulness of web scraping must be carried out on a case-by-case basis. Personal data are made available on the web as a result of a primary level processing by operators of online platforms as data controllers. Only then, third parties – often web robots or “bots” – may gather such data for different purposes while scraping the web. This is the reason why the Italian DPA addresses its guidelines to operators of online platforms: they are, in fact, the only ones able i) to more easily evaluate how data are used after being scraped from their platforms and ii) to implement measures on their platforms that may prevent or mitigate web scraping activity for purposes of training algorithms.

Possible precautions or enforcement actions identified by the Italian DPA are the following:

  • Creation of restricted areas, which can only be accessed after registration. In this way, certain personal data would be removed from public availability;
  • Inclusion of ad hoc clauses in the terms of service of the online platform expressly prohibiting the use of web scraping techniques;
  • Monitoring network traffic to detect any abnormal flow of data and adopting limits as countermeasures;
  • Direct intervention on bots (e.g. inserting CAPTCHA checks on websites or monitoring log files in order to block undesirable users).

Such measures should be adopted by the data controller after an independent assessment – in compliance with the accountability principle, which increasingly appears to govern new data protection legislation and strategies. At any rate, the Italian DPA acknowledges that, albeit useful, none of these measures can be expected to entirely prevent web scraping from happening.  
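The last two measures in the list (monitoring traffic for abnormal flows and monitoring log files to block undesirable users) are the ones a platform operator can actually automate. The following is an added example, written for this page and not taken from the Italian DPA’s guidelines, that runs that kind of detection over web-server access logs: it parses Combined Log Format lines, flags a client either because its request rate in a sliding window exceeds a limit or because it declares itself as an AI-training crawler in its User-Agent, and emits Apache-style deny rules. The log lines, the rate limit and the crawler User-Agent list are constructed for the example and are assumptions, not values from the guidelines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined Log Format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
# Substrings of User-Agents used by self-declared AI-training crawlers (assumed list)
AI_CRAWLER_UAS = ("GPTBot", "CCBot", "ClaudeBot", "Bytespider")


def parse_line(line: str):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyse(lines, window_s: int = 60, max_per_window: int = 20) -> dict:
    """Return {ip: [reasons]} for clients that look like scrapers.

    Rate detection keeps, per IP, a deque of timestamps inside the last
    window_s seconds; exceeding max_per_window requests in that window flags
    the IP. Lines are expected in chronological order per IP, as in a log file.
    """
    recent = defaultdict(deque)
    flagged = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue   # malformed line: skip it, never let the monitor crash
        ip, ts, ua = rec["ip"], rec["ts"], rec["ua"]
        if any(bot in ua for bot in AI_CRAWLER_UAS):
            flagged[ip].add("declared-ai-crawler")
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > max_per_window:
            flagged[ip].add("rate")
    return {ip: sorted(reasons) for ip, reasons in flagged.items()}


def block_rules(flagged: dict) -> list:
    """Render the findings as Apache-style deny rules (illustrative output format)."""
    return [f"deny from {ip}  # {', '.join(reasons)}" for ip, reasons in sorted(flagged.items())]


def _line(ip: str, when: datetime, path: str, ua: str) -> str:
    ts = when.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5120 "-" "{ua}"'


def sample_log() -> list:
    """Constructed access log: one human, one fast anonymous scraper, one GPTBot, one junk line."""
    base = datetime(2024, 5, 20, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(3):   # a reader: three pages over three minutes
        lines.append(_line("192.0.2.10", base + timedelta(minutes=i), f"/post/{i}",
                           "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/125.0"))
    for i in range(30):  # a scraper: thirty profile pages in thirty seconds
        lines.append(_line("203.0.113.7", base + timedelta(seconds=i), f"/users/{i}",
                           "python-requests/2.31.0"))
    for i in range(2):   # a crawler that announces itself
        lines.append(_line("198.51.100.9", base + timedelta(minutes=5 + i), f"/profile/{i}",
                           "Mozilla/5.0 AppleWebKit/537.36 (compatible; GPTBot/1.0)"))
    lines.append("this is not a log line")
    return lines


if __name__ == "__main__":
    for rule in block_rules(analyse(sample_log())):
        print(rule)
```

The rate rule catches scrapers that hide behind an ordinary or empty User-Agent, which is the common case; the User-Agent rule catches crawlers that identify themselves and whom the operator chooses not to serve. Neither stops a patient scraper spread across many IPs at a low rate, which is the limitation the Italian DPA itself acknowledges: these measures mitigate, they do not prevent.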

Processing Health Data: the Most Recent Amendment to Italian Privacy Code

The Italian “Privacy Code” (Legislative Decree No. 196/2003), which governs data protection in Italy together with the European GDPR, has recently been amended.

Law No. 56/2024, further implementing the National Recovery and Resilience Plan, intervened on section 110 of the Privacy Code, which deals with the processing of health-related data for the purposes of medical, biomedical or epidemiological scientific research.

Section 110 provides that consent of the data subject for the processing of health-related data for the purpose of medical, biomedical or epidemiological scientific research is not required when:

  • the research is carried out on the basis of legal provisions or European Union law, when processing is necessary for scientific research or statistical purposes, provided that an impact assessment is carried out pursuant to articles 35 and 36 of the GDPR; or
  • informing the data subject is impossible or involves a disproportionate effort, or would render impossible or seriously jeopardise the attainment of the purposes of the research.

In such cases – before the latest amendment – the data controller had to:

1) take appropriate measures to protect the rights, freedoms and interests of the data subject;

2) obtain a favorable opinion of the competent ethics committee; and

3) consult the Italian Data Protection Authority prior to processing.

The obligation to consult the Italian Data Protection Authority has now been repealed. Thus, there is no need to apply for the Authority’s clearance prior to processing health-related data (in those cases where consent of the data subject is not required under section 110 of the Privacy Code). 

This amendment may have a significant impact especially on retrospective studies for which informing data subjects is particularly burdensome. The data controller will, in fact, be able to proceed without the Authority’s permission. Nonetheless, the data controller will still have to comply with specific guarantees and ethical rules issued by the Authority – as specified by the amended section 110.

On the one hand, the amended section 110 seems to favour accountability and to soften the procedural requirements for processing health data for research purposes, making the overall procedure quicker. When it comes to the “secondary use” of health data, the accountability approach should be considered strong enough to protect data and should be welcomed, as it moves in the same direction as the European Health Data Space – which intends to provide a reliable and efficient system for the re-use of health data in areas such as research and innovation.

On the other hand, though, the Italian Data Protection Authority has already issued some interim guarantees, specifying that data controllers – when processing health data relating to deceased subjects or subjects who cannot be contacted – must carry out and publish an impact assessment pursuant to article 35 of the GDPR and notify it to the Authority. It remains to be seen how the amendment will be handled by the Authority in practice: the effect of the simplification provided by the new version of section 110 may be diminished if the guarantees set forth by the Authority generate equally elaborate procedures.

A New European Digital Identity

On March 26, 2024 the Council adopted a new framework for a European digital identity (eID).

Background. In June 2021, the Commission proposed a framework for an eID that would be available to all EU citizens, residents, and businesses via a European digital identity wallet (EDIW). The new framework amends the 2014 regulation on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation No. 910/2014), which laid the foundations for safely accessing public services and carrying out transactions online and across borders in the EU. According to the Commission, the revision of the regulation is needed since only 14% of key public service providers across all Member States allow cross-border authentication with an e-Identity system.

Entry into Force.  The revised regulation will be published in the EU’s Official Journal and will enter into force 20 days after its publication. The regulation will be fully implemented by 2026.

Digital Wallets.  Member States will have to offer citizens and businesses digital wallets that will be able to link their national digital identities with proof of other personal attributes (e.g., driving license, bank account). Citizens will be able to prove their identity simply using their mobile phones.

EU-wide Recognition.  The new EDIWs will enable all citizens to access online services with their national digital identification, which will be recognised throughout the EU. Uses of EDIWs include: opening a bank account, checking in at a hotel, filing tax returns, storing a medical prescription, signing legal documents.

The Right to Digital Identity.  The fundamental purpose of the regulation is to establish the right to a digital identity for Union citizens and to enhance their privacy.

Main features of EDIWs.  According to the new regulation:

• the use of EDIWs shall be voluntary, and wallets shall be provided directly by a Member State, under its mandate, or recognised by it;

• EDIWs shall enable the user to (1) securely request, store, delete and share person identification data and authenticate to relying parties; (2) generate pseudonyms and store them encrypted; (3) access a log of all transactions and report to the national authority any unlawful or suspicious request for data; (4) sign or seal by means of qualified electronic signatures; (5) exercise the right to data portability.

Privacy.  Privacy will be safeguarded through different technologies, such as cryptographic methods that allow a relying party to verify that a statement derived from a person’s identification data is true without revealing the data on which that statement is based. Moreover, EDIWs will have a dashboard embedded in their design that allows users to request the immediate erasure of any personal data pursuant to Article 17 of Regulation (EU) 2016/679.
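The simplest form of “prove the statement, not the data” is selective disclosure: the issuer signs only salted digests of the wallet’s attributes, and the holder reveals, for each presentation, just the attributes the relying party needs. The following is an added example, written for this page and not taken from the eIDAS regulation, the EU wallet reference implementation or any issuer; it follows the SD-JWT idea of salted hash commitments but is not that specification. The issuer’s signature is an HMAC shared between issuer and verifier purely so the example runs offline (a real wallet uses an asymmetric signature over a JWT); the issuer URL, claim names and function names are assumptions of the example. It is selective disclosure, not a zero-knowledge proof: the `age_over_18` statement is itself an attribute asserted by the issuer, and the birth date it was computed from is never sent.

```python
import hashlib
import hmac
import json
import secrets


def _digest(salt: str, name: str, value) -> str:
    """Commitment to one claim: SHA-256 over the canonical JSON of [salt, name, value]."""
    canon = json.dumps([salt, name, value], separators=(",", ":"), sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()


def issue(issuer_key: bytes, claims: dict):
    """Issuer: sign only the sorted digests; return (credential, disclosures for the holder)."""
    disclosures = {name: (secrets.token_hex(16), value) for name, value in claims.items()}
    digests = sorted(_digest(salt, name, value) for name, (salt, value) in disclosures.items())
    payload = {"iss": "https://pid-issuer.example", "_sd": digests}   # hypothetical issuer
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(issuer_key, body, hashlib.sha256).hexdigest()   # stand-in for a JWS signature
    return {"body": body, "sig": sig}, disclosures


def present(credential: dict, disclosures: dict, reveal) -> dict:
    """Holder (wallet): attach the salt and value only for the claims being revealed."""
    return {"credential": credential, "disclosed": {name: disclosures[name] for name in reveal}}


def verify(issuer_key: bytes, presentation: dict) -> dict:
    """Relying party: check the issuer signature, then that every disclosure hashes into _sd.

    Returns the revealed claims; raises ValueError on a forged credential or a
    disclosure whose (salt, name, value) does not match a signed digest.
    """
    cred = presentation["credential"]
    expect = hmac.new(issuer_key, cred["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, cred["sig"]):
        raise ValueError("issuer signature does not verify")
    signed_digests = set(json.loads(cred["body"])["_sd"])
    revealed = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if _digest(salt, name, value) not in signed_digests:
            raise ValueError(f"disclosure for {name!r} is not covered by the credential")
        revealed[name] = value
    return revealed


def age_check_flow(issuer_key: bytes) -> dict:
    """End to end: issue a PID-like credential, present only age_over_18, verify it."""
    credential, disclosures = issue(issuer_key, {
        "given_name": "Mario",            # constructed sample data
        "birth_date": "1990-01-01",
        "age_over_18": True,
    })
    presentation = present(credential, disclosures, ["age_over_18"])
    return verify(issuer_key, presentation)


if __name__ == "__main__":
    print(age_check_flow(b"issuer-secret"))   # {'age_over_18': True}
```

Three things the relying party learns and does not learn: it learns that the issuer vouches for `age_over_18`, because the digest it recomputes is in the signed `_sd` list; it does not learn the name or birth date, because neither the values nor their salts are sent; and it cannot recover them from the digests by guessing, because each digest is salted with 128 random bits. The wallet feature listed above, “access a log of all transactions”, would in this model be the holder recording which `reveal` list went to which relying party.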

Corporate Liability Under Legislative Decree No. 231/2001: Latest Developments

In the context of criminal proceedings for aggravated fraud for obtaining public funds (art. 640 bis of the Criminal Code) and for ideological falsity of the private party in a public deed (art. 483 of the Criminal Code), the Italian Supreme Court (ruling No. 3196/2024 Jan. 26, 2024) had the opportunity to reiterate some useful principles in the context of 231 Models:

• The legal representative of the entity, if suspected or accused of the predicate offence, cannot appoint the entity’s defence attorney, due to the absolute prohibition of representation laid down by Article 39 of Legislative Decree No. 231 of 2001. The incompatible representative cannot perform any defensive act in the interest of the entity and, if performed, such an act must be considered ineffective. However, the entity may join the proceedings by replacing the representative who has become incompatible or by appointing an ad hoc representative.

• The Court must always make an independent determination of the administrative liability of the entity, and this means that:

1) It is not necessary to make a final and complete finding of individual criminal liability of the natural person; a mere incidental finding is sufficient.

2) The configurability of criminal liability of managers for 231 offences is not sufficient to affirm the liability of the entity. The judge must assess the suitability of the 231 Model adopted, ideally placing himself at the time when the offence was committed, in order to verify whether compliance with the 231 Model would have eliminated or reduced the danger of offences of the same kind as the one that occurred.