A possible adverse impact on fundamental human rights has been one of the first concerns at a domestic level. The main principles of the National Strategy for Artificial Intelligence have been identified as follows: 

1. Support the adoption of AI applications to enhance management practices, production models, and innovation projects, developing country-specific AI systems that preserve the competitive advantages of Italian excellence.
2. Promote foundational and applied scientific research, encouraging the connection of national research units with international development platforms and developing AI applications consistent with the competitive needs of the country. Additionally, supporting AI for social well-being, with applications in welfare, environmental and cultural heritage protection, education processes, and health.
3. Create favourable conditions to enhance the potential of AI, focusing on the growth of talents with appropriate skills and improving Public Administration services through AI solutions.

According to the National Strategy for Artificial Intelligence, developing a system according to the values and the idea of the rights of a nation brings with it an inescapable interest in having a technology that conforms to the constitutional values of its legal framework, while at the same time reaffirming and preserving them. This is why strategic actions aimed at promoting generative models, and services to citizens, will have to incorporate the need to develop systems in compliance with ethics and legislation, as well as acting as a defence of the very values of democracy.

Even though there are no specific Italian provisions relating to AI systems, the Italian Constitution provides for different principles and provisions which AI can affect. These include the fundamental principles (such as those aimed at recognising and protecting the inviolable rights of individuals, equality among citizens, effectiveness of access to work and working conditions) and the main civil, political, economic and social rights and freedoms (for example, personal freedom, freedom of domicile, correspondence, free movement, freedom of associating, professing religious beliefs, freedom of expression, right of defence, and so on). According to scholars, AI systems are capable of both strengthening and interfering with those main principles, rights and freedoms. Accordingly, AI could bolster the evolution of constitutional duties by giving rise to new rights and freedoms, such as the right to transparency regarding the rationale and logic behind any AI decision and the right not to be subject to decisions made solely based on automated processing.

The Italian Council of State (the highest administrative court) has ruled on algorithmic decision-making by public administration that affects individual rights and freedoms, even though such decisions concern algorithms in general, i.e., not strictly those related to AI. By reiterating some principles laid down at international and European level, such as the European Parliament resolution of 16 February 2017 with recommendations to the Commission on Civil Law Rules on Robotics (2015/2103(INL)), the court clarified that decisions based on fully automated systems should comply with the following principles: 

• transparency of the algorithm must be guaranteed in all aspects, such as the identity of the creators, the process used for its creation, the decision mechanism, including the priorities identified in the evaluation process and the data selected as relevant;
• the decision must not be the result of a solely automated process, i.e. a minimum of human intervention must always be ensured; and
• non-discrimination should be ensured, according to which the controller should use appropriate mathematical or statistical procedures for profiling, as well as putting in place appropriate technical and organisational measures, also to avoid inaccuracies and minimise the risk of errors (Consiglio di Stato sez. VI, 13/12/2019, decision No. 8472).

Italy has signed and ratified the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Strasbourg, 28 January 1981).

AI raises new legal issues when it comes to non-human creation of creative and original content, whether it is eligible for protection and who should be granted the relevant rights.

According to Article 45, paragraph 2 of the Industrial Property Code (Legislative Decree, 10 February 2005, No. 30 (IP Code)), an AI system, like any other mathematical method and/or computer programme, is not an invention and therefore it is not patentable, unless certain requirements are satisfied:

• it produces a technical effect resulting from its execution that goes beyond the normal interaction between the software and the computer; and
• it is original and the result of an intellectual creation.

Different issues arise in relation to the ownership of patent rights for inventions created by AI.

Under the IP Code, moral rights on the patent may be attributed only to a natural person and can be exercised only by the inventor (and, after their death, by the descendants).

Attribution of rights arising from the invention to a person other than the inventor/natural person is allowed only in limited exceptions. For example, in respect of employee inventions, the rights deriving from the invention belong to the employer, and for a research team’s invention the rights belong to the relevant research entrepreneur.

In the case of a computer-implemented invention, the right to the patent belongs, therefore, to the employer or the research entrepreneur who owns the AI.

For the protection of works, the Italian Copyright Law (Law No. 633/1941) requires a creative character as well as originality, resulting from the author’s intellectual creation. Protection is granted only to human intellectual creations, with the author — a natural person — being the only eligible creator. 

The main obstacle for AI creations to be copyright-eligible is, therefore, the absence of human creativity.

Neighbouring rights seem the most appropriate way to exploit AI commercial benefits, as they offer more adequate and effective instruments for the protection of the interests involved. 

The legal protection on such works could therefore be configured as a sui generis right, similar to the existing rights for non-original databases (meaning databases whose content, presentation or verification has been obtained through substantial investment). 

The question is still open in Italy and the said sui generis right — that is, a specific property right — might be a possible way of protecting these computer-generated works, as assets resulting from huge financial and business investments by those who funded them, rather than as purely creative works.

As an alternative to patent protection, AI algorithms could be protected as secret information.

Trade secrets are governed by Articles 98 and 99 of the IP Code and are defined as business information and technical and industrial experience, including commercial information, subject to the legitimate control of the owner, where such information is secret, has economic value and is subject to reasonable measures in order to maintain its secrecy.

Unlike patents, no application or registration is required to obtain trade secret protection when the above requirements are satisfied.

In January 2023, the Italian Supreme Court rejected the appeal of RAI (namely, Radiotelevisione italiana, the national public broadcasting company of Italy) and confirmed the decision of the ordinary court regarding the ownership of a digital work. The latter consisted of a digital image created with the help of software, used in the set design of Sanremo (a well-known Italian song festival). According to the ordinary court, the digital image was not just a simple reproduction of a flower but was a true work of art deserving of protection under copyright law, as it was an original and creative idea of its author. 

RAI argued that the use of software to generate a work eligible for copyright protection would have been sufficient to exclude the creativity of the work insofar as the image would have been created by means of an algorithm, and the author’s process would thus have been limited to choosing an algorithm and approving the result generated by the software. 

Despite deeming this ground of objection inadmissible (as it had never been raised in earlier stages of the proceedings), the Italian Supreme Court stated that the use of software does not prevent the creation of an intellectual work from being eligible for copyright protection. The level of creativity of such work would just have to be examined more rigorously. In any event, if such an objection had been raised in the ordinary courts, a more thorough factual assessment would have been required to determine whether and to what extent the use of the software “absorbed” the creative work of the artist who used it. 

Although the court was therefore not able to rule extensively on the issue, the topic of works created using digital technologies has become increasingly significant in recent times.

In 2019 the Italian main regulatory authorities (the Data Protection Authority (the Garante), the Competition Authority (ICA) and the Communications Authority) concluded a joint inquiry on big data, where they highlight that AI — especially machine learning — in the field of big data is a powerful tool for extracting new knowledge.

At a domestic level, personal data are covered by a comprehensive set of rules under Legislative Decree No. 196/2003. As for non-personal data, there is no specific legislation, except for open data (see below Section 3.3).

In 2016, the Garante found it unlawful for a platform to collect several categories of personal data from sources other than the data subjects for the purpose of calculating a “reputational rating” of those data subjects, as it was likely to have a serious impact on their (professional and private) lives. The Supreme Court of Cassation confirmed the Garante’s decision, stating that — even though this activity might not in principle be considered as unlawful — the consent of those subjects could not be considered legitimately obtained where the algorithm’s execution logic is unknown to the data subjects.

With reference to the use of personal data for training of AI algorithms, in 2022 the Garante issued a EUR 20 million fine against Clearview AI for its unlawful use of personal data. The company had created a database of over 10 billion facial images through web scraping techniques. The Garante stated that the fact that the images were publicly available on the web did not justify their use for facial recognition purposes by a private platform whose activities are not transparent for the relevant data subjects.

Moreover, in 2023 the Garante took action against OpenAI, imposing a temporary limitation on its generative AI tool, ChatGPT, due to lack of data protection requirements, including the legal basis for training the algorithm, inadequate information notice to data subjects, and failure to prevent the use of the tool by minors under 13 years old. Subsequently, in January 2024, the Garante formally challenged the relevant breaches of data protection; at the moment the case is still pending, and no decision has been issued.

In recent months, the Garante has shown a specific interest in web scraping by opening a public survey concerning the collection of personal data online to train third-party AI algorithms. The initiative aims to ascertain what security measures public and private websites have implemented to avoid such massive collection of personal data.

Legislative Decree No. 196/2003 includes different provisions that specify and integrate the EU’s General Data Protection Regulation: for instance, authorisations and requirements related to the processing of special categories of personal data, as well as various criteria for application of administrative sanctions, etc.

Legislative Decree No. 82/2005 and Legislative Decree No. 36/2006 aim to foster free access to data owned by public administrations, public enterprises and certain private companies providing public services. Such bodies must create, collect, store and make available and accessible their data via information and communication technologies, so that they can be used both by other public administrations and by private entities and individuals. To this end, the Italian Government has adopted a national data strategy and is creating a digital national data platform. This mandates that the use of such data should be free of charge, except for the recovery by data owners of costs incurred in copying, making available and disclosing such information, as well as for the anonymisation of personal data or for further data protection measures.

Pursuant to Law Decree No. 139/2021, converted into Law No. 205/2021, it is forbidden to install and use, in public places or places open to the public, video surveillance systems with facial recognition technologies based on the processing of biometric data. This ban falls both on private entities and on public authorities and will last until 31 December 2025 or, in any case, until a specific set of rules covering this area is adopted.

As noted above, in February 2022, the Garante ruled on a case involving processing of biometric data: it fined the US-based company Clearview AI for carrying out biometric monitoring activities via its AI systems; namely, for creating profiles using facial images extracted from public web sources via web scraping, without an appropriate legal basis and in a non-transparent manner.

To date, there is no specific domestic regulation in Italy focusing on bias and discriminatory practices in the field of AI.

AI-related acts of discrimination are potentially covered by a range of existing pieces of law based on the general principle laid down under Article 3 of the Italian Constitution — according to which “all citizens shall have equal social dignity and shall be equal before the law, without distinction of gender, race, language, religion, political opinion, personal and social conditions” — and on EU law provisions (mainly related to direct and indirect discrimination). Accordingly, there are specific rules on equal treatment and bans on direct and indirect discriminatory practices with reference to:

• immigration law (Legislative Decree No. 286/1998);
• access to work, goods and services, home, healthcare, education and social security (Legislative Decree No. 215/2003); 
• work and working conditions (Legislative Decree No. 216/2003; Law No. 300/1970; Legislative Decree No. 276/2003); and
• disabilities (Law No. 67/2006).

Further rules have been laid down with reference to gender equality in working contexts, in particular Article 37 of the Italian Constitution, according to which “Working women are entitled to equal rights and, for comparable jobs, equal pay as men. Working conditions must allow women to fulfil their essential role in the family and ensure appropriate protection for the mother and child”.

Additionally, it is again worth mentioning Italian case law on algorithmic discrimination — even though this is not related to AI — in the area of treatment of workers and tender procedures. A first instance tribunal (see Tribunale Bologna, sez. lav., ord. No. 31/12/2020) found that an algorithm used by a food delivery company was discriminatory, whereby — to be eligible for a certain delivery — workers were selected on the basis of ranking parameters that indiscriminately penalised all forms of absence from work (i.e. even lawful ones, like strikes).

The Italian Council of State, in a case concerning secondary school teachers’ rankings, has considered it possible to proceed with the use of algorithms in evaluation procedures, but with guarantees of transparency (i.e., the algorithm must be capable of being understood by reference to its authors, to the procedure used for its elaboration, to the decision mechanism, including the priorities assigned in the evaluation and decision procedure and the data selected as relevant) and of verification in court (Consiglio di Stato, sez. VI, 08/04/2019, decision No. 2270).

Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (the so-called NIS2) updates earlier EU legislation in cybersecurity area, extending the list of sectors within the scope of the regulation and providing more information on the entities that are subject to its cybersecurity requirements. 

Among the innovations introduced by NIS2, there are also some in the field of AI. Indeed, according to the directive, Member States should encourage the use of any innovative technology, including AI, the use of which could improve the detection and prevention of cyberattacks, enabling resources to be diverted towards cyberattacks more effectively. Member States should therefore encourage in their national cybersecurity strategy activities in research and development to facilitate the use of such technologies, in particular those relating to automated or semi-automated tools in cybersecurity, and, where relevant, the sharing of data needed for training users of such technology and for improving it. NIS2 underlines that the use of any innovative technology, including AI, should comply with EU data protection law. The directive, which entered into force on 16 January 2023, requires EU Member States to adopt and publish the measures necessary to implement the directive by 17 October 2024.

Moreover, in Italy the draft local AI legislation mentioned below, in Section 7.1, currently states that “the national cybersecurity agency promotes and develops any initiative, including partnership between public and private entities, aimed at enhancing artificial intelligence as a resource for strengthening national cybersecurity”.

Lastly, in Italy a new law regarding provisions for the enhancement of national cybersecurity and computer crimes was recently published (Law No. 90/2024). The aim of the law is to introduce and harmonise a very wide and varied range of cybersecurity-related aspects. Among the main innovations introduced by the law are a series of obligations that apply to public administrations. By way of example, these latter must: (i) set up an internal ad hoc cybersecurity board to verify that computers and electronic communication programmes and applications in use comply with the guidelines on encryption and password storage adopted by the National Cybersecurity Agency and the Garante; (ii) designate a specific cybersecurity contact person, appointed on the basis of professional expertise, to act as a single point of contact for the National Cybersecurity Agency; (iii) report a series of security incidents, complying with specific deadlines laid down by the law; and (iv) promptly adopt the remedial actions indicated by the National Cybersecurity Agency, if the latter indicates specific vulnerabilities to which the public administrations concerned by this law are potentially exposed. In the event of non-compliance, the law also provides for pecuniary administrative sanctions.

At a domestic level, the NIS2 will be implemented following the criteria outlined by the European Delegation Law (Law No. 15/2024). In particular, regarding technology infrastructure requirements, the government shall identify which technologies are necessary to ensure the effective activation of Cybersecurity risk-management measures pursuant to Article 21, paragraph 2 of the Directive.

The ICA is continuing to conduct a thorough analysis and study of the phenomenon of big data to assess the impact on businesses of the use of AI, in order to update its competition and consumer protection interventions.

In its inquiry on big data (see above Section 3), the ICA stated that, at least theoretically, machine learning mechanisms such as dynamic pricing algorithms could lead to tacit collusion between undertakings. More specifically, according to the ICA, the high transparency of online markets (i.e., the wide availability of data on competitors’ prices and other relevant information), the frequency of price adjustments (i.e., the ability of algorithms to monitor markets in real time by being able to change prices instantaneously and continuously), as well as the ability to learn optimal pricing strategies through machine learning, meant that the use of pricing algorithms had the potential to facilitate collusion. However, the ICA itself admitted that tracing similar violations of Article 101 of the Treaty on the Functioning of the European Union (TFEU) is particularly complex, especially regarding sophisticated algorithms, characterised by machine learning mechanisms.

The concerns expressed in the inquiry on big data were recently recalled in the ICA’s contribution submitted for the 140th Organisation for Economic Co-operation and Development (OECD) Competition Committee meeting in June 2023 (see one.oecd.org/document/DAF/COMP/WD(2023)10/en/pdf).

However, it is of interest to note that the 2023 Annual Report on the ICA’s activities (available at www.agcm.it/dotcmsdoc/relazioni-annuali/relazioneannuale2023/AGCM_Relazione_annuale_2024.pdf) also highlights the flip side of the coin, i.e., the potential of digitisation and the use of AI in business processes as a means of driving competitiveness. Furthermore, the ICA has announced the implementation of AI and artificial machine learning technologies to enhance its ability to monitor markets, identify potential cartels, acquire and manage large databases and conduct document searches.

The ICA’s enforcement activity in relation to AI is starting to grow (especially with regard to consumer protection), although it is still quite limited.

The risk that AI mechanisms could facilitate the standardisation of competitors’ conduct was one of the concerns that led to the ICA commencing proceedings No. I844 — ANIA anti-fraud project on 3 November 2020. The subject matter of these proceedings was the creation, by the Italian Association of Insurance Companies (ANIA), of a platform accessible to insurance companies aimed at enabling the detection of fraudulent events, by identifying the most recurring types. On 21 September 2021, the ICA closed its proceedings without a finding of infringement, by accepting ANIA’s commitments (which included affording insurance companies the possibility of weighing fraud risk indicator factors differently, as well as the use of an “anomaly detection” algorithm and not a “self-learning” one). 

In 2021, the ICA found that the Amazon group abused its dominant position by employing a series of articulated commercial strategies often based on self-preferencing, which also included the use of an algorithm to select the so-called Featured Offers on the marketplace Amazon.it (proceedings No. A528 — FBA AMAZON).

On the other hand, the ICA has welcomed the use of AI-based mechanisms to prevent violations of consumer protection laws. Specifically, in 2020, it accepted commitments by three marketplace operators that introduced image-matching technology and algorithms aimed at detecting listings of products related to the COVID-19 pandemic that used images or wording that could mislead consumers as to the possibility of preventing the contagion, or that were characterised by price gouging (proceedings No. PS/11716 — AMAZON; No. PS/11717 — EBAY; No. PS/11734 — WISH).

Recently (March 2024), the ICA imposed a fine of EUR 10 million on TikTok, contesting the exploitation of AI techniques capable of generating undue conditioning in users, especially the young and vulnerable, in violation of the Italian Consumer Code (proceedings No. PS12543 — TIKTOK CICATRICE FRANCESE). In particular, the ICA focused on an algorithm underlying the operation of the platform, which, by using user data, reproduced content similar to that already displayed and interacted with through the “like” function.

To date, there is no specific domestic regulation in Italy focusing on the trade, anti-trust and competition law aspects of AI.

In April 2024, the Italian Government brought a national draft law before the national Parliament outlining regulations for the development and adoption of AI technologies. The legislation, which is currently under parliamentary review, aims to drive technological innovation to bolster the competitiveness of Italian companies in European and global markets, while also promoting high-quality and professional employment opportunities.

The national draft law includes provisions regarding investments up to EUR 1 billion in companies active in the field of AI, cybersecurity and quantum computing.

Additionally, the draft law aims at specifying the application of certain general principles in fields like health care, scientific research, electronic health records, employment, intellectual professions, public administration, and judiciary activities. Amendments to copyright law are under discussion as well. Additionally, the government will be appointed to draft legislative decrees for adapting the local laws to the EU AI Act. 

At the time of writing this is still a proposal with undefined developments, requiring further time for clarification.

In April 2024, the Italian department for digital transformation and the digital agency for Italy (the AGID) released the executive summary of the Italian Artificial Intelligence Strategy 2024–2026. This document outlines the vision and framework of the Italian Strategy for Artificial Intelligence for the upcoming three years, focusing on four main pillars: scientific research, public administration, business and education.

In the field of scientific research, the strategy proposes a series of actions, including continuing research programs on the foundational aspects of AI, retaining and attracting talent by articulating hiring plans aimed at absorbing excellence among researchers, developing national multimodal foundational models, implementing interdisciplinary projects for social well-being and enhancing international collaborations on AI projects. Among the actions to be taken in the field of public administration are the definition of guidelines to promote the adoption of AI as well as the development of AI applications within the public administration, and the promotion of AI training in the public sector. 

So far as business is concerned, the focus is on creating an “ecosystem of facilitators” for AI in small and medium-sized enterprises (SMEs) that intercept the innovation needs of companies, supporting the development and adoption of AI solutions, establishing a network of laboratories for the development of AI applications in industrial contexts, supporting the development of AI start-ups by defining a specific fund, and supporting information and communication technologies companies developing AI technologies. Finally, the strategy outlines a series of actions to be taken in the field of education, emphasising the need to structure pathways for introducing AI in schools, spreading AI education in university degree courses, implementing upskilling and reskilling programs for businesses and public administration, and educating on the use of AI tools to promote conscious use of new technologies through initiatives in local areas and communication channels.

8.1. Does a specific regulation on AI exist in Italy? 

No; however general principles apply, and certain AI solutions have already been scrutinised by courts and authorities. That said, Parliament is discussing a law regarding the application of AI in certain specific fields and, among other things, the amendment of copyright law.

8.2. Which aspects of AI have been mainly subject to enforcement in Italy? 

To date, the main enforcement on AI technology has involved data protection aspects. There have been additional enforcement activities which have focused on employment issues and usage of AI in the public sector. 

8.3. Will any AI-focused law be issued in the short term in Italy? 

A draft law is under discussion before Parliament, but we cannot predict when (and with which final provisions) this will be approved. We can also expect some further local provisions regarding the fine-tuning of local laws with the EU AI Act.