Ecodesign and sustainability: the game-changing EU Regulation 2024/1781.

Gianpaolo Todisco - Partner

Aiming to bring about a sustainable revolution in the European market, EU Regulation 2024/1781 on Ecodesign for Sustainable Products Regulation (ESPR) sets new standards for product design. This legislation is in the context of the European Green Deal, aiming for greater sustainability and reduced environmental impact. Here are the main changes:

  • Longer-lasting and more sustainable products : The regulation promotes products that are designed to last, easily repairable and recyclable, with preference given to recycled and sustainable materials.

  • Transparency and traceability at the click of a mouse: Thanks to the introduction of the Digital Product Passport, it will be possible to access crucial information such as composition, environmental impacts and end-of-life options for products.

  • Stop the destruction of unsold goods : for sectors such as fashion, reuse or donation of unsold goods becomes mandatory, eliminating waste.

Challenges for businesses

Companies will be called upon to radically change their production and management processes. In particular, they will need to:

  • Develop systems to collect data on unsold goods and product life cycles;

  • Update their processes to align with new design and disclosure standards;

  • Adopt advanced technologies to implement the Digital Product Passport.

Products under the Lens: EU Priorities.

By April 2025, the European Commission will present an operational plan to identify priority products, with a focus on those with the greatest environmental impact. The main sectors targeted include:

  • Textiles, including clothing and footwear;

  • Materials such as iron, steel and aluminum;

  • Furniture, from beds to mattresses;

  • Tires, detergents, paints and lubricants;

  • Chemicals and electronics, including ICT technologies and energy.

A Passport to the Circular Economy

The Digital Product Passport represents one of the regulation's most significant innovations. This tool will collect key information on:

  • Material composition;

  • Environmental impact;

  • Repair and recycling methods;

  • Full life cycle traceability.

The goal is to create an efficient circular economy, where data will be easily accessible to supply chain actors.

Focus on the fashion industry: toward greater responsibility

The legislation introduces stringent requirements for the fashion sector, mandating:

  • Transparency on unsold items : companies will have to make public information on the destination of unsold garments and accessories.

  • Ban on destruction: it will be prohibited to dispose of unsold items. Reuse and donation will become the norm.

When does it go into effect?

For large businesses, the changes will be operational from 2026. Considering the significant impact of these measures, it is crucial that companies start now to:

  1. Assess how the regulation will affect their products;

  2. Set up systems to monitor and manage unsold products;

  3. Plan sustainable strategies to ensure regulatory compliance.

A new course for sustainability

The ESPR is not just a regulation, but a real challenge to redefine the rules of the European market. Companies that can adapt proactively will not only ensure compliance, but also gain a competitive advantage in an increasingly sustainability-driven landscape.

Italy adopts the NIS 2

Gianpaolo Todisco - Partner

Legislative Decree No. 138, which implements Directive (EU) 2022/2555, known as NIS 2, was published in the Official Gazette on Oct. 1, 2024. The planned provisions will come into force as of Oct. 18, 2024.

This measure represents a significant step for Italy in the management of cyber security, with the introduction of measures to ensure a high common level of cyber security both nationally and throughout the European Union.

The adoption of this decree comes in an increasingly digitized context, in which cyber security has emerged as a crucial priority. Indeed, cyber threats are becoming increasingly sophisticated, endangering the stability of critical infrastructures and the protection of sensitive data.

Against this backdrop, the Legislative Decree implementing the NIS 2 directive stands as a milestone in strengthening cybersecurity, both for Italy and the European Union.

The measure primarily aims to protect essential infrastructure by introducing new obligations for companies considered crucial to the economy and society. These measures are designed to increase resilience and reduce vulnerability to growing cyber threats.

Technical Requirements

One of the main objectives of the regulation is to ensure that entities subject to the NIS 2 Directive take proportionate technical and methodological measures to manage cyber risks. These measures must be tailored to the specific risks to which entities are exposed, considering factors such as their size, likelihood of incidents, and severity of incidents, including economic and social impacts. The technical requirements are based on recognized international standards, such as ISO/IEC 27001 and ETSI EN 319, and must be tailored to the operational characteristics of each entity.

The regulation requires the adoption of a systematic approach to risk management, including policies dedicated to network and information system security. Recommended measures include access management and network segmentation to ensure that only authorized individuals and systems can access critical resources.

One relevant aspect concerns small and medium-sized enterprises (SMEs), which can take compensatory measures if they have difficulty fully meeting technical or methodological requirements. However, such measures need to be documented and alternative solutions implemented to mitigate risks.

Significant incidents

A central point of the regulation is the definition of “significant incident” (Art. 3), which occurs when at least one of the following criteria is met:

  • Direct economic damage exceeding 500,000 euros or 5 percent of the entity's total annual turnover (whichever is less);

  • Exfiltration of trade secrets within the meaning of Directive (EU) 2016/943;

  • Death of an individual;

  • Significant damage to the health of an individual.

Excluded are planned events, such as planned outages, which do not fall into the category of significant incidents.

To assess the impact of incidents, the regulation requires entities to consider the number of users directly affected, including both end customers and entities that use the services provided.

The regulation also introduces the concept of recurring incidents (Article 4). If multiple minor incidents with a common cause occur within a six-month period and together meet the criteria of a significant incident, they are treated as one major incident. This approach aims to identify systemic deficiencies in risk management and strengthen overall safety.

Risk management

Entities must develop a risk management plan that includes the identification, analysis, and treatment of network and information system security risks. This plan should be reviewed at least annually or when significant operational changes occur.

A key aspect is the adoption of basic cyber hygiene practices, such as:

  • Network segmentation;

  • Multifactor authentication;

  • Regular software updates;

  • Protection against phishing and other social engineering techniques.

In addition, entities should promote awareness and training programs for employees and vendors, with periodic updates to account for evolutions in the threat landscape. Their effectiveness should be verified through regular testing.

To ensure operational resilience, entities are required to have business continuity and disaster recovery plans in place. These must include business impact analysis, recovery goals, and roles and responsibilities in the event of a disaster. Plans should be tested and updated regularly to ensure their effectiveness.

The supply chain

Risk management also extends to suppliers and supply chain partners. The regulation requires entities to establish specific policies for supply chain security, including criteria for selecting and contracting suppliers. These criteria must evaluate cybersecurity practices and suppliers' ability to meet the requirements.

Entities should continuously monitor suppliers and update contracts to ensure compliance with security specifications. The use of cybersecurity certifications is encouraged to ensure that products and services meet appropriate standards of protection.

In summary, the regulation aims to build a more secure and resilient ecosystem by strengthening cybersecurity at all levels, from individual entities to entire supply chains, promoting effective risk prevention and management.

EU General Court confirms invalidity of Chiquita trade mark: lack of distinctiveness


Gianpaolo Todisco - Partner

The General Court of the European Union has upheld the decision of the European Union Intellectual Property Office (EUIPO) to invalidate the trademark registered by Chiquita Brands, represented by a blue and yellow oval, for fresh fruit, including bananas. The ruling states that the mark does not possess sufficient distinctiveness to identify the commercial origin of the goods and, therefore, cannot benefit from exclusive legal protection.

The background of the case

Chiquita Brands had registered the trade mark with the EUIPO for a wide range of food products. However, in 2020, the French company Compagnie financière de participation filed an application for cancellation, claiming that the blue and yellow oval lacked distinctiveness for products related to fresh fruit.

In May 2023, the EUIPO partially granted the request, invalidating the mark for fresh fruit, including bananas. The decision was based on the inability of the mark to distinguish itself effectively in the marketplace and the insufficiency of the evidence provided by Chiquita to prove that the symbol had acquired distinctiveness through prolonged use.

The grounds for the judgment

The EU General Court dismissed Chiquita's appeal, confirming the invalidity of the fresh fruit trade mark on the basis of three main arguments:

1. Form and characteristics of the mark

The mark consists of a simple oval, a common geometric shape with no significant distinctive elements.

In the banana sector, oval labels are widely used for practical reasons, such as easy application on curved fruits, thus reducing the possibility of considering them a unique element.

2. Colours used

The colour combination blue and yellow, while visually recognisable, is commonly used in the fresh fruit sector and does not possess a unique or distinctive character.

3. Insufficient evidence of acquired distinctiveness

Most of the evidence submitted by Chiquita concerned only four EU Member States, without demonstrating uniform EU-wide recognition of the mark.

In much of the evidence provided, the oval mark was always associated with the word ‘Chiquita’ or other graphic elements, making it difficult to attribute actual distinctiveness to the blue and yellow oval alone.

Implications of the decision

The ruling reaffirms a fundamental principle: a trade mark, in order to be protected, must be clearly and unambiguously distinguishable on the market through unique features that make it immediately recognisable from competitors. Common elements, such as geometric shapes or standard colour combinations, are not sufficient without solid evidence of acquired distinctiveness throughout the European Union.

Consequences for Chiquita Brands

Although Chiquita may continue to use the blue and yellow oval in its logo, it will lose exclusive trademark protection for the ‘fresh fruit’ category. This means that other companies could use similar graphics without incurring intellectual property infringement.

The decision is a warning to companies aiming to register trademarks based on generic or widely used elements, emphasising the importance of demonstrating distinctive value through broad and documented consumer perception at the European level.

How the Fashion Industry Protects Handbags.

Gianpaolo Todisco - Partner

Designer handbags have long been iconic symbols, representing not only the prestige of a brand but also reflecting the status and individuality of their owners. These bags bear the names of some of the most influential fashion houses and celebrities, such as Beyoncé, who elevate their style with these luxurious accessories. However, with their popularity comes the challenge of counterfeiting, which—although widespread—cannot be condoned.

Renowned brands like Hermès, Chanel, and Louis Vuitton rely on a combination of intellectual property rights to protect their brand identities and safeguard their market position. At the same time, handbags provide an essential platform for emerging designers, offering them an opportunity to capture attention quickly and make a name for themselves.

A single handbag can benefit from multiple layers of intellectual property protection. For example, consider the 2017 collaboration between artist Jeff Koons and Louis Vuitton. In this case, the artwork featured on the handbag is protected by copyright, the brand name and logo are covered by trademarks, and the bag's overall shape is safeguarded by industrial design rights. If the handbag incorporates innovative materials or features a novel production process, these elements might also qualify for patent protection. This multi-faceted approach is particularly appealing to younger generations, including Millennials and Gen Z, who frequently showcase their fashion choices on social media platforms like Instagram, often using brands to express their identity.

1. Trademarks

Trademarks are one of the most vital forms of protection in the fashion industry, safeguarding distinctive brand names, logos, and symbols that indicate the source of the product. Fashion houses heavily rely on trademarks because they can be renewed indefinitely, provided they remain in use. Over time, their value increases, making them invaluable assets for these companies. Louis Vuitton’s logo, for instance, is one of the most recognized and powerful trademarks in the world. Founded in 1854, Louis Vuitton secured protection for its iconic "monogram toile" in 1896. Given its longstanding reputation, the brand adopts a strict zero-tolerance stance on counterfeiting, viewing the protection of designer creativity and intellectual property as fundamental to its longevity.

Trademark infringement, particularly in the form of counterfeiting, leads to consumer confusion and can significantly damage a designer's reputation, making it a contentious issue in the fashion world. To register a trademark, the brand must prove that it is distinctive. In cases of infringement, the burden falls on the brand to demonstrate that the counterfeit mark creates a likelihood of confusion regarding the product’s origin.

2. Copyright

Copyright protection can be applied to a handbag, but its coverage is limited. It safeguards original creations, including artistic designs, motifs, and decorative elements incorporated into the bag. However, functional aspects like shape or construction are not protected by copyright and must be defended through other legal mechanisms. One of the key advantages of copyright is that, in many jurisdictions, it does not require formal registration. Designers can enforce their rights if necessary, without going through a lengthy registration process.

3. Patents

Patents offer protection for specific components or innovations in handbag design, but obtaining them can be a complex and time-consuming process. Brands like Hermès and Louis Vuitton, with significant financial and legal resources, are capable of securing patent protection, even when the outcome of enforcement efforts may be uncertain. To qualify for a patent, the product must be novel, useful, and non-obvious to experts in the field. For example, a newly developed clasp or an innovative fabric might be eligible for patent protection. Louis Vuitton, for instance, obtained its first patent for a lock in 1890, and more recently, patented a handbag featuring a flexible OLED screen.

4. Industrial Design Rights

Industrial design rights (or design patents) are particularly effective in protecting the aesthetic aspects of handbags. These rights cover the visual elements of a product, including its shape, patterns, and colors. Industrial design rights can often bypass the need to prove distinctiveness or likelihood of confusion, making them a strategic choice for fashion houses like Hermès, Chanel, and even up-and-coming designers such as Victoria Beckham.

5. Unfair Competition

In addition to the specific intellectual property protections outlined above, fashion companies can also invoke unfair competition laws to guard against imitation. By filing claims for unfair competition, brands can target competitors that produce items mimicking the overall look and feel of their products. To prevail, the company must demonstrate that the design is distinctive and that the imitation has caused consumer confusion or damaged the company’s reputation.

Conclusion

By applying a combination of intellectual property rights, fashion designers and brands gain exclusive rights to produce and market their creations. Intellectual property not only turns seasonal products like handbags into timeless, iconic pieces but also strengthens the brand identity of the companies behind them. In this way, intellectual property plays a critical role in protecting innovation, preserving brand reputation, and sustaining the fashion industry as a whole.

The Court of Bologna rules on photographer's authorial rights and photographs posted on social networks.

Gianpaolo Todisco - Partner

The Court of Bologna recently ruled on the publication of a photograph in newspapers, stating that when there is a public interest, it limits the exclusive rights of the author. While the latter cannot oppose the reproduction and dissemination of the image, he is still entitled to receive fair compensation. However, the newspaper wishing to publish a photograph depicting a news personality must obtain the author's permission in advance, if the author is known.

It is not sufficient for the owner of the social profile on which a digital content was posted to assume that he or she holds the copyright to the photograph. If the photo was initially shared on a third party's Facebook profile, and not by the person who took it, this presumption has no value.

Bad faith cannot be equated with negligence, as it implies intentionally malicious behavior. Accordingly, bad faith cannot be said to exist in the case of downloading a photograph posted on a third party's Facebook profile without a digital watermark, unless it can be proven that the person who reproduced the photo was already aware of the author's identity at the time of publication. Such proof is the responsibility of the author of the photograph.

Furthermore, for the purposes of proving the reproducer's bad faith, the fact that the content was downloaded without first seeking permission from the owner of the social profile on which it was posted is irrelevant. Nor can acceptance of the risk of infringing the rights of third parties (as in the case of the Facebook profile holder) be considered bad faith against the author of the photograph.

Finally, any subsequent agreements reached between the reproducer and other news outlets that published the same photograph without consent do not constitute evidence of bad faith.

Recent legislative proposals on AI and Copyright.

Gianpaolo Todisco - Partner

Recently the Senate proposed to insert in Article 171, paragraph 1, of Law No. 633 of April 22, 1941 (Copyright Law), a letter a-ter, under which the following shall be punished

anyone who, without having the right to do so, for any purpose and in any form, reproduces or extracts text or data from works or other materials available on the Internet or in databases in violation of Articles 70-ter and 70-quater, including through artificial intelligence systems.

Artificial intelligence system” is defined as ”an automated system designed to operate with varying levels of autonomy and which may exhibit adaptability after deployment and which, for explicit or implicit purposes, deduces from theinput it receives how to generate output such as predictions, content, recommendations or decisions that may affect physical or virtual environments.”

It should, by the way, be added that the d.d.l. inserts Article 70-septies into the L.D.A., according to which the reproduction and extraction of works or other materials through artificial intelligence models and systems, including generative ones, are allowed in accordance with Articles 70-ter and 70-quater.

The bill also proposes to introduce the crime of “Unlawful dissemination of content generated or manipulated with artificial intelligence systems” (Article 612-quater of the Criminal Code):

Whoever causes unjust damage to a person by giving, publishing, or otherwise disseminating, without his or her consent, images, videos, or voices that have been falsified or altered through the use of artificial intelligence systems and are likely to mislead as to their genuineness, shall be punished by imprisonment from one to five years.

The crime is punishable on complaint by the offended person.

However, it is prosecuted ex officio if the act is connected with another crime for which it is to be prosecuted ex officio, or if it is committed against a person who is incapacitated by age or infirmity, or a public authority because of the functions exercised

Nothing is provided regarding the liability of the entity under Legislative Decree 231/2001.

Again: the “having committed the act through the use of artificial intelligence systems” (as such, regardless of insidious use) will constitute an aggravating circumstance for the following crimes:

  • Substitution of person (art. 494, Criminal Code)

  • Fraudulent raising and lowering of prices in the public market or on trading exchanges (art 501 criminal code)

  • Fraud (art 640 c.p.)

  • Computer fraud (art 640-ter c.p.)

  • Money laundering (art 648-bis c.p.)

  • Money laundering (art 648-ter c.p.)

  • Self-laundering (art 648-ter.1)

  • Agiotage (art 2637 c.c.)

  • Market manipulation (art 185 T.U.F.)

Finally, the government is delegated to adopt one or more legislative decrees to organically define the regulation of cases of use of artificial intelligence systems for illicit purposes.

Investigation launched against Shein for alleged misleading advertising on environmental sustainability.

Gianpaolo Todisco - Partner

The Competition and Market Authority has launched an investigation against Infinite Styles Services CO. Limited, the Dublin-based company that operates Shein's Italian website. The investigation concerns the possible deceptiveness of some environmental claims in the “#SHEINTHEKNOW,” “evoluSHEIN” and “Social Responsibility” sections of the shein.com website.

According to the Authority, promotional messages regarding the sustainability of Shein's garments could be vague, confusing or misleading. In particular, reference is made to the use of terms such as “circularity” and the “sustainable” quality of the evoluSHEIN collection, which could lead consumers to believe that the products contain more environmentally friendly fibers than is actually the case. In addition, information on the limited recyclability of the garments themselves would be omitted.

The Authority also points out that Shein would vaguely emphasize its commitment to the decarbonization process, despite the fact that its 2022 and 2023 sustainability reports indicate an increase in greenhouse gas emissions, contradicting its claims.

The investigation aims to assess whether the company has adopted potentially misleading communication practices regarding environmental sustainability, with a focus on the impact of the “fast fashion” sector in which it operates.

The Privacy Guarantor's Measure of June 6, 2024: Implications for Italian and Multinational Enterprises on the Retention of Employee Post@ Metadata

Andrea Antognini - Of Counsel

Introduction

On June 6, 2024, the Garante per la Protezione dei Dati Personali (Garante for the Protection of Personal Data) issued an important measure regarding the use of computer programs and services to manage employee email and the processing of related metadata. This policy document aims to provide guidelines for Italian and foreign companies to ensure compliance with personal data protection regulations.

So the Guarantor's document at first glance would seem non-binding, but that is not really the case, as will be seen below.

Regulatory Context

The measure is based on a number of key normative references, including:

  • The Regulation (EU) 2016/679 (GDPR)

  • The Legislative Decree 196/2003 (Privacy Code)

  • Law No. 300 of May 20, 1970 (Workers' Statute)

In particular, the GDPR and the Privacy Code establish the conditions for the lawful processing of personal data, while the Workers' Statute regulates the use of remote control tools in the work context.

Objectives of the Measure

The policy document aims to:

  1. Draw attention to the risks associated with the prior and widespread collection of e-mail metadata by computer programs.

  2. Provide guidance to employers on the management of metadata to ensure proper operation of the e-mail system and computer security, without violating workers' rights.

  3. Promote awareness of employers' technical and organizational choices in accordance with data protection regulations.

Risks and Critical Issues

The Garante found that many email programs and services, especially those offered in cloud mode, collect metadata by default, storing it for extended periods of time. Such metadata may include information such as e-mail addresses, IP addresses, sending and receiving times, message size, and in some cases even the subject line of messages. This preemptive and blanket processing of metadata poses significant privacy risks to employees, as it can lead to indirect monitoring of their activity.

Guidance for Employers

The Guarantor has provided specific recommendations for employers, including:

  • Limit the collection and retention of metadata to only the data necessary for the proper operation and security of the e-mail system.

  • Adopt short retention periods, preferably not exceeding 21 days, except in exceptional cases that are adequately justified.

  • Clearly inform workers about the manner and purpose of processing their personal data.

  • Ensure that e-mail service providers adopt data protection measures by design and by default.

Profiles of Interest for Foreign and Multinational Enterprises

For foreign companies and multinational groups that operate in Italy or process data of Italian citizens, this measure is particularly relevant. Indeed, such companies, whether based in or targeting Italian citizens, must ensure that their data management practices comply not only with the GDPR but also with Italian regulations and practices.

Supplier Management

Another crucial aspect concerns the management of cloud and software service providers. Enterprises must verify that their suppliers comply with Italian and European data protection regulations. This includes the need to select suppliers that implement adequate security measures and are willing to comply with the specific data retention requirements of the Garante's order.

Impact on Employment Contracts

Companies may need to review privacy policies and related company policies to ensure that employees are adequately informed about the processing of their personal data and their data processed lawfully. This is essential not only for regulatory compliance, but also to maintain a climate of trust and transparency within the company.

Conclusions

The Garante's measure is a significant step toward greater protection of workers' privacy in the digital environment. Companies, both Italian and multinational, must comply with the new guidance to avoid penalties and ensure that employee rights are respected. Proper management of metadata not only protects privacy but also helps create a more transparent and secure work environment.

Although the Privacy Guarantor's document is non-binding, discoursing from the guidance it contains, without a coherent rationale, could be interpreted by the Guarantor himself (for example, during an audit) as a lack of accountability for companies and public administrations.

For further details, please consult the full document available on the official website of the Data Protection Authority.

AGCOM'S Decision against Google: Violation of the rules on the prohibition of advertising online gaming.

The Communications Guarantee Authority (AGCOM), following the performance of the ex officio monitoring activity aimed at verifying compliance with the prohibition of advertising relating to games or bets with cash winnings enshrined in Article 9 of the ‘Dignity Decree’, has taken steps to charge Google Ireland Limited with committing an offence by using the ‘Google ADS’ service.

The AGCOM found, between 14 and 15 November 2019, that by typing the keywords “ Casinò Online”, a link with the following description appeared on Google Web Search, in the form of an advertisement: “Join Now To The Brand New Italian Online Casino. Play Over 400 Games Now - Join Now And Register In Less Than 30 Seconds! No downloads. Safe and Secure”. In addition, that site contained a list of links to further websites that, in some cases, allowed paid online gaming.

As a result, the Authority declared a violation of Article 9 of the aforementioned Decree, the aim of which was to combat gambling disorder. The notice of objection was served on 7 January 2020.

After reading the acts, several defence issues were raised and one in particular deserves attention: qualifying Google as an active or passive hosting provider. The former carries out an active conduct, participating with others in the commission of the offence by enriching the use of content in a non-passive manner: filtering, selection, indexing, organisation. The second, on the other hand, is liable for failing to immediately remove the illicit content once he has legal knowledge of the offence. The distinction is relevant to the more favourable liability regime recognised for the latter.

According to the companies belonging to the group, including Google Ireland, they cannot be accused of wrongdoing for the following reason. Considering the description of the functioning of the Google Ads platform, the advertiser chooses the keywords of his ad in complete freedom and is directly responsible for the content. For this reason, Google Ireland can be a passive hosting provider and, pursuant to Article 16 of Legislative Decree No. 70/2003, is not responsible for the information hosted at the request of the recipient of the service as long as it does not have actual knowledge that the activity or information is unlawful or as soon as it becomes aware of such facts, upon notification by the competent authorities, it acts immediately to remove the information or to disable access to it. Moreover, Article 17 does not provide for a general obligation to monitor the information hosted or a general obligation to actively search for facts/circumstances relating to unlawful activities: the company cannot carry out a generalised check on all the content that descends from the ad page. In fact, it would have been the advertiser who wanted to circumvent the verification system set up by Google by engaging in a conduct known as ‘cloaking’, which consists in showing the software an ad destination page that complies with the law, and then showing users a different one.

On the other hand, AGCOM considers, instead, that Google Ads qualifies as a service, for consideration, of indexing and promotion of websites and, therefore, that Google Ireland (as owner of the Google Ads service) undoubtedly falls within the subjects addressed by the prohibition of Article 9 of the ‘Dignity Decree’, as ‘owner of the broadcasting medium’ and ‘provider of paid indexing services.

Therefore, a specific content, the subject of a contract between the platform and the operator of the activity on the web, is contested to the company; this allows it to be affirmed that this stipulation generates an assumption of responsibility by Google. In fact, it is not acceptable, for the same reasons, the assertion that the company exercises the role of merely passive hosting provider, since, in this case, it is not a trivial upload in which the company merely makes available the mere space, but here the space is sold, becoming the object of promotion, thanks to the privileged indexing that sees the site ‘rise’, in order to allow more views by users.

Finally, even if in theory the more favourable regime applied to passive hosting providers were applicable, the conditions would not be met in the present case, since Google was aware of the unlawfulness of the advertising message, having approved it in advance, and did not remove it in a timely manner, given that the same sites could subsequently be reached by typing the same keyword ‘online casino’ on Google Search.

An initial challenge to this measure, on Google's part, was lodged with the Regional Administrative Court in 2021, which, also dwelling on the distinction between active and passive providers, ruled out the existence of the unlawful act ascribed to the companies.

Subsequently, however, with a very recent ruling (13/05/24), the Council of State overturned the thesis of the TAR and the now granitic jurisprudence: Google would not fall within the position of passive hosting provider, but rather active. According to the College, the distinction must be made between Google Web Search and Google ADS, where the former allows users to search for content published by third parties. On the other hand, as regards Google ADS, through which the ad contested by AGCOM was published, it is an online advertising positioning service that allows economic operators to publish “sponsored links” to so-called “destination sites”, which are associated with certain words or search keys, which Google deduces to be chosen by the advertiser.

The Council of State held that this advertising service does not see Google as a mere passive hosting provider, since the company performs a service of indexing and promoting third-party content, thus not remaining ‘neutral’ with respect to that content but promoting it on the market and having its own economic interest in the success of that promotion. Google, in the aforementioned sense, thus achieves ‘control’ over the information published and enables its customers to ‘optimise their online sales’. In the light of this, it therefore found that the conditions required by Community and national case law to qualify an operator as an active hosting provider were fulfilled.

Therefore, the alternative might not be to claim exemption always and in any case, but rather to give up (or reduce the number of) advertisers.

 

Directive 825/2024 on Greenwashing

THE GREENWASHING PHENOMENON

The above-mentioned phenomenon, i.e. window-dressing environmentalism, is a form of communication that many companies, organisations or political institutions risk putting into practice by providing a misleading image, in terms of positive environmental impact. Consequently, the effect of such conduct is precisely to divert public attention from the negative environmental effects generated by the activities or products of the companies themselves. This development, however, jeopardises the accuracy of companies' ecological claims, either by making untruthful or misleading claims about consumers, investors and other market participants (e.g. by presenting a product that is more sustainable than it really is) or by omitting relevant information. This phenomenon is a symptom of competition between entities, the absence of rules and controls, deficiencies in the entity's structures, ethics, corporate governance, etc.

THE DIRECTIVE 824/2024

The aim of this directive is to improve the labelling and durability of products, thus putting an end to misleading claims being made. This approach is intended to help not only consumers in their commercial choices, but also companies, so that they can offer better quality, especially in terms of sustainability. It is important to mention the presence of the following text within the first circular economy package, along with other documents already present.

In addition, this provision places several prohibitions and generic transparency obligations on environmental and sustainability claims. In fact, it will lead to the inclusion of new specific rules in the Consumer Code, thus making it easier for authorities to detect and challenge misleading practices and curbing the phenomenon of Greenwashing.

The best-known AGCM measure on this topic is certainly the one of 20 December 2019 No. 28060 for the implementation of an unfair commercial practice to the detriment of consumers for a fuel advertising campaign.

As of today, the directive has entered into force and Italy is granted until March 2026 as the deadline for implementation.

THE OBJECT OF THE DIRECTIVE

Taking a more specific look, the European Union intends to make product labelling clearer and more reliable by banning the use of misleading and generic environmental claims (e.g. environmentally friendly, animal friendly or terms such as green, natural, biodegradable, eco), at least if they are not supported by evidence.

The main new developments can be summarised as follows:

Regarding “commercial practices considered unfair in any case”, as defined in Annex I of Directive 2005/29/EC, the new Directive 825/2024 adds additional problematic marketing strategies to the already existing list. For instance, it is considered an unfair practice to make environmental claims that contain ‘untruthful’ or generic information about the existence of characteristics attributed to products or, more simply, it is also unfair to make statements about properties pertaining to the entire product, when these are in fact true only about a part of it.

In particular, among the new conduct included in this blacklist, it is worth mentioning the conduct, therefore considered unlawful, of “displaying a sustainability mark that is not based on a certification system or is not established by public authorities”.

A sustainability label is any public or private, voluntary trust mark, quality label or equivalent, which aims to distinguish and promote a product, process or company by reference to its environmental or social characteristics or both, excluding compulsory labels required under EU or national law. Considering the Greenwashing Directive, only sustainability labels based either on certification schemes approved by public authorities or on standards with transparent, fair, and non-discriminatory conditions will be authorised.

Furthermore, about zero impact and climate neutrality, the directive places an absolute ban on companies claiming a neutral, reduced or positive impact on the environment in terms of greenhouse gas emissions, including CO2, because of offsetting. This does not mean preventing companies from advertising their investments in environmental initiatives, including carbon credit projects, as long as they provide this information in a way that is not misleading and complies with the requirements of EU law.

Finally, the directive addresses further points. Firstly, the focus of consumers on the durability of products: in future, warranty information will have to be more visible and a new harmonised label will be created to give more prominence to products with a longer warranty period. Secondly, the new rules prohibit unsubstantiated durability claims, false statements about the reparability of a product and the invitation to replace consumer goods earlier than necessary.

A SPECIAL FOCUS ON THE TEXTILE SECTOR

The Commission will ask the fashion industry to replace hazardous substances in textile products placed on the European market and to adopt responsible and innovative fibre-to-fibre recycling. In the light of this, manufacturers will have to take responsibility for products along their ‘value chain’, urgently defining European End of Waste legislation and harmonising rules for extended textile producer responsibility and economic incentives to make products more sustainable.

DECISIONAL DEADLOCK IN CORPORATIONS

DECISIONAL DEADLOCK IN CORPORATIONS

What is a decision deadlock?

Decisional deadlock occurs when the governing bodies of a company fail to make decisions due to lack of necessary majorities. This can occur due to disagreement among shareholders or directors, or due to their inertia in corporate activities. Conflicts can arise for various reasons, such as divergent visions or different economic interests. Such a scenario is even more possible and evident in the presence of equal partners (50%-50%). Stalemate situations ultimately result in the unfeasibility of the objectives of the business activity.

What are the possible solutions

  • The best way to avoid deadlock situations is to anticipate them through the adoption of some preventive measures. The first remedy is the introduction of deadlock clauses in the statute or in shareholders' agreements. The latter aim to stabilize ownership structures or govern the company. Deadlock clauses come in various forms, such as those that provide for mechanisms of consultation and preventive conciliation, up to the casting vote, which allows a shareholder to have the decisive vote in the event of a deadlock, often not easily predictable, as it implies the subordinate position of one or more shareholders towards others. It is more complicated to foresee that the deadlock decision is delegated to third parties outside the company. Sometimes the best solution has been found in granting one or more shareholders a put option, i.e., the right to sell their shares at a predetermined (or determinable) price, or a call option whereby one or more shareholders have the right to purchase the shares of others. There is also the so-called Russian roulette clause, which envisages that in the event of a deadlock, one shareholder may require the other to choose between buying the offering shareholder's stake at the price proposed by him or selling his own stake to him at the same price. Another possible deadlock solution is related to the statutory discipline of the right of withdrawal, with the provision of additional withdrawal scenarios, in addition to those provided by law, taking into account possible conflicts among shareholders.

A practical example of employing the Russian roulette clause

* In the last few days, the press has reported on a corporate deadlock situation involving a well-known Italian singer and his partner in the management of the company that publishes a popular podcast. One of the two equal partners offered to take over the shares of the other partner, thus activating the Russian roulette clause. The partner who received the offer, by refusing to sell his shares, found himself in a position to buy the shares of the bidder who, in turn, refused to sell them. The matter resulted in precautionary proceedings. This demonstrates that the Russian roulette clause is a rather complex mechanism to manage, both in the preventive phase and, in some cases, in the enforcement phase.

Conclusions

  • In the lifetime of a company, it is more frequent than people think to be facing deadlock situations. In such cases, the activity may have negative implications both in terms of results and internal relations. Therefore, before starting an activity in company form, it would be worthwhile investing time in the design and planning phase of the best possible set-up

Piracy Shield: Introduction to AGCOM Regulation

Piracy Shield

The recent implementation of the Piracy Shield represents a significant development in the landscape of measures to counter online piracy, with particular reference to illegal IPTV broadcasts. The initiative, carried out in accordance with Law No. 93 of July 14, 2023, and the AGCOM regulation on the protection of online copyright (resolution No. 680/13/CONS, amended by resolution No. 189/23/CONS), offers an automated approach to managing copyright infringement reports.

Efficiency and Promptness in Law Enforcemen

  • Through the Piracy Shield, reports from rights holders can be transmitted to Internet service providers, who are required to respond within thirty minutes, by blocking the reported pirate sites. This prompt response aims to minimize the period of time during which illegal content is accessible to the public, in accordance with Article 9-bis, paragraph 4-bis of the AGCOM regulation.

A Collaborative Approach

  • The implementation of the Piracy Shield is the result of a close collaboration between various entities, including the Competition and Market Authority (AGCM), the Authority for Communications Guarantees (AGCOM), the National Anti-Corruption Authority (ANAC), and the National Cybersecurity Agency (ACN). Furthermore, the involvement of major associations of Internet service providers and numerous other operators has ensured an inclusive and representative approach.

Consequences and Future Outlooks

  • The introduction of the Piracy Shield represents a significant step forward in the fight against online piracy in the context of illegal IPTV broadcasts. However, it is essential to also consider the long-term implications of such an initiative. For example, it is necessary to assess the effectiveness of the Piracy Shield in reducing the spread of illegal content and deterring pirate operators. Furthermore, it is important to monitor any regulatory and technological developments that may affect the effectiveness of the Piracy Shield over time.

  • In conclusion, the implementation of the Piracy Shield represents a significant progress in the realm of online copyright protection, but it requires continuous monitoring and critical evaluation to ensure its long-term success.

Introduction to the EU Data Act: Revolution in the non-personal data market

Introduction to the EU Data Act: Revolution in the non-personal data market: Innovation and business in the IoT market

Last January 11, 2024, the long-awaited and heralded EU Regulation, known as the "Data Act" (Regulation (EU) 2023/2854), entered into force. It is scheduled to apply from September 12, 2025 for most provisions and from September 12, 2026 for specific provisions related to the design of new related products and services. This large timeframe is intended -as is often the case with EU Regulations with major impacts on business organization (see, for example, GDPR) -to allow companies to adapt their procedures and business models to the new and stringent requirements dictated by the legislation.

To give an initial general background, we point out that the Data Act:

  • fits into the 2020 "European Data Strategy," which aims to create a single market allowing data to circulate freely within the EU and across all sectors, for the benefit of businesses, researchers and public administrations;
  • follows the publication -and subsequent effectiveness from September 2023- of the "Data Governance Act," which in turn aims to establish a regulatory framework for the enabling,** sharing and use of data** within the European Union, promoting access to and reuse of data, while respecting data protection and privacy rules;
  • pursues the goal of enabling, promoting and regulating the sharing and commercialization of non-personal data generated by Internet of Things (IoT) devices among enterprises and with government agencies. Given its nature and context, the Data Act will need to be applied with due consideration of all related EU regulations on privacy (GDPR), e-commerce and digital services (Digital Service and Market Acts), and Artificial Intelligence (AI Act, forthcoming).

The innovative scope of the legislation can already be understood by reading some specific provisions of this legislation:

  • Article 3: Requires IoT products to be designed to provide end users with access to the data generated in a simple, secure and free way. Enterprises will have to incorporate appropriate data access mechanisms into their technical solutions, ensuring that the data is provided in standardized and easily usable formats. Enterprises must then review the design of their products to ensure compliance with the principles of accessibility and transparency.
  • Article 4.3: requires service providers related to IoT products to inform users about the nature of the data generated and how it can be accessed and shared. This calls for a transparent communication approach, where companies will have to develop and share clear and understandable documentation on how users can retrieve and use their data, thus stimulating greater trust and collaboration with end users.
  • Article 8.1: requires parties who, by contract or regulatory obligation, will have to make data available to third parties to do so on fair, reasonable, non-discriminatory terms and in a transparent manner, promoting fair competition and preventing monopolistic or restrictive practices in the data market.
  • Article 9.1: specifies that the compensation agreed upon between the owner and recipient of data for making data available in business-to-business relationships shall be non-discriminatory and reasonable and may include a margin. Thus, parties involved in data-based transactions must negotiate and establish fair agreements that reflect the value of the shared data, ensuring a fair distribution of the benefits derived from its commercialization.

These predictions make us realize that the legislation not only establishes obligations but also opens up new avenues for data monetization and innovation. Sharing data according to principles of fairness and transparency will promote a more collaborative and competitive digital ecosystem, where companies will be able to develop new services or improve existing ones through access to previously inaccessible data. Business development will also be able to be fostered by providers of “intermediation services” (a figure already envisioned by the Data Governance Act) who will carry out economic activity aimed at creating business relationships based on data sharing between users and third parties.

In this area, some studies on the operational application of the Data Act are already available, such as the "Study for developing criteria for assessing 'reasonable compensation' in the case of statutory data access right" prepared for the European Commission to better understand the assumptions on the basis of which it will be possible to establish the fairness of compensation arising from the buying and selling of data. Through the analysis of case studies and the application of economic models, it proposes an approach for establishing compensation that reflects the true value of shared data, promoting a balanced market environment that incentivizes collaboration and innovation.

Further of note is that the Data Act establishes minimum requirements for agreements between customers and providers of data processing services, such as cloud services, making it easier for customers to switch to other providers and providing for the phasing out of data exit fees, and requiring transparent measures regarding jurisdiction and strategies to prevent unauthorized government access to non-personal data, avoiding conflicts with EU or member state laws.

In conclusion

The Data Act is a significant step toward realizing Europe's vision of an open, secure and competitive digital single market. By facilitating the sharing and commercialization of non-personal data, it introduces new rules of the game for producers, consumers and data intermediaries, spurring innovation and creating new business opportunities.** Companies are being called upon to adapt to these changes**, preparing to navigate an evolved regulatory landscape that places the value of data at its core in an ethical and sustainable manner. As implementation dates approach, it is critical that all stakeholders actively engage to understand the implications and take full advantage of the potential offered by the Data Act.

For further discussion, David Ottolenghi, Senior Counsel, Clovers.

AI Act: New scenarios in the regulation of artificial intelligence

The AI ACT, the European Regulation on Artificial Intelligence, was approved by the European Parliament on June 14, will be submitted for consideration by EU countries in the Council, with the aim of becoming law by the end of 2023.  The proposed AI Act takes a risk-based approach and provides for penalties of up to €30,000,000 or up to 6 percent of the previous year's total annual worldwide turnover in the event of infringement.

The proposed EU Regulation on Artificial Intelligence aims to create a reliable legal framework for AI, based on the EU’s fundamental values and rights, with the goal to ensure the safe use of AI, and prevent risks and negative consequences for people and society.

The proposal establishes harmonized rules for the development, marketing, and use of AI systems in the EU through a risk-based approach with different compliance obligations depending on the level of risk (low, medium, or high) that software and applications may pose to people's fundamental rights: The higher the risk, the greater the compliance requirements and responsibilities of developers.

In particular, the AI Act proposes a fundamental distinction between:

-          "Prohibited Artificial Intelligence Practices", that create an unacceptable risk, for example, for the violation of EU fundamental rights. This includes systems that:

o   Use subliminal techniques that act without a person's knowledge or that exploit physical or mental vulnerabilities and are such as to cause physical or psychological harm;

o   Used by public authorities, such as, social scoring, real-time remote biometric identification in public spaces, predictive policing based of indiscriminate collection, and facial recognition unless there is a specific need or judicial authorization.

-          "High-Risk AI Systems" that pose a high risk to the health, safety or fundamental rights of individuals, such as systems that enable biometric Identification and categorization of individuals, to determine access to educational and vocational training institutions, to score admission tests or conduct personnel selection activities, to be used for political elections, etc. The placing on the market and use of this type of systems, therefore, is not prohibited but requires compliance with specific requirements and the performance of prior conformity assessments.

In particular, these systems must comply with a number of specific rules, including:

-          Establishment and maintenance of a risk management system: it is mandatory to establish and maintain an active risk management system for artificial intelligence (AI) systems.

-          Quality criteria for data and models: AI systems must be developed according to specific qualitative criteria for the data used and the models implemented to ensure the reliability and accuracy of the results produced.

-          Documentation of development and operation: Adequate documentation of the development of a given AI system and its operation in required, including the systems’ compliance with applicable regulations.

-          Transparency to users: it is mandatory to provide users with clear and understandable information on how AI systems work, to make them aware about how data are used and how results are generated.

-          Human oversight: AI systems must be designed so that they can be supervised by human beings.

-          Accuracy, robustness and cybersecurity: it is imperative to ensure that AI systems are reliable, accurate and secure. This includes taking steps to prevent errors or malfunctions that could cause harm or undesirable outcomes.

In some cases, conformity assessment can be carried out independently by the manufacturer of AI systems, while in other cases it may be necessary to involve an external conformity assessment body.

-          "Limited Risk AI Systems" that do not pose significant risks and for which there are general requirements for information and transparency to the user. For example, systems that interact with humans (e.g., virtual assistant), that are used to detect emotions, or that generate or manipulate content (e.g., Chat GPT), must adequately disclose the use of automated systems, including for the purpose of enabling informed choices or opting out of certain solutions.

The Regulation is structured in a flexible way so that it can be applied or adapted to different cases that may arise as a result of technological developments. The Regulation also takes into account and ensures the application of complementary rules, such as those on data protection, consumer protection and the Internet of Things (IoT).

The Regulation provides for fines of up to 30 million euros or up to 6 percent of the total annual worldwide turnover of the preceding year in case of violation.

As mentioned above, the text approved by the European Parliament will be submitted to the Council for consideration, with the aim of being adopted by the end of 2023. If so, it will be the first legislation in the world to address in such a comprehensive and detailed manner the potential issues arising from placing AI systems on the market.

We will provide updates on future regulatory developments

For details and information, please contact David Ottolenghi of Clovers.

 

The Milan Court rules on a dispute concerning the protection of the "Love" bench

It is from the end of December that the Court of Milan (in complaint) recognized the tort of unfair competition for slavish imitation against the "Amore" bench produced by Slide S.r.l., created by Slide's founder, Giuseppe Colonna Romano, and commercialized by Slide for more than 10 years.

Slide is specialized in the creation and production of furniture elements, mainly for outdoor use, including special polyethylene objects, and in 2021 Slide had noticed the commercialization and promotion by a Venetian company, its competitor, of a bench highly similar to the "Amore" bench called "Welcome."

Slide then promptly sued the Court of Milan so that, in the face of the unlawful conduct of the Venetian company, it would inhibit the latter from producing and commercializing the imitative product.

The Court of Milan, in its complaint, upheld Slide's claims, recognizing first of all the market accreditation of the "Amore" bench product, as an iconic product that is widely known and appreciated by the public, as well as the unlawful takeover of the essential and individualizing features of the AMORE bench by a competing company.

In particular, the Court ruled that the "distinctive sign imitated is, here, given by the external form of the product and consists of a three-dimensional sign, of which the complainant has suitably demonstrated, according to the College, on the one hand, all the requirements necessary for the invoked protection, namely, distinctive capacity, renown and novelty, as well as, on the other hand, the confusability between the two products." In order to appreciate the existence of these requirements of distinctiveness, renown and novelty with respect to Panca Amore, the Court then confirmed that:

  • the Love Bench is "a bench composed by a word consisting of letters of the alphabet, and it is precisely the outward form that has the individualizing and diversifying efficacy of the complainant's product, compared to other benches on the market. Moreover, in all logical evidence, having regard to the function properly and commonly performed by a bench, it is, here, a matter of a merely arbitrary and whimsical form, and not of a functional form, indispensable or mandatory for the achievement of a certain technical result, nor even useful, even if not strictly necessary to a certain result (here, the seat);
  • Slide "has provided suitable documentary evidence that it has started commercializing "Amore" bench since 2015-unlike the "Welcome" bench, which was first presented on the market only at the end of October 2021-and also that, "thanks to the promotional investments put in place by the complainant, as well as to the extensive marketing, in Italy and abroad, of the Amore bench, it has become so accredited on the market as to be immediately recognizable by the public [. .] through press reviews, the number of pieces sold and the relative turnover achieved, exhibition uses, sponsored promotions, and displays in furniture salons."
  • in relation to the form, "there is no suitable evidence that, before Slide, or even at the same time, other companies in the sector have produced and offered for sale manufactured goods with the peculiar characteristics peculiar to the Amore bench."

In conclusion, in relation to the above-mentioned products, the Court found that both all the requirements for protection of the imitated form and the danger of confusion by slavish imitation were met, on the basis of the general impression derived from their overall appearance, with respect to which the differential elements consist of mere individual details, incapable of impressing themselves on the consumer's mind in such a way as to enable him to distinguish the origin from entrepreneur other than Slide.

This is an important measure that, in addition to recognize the value of the design conceived and produced by Giò Colonna Romano for Slide, will allow it to protect a unique product such as Panca Amore from any further copies and imitations.

IDEAS POWERED FOR BUSINESS – THE 2023 FUND FOR SMES

Laura Bussoli - Senior Associate

Eleonora Carletti - Associate

Also for 2023, the European Union is once again making available a fund to provide financial support to small and medium-sized enterprises (“SMEs”) based within the European Union that want to invest in the protection of their intellectual property assets, in particular, trademarks and designs/models.

The Ideas Powered for Business Fund, with an endowment of about 25 million euros, aims to prevent the economic crisis for small and medium-sized enterprises that would otherwise be forced to give up the protection of their industrial property assets.

The funds made available to companies will be provided, in the form of vouchers that will be issued, upon the application of the interested party, following the EUIPO's examination of the existence of the subjective and objective requirements provided by the Fund.

EU SMEs are classified as illustrated in the following table:

Vouchers can only be used for activities after they are issued and can only cover the following activities:

  • Voucher 1: IP pre-diagnosis services (so-called “IP Scan”). This is a tool available to SMEs, using the aid of IP experts to develop a business strategy with reference to the protection of their IP assets. The planned subsidy is for a maximum amount of 1,350 euros for each company.
  • Voucher 2: applications for registration of trademarks, designs and models up to a maximum amount of 1,000 euros for each enterprise. In more detail, it will be possible to obtain a refund of:

a. 75% refund on fees for EU trademark and/or design applications, fees for additional classes, and fees for examination, registration, publication and deferment of publication.

b. 75% refund on national or regional fees for trademark and/or design applications, fees for additional classes, and fees for examination, registration, publication, and deferment of publication.

c. 50% refund on basic fees for trademark and/or design applications, designation fees, and subsequent designation fees outside the EU. Designation fees from EU countries are excluded, as are handling fees charged by the office of origin.

Thus, vouchers can be used to obtain refund of fees in relation to trademarks and designs filed directly with EUIPO and/or member state intellectual property offices (reimbursement until 75 percent), as well as for trademarks filed through the Madrid International System and designs filed through the Hague International System (up to 50 percent reimbursement). Legal fees are excluded from voucher coverage.

You can apply from January 23, 2023, to December 8, 2023, keeping in mind that funds are limited and disbursed on a first-come, first-served basis.

The grant application must be submitted online, using the template (eForm) available at https://euipo.europa.eu/ohimportal/it/help-sme-fund-2023 and attaching documents to demonstrate the necessary subjective requirements.

Before starting the application process for the SME Fund, it is necessary to have already defined a clear IP protection strategy. Therefore, it is necessary to have all information and designs related to your IP assets (e.g., trademarks and logos, inventions, new technologies, original software, new designs, unique processes, etc.).

Clovers Law Firm is available for any additional assistance or information you may wish to have regarding the procedure to obtain EU funding.

New ransomware campaign: companies with outdated software are under attack

The attack now in progress is a ransomware attack, in which cybercriminals enter systems through an infected link or phishing email and encrypt data of the enterprise. VMWare ESXi virtualization systems are very popular and used by many companies, and a compromise of these systems could have disruptive impacts on critical services such as banking or healthcare. That's because virtualization systems underpin most enterprise information systems, bypassing downstream application protections and entering directly into upstream systems.

Ransomware is a type of malware that prevents access to data on a computer using encryption. The goal is to obtain a ransom payment in exchange for decrypting data. These attacks are purely extortionate and do not aim to erase or disseminate data, but simply to prevent access to it. However, they can have serious consequences for businesses and individual users, as their personal data (common and sensitive) could be resold to third parties, disseminated, lost forever, or held hostage for a long time, causing economic and reputational damage, as well as the risk of facing penalties provided by law.

The current attack is directed against VMware ESXi servers and is targeting companies in Europe and North America. The National Agency for Information Security (ACN) in Italy has invited companies using these VMware products to upgrade immediately in order to avoid becoming victims of this cybercrime campaign.

According to ANSA, in addition to servers in Italy, hackers have also targeted those located in France, Finland, the United States and Canada. In Italy, entities in the public and private sectors have already been affected.

In the United States, cybersecurity authorities are also analyzing incoming reports. The Cybersecurity and Infrastructure Security Agency (CISA) is working with its public and private partners to assess the impacts of these incidents and provide assistance where needed.

A VMware representative confirmed that hackers are exploiting a vulnerability discovered in early 2021 and corrected in February of the same year. The company has also asked its customers to immediately apply the "patch", which have been available for years.

According to a report published by The Stack, more than 500 companies were affected by this campaign, which was effectively a ransomware attack. Companies in France have been the hardest hit, with the French government's cybersecurity incident response team, CERT-FR, describing the attack as semi-automated and targeting servers vulnerable to CVE-2021-21974.

The vulnerability, described as an OpenSLP HeapOverflow vulnerability, allows cybercriminals to execute code remotely. It is currently unknown which ransomware group initiated the attack and which encoder was used, but it is estimated that about 20 servers are affected every hour.

In this context, it is of paramount importance that companies take the right precautions to protect the security of their data and computer systems. A first measure is to monitor any vulnerabilities in the software used, and then promptly apply available security patches.

But there is more. In order to have an adequate protection, it is also important to rely on experienced cybersecurity consultants who can provide an assessment of the risks and vulnerabilities, as well as any measures to be taken to prevent them, as well as having qualified legal support to assist these processes.

In case companies suffered a ransomware attack, they should immediately seek the help of competent technicians and a lawyer specialized in cyber law to assess their options.

Firstly, it is important to check if there has been a data breach and, if so, follow the appropriate legal procedures to protect their own data and customer information.

Second, it is necessary to understand whether there are any legal obligations related to reporting the data breach to third parties, such as customers or relevant authorities.

In addition, it will be important to determine if there are any policies governing the use of data and how such contracts or policies may affect the legal situation.

Finally, the company will have to consider whether or not to accept paying the requested ransom, taking into account the legal risks and potential long-term effects on corporate reputation.

Thom Browne wins against adidas in stripes war

New York designer Thom Browne's company (part of the Ermenegildo Zegna Group since 2018) recently prevailed in a dispute brought by adidas before the District Court for the Southern District of New York to protect its famous trademark consisting of the characteristic three parallel stripes. The U.S. Court recognised that Thom Browne, a designer known for his high-end tailored clothing, had not infringed the German multinational company's trademark rights by affixing a motif consisting of four parallel stripes to his clothing and footwear models.

In reality, the trademark dispute between the two companies had already been pending for a few years. Indeed, as early as 2018, adidas had filed an opposition before the European Union intellectual property office (EUIPO) against a Community trademark application filed by Thom Browne to protect a sign consisting of four parallel stripes. That opposition was followed in 2020 by other oppositions before the United States Patent and Trademark Office in which adidas challenged three trademark applications for red, white and blue stripes to distinguish the footwear produced by the New York designer. adidas considered that all of the above-mentioned trademarks applied for by Thom Browne were confusingly similar with its own earlier registrations claiming the famous three stripes.

Returning to the current decision of the Southern District Court of New York, the German sportswear giant had filed a lawsuit against Thom Browne in June 2021, claiming that Thom Browne's use of a sign consisting of parallel stripes infringed its trademark rights and constituted confusingly unfair competition in the sportswear sector.

In fact, the German company claimed that Thom Browne's use of a mark similar to its own famous three-stripe mark used by adidas for over fifty years caused confusion among consumers as to the origin of the goods themselves, or otherwise led them to believe that there was some collaboration or affiliation between the two companies. In particular, adidas challenged Thom Browne's use of the stripes in a manner similar to its own three-stripes sign, thereby creating confusion in both the aesthetic appearance and the overall commercial impression that such products provided. adidas claimed that, in particular, the products in the category of sportswear and sports shoes manufactured by the American company were identical to the same categories of products that had long been marked with its own three-stripe mark.

In addition to the obvious similarities between the trademarks of the parties, adidas' accusation was also strongly focused on the element of competition because, in order to ground its claim for damages of approximately $8 million, the German company had pointed out to the U.S. judge that Thom Browne was not only using the four stripes in its core business, i.e. high fashion clothing, but was invading in an increasingly aggressive manner the sportswear segment and in general the sectors where adidas is market leader. And this not only with the expansion of its sportswear range, but also through promotional agreements such as the one concluded by Thom Browne with the famous Spanish club F.C. Barcelona.

Arguing the total difference between the respective distribution channels of luxury and sportswear, as well as the wide gap between the prices of the respective products, the American company's defensive argument was obviously centred on the absence of any risk of confusion for consumers. Perhaps more interesting and less obvious is what Thom Browne's defence also argued in noting how adidas waited a long time before taking legal action against its own use of the stripes. As already did in other jurisdictions, also before of the New York Court Thom Browne pointed out that adidas had already objected to Thom Browne's use of three horizontal stripes on his garments as early as 2007, but then tolerated for a long time the use of four parallel horizontal stripes on his apparel products, which Thom Browne had begun on purpose in order to distance himself as far as possible from the German company's trademarks.

In essence, Thom Browne thus argued that adidas' delay in taking action to prevent him from using its own four-stripe trademark was unreasonably long because the German sportswear giant knew, or reasonably should have known, that Thom Browne was using a four horizontal stripes design. For the New York designer's counsel, this would also have constituted implicit proof that the respective striped brands had in fact co-existed on the market for a long time without adidas having suffered any damage.

While Thom Browne obviously welcomed his own acquittal, pointing out that for over twenty years his company has been an innovative brand in the luxury fashion segment, where it offers a completely unique and distinctive design that combines classic tailoring with American sportswear sensibilities. On the other hand, adidas has already declared that it will appeal the New York District Court ruling, a decision that not surprisingly comes on top of other negative ones suffered by the German multinational in the EUIPO and that have already called into question the distinctive character of its three-stripe brand.

The Supreme Court takes stock of the concept of parody in our legal system

Laura Bussoli - Senior Associate

Eleonora Carletti - Junior Associate

By Dec. 30, 2022, in ruling No. 38165, the Supreme Court ruled, among other things, on the legitimacy of an advertisement starring the fictional character Zorro. In this context, the Supreme Court addressed some issues particularly relevant to copyright, such as the protection of fictional characters regardless of the work in which they appear as well as the protection, under certain conditions and within certain limits, of the parody work in our legal system. The issue on which the Supreme Court ruled starts from the broadcasting of an advertising campaign for a well-known mineral water ("Brio Blu") featuring as its protagonist the famous character of Zorro, created by the writer Johnston McCulley in 1919 and on which the U.S. company Zorro Productions Inc. claims copyrights, in addition to other Intellectual Property rights that has been claimed.

In the “infringing” advertising spot, Zorro was used, in a comic and satirical key, in order to advertise a product (water). As a result of this use of the Zorro character, which allegedly took place without authorization, the American company sued the mineral water company, claiming infringement of its copyright on the Zorro character, as well as a long series of breaches related specifically to the protection of its intellectual property rights.

After the first instance, in which the Court of Rome condemned the defendant company to indemnify Zorro production Inc. for the infringement of its copyright, and the second instance, while the Court of Appeal, had denied such damages, on the basis that - according to the judges – the Zorro character is now in the public domain (and, therefore, there would be no valid copyright to protect), the Supreme Court fixed some very important points on copyright, and in particular on the parodistic use of a work (or character) on which - evidently - copyrights are still valid and existing.

First of all, therefore, the Supreme Court excludes the fall into the public domain of copyrights on the work and on the character of Zorro, deeming applicable the Article 25 of our copyright law (L. 633/1941 “LDA”), which provides the copyright protection until the seventieth year after the author’s death.

Secondly, and this is the main issue of this decision, the Court pointed out the content and limits of parody in our legal system. Since our legal system does not expressly provide among the so-called “exceptions” to the copyright protection, the hypothesis of “parody”, according to the Supreme Court the latter finds, instead, full recognition in our legal system pursuant to art. 70 LDA, “as an expression of thought”: according to the Supreme Court in fact, “the lawfulness of the parody of the work or character created by other people finds its basis in the free use referred to in the above mentioned Art. 70, paragraph 1, L. No. 633/1942”. In fact, this article allows the summary, citation or reproduction of extracts or parts of works and their communication to the public, “made for critical use or discussion, within the limits justified by such purposes and as long as they do not constitute competition to the economic use of the work.”

According to the Supreme Court in the very first place, for the purpose of the recognition of the lawfulness of parody, it is not required that the parody acts as a “creative elaboration” or original of the original work in accordance with Article 4 LDA, since the association to the main work is a congenital and fundamental element of the parody itself. Moreover, if this were the case, the Supreme Court points out, it would be necessary from time to time to obtain the authorization of the author of the original work, who would hardly consent to the “comic misrepresentation of it.”

Moreover, and this is the second very important point of this decision, the reference contained in Article 70 LDA “provided that they do not constitute competition to the economic use of the work” by no means should be interpreted, as the Rome Court of Appeals erroneously did, in the sense of "commercial or profit-making purpose."

Therefore, uses allowed by Article 70 LDA - including parody – now seem to be not excluded if there is a profit or commercial purpose the author of the parody may pursue, even incidentally: they are excluded only in the case of a competitive relationship between the original work and the parody itself.

In conclusion, according to the Supreme Court, the lawfulness of parody reposes, in addition to the free expression of thought, both in the functionality of it with respect to its parodistic and satirical purpose (i.e., it must not have purposes and contents that are merely denigrating and depreciating of the main work or of one of its characters) and in the absence of a competition relationship with the protected work that would instead make the parody descend from an unlawful exploitation of the work itself.

This important interpretation of parody in our legal system fits perfectly into the interpretative groove of the Court of Justice, which argued its conclusion by stating that it is necessary to make a balance between opposing interests, namely, from one hand the exclusive rights of reproduction and communication to the public of the work, and on the other hand, the user’s freedom of expression of a protected work, which benefits of the parody exception (EU Court of Justice, C-201/13, cited above, 34).

Pandemic, hackers, and corporate protection

Recent smart working habits, ushered in 2020 with the arrival of COVID, have subverted the cyber boundaries of our companies, and what was once a corporate LAN, located in a distinct geographic area and therefore more easily surveilled, is now instead open to all those, employees and contractors alike, who employ corporate devices either to connect remotely to the corporate office or for personal use.

The increase in cyber iterations has thus created more hackable points for skilled hackers who, for example, send e-mail attachments that look secure and come from verified senders, but instead conceal malware, i.e., programs designed to harm the host operating system, undetectable even by up-to-date antivirus software.

In order to corroborate what has just been said, let us add some numbers capable of explaining better than any words how much our safety is in danger.

July 2021: Il Sole 24ore estimates that the advent of smart working has led, since the beginning of the pandemic, to an increase in the number of cyber-attacks up to the percentage of 238%.

The 2022 CLUSIT report, the Italian Association for Information Security, records that cyber-attacks worldwide have increased by 10%. In that ranking, Italy represents the 4th most affected country behind the US, Germany and Colombia.

The three most commonly used types of attacks are as follows:

  1. Malware (use of malicious software)
  2. Targeted data breaches (theft of confidential information using unknown techniques)
  3. Security vulnerabilities real Achilles’ heel on which the first two forms of attack rest.

In 2001, hacker Kevin Mitnick prophesied in one sentence what would happen just twenty years later, "A secure computer is an off computer."

We believe that with the adoption of appropriate tools and specific procedures - human resource training remains a central point of the system - it is possible to have truly adequate security measures.

In addition to classic hardware and software protections, more advanced and synergistically deployable protection tools are now available to companies:

  • VA - Vulnerability Assessment: continuous monitoring and identification of all known vulnerabilities both within the corporate perimeter and on the web, including corporate devices connected with the premises remotely. Vulnerabilities that if not remediated can be easily exploited by criminal hackers (preventive action).
  • SOC - Security Operation Center: continuous monitoring, detection, analysis and management, with related blocking, of all external and internal threats to the company and unauthorized intrusions (proactive action).

We are available to support companies and professionals in choosing advanced software solutions and setting up simple and effective procedures to protect business operations and data, compliant with GDPR.

Contact us for more information: info@clovers.law