Photo of Laura Somaini

Laura Somaini

Laura Somaini is an associate in the Data Privacy and Cybersecurity Practice Group.

Laura advises clients on EU data protection, e-privacy and technology law, including on Italian requirements. She regularly assists clients in relation to GDPR compliance, international data transfers, direct marketing rules as well as data protection contracts and policies.

On May 13, 2025, the European Commission issued its draft Guidelines on the protection of minors online under the DSA (“the Guidelines”).  The Guidelines aim to support providers of online platforms that are “accessible to minors” with meeting their obligation to ensure “a high level of privacy, safety, and security” for minors under Article 28(1) of the Digital Services Act (“DSA”).

Below we provide an overview of the Guidelines and key takeaways.Continue Reading European Commission Publishes Draft Guidelines on the Protection of Minors under the DSA

On April 29, 2025, the Italian data protection authority (“Garante”) launched a public consultation to collect feedback from stakeholders about the so-called “Pay or Ok” model. 

“Pay or Ok” refers to the concept of making access to a website’s content or service conditional on the website visitor performing one of

Continue Reading Italian Garante Launches Public Consultation on the Implementation of “Pay or Ok” Models

On May 30, 2024, the Court of Justice of the EU (“CJEU”) handed down its rulings in several cases (C-665/22Joined Cases C‑664/22 and C‑666/22C‑663/22, and Joined Cases C‑662/22 and C‑667/22) concerning the compatibility with EU law of certain Italian measures imposing obligations on providers of online platforms and search engines.  In doing so, the CJEU upheld the so-called “country-of-origin” principle, established in the EU’s e-Commerce Directive and based on the EU Treaties principle of free movement of services.  The country-of-origin principle gives the Member State where an online service provider is established exclusive authority (“competence”) to regulate access to, and exercise of, the provider’s services and prevents other Member States from imposing additional requirements.

We provide below an overview of Court’s key findings.Continue Reading CJEU Upholds Country-of-Origin Principle for Online Service Providers in the EU

On May 20, 2024, a proposal for a law on artificial intelligence (“AI”) was laid before the Italian Senate.

The proposed law sets out (1) general principles for the development and use of AI systems and models; (2) sectorial provisions, particularly in the healthcare sector and for scientific research for healthcare; (3) rules on the national strategy on AI and governance, including designating the national competent authorities in accordance with the EU AI Act; and (4) amendments to copyright law. 

We provide below an overview of the proposal’s key provisions.Continue Reading Italy Proposes New Artificial Intelligence Law

On May 9, 2024, the Italian data protection authority (“Garante”) published a decision identifying the safeguards that controllers must put in place when processing health data for medical research purposes, in cases where data subjects’ consent cannot be obtained for ethical or organizational reasons.

The Garante’s decision follows a recent legislative development, enacted by Law n. 56 of April 29, 2024, and effective as of May 1, 2024, which amended, among other things, Article 110 of the Italian Privacy Code.  The amendment removes the obligation to submit a research program and related data protection impact assessment (“DPIA”) for prior consultation to the Garante, in cases where it is impossible or disproportionately burdensome to contact the concerned individuals.  

We provide below an overview of the legal framework and the safeguards identified by the Garante.Continue Reading Italian Legislator and Regulator Update Rules on Processing of Health Data for Medical Research

On February 13, 2024, the European Data Protection Board (“EDPB”) adopted an opinion on the notion of “main establishment” of a controller in the context of Article 4(16)(a) of GDPR.  The opinion aims to clarify (i) the relevant conditions for the determination of whether a controller has a “main establishment” in the EU, for controllers that have more than one establishment in the EU; and (ii) the application of the so-called “one-stop-shop” mechanism in these scenarios.  

We provide below an overview of the EDPB’s opinion.Continue Reading EDPB Clarifies the Notion of “Main Establishment” under the GDPR

On January 15, 2024, the European Commission released its report on the first review of the functioning of the existing eleven adequacy decisions adopted under the pre-GDPR framework.  

The Commission concluded that personal data transferred from the European Economic Area to any of Andorra, Argentina, Canada (for PIPEDA-regulated entities), the Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay continue to receive an adequate level of protection.Continue Reading European Commission Retains Adequacy Decisions for Data Transfers to Eleven Countries

On November 27, 2023, the Council of the EU formally adopted the Data Act, following the European Parliament’s endorsement of November 9, which concludes the EU legislative process.  As noted below, the Data Act will shortly be published in the Official Journal and become enforceable in 2025.

The Data Act is designed to require entities to make data, including non-personal data, accessible to other parties, so that it can be re-used for new purposes.  The Data Act’s obligations are broad  and may require significant engineering work to re-design products to ensure compliance.  

We provide below a brief overview of key takeaways and timelines.Continue Reading Data Act Becomes Law: What Next?

On October 12, 2023 the Italian Data Protection Authority (“Garante”) published guidance on the use of AI in healthcare services (“Guidance”).  The document builds on principles enshrined in the GPDR, national and EU case-law.  Although the Guidance focuses on Italian national healthcare services, it offers considerations relevant to the use of AI in the healthcare space more broadly.

We provide below an overview of key takeaways.Continue Reading Italian Garante Issues Guidance on the Use of AI in the Context of National Healthcare Services

On June 27, 2023, the European Parliament and the Council of the EU reached a political agreement on the Data Act (see our previous blog post here), after 18 months of negotiations since the tabling of the Commission’s proposal in February 2022 (see our previous blog post here).  EU lawmakers bridged their differences on a number of topics, including governance matters, territorial scope, protection of trade secrets, and certain defined terms, among others.

The Data Act is a key component of the European strategy for data. Its objective is to remove barriers to the use and re-use of non-personal data, particularly as it relates to data generated by connected products and related services, including virtual assistants. It also seeks to facilitate the ability of customers to switch between providers of data processing services.

We’ve outlined below some key aspects of the new legislation.Continue Reading European Parliament and Council Release Agreed Text on Data Act