AI versus AE: a lesson on the relationship between AI and Authors and Editors under the AI Act
Nicola Tilli has been invited to give a lesson on the connection between the publishing sector and artificial intelligence
In Milan, at IULM University, on May 4, 2026, as part of the Master's programme for professions in literature, publishing, fiction writing, authorship in general and related arts.

Croatia: Bank Fined €1.5 Million for GDPR Violations in Its Mobile Banking App.
The Croatian Personal Data Protection Authority (AZOP) has imposed a fine of €1.5 million on a bank for serious GDPR violations committed through its mobile banking app, which is used by over 400,000 customers.
The decision, dated December 18, 2025, and pertaining to the Erste Bank case, concerns the indiscriminate collection of the list of apps installed on customers’ smartphones, without a valid legal basis and without adequate notice.
AZOP’s investigation was launched following a report from a customer who had noticed unusual access to data on their device. The investigation found that the bank processed the personal data of 433,922 customers, violating the principles of lawfulness, transparency, and purpose limitation set forth in the GDPR. AZOP also ordered the cessation of the unlawful practices and the adoption of corrective measures, emphasizing the seriousness of the conduct that compromised users’ privacy.
Whistleblowing: 2025 Guidelines Balancing Substantive Protections and Objective Rigor.
The year 2025 marks the end of whistleblowing as a mere formality: three rulings—by the Court of Milan, the Court of Bergamo, and the Court of Cassation—have transformed Legislative Decree 24/2023 into a substantive tool for rebalancing workplace relationships.
With Judgment No. 1680/2025, the Court of Milan applied for the first time the rebuttable presumption of retaliation: when a dismissal follows the report in time, the burden of proof shifts and it is up to the employer to demonstrate that the termination is entirely unrelated to the report. The Court of Bergamo, in Judgment No. 951/2025, awarded presumed moral damages (€25,000) to a whistleblower exposed to a hostile environment, without requiring a forensic medical evaluation, thereby recognizing the existential harm caused by isolation.
Finally, the Court of Cassation, in judgment no. 1880/2025, reaffirmed the objective limit of protection: the prohibition on retaliatory measures does not apply when the report is used for essentially personal purposes or for claims related solely to the employment relationship. A typical example is the case of an employee who, facing dismissal for poor performance or a legitimate transfer, files a “report” based solely on internal conflicts to effectively make themselves untouchable. If the content concerns only interpersonal dynamics or unwelcome management decisions, without reporting illegal acts provided for by law or violations of the 231 Model, whistleblower protection does not apply: the objective prerequisite of defending legality is lacking.
Legislative Decree 231/2001: Requirement to Update Following Legislative Decree 211/2025.
Between late 2025 and early 2026, the regulations governing corporate liability under Legislative Decree 231/2001 underwent a significant strengthening, requiring companies to promptly update their organizational, management, and control models. Legislative Decree No. 211 of December 30, 2025, effective as of January 24, 2026, introduced the new Article 25-octies.2 into the list of predicate offenses, dedicated to violations of European Union restrictive measures, transposing Directive (EU) 2024/1226.
Conduct such as making funds or economic resources available to sanctioned entities, failing to freeze assets, carrying out prohibited commercial transactions, the import/export of prohibited goods, the provision of restricted services, and the violation of reporting obligations related to European sanctions regimes now falls within the scope of 231 risk. As of January 2026, therefore, international sanctions, export controls, frozen assets, and counterparty checks no longer concern only commercial, banking, or customs compliance, but constitute a full-fledged 231 risk, requiring enhanced controls over customers, suppliers, beneficial owners, cross-border payments, authorizations, exports, and relations with “sensitive” countries.
Of particular note is the new sanctions system: for specific violations, monetary penalties are no longer calculated using the traditional quota system, but as a percentage of the entity’s total annual revenue (generally between 1% and 5%), with fixed thresholds of up to 40 million euros when revenue cannot be determined. This makes a substantial update of the 231 Models essential, including a detailed mapping of EU sanction risks, enhanced due diligence procedures on counterparties, and continuous control mechanisms throughout the entire operational chain.
Cybersecurity: The weakest link is still the password.
Today, cybersecurity fails not only in the face of sophisticated attacks, but above all due to human predictability. Even the most advanced infrastructure becomes vulnerable if access is protected by weak or easily guessed credentials.
The password is not a technical detail, but a front-line legal and organizational safeguard, also relevant for the purposes of Article 32 of the GDPR. Proper names, dates of birth, trivial sequences such as “123456,” or references easily reconstructed from social networks remain among the most exploited keys in attacks today, facilitating system intrusions, identity theft, and corporate compromises.
Added to this is the evolution of phishing, enhanced by artificial intelligence: emails and messages with impeccable language and credible context, even deepfake voices and videos capable of imitating colleagues and executives.
The risk no longer concerns only the individual user, but the operational continuity of businesses, organizations, and critical infrastructure.
This is why cybersecurity cannot remain the domain of specialists alone: it is a culture of prevention, continuous training, robust password policies, multi-factor authentication, and daily vigilance for warning signs.
The real question is not whether we are connected, but whether we are truly prepared to protect what we entrust to the digital realm.
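The failure modes listed above (trivial sequences, first names and birth dates, words an attacker can read off a social profile, and "leetspeak" disguises of dictionary words) are exactly what a password acceptance check should reject before a credential is ever stored. The following Python function is an added example, not part of the original newsletter or of any product it mentions. The deny list, the leetspeak table and the sample user profile are constructed for illustration; a real deployment would screen candidates against a full breached-password corpus rather than a dozen entries, and would pair this check with multi-factor authentication and proper password hashing.

```python
"""Password acceptance check for the weaknesses named in the text.

Added example, not code from the original page. COMMON_PASSWORDS, LEET and
SAMPLE_PROFILE are constructed for illustration only.
"""
import re
from datetime import date

# Constructed deny list of trivially guessable passwords (illustrative only).
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "111111",
    "123456789", "letmein", "welcome", "admin", "passw0rd",
}

# Substitutions an attacker's wordlist rules would undo ("P@ssw0rd" -> "password").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Constructed profile of a hypothetical user, as an attacker could read it off
# a public social-network page.
SAMPLE_PROFILE = {"first_name": "Anna", "last_name": "Rossi", "city": "Milano",
                  "pet": "Birba", "dob": date(1985, 3, 14)}


def normalize(pw):
    """Lower-case and undo common leetspeak so disguised words are caught."""
    return pw.lower().translate(LEET)


def is_sequence(s, min_len=4):
    """True if s has >= min_len characters that are consecutive (ascending,
    descending or repeated) or that run along a keyboard row."""
    s = s.lower()
    for i in range(len(s) - min_len + 1):
        chunk = s[i:i + min_len]
        codes = [ord(c) for c in chunk]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({1}, {-1}, {0}):
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def on_deny_list(pw):
    """Check the password, its leet-normalized form, and the form with the
    trailing digits/punctuation people append ('password2024!') removed."""
    base = re.sub(r"[\d\W_]+$", "", pw)
    candidates = {pw.lower(), normalize(pw), normalize(base)}
    return bool(candidates & COMMON_PASSWORDS)


def profile_tokens(profile):
    """Tokens derivable from a profile: name parts, city, pet, employer, and
    the birth date in the formats most often typed into passwords."""
    tokens = set()
    for key in ("first_name", "last_name", "city", "pet", "employer"):
        value = profile.get(key)
        if value:
            tokens.add(value.lower())
    dob = profile.get("dob")
    if dob:
        for fmt in ("%Y", "%d%m%Y", "%d%m%y", "%d%m", "%m%d%Y"):
            tokens.add(dob.strftime(fmt))
    return {t for t in tokens if len(t) >= 3}


def check_password(pw, profile=None, min_length=12):
    """Return the list of policy failures; an empty list means accepted."""
    failures = []
    if len(pw) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if on_deny_list(pw):
        failures.append("on the common-password deny list")
    if is_sequence(pw):
        failures.append("contains a trivial sequence")
    haystacks = (pw.lower(), normalize(pw))  # raw and de-leeted forms
    for tok in sorted(profile_tokens(profile or {})):
        if any(tok in h for h in haystacks):
            failures.append(f"contains profile-derived token '{tok}'")
    return failures


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd2024!", "Anna1985!",
                      "correct-horse-battery-staple"):
        verdict = check_password(candidate, SAMPLE_PROFILE)
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

Run as a script, the block rejects "123456" on three counts, catches "P@ssw0rd2024!" as a disguised dictionary word, flags "Anna1985!" as built from the sample user's name and birth year, and accepts the long passphrase. The profile check is the part most policies omit: it is what turns "references easily reconstructed from social networks" from a training slogan into an enforced rule.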
Digital Omnibus: Regulatory Simplification or a Redefinition of Digital Rights in the EU?
On November 19, 2025, the European Commission officially presented the proposal for the “Digital Omnibus” regulation, a legislative package aimed at simplifying, harmonizing, and making the European Union’s complex framework of digital rules more consistent. The proposal, currently under review by the European Parliament and the Council, has a cross-cutting impact on several key pieces of legislation, including the GDPR, the ePrivacy Directive, the Data Act, the NIS2 Directive, and the AI Act, with the stated goal of reducing regulatory overlap, compliance costs, and uncertainty regarding application for businesses and public administrations.
The Digital Omnibus comprises at least two main proposals:
■ Digital Omnibus Regulation Proposal — technical provisions to amend and streamline digital regulations, with impacts on the GDPR, ePrivacy, Data Governance, Data Act, NIS2, and other acts.
■ Digital Omnibus on AI Regulation Proposal — more specific measures designed to refine the AI Act and coordinate it with the rest of the digital regulatory framework.
Key Issues and Critical Points in Personal Data Regulation
Among the most significant and critical aspects of the Digital Omnibus proposal is the definition of “personal data”. The initiative aims to redefine and contextualize this concept for the purposes of the GDPR, introducing criteria that are more functional and tied to the concrete context in which the data subject can be identified, with emphasis on the “means reasonably likely to be used.” Such an approach, if adopted, could narrow the GDPR’s scope of application, since it would influence whether certain information is classified as protected personal data at all.
The proposal also addresses certain specific obligations, particularly regarding automated decision-making and cookie management, with the aim of reducing administrative burdens and simplifying compliance. However, these changes raise interpretative doubts, especially regarding the preservation of the protection standards enshrined in the Charter of Fundamental Rights of the European Union.
The package has sparked a wide-ranging debate: some fear a weakening of the GDPR’s safeguards, while others, on the contrary, see an opportunity for a more coherent and certain digital framework. The proposal is still under review by the European Parliament and the Council and remains subject to significant changes.