Data & Technology Innovation | June 2026 Insight

Contents

BYOD and GDPR: when the use of a personal device becomes unlawful

Data protection

On 13 April 2026, the Agencia Española de Protección de Datos (AEPD) imposed a fine of EUR 200,000 on Ares Capital, a private hire vehicle (PHV) company, for requiring its workers to adopt the so-called BYOD ("bring your own device") model, namely the use of their personal mobile phones as work tools. Although the decision was issued by the Spanish authority, it is also relevant under Italian law, as it applies GDPR provisions that are fully in force in Italy, where the additional protection afforded by Article 4 of the Workers' Statute on remote monitoring also applies.

The complaint had been filed by a driver who objected to being required to use his personal device and to install apps that monitored his location, messages and activity even outside working hours. The applications collected wholly excessive data – continuous geolocation, photos, videos, contacts, voice recordings, and even information about physical condition – and the worker was unable to modify the app permissions without company authorisation.

The Authority identified three grounds of infringement. The first, and most significant, concerns the legal basis for processing: in line with the EDPB’s position, consent in an employment relationship is almost never freely given. Where BYOD is presented as voluntary but no real company alternatives are available, the choice becomes effectively compulsory and consent cannot constitute a valid legal basis.

The second ground concerns the principle of data minimisation: Article 5(1)(c) GDPR requires that data be limited to what is strictly necessary, while Article 25 requires privacy by design and by default measures. The AEPD found that the apps accessed excessive information – continuous tracking, contacts, photos, videos, audio recordings and private messages – without any operational justification. The third ground concerns the infringement of Article 13 GDPR: the employer had failed to provide a clear privacy notice covering the data processed, the purposes, the methods and the retention periods, contrary also to the principle of fairness under Article 5(1)(a).

A BYOD model structured in this way would infringe, in Italy, not only the GDPR but also Article 4 of the Workers' Statute: tools from which even the mere possibility of remote monitoring may arise require, save for specific exceptions, a trade union agreement or authorisation from the Labour Inspectorate, as well as a complete and transparent privacy notice. BYOD involving geolocation or tracking falls squarely within this scope.

The issue is not to prohibit BYOD, but to govern it through appropriate technical, organisational and legal measures: genuinely optional use of personal devices, with company-issued alternatives available; applications and data processed limited to what is strictly necessary, without continuous or out-of-hours tracking; a clear privacy notice and an up-to-date BYOD policy; compliance with the requirements under Article 4 of the Workers' Statute; and a clear separation between personal and professional spheres, ensuring that personal photos, contacts and messages remain inviolable.

Artificial intelligence and affective computing in the workplace: the Italian Data Protection Authority issues a warning to an Italian start-up

Artificial Intelligence

The Italian Data Protection Authority (Garante), by means of decision no. 342 of 14 May 2026, addressed the multi-regulatory compliance issues arising from the use of so-called sentiment analysis systems (as a form of affective computing) applied to employees' communications.

The intervention concerned a plug-in component developed by an Italian start-up, designed to analyse the semantics of messages exchanged by workers on Slack and Teams platforms in order to estimate their level of psychological wellbeing or stress. The investigation revealed that the system operates as a service purchased by the employer for the benefit of its staff and provided by the start-up directly to individual employees who freely choose to activate it, under an autonomous data controllership arrangement: employees' personal data are not shared with the purchasing entity, except in statistical and aggregated form through a dedicated report.

To mitigate data protection risks and prevent the identification of workers by the employer, the start-up implemented specific measures, including: (i) activation of the plug-in via a unique identifier (ID) that would not allow tracing back to the user’s real identity; (ii) generation of company-level stress reports conditional on a minimum of 10 active users per week, to avoid the risk of singling out, i.e. the isolation and re-identification of individuals by inference; (iii) provision of the report to the employer in view-only mode, without access to raw data capable of identifying individual workers.

Notwithstanding the technical architecture being designed to operate on aggregated and statistical data vis-à-vis the employer, the Garante recalled that compliance with data protection law must be ensured from the design stage (privacy by design), including through measures preventing the employer from accessing information on employees' stress levels and in accordance with the rules protecting workers. In this regard, the prohibition on collecting information that is not relevant to the worker, pursuant to Article 113 of the Italian Privacy Code and Article 8 of the Workers' Statute – a prohibition that fully encompasses information relating to the emotional sphere and psychological stress – is particularly relevant, as is the prohibition on conducting autonomous health assessments, since such activities are reserved by law exclusively to the occupational health physician acting as an independent data controller. Also relevant is Article 5(1)(f) of Regulation (EU) 2024/1689 (the AI Act), which expressly prohibits the use of AI systems designed to infer the emotions of a natural person in the workplace context, having regard also to the related concerns of bias, algorithmic opacity and inadequate model fitting.

The Garante, while finding no actual ongoing infringement, identified a potential future risk: the specific size or organisational characteristics of certain companies, combined with the potentially unpredictable effects of machine learning systems, could enable – even indirectly – the identification of individuals using the plug-in. The Authority therefore warned the start-up of a likely breach of the regulatory framework should reports be made available to employers that would allow – even by inference – access to data derived from the system.

High-risk AI systems: the European Commission publishes draft guidelines on classification under article 6 of the AI Act

Artificial Intelligence

On 19 May 2026, the European Commission published for stakeholder consultation the draft guidelines on the classification of high-risk artificial intelligence systems (the "Guidelines") under Article 6 of Regulation (EU) 2024/1689 (the AI Act). The Guidelines – prepared pursuant to Article 6(5) of the AI Act and non-binding in nature – are published on the AI Act Single Information Platform and are structured in three sections:

  • Document no. 1 – General Principles. The first document clarifies that an AI system qualifies as high-risk in two scenarios: (i) where it is a safety component of, or itself constitutes, a product subject to the harmonisation legislation listed in Annex I of the AI Act (Article 6(1)); or (ii) where it falls within one of the use cases set out in Annex III (Article 6(2)). A common prerequisite is that the system qualifies as an "AI system" within the meaning of Article 3(1) of the AI Act. Central to the analysis is the intended purpose of the system (Article 3(12)), as ascertainable from instructions for use, promotional materials and technical documentation: for multi-purpose and general-purpose systems, a broad presentation that does not clearly and consistently delimit high-risk uses may result in classification as such, as a mere exclusion in the terms of service is not sufficient.
  • Document no. 2 – Annex I of the AI Act. The second document elaborates on Article 6(1) on the basis of two cumulative conditions: the system must be a product regulated under Annex I, or a safety component thereof, and the product must be subject to third-party conformity assessment. The notion of "safety component" (Article 3(14)) is autonomous and operates according to two alternative criteria: (i) the safety function, based on the purpose defined by the provider; or (ii) the risk arising from failure or malfunction that could endanger health, safety or property. The Commission further clarifies that most smart home appliances fall outside this scope.
  • Document no. 3 – Annex III of the AI Act. The third document applies Article 6(2) across the eight areas of Annex III (including biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration and justice), within which only the exhaustively listed use cases are relevant. Of particular significance is the filtering mechanism under Article 6(3), which allows a provider, following a self-assessment, to exclude high-risk classification where one of the four prescribed conditions is met (narrow procedural task, improvement of a previously completed human activity, detection of decision-making patterns without replacing human review, preparatory task), provided the system does not carry out profiling and subject to a strict interpretation of the exception.

The Commission is collecting stakeholder contributions until 23 June 2026 through the AI Act Single Information Platform, ahead of the adoption of the final version. Reference is also made to the new timelines arising from the so-called "AI Omnibus": the rules applicable to high-risk systems under Article 6(2) of the AI Act will apply from 2 December 2027, while those relating to systems under Article 6(1) will apply from 2 August 2028.

Digital Services Act infringement: European Commission imposes EUR 200 million fine on Temu

Digital Services & Platforms

On 28 May 2026, the European Commission announced a fine of EUR 200 million against the e-commerce platform Temu. The decision constitutes one of the most significant enforcement precedents under the Digital Services Act (DSA) and is based on the established inadequacy of the risk assessment carried out by the platform with regard to the presence and spread of illegal or non-compliant products within its marketplace, resulting in European consumers being exposed to potential harm to their safety and rights.

The significance of the case derives from the nature of the obligations imposed by the DSA on Very Large Online Platforms (VLOPs), the category to which Temu belongs by virtue of the number of active users in the European Union. For such operators, the Regulation establishes a system of enhanced accountability, grounded in the prevention and management of systemic risks connected to the operation of digital services. The dispute centres on the obligations laid down in Articles 34 and 35 DSA: the former requires platforms to identify and concretely assess the risks arising from their activities, taking into account the likelihood and severity of potential negative effects; the latter requires the adoption of effective and proportionate mitigation measures, which may also concern the architecture of the service, digital interfaces and algorithmic recommendation systems.

According to the Commission, the risk assessment prepared by Temu in 2024 was found to be inadequate, as it was based primarily on general data relating to the e-commerce sector rather than on the actual operation of the platform, resulting in an underestimation of the risk of illegal or non-compliant products being offered for sale. Checks carried out in the course of the investigation, including through the practice of so-called mystery shopping (undercover purchases), revealed significant issues across several product categories: examples identified included battery chargers failing to meet essential safety requirements and toys presenting serious risks, such as the presence of chemicals exceeding permitted limits or choking hazards for young children. The Commission also highlighted the role of algorithmic recommendation systems and affiliate influencer promotion programmes, which were considered potentially capable of amplifying the visibility and spread of non-compliant products.

The decision, adopted pursuant to Articles 73 and 74 DSA, confirms that the Regulation is not limited to the regulation of online content, but extends to the risks associated with the circulation of illegal goods through digital marketplaces, and clarifies that risk assessment does not constitute a mere formal compliance exercise, but rather the essential prerequisite for the entire governance system designed to prevent systemic risks. The architecture of platforms' software and algorithmic mechanisms also acquires legal relevance where it contributes to creating or perpetuating risk situations.

Under Article 74 DSA, VLOPs may be fined up to 6% of total worldwide turnover: the amount imposed on Temu corresponds to approximately 0.25% of that threshold. The fine represents, moreover, only the beginning of the compliance process: Temu must submit an action plan by 28 August 2026 pursuant to Article 75 DSA, setting out the measures to remedy the infringement. Within the following month, the European Board for Digital Services – the body established by the DSA, composed of the Digital Services Coordinators of the Member States and chaired by the Commission – must issue an opinion, on the basis of which the Commission will adopt the final decision with which Temu must comply to avoid further sanctions.

The Court of Justice of the EU confirms the compatibility of publishers' right to fair remuneration with the European regulatory framework

Intellectual Property & Technology

By its judgment of 12 May 2026 in Case C-797/23, the Court of Justice of the European Union confirmed that the Italian legislation on the right to fair remuneration for press publishers in respect of the online use of their publications is compatible with Directive (EU) 2019/790 (the "Directive").

The case arose from an action brought by Meta Platforms Ireland Limited challenging AGCOM decision no. 3/23/CONS (the "Decision") which, in implementation of Article 43-bis of Law no. 633/1941 (the "LDA"), established the criteria for determining fair remuneration for publishers and regulated AGCOM's related powers. The Regional Administrative Court for Lazio, seised of the action, referred the matter to the Court of Justice for a preliminary ruling on the compatibility of the Italian implementing legislation with (i) Article 15 of the Directive, which establishes exclusive rights but does not expressly provide for a right to remuneration, and (ii) contractual freedom and the freedom to conduct a business protected by Articles 16 and 52 of the Charter of Fundamental Rights of the European Union.

As regards the obligations provided for under Article 43-bis LDA – in particular the obligation on information society service providers to enter into negotiations with publishers, the obligation not to restrict the visibility of publications in search results during such negotiations, and the obligation to disclose the data necessary for determining fair remuneration – the Court held these to be compatible with EU law, as they ensure that publishers are able to decide freely, and on the basis of all relevant information, whether and on what remuneration terms to grant authorisation to service providers, in line with the objective of protecting publishers pursued by Article 15 of the Directive.

As regards the powers conferred on AGCOM by the Decision – including the determination of remuneration criteria, the fixing of the amount in the absence of an agreement, and the imposition of fines of up to 1% of turnover – the Court held these implementing arrangements to be fully compatible with the Directive, given that the parties (publishers and service providers) remain free not to enter into a contract authorising the use of press publications. While acknowledging that such obligations and sanctioning powers constitute a restriction on the freedom to conduct a business, the Court held the restriction to be justified and proportionate, following a balancing exercise with intellectual property rights and the right to freedom and pluralism of the media, the latter being expressly characterised as an essential foundation of a democratic society.
