Gameplay vs. highlights: the ruling of the Genoa Court

Sports IP & Digital Content

With the ruling of November 3, 2025, the Genoa Court addressed for the first time the use of video games for the virtual reconstruction of real football actions, excluding that such practice violates the audiovisual rights of Lega Serie A or constitutes unfair competition. The Court stated that the exclusive rights under Legislative Decree No. 9/2008 protect the image of the real sports event, not its abstract dynamics, and that protection applies only when the digital representation recognizably reproduces the development of the original action.

The League’s appeal concerned a content creator who, through EA Sports FC25, reconstructed key actions from Serie A matches. According to the League, these works constituted «highlight images» under Article 2 of the Melandri Decree and represented a substitute for the official highlights. The defendant, however, emphasized the creative nature of his works, which were the result of gameplay, reworkings, and social commentary.

Accepting this argument, the Court found that the videos presented significant deviations from the actual action—field positions, number of players, trajectories, dynamics—that prevented the public from perceiving them as a reproduction of the event. As a result, the video game works were classified as independent creations, not infringing on the audiovisual exclusivity.

The judge also noted that extending the notion of «highlight images» to include any representation inspired by the sports event would lead to an excessive restriction of freedom of expression and user creativity, protected by Articles 21 of the Italian Constitution and 10 of the ECHR.

This ruling represents an important precedent at the intersection of sports law and digital content: the non-faithful video game reconstruction of real actions constitutes an independent work and does not violate the audiovisual rights of the event.

For further insights or assistance on audiovisual rights, video games, and digital creations, the LEXIA D&TI Team is available.

Digital Omnibus

Digital Regulation – EU Policy & Compliance

On November 19, 2025, the European Commission published the final version of the regulation proposals COM(2025) 836 and COM(2025) 837, which make up the «Digital Omnibus» package. This initiative stems from the need to simplify and streamline the European Union’s digital regulatory ecosystem, reducing administrative burdens, increasing legal certainty, and strengthening the competitiveness of the internal market. The ICT sector, despite being a cornerstone of the EU economy, is affected by regulatory fragmentation that has complicated the operational implementation of rules in recent years.

The proposal COM(2025) 837 introduces a comprehensive technical revision of the current regulatory framework, structured around four main areas.

1. Consolidation of data legislation
The Commission proposes to unify the regulations concerning non-personal data into a single legal framework. The Data Act (Reg. 2023/2854) thus becomes the reference regulation, absorbing the Free Flow of Non-Personal Data Regulation, the Data Governance Act, and the Open Data Directive. The goal is to reduce fragmentation, duplication, and compliance burdens for businesses and public administrations.

2. GDPR and ePrivacy: clarifications and simplifications
A significant part of the package involves harmonizing and clarifying definitions and concepts under the GDPR and the ePrivacy Directive, aiming to resolve numerous application uncertainties that have emerged in practice and simplify compliance for data controllers and processors.

3. Cybersecurity: the «Report Once, Share Many» Principle
To overcome the multiple notification obligations currently required by NIS 2, GDPR, DORA, eIDAS, and CER, the Omnibus introduces – via a new Article 23a of the NIS 2 Directive – a European single reporting mechanism, managed by ENISA as a single entry point. Competent authorities will then share information with each other, reducing costs and duplication for essential operators and digital service providers.

4. Rationalization of rules on online platforms
The P2B Regulation (EU Reg. 2019/1150) is repealed, as it has largely been superseded by the Digital Services Act (Regulation (EU) 2022/2065) and the Digital Markets Act (Regulation (EU) 2022/1925). The Commission aims to eliminate regulatory overlaps and ensure greater clarity for operators, thereby reducing compliance costs.

In addition to the horizontal revision of the digital framework, the proposal COM(2025) 836 (“Digital Omnibus on AI”) addresses the AI Act (Reg. 2024/1689), introducing technical adjustments primarily aimed at facilitating the initial implementation phase of the regulation. The changes aim to make the obligations for AI system providers more sustainable, clarify aspects that remained uncertain in the initial application, and ensure that deadlines for high-risk systems can be met without compromising innovation, competitiveness, and the functioning of the internal market.

Thus, the Digital Omnibus package represents the first major legislative overhaul of the new European digital framework: an attempt to transform a rapidly growing regulatory body into a more coherent, readable, and, most importantly, applicable system.

Whistleblowing and privacy: new guidelines from the Data Protection Authority on ANAC’s Guidelines

Data protection

With Provision No. 581 of October 9, 2025, the Data Protection Authority expressed its opinion on ANAC’s draft Guidelines on whistleblowing, addressing both external reporting procedures and internal channels. The Authority reaffirms the need for a balance between the effectiveness of reports and the protection of the personal data of the individuals involved.

The Authority highlighted concerns related to the use of email – including certified email (PEC) – as a reporting channel, as transmission logs could potentially identify the whistleblower. It suggests prioritizing dedicated platforms with encryption and mechanisms that ensure access traceability is not possible, subject to a mandatory impact assessment (DPIA) for each activated channel. The DPIA must identify appropriate technical and organizational measures, including support from technical providers, who are also required to carry out assessments in line with their role as Data Processors.

The Authority also reminds that personnel handling reports must be specifically trained in data protection.

For corporate groups, when the parent company manages the channel, it assumes the role of Data Processor pursuant to Article 28 of the GDPR. The Authority also confirms the retention limits: data related to a report should not be kept longer than necessary for its management, and in any case, no more than five years from the final outcome, unless further legal requirements exist.

Finally, even when the report does not fall under the scope of whistleblowing, the confidentiality of the whistleblower must be ensured, based on the legitimate expectation of protection.

The opinion confirms that whistleblowing compliance requires an integrated approach and data protection by design. The Data & Technology Innovation team at LEXIA is available to support the adaptation of procedures to the requirements of ANAC and the Data Protection Authority.

Control over company IT tools: the importance of the IT policy according to the Court of Cassation

Data protection

A recent ruling by the Court of Cassation (No. 28365 of 27/10/2025) established that an IT and company asset usage policy, as long as it is clear, widely disseminated, and updated, is a necessary condition for the legitimacy of employer controls over employees, in accordance with Article 4 of the Workers’ Statute (Law No. 300/1970).

The Court confirmed the disciplinary dismissal of an employee who had made massive and unauthorized accesses to the company’s systems, as well as transmitted sensitive customer data externally and sent numerous emails to personal addresses, considering the evidence collected by the company from the employee’s computer to be admissible. The employer’s control was deemed legitimate because the workers had been adequately informed through a policy on the use of IT tools, which indicated the possibility of checks in case of anomalies and the related disciplinary consequences (including dismissal).

In light of the Cassation ruling, the IT policy is not just a formal requirement but also the condition that legitimizes employer control over employees. To this end, the policy must: (i) be accessible; (ii) be effectively communicated to employees; (iii) be calibrated to the purposes of the controls, the scope of the tools, the methods and times of retention, measures for minimization, traceability, procedures, and disciplinary sanctions, acting also as a deterrent and a guide for employee behavior.

The ruling does not address other relevant aspects, such as the need to conduct a data protection impact assessment (DPIA)—which may be appropriate given the vulnerable nature of the employees subject to monitoring—and the opportunity to conduct a balancing test between conflicting rights and interests (LIA). These requirements therefore necessitate further in-depth analysis and evaluations by employers.

In summary, a comprehensive, disseminated, and adequately accessible IT policy ensures the legitimacy of controls and serves as a defense in legal proceedings, as well as a tool for cybersecurity and data protection.

The Data & Technology Innovation team at LEXIA is available to assist in the review and drafting of updated corporate policies and information on the use of IT tools, in line with regulatory and jurisprudential developments.

Meta AI on WhatsApp: the AGCM accelerates the first major European case of AI integrated into dominant platforms

Digital Platforms & AI

In November 2025, the AGCM expanded and intensified the investigation initiated against Meta regarding the integration of «Meta AI» into WhatsApp, challenging a potential violation of Article 102 TFEU and Article 3 of Law No. 287/1990. The investigation concerns two practices considered potentially capable of producing exclusionary effects: the pre-installation of the AI assistant within the app and the new conditions applied to WhatsApp Business services, which limit interoperability with third-party chatbots and digital assistants.

From the Authority’s perspective, the integration of the assistant directly into the search bar and other central sections of the WhatsApp interface—an application where Meta holds a dominant position—could constitute a form of tying that artificially directs users’ choices. At the same time, the contractual restrictions on the Business channel could prevent competitors from developing or distributing alternative conversational AI solutions, thereby distorting the natural competitive process in an emerging and highly innovative market.

The decision to pursue precautionary measures under Article 14-bis of Law 287/1990 signals a perceived “grave and irreparable” risk to competition. This is an unusual choice, aligning Italian analysis with established European jurisprudence in the Microsoft and Google Shopping cases, where the privileged integration of additional services within dominant ecosystems was deemed capable of hindering the efficiency and technical development of competitors.

The procedure represents an important test for the coordination between antitrust, platform regulation, and artificial intelligence governance: a case that anticipates the European debate on the conditions for integrating generative models into services that already control access to millions of users. For industry operators, the case highlights the need to assess ex ante the competitive impact of design, interoperability, and AI service distribution choices.