Italy's New AI Laws: Balancing Innovation and Oversight

On Wednesday, the Italian government marked a significant milestone by adopting two preliminary implementing decrees on artificial intelligence (AI). These decrees further develop a law initially approved last September, with the first focusing on training both in educational institutions and professional environments, while the second outlines the use of AI systems in police activities and the civil and criminal liabilities associated with them. Although the decrees have not been formally published, the government released an enthusiastic press statement summarizing their content. Informally circulated texts suggest that these decrees align with the AI Act, the comprehensive regulation approved by the European Union in 2024. Among the two, the second decree, pertaining to AI and police activities, has generated considerable interest and concern, particularly regarding the regulation of facial recognition systems. The Italian government has adopted a human-centered approach, emphasizing that no AI system should make significant decisions without human oversight. The legislation stipulates that all AI applications impacting workers—such as performance evaluation software—must be understandable, verifiable, and attributable to a human decision-maker. Thus, any dismissal based solely on AI-driven decisions, devoid of human intervention, is deemed illegitimate. The first decree fulfills the EU's AI Act request for member states to specify responsibilities within the AI sector. It designates the Agency for Digital Italy (AgID) as the authority responsible for overseeing the use of AI products, while the National Cybersecurity Agency (ACN) will serve as the market surveillance authority. The Bank of Italy, the National Commission for Companies and the Stock Exchange (Consob), and the Institute for the Supervision of Insurance (Ivass) will oversee AI systems in financial services. Additionally, the Personal Data Protection Authority is tasked with regulating high-risk AI systems for activities like crime prevention and immigration management. In terms of training, the decree mandates basic literacy programs for all public employees and more extensive training for managers overseeing digital transitions. It also allocates €100 million for a teacher training plan aimed at mitigating risks associated with digital dependencies and algorithmic opacity, particularly to protect minors from potential harm. The second decree specifically regulates AI usage in police activities, particularly concerning biometric data collection such as fingerprints or facial features. Currently, AI software is employed for real-time facial recognition, which will now be permitted under strict circumstances—limited to significant security threats, terrorism suspects, and searches for missing persons, with authorization valid for only 15 days. Retrospective facial recognition will only be permissible once a crime is committed, based on objective evidence as defined by EU regulations. Furthermore, biometric data collection for public safety at events is allowed, although critics express concern that these measures could easily lead to broader surveillance practices. The timing of the decrees coincides with the introduction of a more conservative and restrictive migration and asylum pact within the EU, prompting experts like Giovanni Zaccaroni from the University of Milan Bicocca to suggest that the new law may specifically facilitate increased AI tool usage within law enforcement. Additionally, modifications to criminal procedure code mean prosecutors now need authorization from an investigating judge for real-time biometric identification, with provision for urgent decisions by prosecutors, outlining strict notification requirements. The approval of the new AI laws also introduces serious criminal penalties, imposing a prison sentence of one to five years for neglecting required safety measures in high-risk AI systems, and up to ten years if state security is endangered. For individuals harmed by AI systems, civil procedural tools are anticipated, emphasizing a presumption of causality that assumes a direct link between AI violations and resultant damages unless proven otherwise by the AI service provider or user. These regulations illustrate a vigorous effort from the Italian government to navigate a complex landscape in AI legislation, presenting both potential advances and new regulatory hurdles. They also highlight the challenges of being early adopters, lacking established models from other nations and complicating an already intricate regulatory environment, especially as seen with Spain's recent AI law focusing on sanctions for deepfakes and other AI abuses. In conclusion, while Italy's pioneering moves in AI regulation could set the stage for responsible innovation, they also raise significant questions about the balance between technological advances and safeguarding civil freedoms. Related Sources: • Source 1 • Source 2