Data Law and Digital Society
A.Y. 2025/2026
Learning objectives
The course aims to provide students with a critical and systematic understanding of the legal regulation of the digital society within the European legal framework. It explores the normative model established by the General Data Protection Regulation (GDPR), considered the foundational act of EU digital regulation, and examines the more recent legislative framework concerning digital services, online markets, data governance, and cybersecurity.
A significant part of the course is dedicated to the study of the Artificial Intelligence Act (AI Act), with particular focus on its risk-based approach, the classification of AI systems and models, and the protection of fundamental rights.
The course also seeks to develop students' legal interpretation skills, critical analysis of normative texts, and autonomous reasoning, including in relation to real-world cases and the multilevel dimension of rights protection.
A significant part of the course is dedicated to the study of the Artificial Intelligence Act (AI Act), with particular focus on its risk-based approach, the classification of AI systems and models, and the protection of fundamental rights.
The course also seeks to develop students' legal interpretation skills, critical analysis of normative texts, and autonomous reasoning, including in relation to real-world cases and the multilevel dimension of rights protection.
Expected learning outcomes
At the end of the course, the student will be able to acquire and master an in-depth knowledge of the European regulatory framework governing the digital society, personal data protection, digital platforms, and artificial intelligence, with particular attention to its multilevel dimension and the protection of fundamental rights in today's technological environment.
The students will be capable of applying the legal knowledge acquired in a conscious and autonomous manner to the analysis of concrete situations, critically interpreting relevant EU legislation (such as the GDPR, DSA, DMA, DGA, and AI Act), and assessing its practical impact across different institutional and regulatory contexts.
They will be able to develop critical thinking and formulate independent evaluations through the study and discussion of case law, policy papers, and legal materials, producing well-reasoned reflections on the ethical, social, and constitutional implications of technological regulation.
The students will express themselves with clarity and precision, using legally accurate terminology and adapting their communication to different audiences, including in comparative and supranational contexts.
Finally, they will be able to develop autonomous learning skills, essential for the continuation of their studies and for keeping pace with the rapid evolution of legal and jurisprudential developments in the field of digital innovation.
The students will be capable of applying the legal knowledge acquired in a conscious and autonomous manner to the analysis of concrete situations, critically interpreting relevant EU legislation (such as the GDPR, DSA, DMA, DGA, and AI Act), and assessing its practical impact across different institutional and regulatory contexts.
They will be able to develop critical thinking and formulate independent evaluations through the study and discussion of case law, policy papers, and legal materials, producing well-reasoned reflections on the ethical, social, and constitutional implications of technological regulation.
The students will express themselves with clarity and precision, using legally accurate terminology and adapting their communication to different audiences, including in comparative and supranational contexts.
Finally, they will be able to develop autonomous learning skills, essential for the continuation of their studies and for keeping pace with the rapid evolution of legal and jurisprudential developments in the field of digital innovation.
Lesson period: First trimester
Assessment methods: Esame
Assessment result: voto verbalizzato in trentesimi
Single course
This course can be attended as a single course.
Course syllabus and organization
Single session
Responsible
Lesson period
First trimester
Course syllabus
The course is structured into three modules, providing a comprehensive overview of the European legal framework on data regulation and the digital society, with a particular focus on fundamental rights and emerging technologies.
Module I - The European regulatory model and personal data protection
This module introduces the EU digital regulatory framework, focusing on the General Data Protection Regulation (GDPR) as the foundation of digital law in Europe. Key topics include legal bases for data processing, data subject rights, the accountability principle, the role of data protection authorities, and enforcement mechanisms. The GDPR is examined both as a standalone instrument and as a foundation for broader digital regulation.
Module II - Digital society regulation: platforms, data governance, and cybersecurity
This module analyzes the recent EU legislative instruments on digital platforms, data sharing, and cybersecurity:
- the Digital Services Act (DSA) and the Digital Markets Act (DMA), addressing obligations for large digital platforms, user protection, platform governance, and competition;
- the Data Governance Act (DGA), focused on trustworthy data sharing mechanisms and the development of the data economy;
- the cybersecurity framework, especially the NIS2 Directive, its requirements for essential and important entities, and the role of ENISA.
Module III - The Artificial Intelligence Act (AI Act)
The final module focuses on the Artificial Intelligence Act, the EU's comprehensive legal framework for AI. Topics include:
- the regulation's scope and architecture;- its risk-based approach and classification of AI systems (prohibited, high-risk, limited-risk, and minimal-risk) and AI models;
- obligations for providers and users;
- transparency, documentation, conformity assessments, and market surveillance;
- the impact on fundamental rights and the use of AI in both public and private sectors.
Module I - The European regulatory model and personal data protection
This module introduces the EU digital regulatory framework, focusing on the General Data Protection Regulation (GDPR) as the foundation of digital law in Europe. Key topics include legal bases for data processing, data subject rights, the accountability principle, the role of data protection authorities, and enforcement mechanisms. The GDPR is examined both as a standalone instrument and as a foundation for broader digital regulation.
Module II - Digital society regulation: platforms, data governance, and cybersecurity
This module analyzes the recent EU legislative instruments on digital platforms, data sharing, and cybersecurity:
- the Digital Services Act (DSA) and the Digital Markets Act (DMA), addressing obligations for large digital platforms, user protection, platform governance, and competition;
- the Data Governance Act (DGA), focused on trustworthy data sharing mechanisms and the development of the data economy;
- the cybersecurity framework, especially the NIS2 Directive, its requirements for essential and important entities, and the role of ENISA.
Module III - The Artificial Intelligence Act (AI Act)
The final module focuses on the Artificial Intelligence Act, the EU's comprehensive legal framework for AI. Topics include:
- the regulation's scope and architecture;- its risk-based approach and classification of AI systems (prohibited, high-risk, limited-risk, and minimal-risk) and AI models;
- obligations for providers and users;
- transparency, documentation, conformity assessments, and market surveillance;
- the impact on fundamental rights and the use of AI in both public and private sectors.
Prerequisites for admission
No specific prior knowledge is required. The course is open to all students enrolled in the degree programs of the University of Milano. A basic understanding of public law is nevertheless recommended.
Teaching methods
The course is based on lectures and in-class discussions, combining theoretical analysis with the examination of case law, regulatory frameworks, and policy documents related to data governance and digital technologies. The aim is to encourage critical engagement between students and the instructor on contemporary and interdisciplinary issues. Slides and supplementary materials will be made available on the Ariel platform.
Teaching Resources
The course is based on two mandatory textbooks, each corresponding to specific modules.
For Modules I and II:
- F. Pizzetti, S. Calzolaio, A. Iannuzzi, E. Longo, M. Orofino, La regolazione europea della società digitale, Giappichelli, Turin, 2024.
For Module III:
- F. Pizzetti, S. Calzolaio, A. Iannuzzi, E. Longo, M. Orofino, La regolazione europea dell'intelligenza artificiale nella società digitale, Giappichelli, Turin, 2025.
Additional legal texts, institutional reports, policy documents, and case law discussed during the course will be made available through the Ariel platform in the dedicated course section.
For Modules I and II:
- F. Pizzetti, S. Calzolaio, A. Iannuzzi, E. Longo, M. Orofino, La regolazione europea della società digitale, Giappichelli, Turin, 2024.
For Module III:
- F. Pizzetti, S. Calzolaio, A. Iannuzzi, E. Longo, M. Orofino, La regolazione europea dell'intelligenza artificiale nella società digitale, Giappichelli, Turin, 2025.
Additional legal texts, institutional reports, policy documents, and case law discussed during the course will be made available through the Ariel platform in the dedicated course section.
Assessment methods and Criteria
Learning will be assessed through a single oral examination. The exam will evaluate knowledge of fundamental concepts of data law and the legal challenges of the digital society, including multilevel and supranational perspectives; ability to critically interpret legal sources, case law, and key issues discussed during the course; appropriate use of legal terminology and argumentative skills; level of autonomy in reasoning and case analysis.
Professor(s)