What the Implant Files Are Not Telling

The investigation.  The “Implant Files” is a global investigation carried out by reporters in 36 countries under the lead of the International Consortium of Investigative Journalists (https://www.icij.org/investigations/implant-files/). The project, which attracted significant worldwide attention over the last few weeks as articles and reports were published, purported to show how the medical device industry failed to place on the market safe products and ultimately harmed a significant number patients.

Regrettably the way the investigation has been reported by several media outlets and the conspiracy theories underlying certain articles leave the readers without a clear understanding of the issues on the table and the policies behind the current regulatory framework.

The approval process.  For instance,  while the investigation was conducted globally, many articles published by European consortium members focused their attention on the lack of a centralized authorization procedure for the marketing of medical devices in the EU and argued that a loose regulatory framework enabled manufacturers to sell unsafe devices on the European market.

The absence of a centralized marketing authorization procedure for medical devices in Europe is depicted as a failure of European lawmakers, influenced by the medical device lobby. However, none of the articles reporting on the investigation provides readers – who may not be familiar with the authorization process – a clear and complete picture of the rationale and public healthcare policies behind the current regulatory framework. Most notably, the Implant Files investigation fails to explain the benefits for patients of a faster launch of innovative devices on the market. Neither they show any meaningful and documented difference in terms of patient safety between the EU and the US, where a centralized authorization procedure administered by the FDA is in force. The fact that the investigation concerns the US as much as the rest of the world is probably a good indication that the type of approval procedure does not per se guarantee patients’ safety and an effective healthcare system.

The new regulation.  As to the timing of the investigation, it comes at a moment of transition when the new EU medical device regulation has already been enacted but has not yet begun to unfold its innovative potential in the industry.  Yet, the Implant Files investigation seems to assume that the new regulation will have no impact on the industry and the approval/vigilance system as a whole. The investigation does not really delve into the changes and improvements brought by the new regulation, which has in fact already addressed many of the issues raised by the Implant Files. Among such innovations, new and improved vigilance measures and an increased accountability for notified bodies should be certainly taken into consideration.

Further, the investigation neglects the public discussions and exchanges that occurred throughout the EU (and the world) in the years that preceded the enactment of the new regulation, when the truth is that its provisions have been at the center of the public healthcare discourse for years, have been debated among experts, stakeholders and lawmakers in full transparency, have been reported by newspapers and specialized media. The alleged “scoop” seems a few years late.

The current vigilance system.  Lastly, one of the major flaws of many articles reporting on the investigation is that they give readers the idea that no meaningful vigilance system exists today. This is of course not correct. Italy, for instance, has a long-standing nation-wide register of approved medical devices marketed in its territory kept by the Ministry of Health. The same Ministry transparently shows on its website all safety notices and field actions carried out in Italy. The tool is easily searchable and can be found on the very first page of the medical device directorate’s site. 

Not only the Implant Files investigation failed to accurately report the existing vigilance and transparency measures, but created their own medical device database, allegedly aimed at providing the public with full access to data submitted by patients and reporters. 

Does the Implant Files investigation really benefit patients?  At the moment one cannot but wonder if this project really does provide patients with complete, accurate and independent information that can be useful for their health and wellbeing.

Is a public database, entirely managed by a private consortium, really empowering patients? How the database is managed, how the uploaded information is vetted and updated, for which purposes the uploaded information can be used by patients? Shouldn’t we work on improving a public, transparent system, managed by officers and professionals who have the scientific and regulatory expertise that is needed to address all issues involved, rather than building on a new, uncontrolled and unaccountable tool that could potentially distort patients’ behavior? The media would do a better service to the public opinion by giving a balanced, informative and articulate picture of the facts, rather than spreading sensationalistic news that would make anyone with an implanted device panic (and click on the article!).

 

Therapeutic cannabis in Italy: business opportunities

Italy’s only authorized medical cannabis facility is currently controlled by the military. However, the production site, located in the Florence area, cannot keep up with the increasing demand, creating shortages for patients and barriers to its prescription by physicians (whose patients are unlikely to be able to obtain the quantities needed).

As Colonel Modica of the Italian Military recognizedThe health ministry and the defense ministry are trying to fix the shortfall because there’s been a huge increase in cannabis prescriptions and the number of patients who need them”.

Meanwhile, pressed by the patients’ associations, the Italian Health Care Ministry Giulia Grillo announced not only the increase of import of therapeutic cannabis products from the Netherlands (to cover the short-term shortages), but also the start of a longer-term project, eventually leading to the creation of a public-private partnership for the production of cannabis. “An invitation to present expressions of interest will be published in order to increase the production of therapeutic cannabis“, Ministry said. Although underlining that an appropriate time frame will be needed in order to implement the project, the Ministry confirmed that the cannabis production activity is “of great interest for both the Defense and the Public Health Care” and crucial in order to satisfy the increasing needs of both domestic and foreign markets.

The increase in the domestic production of therapeutic cannabis, along with the overall demand for it, appears to be inevitable.

On the other hand, the boom of “light cannabis” products in Italy (i.e., containing THC in a percentage lower than 0.2 and, therefore, expressly declared legal in Italy starting from January 2017) seems to have encountered some obstacles lately.

The Advisory Board of the Italian Health Care Ministry (Consiglio Superiore di Sanità) issued a report last spring, recommending the adoption of measures aimed at prohibiting the sale of light cannabis products.

In addition to that, an internal note of the Ministry of Home Affairs, recently made public, promoted a zero-tolerance approach and a strict application of the relevant laws and regulations. Such steps have caused great uncertainty and concerns amongst those who have invested in what came to the media’s attention in 2017 as a State-backed business.

Hence, the latest developments relating to therapeutic cannabis in Italy indicate that new business opportunities for both exporters and producers of cannabis-based prescriptions are likely to be offered in the Italian market. Conversely, serious questions can be raised in connection to the light-cannabis boom, in view of the inconsistent approach recently taken by Italian authorities.

Tax Crimes Will Trigger Criminal Liability of Corporate Entities

As a result of the so called “PIF Directive”, starting from July 2019 criminal corporate liability under Italian law 231 may be triggered by tax crimes, too.

(If you are not overly familiar with the principles of Italian 231 legislation on criminal liability of corporate entities, perhaps you may start here.)

Under Italian 231 law, corporations are subject to criminal (rather, quasi-criminal) liability when certain specific crimes are committed in their interest or to their advantage. So far, such crimes have never included tax crimes, although the issue had been widely debated and several court decisions had attempted to combine other types of crimes with tax crimes (the Supreme Court had always disagreed, though).

Now, the PIF Directive, which Member States must implement by July 6, 2019, “establishes minimum rules concerning the definition of criminal offences and sanctions with regard to combatting fraud and other illegal activities affecting the Union’s financial interests, with a view to strengthening protection against criminal offences which affect those financial interests.” Liability of legal entities must be foreseen by national legislation and serious offenses against the common VAT system must be punished.

The Italian legislator will thus need to introduce such serious VAT crimes (i.e., having a value in excess of 10 million euros) in the list of crimes triggering corporate liability. This, in fact, may open the door to other tax crimes as a basis of 231 liability of corporate entities.

ECJ on the Applicability of Public Procurement Rules

I have been asked to comment on the European Court of Justice decision of October 18 relating to the application of public procurement rules to a drug supply arrangement between a privately owned hospital and a public hospital.

The decision can be found here and the full article here.

 

 

French Court of Cassation Orders Retrial of PIP Case

Last week the PIP legal saga took another unexpected turn.

On October 10, 2018 the French Court of Cassation overturned the decision of the Appeal Court, which had cleared from liability TUV Rheinland, the notified body involved in the PIP case, and sent the case back to the Appeal Court.

Breast implants made by the French firm Poly Implant Prothèse (also known as “PIP”) had been marketed for years until, in 2010, it was discovered that silicone used for such breast implants was industrial, rather than biomedical. The investigation found that employees of PIP removed evidence of the industrial silicone gel before inspections by TUV Rheinland, the notified body who was in charge of audits on the manufacturing of the breast implants.

Breast implants are medical devices that may be marketed in the European Union if they are granted a CE marking, which is based on the certification by a notified body that the device satisfies legal requirements. The scandal, although linked to a criminal scheme, showed certain weaknesses of the medical device legislation and ultimately led to the adoption of the EU Medical Device Regulation in 2017.

PIP closed down in 2010 and, although its founder was jailed and fined, the many thousands of affected women could not be compensated by PIP. TUV Rheinland was initially condemned for negligence in 2013 and ordered to pay damages of 5.7 million euros, but was later cleared from liability by a French Appeal Court in 2015.

The Court of Cassation has now sent back the case to the Court of Appeals in order to shed light on two issues. TUV’s press release on the decision can be read here. According to Maître Cécile Derycke, Counsel for the TÜV Rheinland companies: “The TÜV Rheinland companies are serene. […] We are confident that the Court of Appeal to which the case has been referred back will confirm that TÜV Rheinland LGA Products GmbH performed its mission as a notified body diligently and in total compliance with the applicable regulations and TÜV Rheinland France SAS committed no fault.”.

Stay tuned to find out if TUV Rheinland’s is found to be a victim or a perpetrator in the PIP scandal… and if affected patients are entitled to compensation by TUV.

Copyright European Legislation: Getting Ready for the Digital Era.

On September 12th the European Parliament approved amendments to the controversial Proposal for a Copyright Directive, the Directive of the European Parliament and of the Council on Copyright in the Digital Single Market, which aims at updating copyright rules.

Not many topics have polarized opinions in recent years in Europe. While supporters claim to have protected artists and to have inflicted a blow to the American tech giants, critics have talked about the “death of the internet”.

For clarity, even if the Directive passed the European Parliament vote, the changes are not yet definitive and it may be too early to conclude on what this decision entails. The Directive text shall be further reviewed in subsequent negotiations and there is still a slight chance that it may be rejected at another vote by the European Parliament in 2019. In addition, the Directive, even if (and when) definitely approved, should be implemented by single Member States.

But which results does the Directive aim to achieve?

Its scope and purpose appear based on the evolution of digital technologies, which has changed the way copyright works and other protected material are created, produced, distributed and exploited, with the consequence that new uses, new payers and new business models have emerged. The digital environment has given birth to new opportunities for customers to access copyright-protected content. In this new framework, right-holders face difficulties to be remunerated for the online distribution of their works. So, even if the objectives and principles laid down by the EU copyright framework remain valid, there is an undeniable need to adapt them to the new reality.

The Directive also intends to avoid the risk of fragmentation of rules in the internal market. In fact, the Digital Single Market Strategy1 adopted in May 2015 identified the need «to reduce the differences between national copyright regimes and allow for wider online access to works by users across the EU». The idea expressed in the 2015 by the European Commission was to «move towards a modern, more European copyright framework». The EU legislation purports to harmonize exceptions and limitations to copyright and connected rights, however some of these exceptions, which aim at achieving public policy objectives, such as research or education, remain regulated on national level, with the consequence that legal certainty around cross-border uses is not guaranteed.

As to the content of the Directive, we note the following points:

  • With specific regard to the scientific research, recital number 9 of the Directive says that the Union has already provided certain exceptions and limitations (even if optional and not fully adapted to the use of technology in the scientific research) covering uses for scientific research purposes which may apply to acts of text and data mining. Where researcher have lawful access to content, for example through subscription to publication or open access licenses, the term of the licenses may exclude text and data mining.
  • Article 11, called “link tax”, gives publishers a right to ask for paid licenses when online platforms share their stories. The amended version clarifies that this new rights «shall not prevent legitimate private and non-commercial use of press publications by individual users». The amendment tries also to clarify what can be considered as “sharing a story”, indicating that the mere hyperlinks cannot be taxed, nor can individual words.
  • Article 13, called by the critics as “upload filter”, sets forth that platforms storing and giving access to large amounts of works uploaded by their users shall conclude licensing agreements that include liability for copyright infringement, thus putting a large responsibility on platforms and copyright holders that must «cooperate in good faith» to stop this infringement by carefully monitoring every upload.

The Directive has been designed with the intent to rebalance the core problem of contemporary web: big platforms like Facebook and Google are making huge amounts of money providing access to material made by other people. Nevertheless critics object that this intent could lead to serious collateral effects.

We will see what the future of this Directive will be, and which consequences will entail. The path seems to be still long, but, at least, it has started.

 

Who’s Who Legal 2018: Our Life Sciences Practice in the Top Three!

Who’s Who Legal just published its 2018 rankings, highlighting the leading practitioners recognized “for their excellent work across the full spectrum of life sciences law”.

Our very own Paola Sangiovanni has been recognized among the top three most highly regarded practitioners in the life sciences legal industry in Italy. Here’s what Who’s Who Legal says about Paola:

«The “fantastic” Paola Sangiovanni at Gitti and Partners is “a truly dedicated life sciences expert”, who is considered “a great deal-maker”. Her transactional expertise in the life sciences space is in high demand, thanks to her “client-focused approach and excellent service”».

We are very proud to share such a terrific achievement with our clients and friends, and we would like to thank you all for your continued support!

Italian Data Protection Legislation Is Enacted

Finally (!), the Italian government has enacted a legislative decree that amends the existing Data Protection Code in order to ensure its compliance with the GDPR. Additionally, the Italian legislator has filled the gaps that the GDPR had left to Member States.

Here are the main takeaways in the health area:

  • Processing of health data, genetic data or biometric data requires compliance with specific protection measures (“misure di garanzia”) that will be issued by the Italian Data Protection Authority bi-annually in light of guidelines of the European Committee, of technological developments and in the interest of data circulation within the European Union.
  • Under section 9.2.g) of the GDPR, personal data relating to health can be processed when processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law. The Italian legislator has listed the circumstances under which such substantial public interest exists, i.e., inter alia:
    • administrative activities connected to those of diagnosis, assistance or health or social therapy;
    • obligations of the national health service and of subjects operating in the health area;
    • hygiene and safety tasks to be carried out on the workplace and for safety and health of the population, for protection of the population and to safeguard life and physical integrity;
    • management and assessment of health assistance;
    • social protection of maternity and abortion, addictions, assistance, social integrations and rights of disabled individuals.
  • Data protection rights of deceased individuals may be exercised by those who have act on the basis of an own interest, in protection of the interested person, or for family reasons that are worth of protection, unless – with respect of services of information society – the interested person has expressly prohibited through a written statement the exercise of such rights by third parties. Such statement must be unequivocal, specific, informed and free, and may also relate only to some of the rights. The prohibition must not prejudice the exercise by third parties of patrimonial rights arising from death of the interested person nor the right to judicial defense.
  • The prescription of drugs that do not require the indication of the name of the interested person will be subject to specific measures (misure di garanzia) also in order to control the correctness of the prescription, for administrative purposes and for the purpose of scientific research in public health.
  • Reuse of personal data for purposes of scientific research or for statistical purposes must be previously authorized by the Data Protection Authority, who can set forth conditions for the processing. Reuse of genetic data cannot be authorized. However, processing of personal data collected for clinical activity for the purpose of research by research hospitals (IRCCS, both private and public) is not deemed to be reuse.
  • Processing of health personal data for the purpose of scientific research in the medical, biomedical or epidemiological field without the patient consent is in any case subject to a favorable opinion by the competent ethics committee and a consultation with the Data Protection Authority.
  • Criminal sanctions continue to apply in case of illegal data processing and can be up to 6 years of imprisonment.
  • The Data Protection Authority has 90 days to indicate which of the measures contained in the general authorizations it already adopted are compatible with the GDPR. The ones which are not will cease to apply.

GDPR from Down Under: an Australian Perspective

We have interviewed Dr. Peytee Grusche, special counsel at the Australian law firm Russell Kennedy, to ask about her view on GDPR. Peytee assists clients in the areas of research and development, commercialisation of intellectual property, patent, trade mark and design registration and enforcement.

Do Australian companies care about GDPR, and why?

Yes, Australian companies do care about the GDPR if they have an establishment in the European Union (EU), if they offer goods and services in the EU, or if they monitor the behaviours of individuals in the EU.  Also, if Australian businesses are recipients of personal data, then they will be caught by the provisions of the GDPR.

Have you seen significant compliance efforts?

We have had clients request advice on their privacy policies in order to update them to include compliance with the GDPR. In particular, where AU businesses are recipients of personal data advice, on standard data protection clauses and binding corporate rules.  Also, we have received instructions for advice on compliance with GDPR in respect of direct marketing practices (mailouts, newsletters etc).

How would you compare the GDPR to Australian data protection legislation?

The GDPR and the Australian Privacy Act 1988 have much in common including the requirement to show that businesses comply with the privacy principles. However, there are some differences under the GDPR which do not appear in the Australian Privacy Act 1988 including a number of rights for individuals.

Under the GDPR, individuals have the rights to erasure, right to data portability and right to restriction of processing.  The Australian Privacy Act does not include the equivalent rights to these new rights. However, it specifies that business must take reasonable steps to destroy or de-identify personal information that is no longer needed for a permitted purpose.  Additionally, where access is given to an individual’s personal information, it must generally be given in the manner requested by the individual.

What is the preferred strategy of Australian companies who face different standards in data protection legislations around the world?

In our experience, Australian companies will try to comply by adopting  an appropriate privacy policy and/or by contractual provisions to include provisions relating to relevant countries.

Thank you, Peytee!

May 25, 2018: Did You Survive the GDPR D-Day?

Last May 25 the GDPR came into force. It was hard not to notice given the inundation of emails that everyone received, as well as the clear signs of burnout in the eyes of GDPR experts.

Here are my personal top 3 takeaways from that experience:

  • The flood of data protection emails received on May 25 showed me how my data had been disseminated all over the place and archived for a really long time. I had some recollection of only a few of those who wrote me to share their most recent privacy policy (and remind me how they deeply, deeply care about privacy!), since many may have bought, inherited or just collected my data a long time ago. It reminded me that those data subjects’ rights are an empowering tool, which I intend to use more frequently in the future.

 

  • The Law (capital “L”) showed its full might and power on May 25, something which surprised even those, like me, who work with legal requirements all day every day. Look at what companies do when you threaten a 4% fine on their worldwide turnover! (Incidentally, this reminded me why politics is important and why people who are indifferent to politics are wrong: this stuff does make a difference in our lives).

 

  • The Italian authorities (mostly the government and parliament) lost yet another opportunity to be helpful to citizens. We had been waiting for a national data protection law for months, but no such law was enacted before May 25. Until that happens, Italians are supposed to assess, for each and every provision of the Data Protection Code, whether or not it conflicts with the GDPR. How practical.