CAN COMPLIANCE BE AUTOMATED?

If you are working in the field of compliance, you know how grueling the compliance process can be. Rules need to be decided, written, communicated to employees and third parties, who need to be trained on such rules. Then, the company needs to find out if the rules have been breached and sanction those who breached them. This is how law works in general, so the various phases of the process are not surprising. It is also a largely imperfect method, which can become overly complicated in companies where internal rules are pervasive and complex.

Wouldn’t it be wonderful if the whole process could be governed by digital means? And I am not talking about placing all your compliance material in one big digital repository (something obviously useful, but not inherently changing the nature of the process). Imagine a company built on the principle of compliance-by-design, where the behavior of employees is limited by external tools that simply do not allow non-compliant conduct. (For example, if you place digital limits on banking payments, you will not need to convince employees that they cannot exceed certain payment limits, since the digital code would directly enforce such payment thresholds and the only way to circumvent them would be to hack the banking program.)

Certain scholars have seen in blockchains an opportunity for compliance programs and organizational models pursuant to legislative decree 231/2001. Under Italian 231 legislation, an entity is punished for not having set up sufficient organizational measures to prevent the commission of a certain crime: in theory, a digital prevention system may be an ideal tool to prevent crime commission with the utmost diligence. If you look for automated solutions online, you will find heaps of offers that promise that compliance will be made easy: the RegTech phenomenon is already well established and generating huge revenues.

I am generally a fan of innovative solutions, but I question how much effort is required in translating compliance information into digital rules. As anyone who deals with artificial intelligence may confirm, the process is generally neither quick nor cheap.

I also wonder whether the field of compliance, based on ethical principles, and therefore inherently human centric, can benefit from a full digitalization. Some have warned against the risk of “brutalization of workplace relations” and worry that digital compliance systems “imitate predictive policing”.

Compliance requires sophisticated human judgment, and 0/1 binary codes are not always appropriate to automate complex decisions on human interactions based on ethical principles.

An Update on the Latest Amendments to the Italian Pharma Industry Association’s Code of Ethics

Amendments to the Italian pharmaceutical industry association’s (Farmindustria) Code of Ethics were introduced on January 19, 2022: https://www.farmindustria.it/app/uploads/2018/06/2022-GENNAIO-19.pdf.

One of the most important changes concerns section 4.7, which defines Patient Support Programs (PSP) as initiatives implemented by pharmaceutical companies aimed at making available additional services for the direct benefit of patients. Such services are not intended to replace the services of hospitals and other healthcare organizations. For more information on PSP, check out our previous blog post https://lawhealthtech.com/2022/02/07/new-guidelines-on-patient-support-programs-adopted-by-italian-pharma-industry-association/ .

Besides, other important amendments have been introduced:

  • Training and Information to Non-Prescribers: new section 3.25 (i) allows pharmaceutical companies to carry out training and information activities aimed at healthcare professionals who are not authorized to prescribe medicines, but are involved in the treatment management, provided that such activities do not have any promotional purpose and that the information provided is linked to their roles in patients’ treatment management; and (ii) extends to such professionals the possibility to attend events, courses and congresses, as long as such events do not concern topics relating to medicines;
  • Information to the Public: new section 3.26 (i) allows pharmaceutical companies to provide unsolicited information to the public, through personnel not belonging to commercial or marketing areas, relating to products and diseases pertaining to the relevant therapeutic area, provided that such information does not have a commercial nature and matches the information set forth in the package leaflet or institutional information channels; and (ii) confirms that a full literal reproduction of the package leaflet information may be published on the companies’ websites available to the public;
  • Interactions Other than Medicines Promotion: new section 3.28 (i) allows pharmaceutical companies to provide information on medicines to various stakeholders such as institutions, professionals, organizations, etc., without this falling within the scope of medicines promotion; and (ii) specifically regulates the possibility to carry out, during the medicine’s life cycle, institutional and market access activities or other non-promotional interactions towards institutions and health care professionals, as well as account management activities aimed at ensuring the application of commercial policies through interactions with public or private counterparties involved in the medicines procurement processes and activities aimed at the mutual sharing of non-promotional information and data.

The above new provisions of the industry Code of Ethics undoubtedly aim at regulating several aspects of the day-to-day promotional and educational activities of pharmaceutical companies that have been so far ignored by the industry association regulations. However, the new provisions are quite vague in their scope and it remains to be seen whether they will have any meaningful impact on the market practices in the pharmaceutical sector.

New Rules on Non-Profit Studies

Non-profit clinical studies have a new source of regulation: the Ministry of Health November 30, 2021 decree (“Non-Profit Decree”), repealing the December 17, 2004 decree.

The Non-Profit Decree applies to:

  • low-intervention clinical trials;
  • observational trials;
  • non-profit clinical trials provided that the following conditions apply:
    • The trial is not aimed at industrial or commercial developments of drugs;
    • The sponsor is a non-profit entity (if non-profit and profit sponsors coexist, then the trial falls outside the scope of the Non-Profit Decree);
    • The sponsor does not have title to the marketing authorization of the trial drug, nor has any economic relationships (cointeressenze) with the marketing authorization holder;
    • Data and results of the trial, as well as decisions over their publication, are exclusively of the sponsor.

The main novelty of the Non-Profit Decree is the possibility that sponsors of non-profit trials transfer the related data and results, both in the trial phase and once the trial is completed, for registration purposes. Such transfer must be governed by a contract between the promoter and the transferee, the consideration of which is identified by a patent consultant jointly identified by the parties.

In the event of a transfer:

  • The transferee becomes the data controller of the trial data;
  • Costs associated with the trial, as well as fees due to AIFA and the competent ethics committees, which were waived in light of the non-profit status of the trial, must be paid; and
  • The proceeds of the transfer are allocated in favor of the sponsor (50%), a non-profit trial fund (25%) and an AIFA fund (25%).

The transfer must be notified by the promoter to AIFA, the competent Ethics Committee and the trial centers involved.

The Non-Profit Decree also sets forth that observational studies require prior approval by the competent ethics committee and that AIFA will adopt new guidelines for the classification and conduct of observational studies on drugs.

In case of any non-profit trial on a study drug, the pharmaceutical company having title to the drug must share with the sponsor an updated copy of the drug dossier and any safety data on the trial drug must be shared between the pharmaceutical company and the sponsor.

The Non-Profit Decree opens new opportunities for non-profit sponsors: it remains to be seen if there will be an appetite to purchase data by private entities and if a price set forth by an independent expert will be an effective mechanism.

Whistleblowing Directive: What You Need To Know

Whistleblowing, or reporting of breaches of the law, is often regulated in a fragmented and non-comprehensive fashion. This is about to change thanks to Directive 2019/1937 of October 23, 2019 “on the protection of persons who report breaches of Union law” (the “Directive”), aimed at harmonizing and broadening the protection of whistleblowers and of reported entities.

In Italy whistleblowing is currently governed by Legislative Decree no. 165/2001 (for public employees) and by Legislative Decree no. 231/2001 (for private employees). With regard to the private sector, whistleblowing provisions are only applicable to companies who have adopted a “231 Organizational Model”.

The Directive should have been implemented by December 17, 2021. The Italian government has been delegated by the Parliament to adopt the necessary implementing measures but, as in many other EU countries, the legislative process has already exceeded the December 17 deadline.

While the details of the national law that will implement the Directive are still unknown, certain basic principles can already be envisaged:

  • In principle, the Directive applies to public entities and to private entities with at least 50 employees or with an annual turnover of more than Euro 10 million, with two caveats: (i) the Directive is applicable, regardless of the number of employees, if your company operates within the scope of EU legislation preventing money laundering and terrorist financing (e.g., financial services); and (ii) Member States may decide to apply new whistleblowing provisions also to companies below the 50-employee threshold;
  • The Directive broadens the concept of reporting person: among others, also self-employed workers, shareholders, members of the key company’s bodies, (sub)contractors and suppliers will be covered by the protection afforded by whistleblowing legislation (such as the protection of their identity), even if their work relationship has ended or has yet to begin;
  • The Directive also broadens the subject matter of the report: to be covered by the Directive, reports have to relate to breaches of EU law in specific sectors. However, the Directive provides for the possibility to broaden the subject matter so as to include violations of domestic legislation;
  • The Directive provides for three reporting channels:
    • Internal channel: if you have adopted a 231 Model, you are surely already equipped with an internal whistleblowing channel, which, however, will need to be upgraded so as to cover the new definition of reporting person and the strict reporting and follow-up requirements established by the Directive;
    • External channel, which will be set up by the government and will likely allow reporting persons to blow the whistle to public authorities, such as the Italian Anticorruption Authority. (If you have an IT provider which helps you run a whistleblowing channel, that’s an internal one);
    • Public disclosure: reporting persons may “go public” only if other channels have not been successful.
  • In relation to groups of companies, the European Commission has clarified the matter with two opinions, dated June 2, 2021 and June 29, 2021: each legal entity with 50 or more workers is required to set up its own channels and procedures for internal reporting. Entities with 50 to 249 employees may “share resources” with their parent companies (but also with non-linked companies) and may also, but not exclusively, rely on their channels;
  • Data collection and processing activities under whistleblowing provisions must be carried out in compliance with the GDPR: as an example, personal data which are manifestly not useful for the purposes of a specific report must not be collected or, if collected accidentally, must be deleted.

While we wait for the Italian law implementing the Directive, the above basics already give you an idea of what is to come.

Recent Amendments to Legislative Decree no. 231/2001 on Corporate Liability: Is Your Company Impacted?

New Crimes under Legislative Decree no. 231/2001. The list of crimes triggering corporate liability under Legislative Decree no. 231/2001 was recently expanded by Legislative Decree no. 184/2021, implementing Directive (EU) 2019/713 “on combating fraud and counterfeiting of non-cash means of payment and replacing Council Framework Decision 2001/413/JHA”. As a result, Section 25-octies.1 on “Crimes related to non-cash payment instruments” was introduced. Such crime arises in case of:

  • Unlawful use and forgery of non-cash payment instruments;
  • Possession and dissemination of equipment, devices or computer programs aimed at committing offences concerning non-cash payment instruments; and
  • Computer fraud, provided for by Article 24 of Legislative Decree No. 231/2001, for which an aggravating circumstance has been introduced in case the conduct results in the transfer of money, monetary value or virtual currency.

Sanctions for committing such crimes are monetary fines up to 800 quotas and the application of blacklisting sanctions.

Amendments to the Italian Criminal Code. Legislative Decree No. 195/2021, implementing Directive (EU) 2018/1673 “on combating money laundering by criminal law”, introduced several amendments to Sections 648, 648-bis, 648-ter and 648-ter.1 of the Italian Criminal Code, providing for the offences of receiving stolen goods, use of goods of unlawful origin, money laundering and self-laundering, all already included in the catalogue of predicate offences under Section 25-octies of the Legislative Decree No. 231/2001. More specifically, the above-mentioned Legislative Decree amended the provisions:

  • By extending the scope of the crime of receiving stolen goods also to contraventions and by providing for an aggravating circumstance in case the offence is committed in the exercise of a professional activity;
  • By extending the scope of the crimes of money laundering and self-laundering also to culpable offences and contraventions;
  • By extending the scope of the crime of use of goods of unlawful origin also to contraventions.

Further Proposed Legislative Amendments. Draft law No. 2427 provides for the inclusion of agri-food crimes in the list of predicate offences under Legislative Decree No. 231/2001, with the aim of safeguarding public health, with a focus on the traceability of raw materials and products, hygiene violations, and combating fraud in trade, from agro-piracy to Italian sounding. However, the bill has been submitted to Parliament but has not been approved yet.

Any Impacts for Your Company? If your company has not yet adopted an organizational model pursuant to Legislative Decree no. 231/2001, then it will obviously need to consider all the above crimes, in addition to those previously existing. If, instead, your company has already adopted a 231 model, it will be necessary to check if it is at risk of committing such new offences. It would be advisable to carry out a new risk assessment aimed at ensuring that the model is duly updated.

Check Your Website’s Compliance with New Rules on Cookies

The Italian Data Protection Authority’s new guidelines for the processing of cookies are in force. Does your website comply? Find out if the answer is yes (or if you need adjustments) through the Q&A below.

On January 9, 2022, the new guidelines for processing of cookies and other online tracking instruments issued by the Italian DPA have officially entered into force. Take this test to check if you are already compliant.

Q: What kind of cookies are you currently using on your website?

A: The Italian DPA has divided the cookies currently in use into 3 categories:

  • Technical cookies: these cookies are the ones strictly necessary to a service provider for the dispensing of a service requested by users.
  • Profiling cookies: these cookies are the ones used to create clusters of users, by associating them with specific actions or behavioral patterns. Such cookies are mainly aimed at modulating the delivery of services provided to the user in an increasingly personalized way, as well as to carry out targeted advertising activity.
  • Analytic cookies: these cookies are the ones which are aimed at evaluating the effectiveness of the services offered or to measure user “traffic” on the website, by memorizing users’ online activities within the website. These cookies are mainly provided by third party suppliers.

Q: What should I do in case I use TECHNICAL COOKIES?

A: Technical cookies are not subject to any prior consent by the users. This means that you just need to provide the users with specific cookie policy information, having the details set forth by article 13 of the GDPR. Such policy may also be contained in a specific section of your general privacy policy information.

Q: What should I do in case I use PROFILING COOKIES?

A: Profiling cookies may be used only upon prior consent by the users. You may obtain users’ consent by implementing a cookie banner that will pop up on your website as soon as users access your online page.

Q: What should I do in case I use ANALYTIC COOKIES?

A: Analytic cookies can be processed without any consent by users only if they do not allow any identification (direct identification – i.e. “singling out” – of the person concerned should not be achieved), and if they are used for the production of aggregate data only. Otherwise, they need to be expressly authorized.

Usually, analytical cookies are provided by third parties. In such case, you must provide, within your cookie policy notice, an updated list of all the third party cookies that are implemented within your website.

Q: How do I collect consent by users, when mandatory?

A: You may set up a cookie banner that will pop up on your website when users access your online page.

Q: How to draft a cookie banner?

A: First and foremost, cookie banners must be user-friendly and immediately visible. The dimensions of the banner must be neither too small nor too big, if compared with the kind of device used. Their wording must also be simple and easy to understand. In addition, cookie banners must contain a link to the cookie policy notice. No profiling cookies can be implemented before consent by the user. Only technical cookies may be pre-implemented.

Q: Do I have to grant users the possibility to modify their choices?

A: Yes, a specific section on the website must always be included to enable users to modify their first decisions.

Q: Can I obtain consent by users in other ways?

A: Consent by the user must be free and unambiguous, but there is no mandatory way to obtain consent by the users: you may implement your own system, in accordance with accountability principles set forth by the GDPR so long as consent is unambiguous and through a positive act of the user (“opt in”). No form of implicit consent is acceptable.

Q: Can I propose the banner again in case the user has declined consent?

A: The excessive and redundant use of banners requesting consent is not allowed – except for certain specific exceptions – since this may bring the user to give consent for the sole purpose of interrupting the pop-up of the banner.

Q: What about “cookie walls” and “scroll down”?

A: Don’t use them! A “cookie wall” is a mechanism by virtue of which the denial of consent by users prevents them from accessing the website entirely. A “scroll down” system assumes the implied consent of the user when the user continues browsing the website without expressing any choice with regard to cookie consent. Neither cookie walls nor scroll down systems are compliant, since they are not aimed at obtaining an express consent by the user.

All clear? If not, reach out to us!

New Guidelines on Patient Support Programs Adopted by Italian Pharma Industry Association

New guidelines on patient support programs have been adopted by the Italian pharmaceutical industry association (Farmindustria) on January 19, 2022. The new guidelines have been incorporated in a new release of the industry ethical code, where also several provisions regarding educational activities, market access and scientific data exchange have been updated.

Patient support programs are not expressly regulated under Italian law and, for such reason, the guidelines issued by Farmindustria are particularly helpful in identifying the best market practices. The new guidelines define patient support programs as initiatives implemented by pharmaceutical companies aimed at making available additional services for the direct benefit of patients. Such services are not intended to replace the services of hospitals and other healthcare organizations.

Patient support programs can only be implemented in connection with medicinal products that have received a marketing authorization, for the sole purpose of providing information on the correct use of the medicinal product and to foster patients’ compliance with its administration. They can never have a promotional purpose.

The new Farmindustria guidelines expressly acknowledge that patient support programs may be implemented by pharmaceutical companies through a third party service provider, which may carry out services in favour of patients by means of adequately qualified professionals. The pharmaceutical companies, however, continue to have overall responsibility for the program.

A noteworthy innovation has been adopted with regard to the processing of patients’ personal data. In fact, the new guidelines provide that pharmaceutical companies must not directly process the data of patients enrolled in a patient support program, and should rather only access aggregated data for statistical purposes on the use of the services. 

This latter provision is particularly troublesome from a data protection standpoint, as it may be interpreted as preventing pharmaceutical companies from acting as data controllers in connection with the deployment of patient support programs, even if they remain responsible for the programs themselves. Therefore, new mechanisms shall be implemented to segregate identifiable data and prevent their processing by pharmaceutical companies unless they are previously de-identified.

Re-Use of Research Data

It may now be easier for private companies to re-use research data generated by the public sector. Thanks to Italian legislative decree no. 200 of 2021 implementing Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information, re-use of research data – whether for commercial or non-commercial purposes – may be carried out so long as intellectual property rights and privacy rights are respected.

In other words, if research data is anonymized and does not include intellectual property, free re-use is possible whenever such research data is generated from public funding and made available by researchers or research institutions through public databases. Research data must comply with Findability, Accessibility, Interoperability, Reusability (FAIR) principles.

What is “research data”? Research data means “documents in a digital form, other than scientific publications, which are collected or produced in the course of scientific research activities and are used as evidence in the research process, or are commonly accepted in the research community as necessary to validate research findings and results”.

Are you in need of an example? “Research data includes statistics, results of experiments, measurements, observations resulting from fieldwork, survey results, interview recordings and images. It also includes meta-data, specifications and other digital objects. Research data is different from scientific articles reporting and commenting on findings resulting from their scientific research” (whereas no. 27 of the 2019/1024 Directive).

Certain scholars have pointed out how the principle of scientific open data is framed in terms that are too restrictive and continue to clash with intellectual property rights, database and algorithm protection.

While the push for reuse of research data may appear timid at this point in time, the EU seems in any case determined to continue its open data agenda through the Data Governance Act.

Only 1 Week until Go Live of EU-Wide Clinical Trials Information System

Remember the Clinical Trials Regulation? Much time has passed since its publication in 2014. No worries if your memory fails you: we have discussed the Clinical Trial Regulation at length in this article, which appeared in the Indian Law Journal of Law and Technology. If you prefer a shorter summary, you may read here what the European Medicines Agency has prepared for you.

The actual entry into force of the Clinical Trials Regulation depended on confirmation of full functionality of the Clinical Trials Information System (CTIS) through an independent audit, which occurred on April 21, 2021. Now, the go-live date for the CTIS will be on January 31, 2022. Information on the go live planning can be found here.

The Clinical Trials Regulation was born to address the prior directive’s shortcomings, and particularly to target the goals of harmonization and simplification in this field, also with a view of making Europe a competitive region in the global clinical trials market. Good luck to the CTIS: we hope the Clinical Trials Regulation keeps its promises!

Can the Medical Device and Pharma Italian Sectors Be “Influenced”?

Influencers are everywhere these days. Are they allowed to influence patients and doctors in the healthcare sector?

Pharmaceuticals. With regard to pharmaceutical products, the answer appears to be no. In fact, according to section 117 of Legislative Decree No. 219/2006, advertising of medicinal products must not include recommendations from scientists, healthcare professionals or persons widely known to the public.

A minor and partial derogation was allowed by the administrative court of the Lazio Region, which stated that the sole presence of a well-known person, who does not show any preference for a certain medicine nor gives advice, in an advertising message, does not per se trigger the violation of the legislative prohibition.

Medical Devices. A different conclusion can be reached in connection with medical devices.

In fact, the guidelines issued in connection with advertising of medical devices expressly allow the use of testimonials, provided that (i) the advertisement is authorized by the Italian Ministry of Health, and (ii) the influencer does not express any advice or recommendation, also implicitly, in connection with the device itself.

But what about an influencer, who shares details of a health treatment by posting photos or videos? Is that advertising or freedom of expression?

The IAP (Institution of Advertising Self-Discipline) is starting to reflect upon the borders between advertising messages and private users’ content. A case-by-case analysis should be carried out, taking into account the context, the form of the presentation and the absence of commercial elements, such as trademarks.

Our conclusion. While our entire life seems to be easily influenced, the Italian legislation and case law are committed to shielding us from such influence, at least in connection with our health.

Valeria Ramponi / Giulia Titola