Clarifications on the Processing of Health Data by the Italian Data Protection Authority

The Italian Data Protection Authority has provided clarifications on the processing of health data by means of a note issued on March 7, 2019.

On the basis of section 9.2 letter h) and section 3 of GDPR, the Authority has indicated that healthcare professionals who are subject to a duty of confidentiality (or other professionals also subject to confidentiality obligations) will no longer require consent of the patient in order to process data for the purpose of providing healthcare services.

Processing of personal data beyond what is necessary to provide healthcare services will, instead, continue to require the patient’s express consent. Consent is required, for example, for the use of medical apps, for any use of personal data for marketing purposes and for the inclusion of data in electronic health records.

In any case, the patient must receive information about how her/his data will be processed (including the duration of the data processing). The Data Protection Authority clarified that such information must be concise, transparent, intelligible and easily accessible, using simple and clear language. For hospitals processing data in complex ways, the Authority suggests that information is given to interested data subjects and when necessary (mass information to all is not a good idea).

Lastly, the Authority notes that the appointment of a Data Protection Officer is required in case of large scale processing of health data, which occurs in hospitals (regardless of their public or private nature), but does not apply to individual medical professionals, pharmacies or orthopedic firms. The keeping of a register of processings, instead, remains a key requirement and a basic element of accountability and risk management in any case of health data processing.

A summary of the Authority’s clarifications can be found here.

New Grounds for Exclusion of Contractors from Public Tender Procedures

Italian Law Decree no. 135 of December 14, 2018, titled “Urgent provisions on support and simplification for businesses and public administration” (so called “Decreto Semplificazioni”), which this blog already discussed here, has also an impact on the Public Contracts Code (Legislative Decree No. 50/2016).

Inter alia, section 80 of the Public Contracts Code on “Grounds for exclusion” has been amended and three new type of circumstances triggering exclusion have been established:

  • exclusion from participation in the tender procedure when “the contracting authority demonstrates by appropriate means that the economic operator has been guilty of serious professional offenses, such as to make his integrity or reliability questionable “; (letter c)
  • exclusion from the tender when “the economic operator has attempted to unduly influence the decision-making process of the contracting authority or obtain confidential information for the purpose of its own benefit or provided, even by negligence, false or misleading information likely to influence the decisions on exclusion, selection or award, or omitted the information required for the proper conduct of the selection procedure“; (letter c-bis)
  • exclusion also in the further case where “the economic operator has demonstrated significant or persistent deficiencies in the execution of a previous public contract that have caused the termination of the contract due to non-compliance or a judgment ordering damages or other comparable sanctions ” (letter c-ter).

With specific reference to this latter c-ter), we note that it has modified the previous provision according to which among the serious professional offenses there are “significant deficiencies in the execution of a previous public contract that have caused the termination of the contract, not challenged in court, or confirmed as a result of a judgment (..)“.

Therefore, according to the new art. 80, par. 5, let. c-ter) of the Public Contract Code, a candidate may be excluded from the public tender in the presence of a previous contractual termination with a public authority, even if challenged in court and still pending before the judge. The point has also been recently confirmed by the sentence of the T.A.R. Marche-Ancona, January 15, 2019, n. 32.

Agreement Reached on the European Copyright Directive

An agreement has been reached on the much discussed European Directive on copyright. http://europa.eu/rapid/press-release_IP-19-528_en.htm. In a race against time to close the dossier by the end of the legislature, in the late evening of February 13, the Parliament, the Commission and the Council of the European Union have finally found an agreement on the copyright directive, which this blog already illustrated https://lawhealthtech.com/2018/09/24/copyright-european-legislation-getting-ready-for-the-digital-era/ .

The vice president of the European Commission immediately tweeted «Europeans will finally have modern copyright rules fit for digital age!». Supporters insist that the new provision will guarantee rights for users, fair remuneration for creators and clarity of rules for platforms. On the other hand, the opposition, stronger than ever before, wants to prevent the imminent change of the internet as we know it.

The highest expectations, placed on the trilogue, concerned the much debated articles 11 and 13, and these have reported to be the outcomes:

  • With regard to the publishers rights, the new version of article 11 sets forth a general need to get a license for the online use of publishers’ press publications, with the only exception for the use of «individual words or very short extracts». According to the Commission, mere hyperlinks and snippets are, therefore, not included in the reform. However, how short should be a “very short extracts” is still to be understood.
  • With regard to the use of protected content by online content sharing services provider, online platforms should obtain a preemptively authorization from the right holders, concluding licensing agreements (where online platform is defined as «a provider of an information society service whose main or one of the main purposes is to store and give the public access to a large amount of works or other subject-matter uploaded by its users which it organizes and promotes for profit-making purposes»). Indeed, an exception has been created for small online platforms, which will not be subject to the abovementioned obligation if they: have been available to the public for less than three years; have an annual turnover below 10 million of euro; and have less than 5 million of visitors.

In the other cases, if no authorization is granted, sharing services providers shall be liable for unauthorized acts of communication unless they demonstrate not only to have made the best efforts to obtain the authorization, but also, in accordance with high industry standards of professional diligence, to have made the best efforts to ensure the unavailability of specific works, as well as to have acted expeditiously to remove the content, after receipt of a notice from the right holders.

We will see if the agreement will survive until the finishing line or if the vote of the European Parliament, scheduled for March-April, will block the text once again, as, unfortunately, already happened.

Italy Recognizes Legal Effects to Documents Based on Blockchain Technologies.

Under Italian law a document saved through blockchain technologies can have legal effects.

According to Law Decree 135/2018 (“Decreto Semplificazioni”), which was recently confirmed into law by Law 12/2019, technologies based on distribuited records can have the same legal effects as electronic time stamps under section 41 of EU Regulation 910/2014. Such effects will be obtained if certain technical standards are met and the regulatory body Agenzia per l’Italia Digitale is entrusted with the task of setting forth such standards within 90 days.

Technologies based on distributed records are defined as “technologies and information protocols that use a shared register that is distributed, replicable, simultaneously accessible, architectural decentralized on cryptographic basis, such as to allow the recording, validation, updating and archiving of data both in accessible format and further protected by cryptography verified by each member, not alterable and not modifiable”. The scope of the definition is wide and intends to include blockchain technologies, which can be varied.

Similarly, technologies based on distributed records will also allow so called “smart contracts” to have legal effects. Smart contracts will be presumed to have legal effects when the contractual parties have been previously identified on the basis of technologies based on distributed records. Again, details will be up to the Agenzia per l’Italia Digitale.

Italy’s effort to pioneer the embrace of new technologies in the legal field is commendable, but there is a risk that standards set forth by the Agenzia will not be the same as other national or international standards that may be emerging in the near future.

Sunshine Act, Transparency and Ethics: a Seminar Hosted by Gitti and Partners

Do you have a “Sunshine Act” in your jurisdiction? Any other piece of legislation that mandates that all interactions between the industry and health care professionals are made public?

Italy is about to enact one. You may find the proposed bill here.

In our seminar, which will be held on January 31 at 5 p.m. at our offices in via Dante 9, Milano (the full program can be found here) we will discuss how transparency and ethics interact. We will also ask ourselves how the behaviour of doctors, patients and life sciences’ companies may change following the introduction of the Sunshine Act, which promises disclosure of any exchange of value over €10. We will also ponder upon the use of the data rendered public by the media (see an interesting point of view here).

The topic of conflicts of interest seems especially “hot” these days, since Advamed just revised its code of ethics on interactions with US healthcare professionals and stories about conflicts of interest between doctors and industry continue to be in the media.

We look forward to this interesting opportunity of dialogue on a crucial aspect of healthcare.

What the Implant Files Are Not Telling

The investigation.  The “Implant Files” is a global investigation carried out by reporters in 36 countries under the lead of the International Consortium of Investigative Journalists (https://www.icij.org/investigations/implant-files/). The project, which attracted significant worldwide attention over the last few weeks as articles and reports were published, purported to show how the medical device industry failed to place on the market safe products and ultimately harmed a significant number patients.

Regrettably the way the investigation has been reported by several media outlets and the conspiracy theories underlying certain articles leave the readers without a clear understanding of the issues on the table and the policies behind the current regulatory framework.

The approval process.  For instance,  while the investigation was conducted globally, many articles published by European consortium members focused their attention on the lack of a centralized authorization procedure for the marketing of medical devices in the EU and argued that a loose regulatory framework enabled manufacturers to sell unsafe devices on the European market.

The absence of a centralized marketing authorization procedure for medical devices in Europe is depicted as a failure of European lawmakers, influenced by the medical device lobby. However, none of the articles reporting on the investigation provides readers – who may not be familiar with the authorization process – a clear and complete picture of the rationale and public healthcare policies behind the current regulatory framework. Most notably, the Implant Files investigation fails to explain the benefits for patients of a faster launch of innovative devices on the market. Neither they show any meaningful and documented difference in terms of patient safety between the EU and the US, where a centralized authorization procedure administered by the FDA is in force. The fact that the investigation concerns the US as much as the rest of the world is probably a good indication that the type of approval procedure does not per se guarantee patients’ safety and an effective healthcare system.

The new regulation.  As to the timing of the investigation, it comes at a moment of transition when the new EU medical device regulation has already been enacted but has not yet begun to unfold its innovative potential in the industry.  Yet, the Implant Files investigation seems to assume that the new regulation will have no impact on the industry and the approval/vigilance system as a whole. The investigation does not really delve into the changes and improvements brought by the new regulation, which has in fact already addressed many of the issues raised by the Implant Files. Among such innovations, new and improved vigilance measures and an increased accountability for notified bodies should be certainly taken into consideration.

Further, the investigation neglects the public discussions and exchanges that occurred throughout the EU (and the world) in the years that preceded the enactment of the new regulation, when the truth is that its provisions have been at the center of the public healthcare discourse for years, have been debated among experts, stakeholders and lawmakers in full transparency, have been reported by newspapers and specialized media. The alleged “scoop” seems a few years late.

The current vigilance system.  Lastly, one of the major flaws of many articles reporting on the investigation is that they give readers the idea that no meaningful vigilance system exists today. This is of course not correct. Italy, for instance, has a long-standing nation-wide register of approved medical devices marketed in its territory kept by the Ministry of Health. The same Ministry transparently shows on its website all safety notices and field actions carried out in Italy. The tool is easily searchable and can be found on the very first page of the medical device directorate’s site. 

Not only the Implant Files investigation failed to accurately report the existing vigilance and transparency measures, but created their own medical device database, allegedly aimed at providing the public with full access to data submitted by patients and reporters. 

Does the Implant Files investigation really benefit patients?  At the moment one cannot but wonder if this project really does provide patients with complete, accurate and independent information that can be useful for their health and wellbeing.

Is a public database, entirely managed by a private consortium, really empowering patients? How the database is managed, how the uploaded information is vetted and updated, for which purposes the uploaded information can be used by patients? Shouldn’t we work on improving a public, transparent system, managed by officers and professionals who have the scientific and regulatory expertise that is needed to address all issues involved, rather than building on a new, uncontrolled and unaccountable tool that could potentially distort patients’ behavior? The media would do a better service to the public opinion by giving a balanced, informative and articulate picture of the facts, rather than spreading sensationalistic news that would make anyone with an implanted device panic (and click on the article!).

 

Therapeutic cannabis in Italy: business opportunities

Italy’s only authorized medical cannabis facility is currently controlled by the military. However, the production site, located in the Florence area, cannot keep up with the increasing demand, creating shortages for patients and barriers to its prescription by physicians (whose patients are unlikely to be able to obtain the quantities needed).

As Colonel Modica of the Italian Military recognizedThe health ministry and the defense ministry are trying to fix the shortfall because there’s been a huge increase in cannabis prescriptions and the number of patients who need them”.

Meanwhile, pressed by the patients’ associations, the Italian Health Care Ministry Giulia Grillo announced not only the increase of import of therapeutic cannabis products from the Netherlands (to cover the short-term shortages), but also the start of a longer-term project, eventually leading to the creation of a public-private partnership for the production of cannabis. “An invitation to present expressions of interest will be published in order to increase the production of therapeutic cannabis“, Ministry said. Although underlining that an appropriate time frame will be needed in order to implement the project, the Ministry confirmed that the cannabis production activity is “of great interest for both the Defense and the Public Health Care” and crucial in order to satisfy the increasing needs of both domestic and foreign markets.

The increase in the domestic production of therapeutic cannabis, along with the overall demand for it, appears to be inevitable.

On the other hand, the boom of “light cannabis” products in Italy (i.e., containing THC in a percentage lower than 0.2 and, therefore, expressly declared legal in Italy starting from January 2017) seems to have encountered some obstacles lately.

The Advisory Board of the Italian Health Care Ministry (Consiglio Superiore di Sanità) issued a report last spring, recommending the adoption of measures aimed at prohibiting the sale of light cannabis products.

In addition to that, an internal note of the Ministry of Home Affairs, recently made public, promoted a zero-tolerance approach and a strict application of the relevant laws and regulations. Such steps have caused great uncertainty and concerns amongst those who have invested in what came to the media’s attention in 2017 as a State-backed business.

Hence, the latest developments relating to therapeutic cannabis in Italy indicate that new business opportunities for both exporters and producers of cannabis-based prescriptions are likely to be offered in the Italian market. Conversely, serious questions can be raised in connection to the light-cannabis boom, in view of the inconsistent approach recently taken by Italian authorities.

Tax Crimes Will Trigger Criminal Liability of Corporate Entities

As a result of the so called “PIF Directive”, starting from July 2019 criminal corporate liability under Italian law 231 may be triggered by tax crimes, too.

(If you are not overly familiar with the principles of Italian 231 legislation on criminal liability of corporate entities, perhaps you may start here.)

Under Italian 231 law, corporations are subject to criminal (rather, quasi-criminal) liability when certain specific crimes are committed in their interest or to their advantage. So far, such crimes have never included tax crimes, although the issue had been widely debated and several court decisions had attempted to combine other types of crimes with tax crimes (the Supreme Court had always disagreed, though).

Now, the PIF Directive, which Member States must implement by July 6, 2019, “establishes minimum rules concerning the definition of criminal offences and sanctions with regard to combatting fraud and other illegal activities affecting the Union’s financial interests, with a view to strengthening protection against criminal offences which affect those financial interests.” Liability of legal entities must be foreseen by national legislation and serious offenses against the common VAT system must be punished.

The Italian legislator will thus need to introduce such serious VAT crimes (i.e., having a value in excess of 10 million euros) in the list of crimes triggering corporate liability. This, in fact, may open the door to other tax crimes as a basis of 231 liability of corporate entities.

ECJ on the Applicability of Public Procurement Rules

I have been asked to comment on the European Court of Justice decision of October 18 relating to the application of public procurement rules to a drug supply arrangement between a privately owned hospital and a public hospital.

The decision can be found here and the full article here.

 

 

French Court of Cassation Orders Retrial of PIP Case

Last week the PIP legal saga took another unexpected turn.

On October 10, 2018 the French Court of Cassation overturned the decision of the Appeal Court, which had cleared from liability TUV Rheinland, the notified body involved in the PIP case, and sent the case back to the Appeal Court.

Breast implants made by the French firm Poly Implant Prothèse (also known as “PIP”) had been marketed for years until, in 2010, it was discovered that silicone used for such breast implants was industrial, rather than biomedical. The investigation found that employees of PIP removed evidence of the industrial silicone gel before inspections by TUV Rheinland, the notified body who was in charge of audits on the manufacturing of the breast implants.

Breast implants are medical devices that may be marketed in the European Union if they are granted a CE marking, which is based on the certification by a notified body that the device satisfies legal requirements. The scandal, although linked to a criminal scheme, showed certain weaknesses of the medical device legislation and ultimately led to the adoption of the EU Medical Device Regulation in 2017.

PIP closed down in 2010 and, although its founder was jailed and fined, the many thousands of affected women could not be compensated by PIP. TUV Rheinland was initially condemned for negligence in 2013 and ordered to pay damages of 5.7 million euros, but was later cleared from liability by a French Appeal Court in 2015.

The Court of Cassation has now sent back the case to the Court of Appeals in order to shed light on two issues. TUV’s press release on the decision can be read here. According to Maître Cécile Derycke, Counsel for the TÜV Rheinland companies: “The TÜV Rheinland companies are serene. […] We are confident that the Court of Appeal to which the case has been referred back will confirm that TÜV Rheinland LGA Products GmbH performed its mission as a notified body diligently and in total compliance with the applicable regulations and TÜV Rheinland France SAS committed no fault.”.

Stay tuned to find out if TUV Rheinland’s is found to be a victim or a perpetrator in the PIP scandal… and if affected patients are entitled to compensation by TUV.