New 231 Crimes Introduced

New tax crimes that may trigger corporate liability have been introduced by the Italian budget law, namely by section 39 of law decree no. 124 of 2019 relating to fiscal measures (decreto fiscale).

The new section “25-quinquiesdecies” (sic!) applies to crimes of fraudulent tax statements through invoices or other inexistent transactions, invoicing inexistent transactions, fraudulent avoidance of tax payment and destruction of accounting documents.

As a result, companies that commit such fraudulent tax crimes are not only subject to tax liability, but also to “231” liability and punished with a monetary sanction up to 774,500 Euros. Such “231” liability may be in addition to the personal criminal liability of their directors. Additionally, in many cases the confiscation of money, goods or other benefits resulting from the tax crime also applies.

The new crimes will be in force starting from the publication in the Official Gazette of the law converting the above-mentioned law decree, which must be converted by the Italian Parliament before Christmas Day.

Companies must therefore act in order to ensure that their 231 organizational models include sufficient provisions aimed at preventing such crimes, such as controls on the veracity of transactions, on the keeping of accounting documents and on the contractual counterparty indicated by the company’s tax documentation. Of course, we at Gitti and Partners can help!

The European Data Protection Board’s Revised Guidelines on the Territorial Scope of GDPR Are Out (With Some Interesting Examples). Check Them Out!

One of many innovations introduced by GDPR is its territorial scope.

In fact, the two main criteria defining the territorial scope of the GDPR – the establishment criterion (Art. 3.1 of GDPR) and the targeting criterion (Art. 3.2 of GDPR) – have been drafted in such a way as to avoid easy ways out when it comes to the protection of individuals and their personal data.

Last November, the European Data Protection Board (“EDPB”) published a revised version of its Guidelines 3/2018 on the territorial scope of the GDPR, which provide some interesting remarks and examples on both the establishment and the targeting criteria. We will concentrate on a selection of a few of them.

THE ESTABLISHMENT CRITERION

EDPB suggests a threefold approach in determining whether or not certain processing of personal data falls within the scope of the GDPR on the basis of the establishment criterion.

1) Is there an establishment in the EU?

This is, of course, an answer that must be given having regard to the effective and real exercise of activities through stable arrangements, rather than to other formal circumstances, such as the legal form of a certain entity.

It is worth noting that, on this issue, the EDPB made sure to remind us – by making reference to the Weltimmo case – that the threshold to be applied in determining whether or not an arrangement can be deemed stable can be quite low, for example, when it comes to the provision of online services. Even a single employee may be sufficient to constitute a stable arrangement, if that employee acts with a sufficient degree of stability.

2) Is processing carried out in the context of the activities of the establishment?

The EDPB points out two factors that must be taken into consideration: (i) the relationship between a controller or processor outside the EU and its local establishment in the Union; and (ii) revenue raising in the EU.

3) There is no need that the processing takes place in the EU!

The place of processing is irrelevant, if processing takes place in the context of the activities of the establishment. So is the geographical location of the data subjects in question.

In addition to the threefold approach, the EDPB offers some hints on how the application of the establishment criterion may be affected by the relationship between the controller and the processor. In this regard, the first thing to note is that the relationship between a controller and a processor does not per se trigger the application of GDPR to both. Furthermore, it is more likely that the establishment within the EU of the controller will lead to the application of GDPR to the processor located abroad than vice versa. In fact, on one hand, when a controller subject to GDPR chooses a processor located outside the EU, the processor located outside the EU will become indirectly subject to the obligations imposed by GDPR by virtue of contractual arrangements under Art. 28 of GDPR. On the other hand, unless other factors are at play, the processor’s EU establishment will not per se trigger the application of GDPR to the non-EU controller, because by instructing the EU processor the non-EU controller is not carrying out any processing in the context of the activities of the processor in the EU.

THE TARGETING CRITERION

The first thing to which the EDPB draws our attention is a simple, yet important, fact. Whenever the targeting criterion leads to the application of GDPR to controllers or processors which are not EU-established, such controllers or processors will not benefit from the one-stop shop mechanism, which would allow them to interact with only one Lead Supervisory Authority. That is an important factor to be taken into consideration when assessing the opportunity to establish an entity within the EU to offer services or monitor data subjects.

Having said that, the EDPB recommends a twofold approach for the targeting criterion.

1) Are data subjects “in the Union”?

Under the targeting criterion, GDPR will be applied to controllers or processors not established in the EU insofar as processing is related to the offering of goods and services to / monitoring of data subjects in the EU.

With regard to the presence of the data subject in the EU, no reference is made to any formal legal status of the data subject (e.g. residence or citizenship): it is sufficient that data subjects are physically located in the EU at the moment of offering goods or services or at the moment when their behaviors are being monitored.

Nevertheless, that will not be sufficient to extend the application of GDPR to activities that only inadvertently or incidentally target individuals in the EU. Hence, whenever processing relates to a service offered only outside the EU – and which is not withdrawn when individuals enter the EU – the relevant processing will not be subject to GDPR.

2) Offering of goods or services / monitoring of data subjects’ behavior, yes or no?

The first activity triggering the application of the targeting criterion is the offering of goods or services. It is interesting to note, in this regard, how the EDPB recalls the CJEU case law on Council Regulation 44/2001 on jurisdiction. Although the EDPB underlines some differences, the notion of “directing an activity” can be applied to assess whether non-EU controllers or processors are offering goods or services.

The factors that the EDPB lists, considering them a good indication, especially in combination with one another, of an offer of goods and services in the EU, are taken from the Pammer case and they include:

  • The EU or at least one Member State is designated by name with reference to the good or service offered;
  • The data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union; or the controller or processor has launched marketing and advertisement campaigns directed at an EU country audience;
  • The international nature of the activity at issue, such as certain tourist activities;
  • The mention of dedicated addresses or phone numbers to be reached from an EU country;
  • The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example “.de”, or the use of neutral top-level domain names such as “.eu”;
  • The description of travel instructions from one or more other EU Member States to the place where the service is provided;
  • The mention of international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers;
  • The use of a language or a currency other than that generally used in the trader’s country, especially a language or currency of one or more EU Member states;
  • The data controller offers the delivery of goods in EU Member States.

With reference to monitoring activities, the EDPB first reminds us that not only data subjects must be in the EU but, as a cumulative criterion, the monitored behavior must take place within the territory of the EU.

It then offers a fairly comprehensive list of examples of monitoring activities, including:

  • Behavioral advertisement;
  • Geo-localization activities, in particular for marketing purposes;
  • Online tracking through the use of cookies or other tracking techniques such as fingerprinting;
  • Personalized diet and health analytics services online;
  • CCTV;
  • Market surveys and other behavioral studies based on individual profiles;
  • Monitoring or regular reporting on an individual’s health status.

EDPB EXAMPLES SUMMARIZED

Based on the above, here’s a summary of some interesting examples (with some not-so-obvious outcomes):

WITHIN THE TERRITORIAL SCOPE OF GDPR

  • Case: An e-commerce website is operated by a company based in China. The personal data processing activities of the company are exclusively carried out in China. The Chinese company has established a European office in Berlin in order to lead and implement commercial prospection and marketing campaigns towards EU markets.
    Why? The processing is indeed inextricably linked to the activities of the European office in Berlin relating to commercial prospection and marketing campaigns towards the EU market.
  • Case: A French company has developed a car-sharing application exclusively addressed to customers in Morocco, Algeria and Tunisia. The service is only available in those three countries but all personal data processing activities are carried out by the data controller in France.
    Why? Processing of personal data is carried out in the context of the activities of an establishment of a data controller in the Union.
  • Case: A start-up established in the USA, without any business presence or establishment in the EU, provides a city-mapping application for tourists. The application processes personal data concerning the location of customers using the app (the data subjects) once they start using the application in the city they visit, in order to offer targeted advertisement for places to visit, restaurants, bars and hotels. The application is available for tourists while they visit New York, San Francisco, Toronto, Paris and Rome.
    Why? The US start-up, via its city mapping application, is specifically targeting individuals in the Union.

OUTSIDE THE TERRITORIAL SCOPE OF GDPR

  • Case: A hotel and resort chain in South Africa offers package deals through its website, available in English, German, French and Spanish. The company does not have any office, representation or stable arrangement in the EU.
    Why? Absence of any representation or stable arrangement of the hotel and resort chain within the territory of the Union.
  • Case: An Australian company offers a mobile news and video content service, based on users’ preferences and interests. Users can receive daily or weekly updates. The service is offered exclusively to users located in Australia, who must provide an Australian phone number when subscribing. An Australian subscriber of the service travels to Germany on holiday and continues using the service.
    Why? The service is not targeting individuals in the Union, but targets only individuals in Australia.
  • Case: A US company, without any establishment in the EU, processes personal data of its employees that were on a temporary business trip to France, Belgium and the Netherlands for human resources purposes, in particular to proceed with the reimbursement of their accommodation expenses and the payment of their daily allowance, which vary depending on the country they are in.
    Why? While the processing activity is specifically connected to persons on the territory of the Union (i.e. employees who are temporarily in France, Belgium and the Netherlands) it does not relate to an offer of a service to those individuals, but rather is part of the processing necessary for the employer to fulfil its contractual obligation and human resources duties related to the individual’s employment. The processing activity does not relate to an offer of service.

Paola Sangiovanni to Speak on Artificial Intelligence

Our firm will be attending the EMEA Regional Meeting of Ally Law in Malta next week and on Friday November 15th I will be speaking at a panel discussion titled “Keeping an Eye on AI: Ethical and Regulatory Considerations.” 

Artificial intelligence is a hot topic, also in the med-tech field, and poses exciting legal, ethical and regulatory questions. I am sure this will be an interesting opportunity to discuss them with legal and technical experts. 

 

Is Your Cookie Policy Right?

In a recent decision by the Court of Justice of the European Union in case C-673/17 against Planet49 GmbH, the issue of consent was analyzed on the basis of the ePrivacy Directive and the GDPR.

The case regarded a preliminary question by the German Federal Court of Justice on the validity of consent given through a pre-ticked checkbox, which the user must deselect to refuse his or her consent.

The Court analyzed the features of consent under the ePrivacy Directive (“freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed” by reference to the Data Protection Directive) and in the GDPR (“any freely given, specific, informed and unambiguous indication of the data subject’s wishes”).

The Court concluded that the user is required to “give” consent and to provide an “indication”, which “points to active, rather than passive, behavior.” Therefore, an opt-out consent is not validly given.

You may want to check if your website has a passive mechanism to accept cookies (including a mechanism whereby “continuing to browse the website means acceptance of these cookies”): under the Court’s decision described above, it is possible that such a passive consent would be regarded as invalid.

This conclusion would appear to contradict the previous guideline by the Italian Data Protection Authority providing that “if the user continues browsing by accessing any other section or selecting any item on the website (e.g. by clicking a picture or a link), he or she signifies his or her consent to the use of cookies.”

Further, the Court set forth that “the information that the service provider must give to a website user includes the duration of the operation of cookies and whether or not third parties may have access to those cookies.”

Recent Data Protection Developments

There are a few interesting developments in the area of data protection that you may have missed and we can recap for you:

  • CONDITIONS TO PROCESS CERTAIN DATA ISSUED BY THE ITALIAN DATA PROTECTION AUTHORITY. According to section 9 paragraph 4 of the GDPR, Member States are entitled to introduce additional conditions for the processing of genetic, biometric or health data. On July 29, 2019 the final version of such conditions issued by the Italian Data Protection Authority was published in the Official Journal. Such conditions apply to processing of data (i) in employment relationships, (ii) by associations, (iii) by private investigators, (iv) that are genetic or (v) for purposes of scientific research.
  • RIGHT TO BE FORGOTTEN. On September 24, 2019 the European Court of Justice issued a judgment on the right to be forgotten in case C‑507/17 against Google Inc. The Court ruled that “there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject, as the case may be, following an injunction from a supervisory or judicial authority of a Member State, to carry out such a de-referencing on all the versions of its search engine.” While the right to be forgotten must be enforced in all Member States, there is no obligation to do that in all national search engines. The Court, however, added that a supervisory or judicial authority, after balancing all rights concerned, would be able to order de-referencing on all search engines in the world since “EU law does not currently require that the de-referencing granted concern all versions of the search engine in question, it also does not prohibit such a practice.” Given the reaction to the judgment by the Chairperson of the Italian Garante (the data protection authority) Mr. Antonello Soro, it cannot be excluded that the Garante may issue a universal, rather than EU-wide, dereferencing order.
  • PROCESSING FOR “OWN PURPOSES”. A med-tech company has been sanctioned for having used patient data (medical scans) in a public tender process and in a subsequent litigation in an anonymized form. The company had been appointed by the hospital as a data processor but, the Garante ruled, had further processed such patient data for an own purpose rather than for the purposes mandated by the data controller (i.e., maintenance of equipment generating scans for patients).
  • AGAIN ON THE RIGHT TO BE FORGOTTEN. In a decision by the Italian Garante dated July 24, 2019 Google LLC was ordered to de-reference from its search engine news about criminal facts that occurred in 2007, for which an individual without any public role had been convicted but had since been fully rehabilitated.
  • CONSUMER CREDIT CODE OF CONDUCT. On September 19, 2019 the Italian Garante approved a new code of conduct for companies operating in the areas of consumer credit, credit worthiness analysis and payment punctuality.

 

EU Commission Factsheet on MDR and IVDR

Still confused about the regulatory changes affecting medical devices and in vitro devices? The EU Commission has published a useful factsheet, which you can find here.

Through the factsheet, the Commission warns health institutions and healthcare professionals that the upcoming changes may have consequences on the availability of medical devices because manufacturers may decide to stop their production or because products may not get their certificates on time.

Some notified bodies have also decided to drop out and only two notified bodies have been MDR designated so far, so this will create additional bottlenecks. A short grace period until 2025 is granted, but it does not apply to class I devices.

The path to an enhanced regulatory framework will be complicated and manufacturers, healthcare institutions and healthcare professionals need to know what to expect.

Clinical Trial Regulation: Another Piece of the Puzzle

Another piece of the puzzle that will become the Italian clinical trials regulatory framework was completed last week through the publication of Legislative Decree no. 52 of 2019. We had already talked about changes to clinical trials legislation in this previous post and some of the current changes had already been foreseen in that bill.

Here are the major changes:

  • The Italian pharmaceutical agency (AIFA) will be called to issue requirements for trial centers and specific weight will be given to the involvement of patients’ associations by the center in the protocol definition;
  • Patients associations will be involved also in the process of evaluation and authorization of clinical trials;
  • AIFA will publish data on authorized trial centers, along with curricula vitae of individuals involved in the conduct of the study;
  • AIFA will also need to set forth rules to guarantee the independence of the clinical trials and the absence of conflicts of interest in furtherance of section 9 of EU Regulation 536/2014;
  • In case of breach of terms and procedures relating to clinical trials, or of rules on independence and transparency, an ethical committee may be suspended;
  • New rules aimed at facilitating non-profit trials and observational studies (also post-market) will be introduced, which will allow the assignment of study data and their use for registration purposes.
  • Research methodologies and clinical trials conduct will be the subject matter of specific training courses offered, also as continuing medical education.

In conclusion, we need to wait for further rules before the puzzle is complete.

New Rules on Public Procurement

On June 12, following a confidence vote, the lower chamber of the Italian Parliament approved a law that will bring quite a few changes to the Public Procurement Code.

The new law, which has not been published in the Italian Official Gazette yet, has been enthusiastically announced as a way to accelerate governmental contracts, in line with the nickname of the act (“Sblocca Cantieri”, which could be translated as “Unlocking Building Sites”).

By way of example, the act allows subcontracting up to 40% (the previous threshold was 30%) and sets forth that only three competing offers will be required for contracts with a value between 40 and 150 thousand Euros. It also includes rather odd provisions, such as the increase in spending for closed-circuit TV cameras in public structures’ premises where small children and old people are cared for (see section 5 septies).

The law has been bitterly criticized by the head of the Italian Anti-Corruption Authority, who pointed out that the aggregate value of public procurement contracts is at its highest (139.5 billion in 2018) and that criminal infiltration in companies bidding for public works is also very significant. Many fear that de-regulation of the sector will not bring positive results.

Others simply point out that this body of law has been subject to too many changes in the past years, which makes it difficult for helpful case law to develop and confuses operators.

Why the European Union Whistleblower Laws Are All Doomed To Failure – BY GUEST BLOGGERS MARC RASPANTI AND PAM BRECHT

Today we are hosting a blog post by the US attorneys Marc Stephen Raspanti and Pamela Coyle Brecht.

Marc is the name partner of the US law firm Pietragallo Gordon Alfano Bosick & Raspanti, LLP located in Philadelphia, Pennsylvania, the founder of the firm’s White Collar Criminal Defense Practice Group, as well as the firm’s global Qui Tam/False Claims Act Practice Group (msr@pietragallo.com).

Pam serves as the firm’s Practice Chair for the firm’s global Qui Tam/False Claims Act Practice Group (pcb@pietragallo.com). Their firm websites are:  http://www.pietragallo.com and http://www.falseclaimsact.com

Member States of the European Union, over the last several years, have passed a series of so-called “Whistleblower Laws.”  These laws are being implemented allegedly to bolster anti-corruption efforts throughout Europe.  While corruption is no stranger to either side of the Atlantic, the European Union would advance their fraud fighting efforts exponentially by taking a focused look at the highly successful American False Claims Act.

France, Ireland, Italy, Greece, Germany, Netherlands, Sweden, Hungary, Lithuania, Malta, Slovakia, the United Kingdom, as well as others, have passed or amended some type of a putative whistleblower law.  Here is the issue.  None of these whistleblower statutes, in our opinion, contain the basic tenets of a strong and effective whistleblower program.  The development of the whistleblower statutes within the United States of America illustrates the bedrock elements of an effective and successful whistleblower law.

In 1986, the U.S. Congress amended the existing whistleblower statute, the False Claims Act, which was passed during the American Civil War by President Abraham Lincoln.  The 1986 Amendments to the False Claims Act included provisions that finally gave the law real fraud combatting teeth. Examining these 1986 Amendments (and even more recent Amendments) illustrates the changes needed in the European Union member States’ whistleblowing statutes.  Without such robust amendments the European Union laws will never have a real and palpable impact on fraud, waste and abuse.

The American statute, known as the federal False Claims Act, or the Qui Tam Law, has at its heart the following key provisions:

  • The United States has what is known as a “qui tam” or whistleblower provision.
  • A whistleblower who comes forward and meets the statutory requirements is authorized by the statute to bring an action on behalf of the government and is entitled to receive a set amount of any settlement or judgment the government receives from the defendant from 15% to 30%. This strong financial incentive has, singlehandedly, made the American statute the most successful fraud, waste and abuse statute in the world.  Of this fact there is no debate.
  • The United States’ Congress has provided strong protections against professional retaliation against whistleblowers. In contrast, the European statutes contain weak, non-existent or watered-down versions of this protection.  In fact, some of the European laws actually put the whistleblower at risk if he or she is incorrect in their allegations.
  • The American whistleblower statute attracts skilled lawyers who take these cases on a contingent-fee basis, and awards legal fees and costs to whistleblowers and their counsel, if they prevail in their claims against a defendant.
  • The American statute provides government attorneys with muscular investigative powers. For example, while the case is under seal, the government can issue document requests, written interrogatories, take depositions of key individuals, etc.  These broad investigative tools are lacking in most of the current European statutes.
  • As a result of the key amendments in 1986, the American whistleblower statute has returned more than $62 billion to the U.S. Treasury. No other whistleblower law in Europe (or anywhere) has had such success.

The European legislative bodies still do appear to be committed (culturally or legally) to the type of whistleblowing legislation that will not make a real difference for their respective countries.  Here are some of the reasons why the statutes in Europe shall continue to be as ineffective as the pre-1986 American Whistleblower Law:

  • The European statutes do not truly embrace the concept that whistleblowers need to be encouraged to come forward to expose corruption inside large, well regarded institutions. The majority of the European laws do not contain any financial reward for successful whistleblowers.  Most importantly, none of the European statutes have a strong financial reward that would balance the risks against the rewards.  The European laws seem to go through the motions of supporting, yet not incentivizing, whistleblowers.
  • There is no clear and distinct prosecutorial entity in charge of effectively enforcing the individual European statutes.
  • Many of the European statutes lack strong protections for whistleblowers who come forward and risk their careers and livelihood. While there is a lot of “lip service,” there is no economic insurance that they will be protected.

While Americans and Europeans have shared and adopted approaches to governance over the centuries, their differences in efforts to curtail fraud, waste and abuse through whistleblower statutes are considerable.  Europe need look no further than its young sister state across the Atlantic for lessons that may be worth billions of dollars in recoveries.

WHO Pushes towards Transparency of Prices of Health Products

Yesterday the World Health Organization announced a resolution encouraging Member States to “enhance public sharing of information on actual prices paid by governments and other buyers for health products, and greater transparency on pharmaceutical patents, clinical trial results and other determinants of pricing along the value chain from laboratory to patient.” The resolution also urged Member States to “work collaboratively to improve the reporting of information by suppliers on registered health products, such as reports on sales revenues, prices, units sold, marketing costs, and subsidies and incentives”.

The Italian Ministry of Health reported the adoption of this resolution with triumphant tones since the resolution was proposed by Italy and co-sponsored by Algeria, Andorra, Botswana, Brazil, Egypt, Eswatini, Greece, India, Indonesia, Kenya, Luxembourg, Malaysia, Malta, Portugal, Russian Federation, Serbia, Slovenia, South Africa, Spain, Sri Lanka, Uganda and Uruguay.

Many hope that transparency of prices of health products will result in greater fairness in health systems and will ultimately drive prices down. On the other hand, representatives of the industry claim that the focus on price will not shed light on the complexities of costs linked to research and manufacturing of health products. Instead, Gaelle Krikorian of Medecins Sans Frontieres believes that the resolution marks only a first step and that more disclosure is necessary.