On June 10, 2021 the Italian DPA officially issued new guidelines on the use of cookies and other online tracking tools. The guidelines are meant to bring practice into line with the principles of the GDPR and with the recent contributions of the European Data Protection Board, and they complement and update the previous guidelines issued in 2014.
The new provisions mainly concern how consent is obtained and what information must be given to data subjects. In particular:
- consent must be freely given and unambiguous. Accordingly, methods that do not meet these requirements, such as “scrolling down” and the “cookie wall”, are unlawful, and any consent obtained through them is void;
- the “cookie banner” must comply with the “privacy by design” and “privacy by default” principles under Article 25 of the GDPR. Consequently, simplified ways of obtaining consent are allowed only insofar as they meet certain predetermined requirements;
- “analytics cookies” may be used without the users’ consent only if they do not allow the user to be directly identified and are used solely to produce aggregate data. Otherwise, express consent is required;
- the information provided to users must be specific and comply with Articles 12 and 13 of the GDPR.
Data controllers now have six months (expiring in December 2021) to adopt the measures necessary to comply with the guidelines.
The full text of the measure can be found at the following link: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9677876.
We are happy to announce that our article on “Drug Clinical Trials Legislation in the European Union” has been published in the Indian Journal of Law and Technology (https://www.ijlt.in/).
You may read it here or here.
The purpose of the article is to illustrate the basic tenets of European Union law on clinical trials. This body of law has been progressively harmonized over the years with the aim of subjecting interventional clinical trials conducted in any of the 27 EU Member States to identical rules.
The article first describes why clinical trials matter for measuring the safety, efficacy and cost-effectiveness of innovative medical treatments. It then illustrates the scope and basic principles of the current EU Regulation, as well as its main changes compared with the previous legislation. It goes on to explain the requirements for the scientific and ethical approval of a clinical trial application. Lastly, the authors focus on the patients’ consent to enrollment in a clinical trial and on the patients’ separate consent to the processing of their personal data.
Flavio Monfrini and I are very proud to be recognized as “excellent” counsels in the life sciences sector by Leaders League.
That’s what we strive for all day and every day, and it’s great when others notice!
Join us in (modest and distanced) celebrations of this achievement.
On June 4, 2021 the EU Commission approved new standard contractual clauses (“SCC”), which are deemed to provide appropriate safeguards within the meaning of Article 46(1) and (2)(c) of the GDPR.
The new SCC are aligned with the GDPR, take into account the opinions expressed during the consultation phase (including those of the European Data Protection Board and the European Data Protection Supervisor), and reflect the recent Schrems II judgment of the Court of Justice.
The Commission adopted two different sets of SCC: one for contracts between controllers and processors under Article 28 of the GDPR, and one for transfers of personal data from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR).
The new SCC promise “more flexibility for complex processing chains, through a ‘modular approach’ and by offering the possibility for more than two parties to join and use the clauses”.
If you or your company are using the old SCC, you have a transition period of 18 months.
Last Friday I spoke at an interesting event, dedicated to lessons learned during the pandemic, sponsored by the association Women&Tech.
My plan was to illustrate the international aspects of intellectual property and, in particular, the possibilities afforded by Article 31 of the TRIPS Agreement to obtain a license to use vaccine patents without the consent of the patent holder. There had also been a proposal by India and South Africa to waive IP rights on vaccines altogether, but it had been rejected. The discussion seemed largely theoretical.
Only a few hours before the event, the scenario completely changed when the US announced that it was backing the idea of a waiver of IP rights on Covid vaccine patents. Reactions by EU leaders were varied, and it is still unclear whether the waiver proposal will receive the required three-fourths of the votes at the WTO level.
You may find my slides (in Italian) below, but in my view the clearest explanation of the issues at stake is in the position paper by the Max Planck Institute for Innovation and Competition, which can be found here.
Regulation (EU) No 536/2014 on clinical trials will become applicable six months after the EU Commission publishes a notice confirming that the clinical trial portal and database have achieved full functionality in accordance with the required specifications.
That portal and database, the Clinical Trials Information System (“CTIS”), where all information submitted through the portal is to be stored, was supposed to be one of the high points of the Regulation but has so far been its worst enemy: technical difficulties in developing the IT systems postponed the go-live date for years. As a result, the Directive continues to apply, and some argue that a Regulation that looked cutting-edge in 2014 already shows its age.
Now things are finally moving ahead.
On April 21, 2021 the European Medicines Agency’s Extraordinary Management Board confirmed that “CTIS is fully functional and meets the functional specifications, following an independent, successful audit”.
The ball is now in the European Commission’s court: once the Commission confirms the same conclusions on CTIS, a notice will be published in the Official Journal of the European Union. “Six months after this notice, the Regulation will start to apply and CTIS will go live. The aim is that CTIS goes live on 31 January 2022.” says the EMA.
Access to the personal data of deceased persons can be both a problem and a necessity, especially for their heirs. How is such access currently regulated under Italian law (Legislative Decree No. 196/2003, as amended following the GDPR)?
The Italian Data Protection Authority, in an effort to make data protection legislation clearer, recently published an outline of Article 2-terdecies of Legislative Decree No. 196/2003.
- Who is entitled to access? Whoever (i) has an interest of their own; (ii) acts to protect the deceased person (who is the “data subject” under data protection law); (iii) acts as the deceased’s agent (mandatary); or (iv) acts for family reasons deserving protection.
- To whom should the request be addressed? To the relevant data controller (i.e., the natural or legal person, public authority, agency or other body, public or private, which determines the purposes and means of the processing of personal data), possibly through the data processor (i.e., the natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller), where one has been appointed.
- What information may be requested? (i) Access to the personal data of the deceased person; (ii) the purposes of the processing; (iii) which data have been communicated and to which recipients; (iv) the retention period; (v) the origin of the data; and (vi) whether the data are subject to automated decision-making (Articles 15 to 22 of the GDPR).
- Do you have to pay to access the data? No, it is free (unless the request is manifestly unfounded or excessive).
- Are there any exceptions or limits? Yes: access is not possible where it is prohibited (i) by law or (ii) by the data subject, through an express and unequivocal declaration submitted to the data controller. Even in the latter case, however, third parties exercising patrimonial rights arising from the death of the data subject cannot be prejudiced.
- Do you have to give reasons for your request? No.
- How long does it take to get a response? At most one month from the request, except in certain cases provided for by the GDPR.
- What can you do if your request is refused or goes unanswered? You may apply to the Italian Data Protection Authority or to the competent court.
Access to data concerning deceased persons seems quite easy in theory. In practice, however, balancing the patrimonial rights of heirs and assessing the “express and unequivocal” declarations of the deceased may prove more complex.
With a law decree adopted yesterday, the Italian Government enacted two interesting new rules aimed at health care professionals (“HCPs”):
- HCPs administering vaccines are exempt from criminal liability for manslaughter and personal injury, provided that the vaccination complies with the terms of the authorization of the specific vaccine and with the decisions of the Ministry of Health;
- HCPs are now obliged to be vaccinated: HCPs refusing vaccination may be assigned to different duties or have their remuneration suspended. The constitutionality of such an obligation has often been debated, but most scholars believe that, on the basis of the case law of the Constitutional Court (especially decision No. 5 of 2018, drafted by Ms. Cartabia, who is now part of the government), there is no doubt that the provision complies with the Italian Constitution. Vaccination in fact aims to preserve not only the health of the person vaccinated but also that of others, and its consequences are tolerable.
Hopefully the above provisions will help the vaccination campaign move faster. I certainly cannot wait to roll up my sleeve!
As the vaccination campaign continues with few certainties and many unknowns, several interesting questions regarding the protection and processing of vaccination-related data are starting to arise.
One of these came to the attention of the Italian Data Protection Authority (the “Authority”) and concerns the legitimacy of vaccine-tracking tools such as electronic passes or apps. Such tools, yet to be officially discussed by the Italian Parliament, would allow only vaccinated individuals to access certain places (airports, cinemas, restaurants) and services (public transport, and movement in general). In a memo dated March 1, 2021, the Authority stressed that such tools should not be considered legitimate from a data protection standpoint unless a national law regulates the whole subject matter. According to the Authority, inappropriate processing of vaccination-related data may have extremely dangerous consequences in terms of discrimination and unjustified compression of constitutional freedoms. Given that vaccination is not mandatory, as recalled by the Resolution of the Parliamentary Assembly of the Council of Europe of January 27, it would be unreasonable to punish those who freely decide not to get vaccinated by denying them access to almost all public spaces and services. Considering that this balance between public needs and individual freedoms can (and must) be struck only by the national legislator, also in order to avoid fragmented rules, the Authority sent a notice to the Italian Parliament asking it to address the matter promptly.
The issue is relevant at the European level too: the official proposal for the “Green Pass” is expected to be unveiled on March 17, 2021. According to the remarks of the President of the European Commission, Ursula von der Leyen, the Pass would essentially be a European passport containing information on vaccination and, for those who are not vaccinated, the results of Covid-19 tests. Such a tool would hopefully facilitate international mobility. It remains to be seen whether European countries will reach consensus, as some of them (France and Belgium, among others) have already pointed out the unfairness of a mechanism that would facilitate the mobility only of those who are vaccinated, to the detriment of others.
Another related issue, which the Authority has addressed in FAQs on its website, concerns the processing of vaccination-related data in the workplace. In particular, the employer is not entitled to know whether employees are vaccinated or not, since the occupational physician (medico competente) is the only person entitled to process and assess vaccination data. Even where an unvaccinated employee must be deemed unfit for specific duties (for example in the healthcare sector, where vaccinated workers would be preferable), the employer may only be informed of the employee’s total or partial unfitness, while only the occupational physician may process information on the vaccination of individual employees.
The need for the national legislator to step in on these matters seems quite evident.
This year’s celebrations for Data Protection Day may have been a bit toned down. But you may still have been so busy celebrating that you missed a couple of news items from the (data privacy) world.
First, the EDPB’s Guidelines 01/2021 on Examples regarding Data Breach Notification are out and open for comments until March 2. The document is a very practical guide for anyone involved in data processing activities: it is meant to help data controllers decide how to handle data breaches and which factors to consider during risk assessment. The Guidelines reflect the experience gained by the European supervisory authorities since the GDPR became applicable, and they are full of cases and examples that make them a genuinely practice-oriented, case-based guide for controllers and processors. So, are you curious to know what to do in case of a ransomware attack on a hospital where backups exist but no data was exfiltrated? Or in case of a credential stuffing attack on a banking website? Or are you “just” trying to figure out what to do about mistakes in post and mail? Then check out the Guidelines!
Meanwhile, in Italy, the Italian Data Protection Authority gave a favourable opinion on the proposed reform of the Registro Pubblico delle Opposizioni, a service designed to protect data subjects whose telephone number is publicly available but who do not wish to receive unsolicited direct marketing calls from an operator. The Authority specified, however, that this service, which is essentially an opt-out register based on express objections, applies only to marketing activities carried out by human operators and cannot be extended to automated calls. In doing so, the Authority confirmed that marketing carried out through automated systems must be subject to stricter measures and always requires express consent, given its highly invasive nature. So: Humans 1, Automated Calling Machines 0.