GDPR from Down Under: an Australian Perspective

We have interviewed Dr. Peytee Grusche, special counsel at the Australian law firm Russell Kennedy, to ask about her view on GDPR. Peytee assists clients in the areas of research and development, commercialisation of intellectual property, patent, trade mark and design registration and enforcement.

Do Australian companies care about GDPR, and why?

Yes, Australian companies do care about the GDPR if they have an establishment in the European Union (EU), if they offer goods and services in the EU, or if they monitor the behaviours of individuals in the EU.  Also, if Australian businesses are recipients of personal data, then they will be caught by the provisions of the GDPR.

Have you seen significant compliance efforts?

We have had clients request advice on their privacy policies in order to update them to include compliance with the GDPR. In particular, where AU businesses are recipients of personal data advice, on standard data protection clauses and binding corporate rules.  Also, we have received instructions for advice on compliance with GDPR in respect of direct marketing practices (mailouts, newsletters etc).

How would you compare the GDPR to Australian data protection legislation?

The GDPR and the Australian Privacy Act 1988 have much in common including the requirement to show that businesses comply with the privacy principles. However, there are some differences under the GDPR which do not appear in the Australian Privacy Act 1988 including a number of rights for individuals.

Under the GDPR, individuals have the rights to erasure, right to data portability and right to restriction of processing.  The Australian Privacy Act does not include the equivalent rights to these new rights. However, it specifies that business must take reasonable steps to destroy or de-identify personal information that is no longer needed for a permitted purpose.  Additionally, where access is given to an individual’s personal information, it must generally be given in the manner requested by the individual.

What is the preferred strategy of Australian companies who face different standards in data protection legislations around the world?

In our experience, Australian companies will try to comply by adopting  an appropriate privacy policy and/or by contractual provisions to include provisions relating to relevant countries.

Thank you, Peytee!

Advertisements

May 25, 2018: Did You Survive the GDPR D-Day?

Last May 25 the GDPR came into force. It was hard not to notice given the inundation of emails that everyone received, as well as the clear signs of burnout in the eyes of GDPR experts.

Here are my personal top 3 takeaways from that experience:

  • The flood of data protection emails received on May 25 showed me how my data had been disseminated all over the place and archived for a really long time. I had some recollection of only a few of those who wrote me to share their most recent privacy policy (and remind me how they deeply, deeply care about privacy!), since many may have bought, inherited or just collected my data a long time ago. It reminded me that those data subjects’ rights are an empowering tool, which I intend to use more frequently in the future.

 

  • The Law (capital “L”) showed its full might and power on May 25, something which surprised even those, like me, who work with legal requirements all day every day. Look at what companies do when you threaten a 4% fine on their worldwide turnover! (Incidentally, this reminded me why politics is important and why people who are indifferent to politics are wrong: this stuff does make a difference in our lives).

 

  • The Italian authorities (mostly the government and parliament) lost yet another opportunity to be helpful to citizens. We had been waiting for a national data protection law for months, but no such law was enacted before May 25. Until that happens, Italians are supposed to assess, for each and every provision of the Data Protection Code, whether or not it conflicts with the GDPR. How practical.

GDPR: do’s and dont’s

Seminario GDPR 03052018

Paola Sangiovanni will be speaking at a seminar on GDPR on May 3, 2018 at Gitti and Partners’ office in Brescia.

The seminar, followed by a reception, will focus on DOs and DONTs for small and medium enterprises in the field of data protection.

While Italians are still awaiting the enactment of a national data protection law that will clarify the relationship between GDPR and the previous privacy legislation, GDPR compliance efforts must nonetheless continue.

Join us in this interesting seminar to find out what should be done and what should be avoided!

Weekend Reading Recommendations

Ready for the weekend? I have these article on my reading list: perhaps you, too, may enjoy some food for thought on some of the hottest topics in the fields of law and innovation:

  • A Layered Model for AI Governance”: https://cyber.harvard.edu/node/100108, on governance for artificial intelligence aimed at ensuring transparency and accountability and addressing massive information asymmetries between the developers of artificial intelligence systems and consumers and policymakers;

 

 

 

Whatever you will be reading, have a great weekend!

Presentation on GDPR and scientific research at the Paperless Lab Academy

Paola Sangiovanni will be speaking at the Paperless Lab Academy event (http://www.paperlesslabacademy.com/) on March 20, 2018 in Baveno (NO), Italy, on the topic of the impact of the new GDPR for science.

Sofie van der Meulen, Senior Supervision Officer at Dutch Data Protection Authority, will offer a special introduction titled “Why Privacy Matters”.

This promises to be an interesting event. See you there!

 

 

New Rules on Continuing Medical Education

The rules on continuing medical education (“CME”) have changed since a new agreement between the Italian government, the Italian Regions and the autonomous provinces of Trento and Bolzano has come into force on February 2, 2018. You may find the new agreement here or here (only in Italian, sorry).

The agreement is an “upgraded version” of the previous principles, which remain largely unchanged, but are now better defined, stricter and hopefully more effective.

  • THE RIGHT TO CME. Health care professionals (“HCPs”) have the right to obtaining CME and regulators will need to remove impediments in order to allow the exercise of such right.
  • ACCREDITATION OF PROVIDERS. As before, providers of CME need to be accredited, but accreditation will be subject to stricter rules, which particularly focus on avoiding any conflicts of interest. Providers will also need to adopt an internal regulation setting forth how to prevent and exclude (even potential) conflicts of interest.
  • SPONSORSHIP OF EVENTS. Sponsorship of CME events will be possible by private companies, provided that the principles of transparency, objectivity, impartiality and independence are complied with. No advertisement of medicinal products or medical devices can be carried out during the CME event, but only before, after and outside the event. No direct payments or reimbursements are allowed to speakers or moderators of the CME events.
  • NO ACCESS TO PERSONAL DATA OF HCPs. On the data protection front, note that sponsors of CME cannot have access to lists and addresses of participants, speakers or moderators.
  • SPONSORSHIP OF HCPs. Lastly, HCPs may be sponsored by commercial firms operating in the health industry, but cannot fulfil more than one third of their CME requirement through such sponsorship. This is bound to change how CME has been handled before, forcing HCPs to bear the cost of at least two thirds of their CME requirements.

Have a great weekend!

Vaccines: the Italian Constitutional Court rules in favor of mandatory vaccination imposed by national law

The polarized debate over vaccines sees the Italian Constitutional Court taking an important step into the discussion, shortly before the last notable rebellion against compulsory vaccination in Italy. Only a few days ago, in fact, the Mayor of Rome, Ms. Raggi (together with the members her Council, unanimously), approved a motion contradicting the mandatory nature of the 10 (originally 12) vaccinations, made compulsory for school-age children by a recently enacted Italian law. Nevertheless, the “rebels” in Rome probably did not take into the appropriate account the decision of the Italian Constitutional Court, which ruled in favor of the vaccines imposition under Italian law.

The Court – in deciding a constitutional challenge brought by the Veneto Region against the imposition of vaccination by the State – explains its views in a straightforward way.

First of all, the Court makes it very clear that, when it comes to vaccines, fundamental health care rights are involved and, to such regard, no difference is constitutionally acceptable between different areas of the Italian territory. In other words, when a healthcare measure is imposed by a national law in the public interest, Regions and local authorities do not have a say about it.

Furthermore, and most importantly, the Court clarifies that – also taking into account the worrisome drop in vaccination rates in recent years – the choice of tightening up legislation to compel vaccinations is not unreasonable.

True, persuasive techniques – such as the ones that Veneto Region would like to implement – can, ideally, represent a better option, but only when the herd immunity result is somehow guaranteed. Conversely, when vaccination rates drop, obligations and sanctions by law – as the California example showed – are not only reasonable (and constitutional), but much more effective.

Well, when the going gets tough, the law gets going. And that’s reasonable, Italian Constitutional Court says.

Take our Quiz on the New MoH Guidelines on Medical Device Advertisement!

On December 20, 2017, the Italian Ministry of Health has issued interesting guidelines on medical device advertisement to the general public, which you can download here (scroll to the bottom of the page).

The new rules describe DOs and DONTs in advertisement on Instagram, YouTube and Facebook and offer interesting indications on the use of a celebrity in the ads.

The basic principle remains the same: advertisement of medical devices that are subject to medical prescription (or may be used only with the assistance of medical personnel) is prohibited by Italian law. When allowed, advertisement of medical devices to the public is subject to authorization by the Ministry of Health.

Take our medical device advertisement quiz to check if you know (or can guess!) what’s new in the guidelines!

  • Can a doctor recommend a medical device in an advertisement to the general public?

No, the Ministry of Health will not authorize such advertisement.

  • What about a celebrity appearing in an advertisement message?

While the mere presence of such individual may be tolerated, no express or implied endorsement of the medical device will be authorized.

  • Can authorized medical advertisement be shared through Instagram?

Yes, but only in the “Stories” section and if users’ comments are de-activated.

  • What about Facebook?

As comments cannot be de-activated, a special disclaimer must be used in order to clarify that the Ministry of Health authorization of advertisement solely covers advertisement, while any further comments are the responsibility of users.

  • Is a medical device company allowed to email advertisement to patients?

Yes, but only if the Ministry of Health has authorized the advertisement and if the patient has expressed his/her consent (always revocable).

Holiday Reading Selection

Dear Readers and Friends,

With Christmas and Boxing days behind, you should have had your share of party time with your family and friends (if not, New Year’s is a good time to catch up).

If you are ready for some quiet time to read some interesting articles in the areas of innovation, health and the law, here is a selection of holiday reading that our life sciences group has prepared for you.

We wish you a 2018 filled with good health, great technology and interesting law!

Warm wishes from

Paola Sangiovanni, Flavio Monfrini, Marco Bertucci and Miriam Postiglione

a.k.a. the GITTI and Partners life sciences team.

**********************************************************************************

New Whistleblowing Legislation Approved in Italy

Whistleblowers will be granted a higher level of protection under new legislation passed earlier this week in Italy.

The new provisions apply to civil servants as well as employees in the private sector. Whistleblowing protection will shield individuals who submit a good faith report concerning unlawful conduct, provided that such report is based on a reasonable belief and factual elements.

The new legislation prohibits any retaliation or other discriminatory measures against good faith whistleblowers, including termination, demotion, transfer or other organizational action.

In the private sector, the new legislation has a significant impact on organizational models adopted to prevent corporate criminal liability pursuant to Legislative Decree 231 of 2001. In fact, all organizational models will need to set up appropriate channels for the confidential reporting of criminal conduct and violations of the organizational models themselves.  Measures aimed at protecting the identity of the whistleblowers and the confidentiality of the reports, as well as disciplinary sanctions against retaliatory or discriminatory measures against whistleblowers, will also need to be included in such organizational models.

The new legislation is expected to enter into force shortly, upon publication in the official gazette.