All posts by Flavio Monfrini

New Whistleblowing Legislation Adopted in Italy

Legal news, , , ,

Italy has implemented today the EU whistleblowing directive (UE) 2019/1937. The new legislative decree no. 24/2003 has in fact been published on the official journal and is scheduled to enter into force on March 30, 2023.

The final published version of the decree, which had been previously leaked in an unofficial draft, can be found here: https://www.gazzettaufficiale.it/eli/id/2023/03/15/23G00032/sg.

The new legislation is certain to affect private companies and public entities alike when it comes to managing whistleblowing reports and new measures may need to be adopted to comply with the new requirements.

For additional information on this subject, materials from our February webinar can be freely accessed here: https://lawhealthtech.com/2023/02/09/our-whistleblowing-webinar/.

Google Analytics under Scrutiny by Italian Data Protection Authority

Legal news, , , , , , , ,

The second issue of our summer series focuses on the recent decision by the Italian Data Protection Authority, which affects all users of the Google Analytics services in Italy, as well as other similar services that entail the transfer of users’ personal data to the United States.

Read our slides to understand what actions are available to you.

New Guidelines on Patient Support Programs Adopted by Italian Pharma Industry Association

Legal news, , ,

New guidelines on patient support programs have been adopted by the Italian pharmaceutical industry association (Farmindustria) on January 19, 2022. The new guidelines have been incorporated in a new release of the industry ethical code, where also several provisions regarding educational activities, market access and scientific data exchange have been updated.

Patient support programs are not expressly regulated under Italian law and, for such reason, the guidelines issued by Farmindustria are particularly helpful in identifying the best market practices. The new guidelines define patient support programs as initiatives implemented by pharmaceutical companies aimed at making available additional services for the direct benefit of patients. Such services are not intended to replace the services of hospitals and other healthcare organizations.

Patient support programs can only be implemented in connection with medicinals that have received a marketing authorization, for the sole purpose of providing information on the correct use of the medicinal product and to foster patients’ compliance with its administration. They can never have a promotional purpose.

The new Farmindustria guidelines expressly acknowledge that patient support programs may be implemented by pharmaceutical companies through a third party service provider, which may carry out services in favour of patients by means of adequately qualified professionals. The pharmaceutical companies, however, continue to have overall responsibility for the program.

A noteworthy innovation has been adopted with regard to the processing of patients’ personal data. In fact, the new guidelines provide that pharmaceutical companies must not directly process the data of patients enrolled in a patient support program, and should rather only access aggregated data for statistical purposes on the use of the services. 

This latter provision is particularly troublesome from a data protection standpoint, as it may be interpreted as preventing pharmaceutical companies from acting as data controllers in connection with the deployment of patient support programs, even if they remain responsible for the programs themselves. Therefore, new mechanisms shall be implemented to segregate identifiable data and prevent their processing by pharmaceutical companies unless they are previously de-identified.

Facial Recognition Technology: Are We Close to a Turning Point?

Legal news, , , , ,

When people think about facial recognition technology (“FRT”), they immediately imagine the use of their faces to unlock their smartphones. But this technology is far more complicated, useful and potentially dangerous.

First, it is important to understand the difference among “facial detection”, “facial characterization”, “facial identification” and “facial verification”. Such terms have been defined by the non-profit organization Future of Privacy Forum (https://fpf.org/wp-content/uploads/2019/03/Final-Privacy-Principles-Edits-1.pdf) as follows:

  • Facial detection simply distinguishes the presence of a human face and/or facial characteristics without creating or deriving a facial template.
  • In facial characterization the system uses an automated or semi-automated process to discern a data subject’s general demographic information or emotional state, without creating a unique identifier tracked over time.
  • Facial Identification is also known as “one-to-many” matching because it searches a database for a reference matching a submitted facial template and returns a corresponding identity.
  • The last one, facial verification, is called “one-to-one” verification because it confirms an individual’s claimed identity by comparing the template generated from a submitted facial image with a specific known template generated from a previously enrolled facial image.

There are many possible uses of facial recognition. In the private sector FRT may be used to keep track of employees’ time and attendance, identify shoppers’ patterns inside stores, implement smart homes, etc. In the public sector, FRT may be used to monitor protests, identify suspects in security footage, check claimed identities at borders, etc.

This relatively new technology brings, besides a wide range of possible implementations, significant concerns regarding privacy, accuracy, race and gender disparities, data storage and security, misuse. For instance, depending on the quality of images compared, people may be falsely identified. In addition to that, in its current state, FRT is less accurate when identifying women compared to men, young people compared to older people, people of color compared to white people. Privacy is certainly another concern: without strong policies it is unclear how long these images might be stored, who might gain access to them or what they can be used for; not to mention that this technology makes far easier for government entities to surveil citizens and potentially intrude into their lives (see “Early Thought & Recommendations Regarding Face Recognition Technology”, First report of the AXON AI and policing technology Ethics Board https://www.policingproject.org/axon-fr).

Once the possible implementations and the related risks are understood, the worldwide lack of regulation becomes even more surprising.

Within the European Union, the General Data Protection Regulation obviously applies to FRT. Furthermore, “Guidelines on Facial Recognition” have been released on January 28, 2021 by the Consultative Committee of the Council of Europe with regard to automatic processing of personal data (https://rm.coe.int/guidelines-on-facial-recognition/1680a134f3). This latter document includes:

  • Guidelines for legislators and decision-makers;
  • Guidelines for developers, manufacturers and service providers;
  • Guidelines for entities using FRT;
  • Rights of data subject.

When it comes to Italy, particular attention has been drawn by several decisions of the Italian Data Protection Authority on the topic. Recognizing the innovative potential of FRT as well as its riskiness for individual rights, the Authority adopted a more permissive approach regarding the private sector’s use of FRT, while issuing stricter decisions with regard to the use of FRT by public authorities. For instance, the Authority allowed the use of FRT by police forces for purposes of identifying individuals among archived images, but prohibited real-time surveillance using the same technology (see https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9040256 and https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9575877). On the other hand, the Authority allowed one airport to implement FRT for purposes of improving efficiency in the management of the flow of passengers, so long as images of individuals were not stored (see https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/8789277).

The European Commission, in light of the complexity of the situation and the necessity of a strong and harmonised legislative action, presented on April 21, 2021 its “Proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence” (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52021PC0206). This Proposal was already the subject, on June 18, 2021, of a EDPB and EDPSs’ joint-opinion (https://edpb.europa.eu/our-work-tools/our-documents/edpbedps-joint-opinion/edpb-edps-joint-opinion-52021-proposal_en), in which they called for a general ban on the use of FRT for:

  • Automated recognition of human features in publicly accessible spaces;
  • Categorization of individuals into clusters according to ethnicity, gender, etc., based on biometric features;
  • Inference of individuals’ emotions.

What the European Commission is doing is an example of a more globally widespread legislators’ attitude towards artificial intelligence in general and FRT in particular. These technologies are more and more in our lives and are constantly evolving. Consequently, there is an increasing request, both from public and private subjects, for clear rules to govern this new technology and ensure that individual rights are safeguarded. Hopefully in the next months/years the situation will become clearer.

Flavio Monfrini / Michele Galluccio

The European Court of Justice Strikes Down the EU-US Privacy Shield

Legal news

Yesterday, on July 16, 2020, in a landmark decision, the Court of Justice of the European Union ruled that the key data-sharing mechanism, the EU-US Privacy Shield, is invalid, as it failed to protect privacy and data protection rules.

The case behind the decision.

Maximillian Schrems, an Austrian national residing in Austria, who has been a Facebook user since 2008, lodged a complaint with the Irish supervisory authority seeking, in essence, to prohibit the transfer of his personal data by Facebook Ireland to servers belonging to Facebook Inc., located in the United States. In its recent decision, the Court expressed the view that «the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union» are «not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary» (the full Court press release is available here: https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf.

According to the BBC, Max Schrems called it a win for privacy, stating that «it is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a role in the EU market» he said, while the US Secretary of Commerce Wilbur Ross said his department was “deeply disappointed” by the decision and said he hoped to «limit the negative consequences to transatlantic trade worth $7.1 trillion (£5.6tn)» https://www.bbc.com/news/technology-53418898.

Impact and remedies.

The Court held that standard contractual clauses will continue to be a valid means for the transfer of data outside the European Union.

Therefore, companies currently benefitting from the EU-US Privacy Shield will likely transition to standard contractual clauses. Microsoft, for example, has issued a statement saying it already uses them and is unaffected by the recent Court decision (the full statement is available here: https://blogs.microsoft.com/eupolicy/2020/07/16/assuring-customers-about-cross-border-data-flows/.

While we are slightly surprised by the decision, we must confess it has been years since we last suggested a client to use the Privacy Shield: standard contractual clauses have always been an easier and more flexible tool.

MDR: the Postponement to 2021 is Official

Legal news, , , , , , , , ,

On April 24, 2020 the new Regulation (EU) 2020/561 officially entered into force, postponing the date of application of most Medical Devices Regulation (MDR) provisions to May 26, 2021. The final text of the regulation can be found here: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32020R0561&from=EN.

The postponement was approved unanimously and was considered unavoidable since the outbreak of the covid-19 pandemic in early 2020 made it very clear that businesses, notified bodies and regulators would not be ready in time for the entry into force of the MDR requirements in May 2020.

The European Commission noted, with some relief, that  “this postponement takes the pressure off national authorities, notified bodies, manufacturers and other actors so they can focus fully on urgent priorities related to the coronavirus crisis” (https://ec.europa.eu/growth/sectors/medical-devices_nn).

While the postponement might have been triggered by the covid-19 pandemic, there is no doubt it now gives regulators and the industry alike the chance to remedy the delays that have accumulated over the past few years, with the hope that they will come prepared to the new deadline of May 2021.

No CE Marking Required for Surgical Masks and Personal Protective Equipment

Legal news, , , , , ,

In the wake of the COVID-19 pandemic, the Italian Government lifted regulatory requirements for the manufacturing, importing and placement on the market of surgical masks and other personal protective equipment.

The measures were prompted by a failure of existing manufacturers and importers to meet the demands of hospitals, healthcare professionals and individual citizens alike, and are seen as generally in line with the Commission Recommendation (EU) 2020/403 of 13 March 2020 on conformity assessment and market surveillance procedures within the context of the COVID-19 threat (https://eur-lex.europa.eu/legal-content/GA/TXT/?uri=CELEX:32020H0403).

The new emergency regulations (law decree 18/2020 – http://www.governo.it/it/articolo/decreto-legge-17-marzo-2020/14333) provide that manufacturers, importers and other businesses who intend to commercialize surgical masks and personal protective equipment, are required to submit a self-certification to the National Health Institute (“Istituto Superiore di Sanità” – https://www.iss.it/) or to the National Workers Insurance Agency (“INAIL”) respectively, whereby they describe the technical specifications of the devices/equipment and declare that the devices/equipment meet the safety requirements set forth in applicable legislation. The competent authorities are then required issue a compliance decision within 3 days from the submission.

The technical procedures for the submission to the authorities have now also been implemented and, with reference to surgical masks, they require an additional certification from the applicants concerning the compliance of the devices with quality standards UNI EN 14683:2019 and UNI EN ISO 10993-1:2010. A quality system should also be implemented, but such system does not need to be certified: the implementation of adequate procedures and traceability measures would be sufficient to meet the applicable requirements.

While certain regulatory requirements are meant to remain place in order to ensure the reliability of products placed on the market, the authorities are hopeful that the new emergency measures will provide relief to hospitals and healthcare operators operating under the current extraordinary circumstances.

Five Key Takeaways from Our Seminar on Clinical Trials

Events, Legal news, , , , , , , , , , , , , ,

If you missed our seminar on clinical trials on January 16, here are five key takeaways to help you understand the changing regulatory environment in Europe and Italy.

  1. Be ready for a new regulatory landscape

The recent clinical trials regulatory overhaul within the EU aims at fostering research and facilitating the tasks of all actors involved in this area. However, delays in the implementation of such new legislation are posing an actual risk for the entire sector throughout the EU, while competition from emerging economies is getting stronger.

  1. Harmonized, but not enough

In several areas, such as observational studies or ethical committee’s assessments, a unified approach at European level is yet to be adopted. This leaves a lot of fragmentation among the various countries and a lot of work to be done at local level in order to ensure compliance with applicable regulations. Be prepared to deal with such inconveniences, in particular in the pharmaceutical sector.

  1. Changes in data protection laws offer new opportunities but challenges remain

GDPR brought new harmonized provisions to improve and support the use of data for the purpose of conducting research. However, guidance from national data protection and regulatory authorities in areas such as legal grounds for processing and secondary use is far from established. Moreover, different EU countries continue to adopt opposite approaches when it comes to consent and legitimate interest as valid legal grounds for data processing in the framework of clinical research. Data protection compliance will therefore continue to require local check-ups.

  1. New opportunities for independent research

Recent regulatory changes in Italy are being implemented to foster independent not-for-profit research in the clinical area. The new regulations, which are about to be adopted, envisage new opportunities for the participation of private actors in independent research and allow not-for-profit research institutions to better exploit the results of their research. The potential for conflicts remain and caution should be exercised within public-private relationships, but there is hope that new paradigms of collaboration will see the light.

  1. A new world of evidence is out there

More and more projects in the clinical research field involve real world data and real world evidence, gathered in a number of different ways outside the rigid protocols of a controlled study, whether through medical devices or other data collection instruments. Real world data are key to understanding how treatments work in reality and developing new healthcare paths. However, both clinicians and private actors are operating in uncharted territories and the line between studies and alternative research projects is thinner than you may expect. Be mindful of the regulatory and compliance ramifications of these new powerful tools.

What the Implant Files Are Not Telling

Legal news, , , , , , , , , , , ,

The investigation.  The “Implant Files” is a global investigation carried out by reporters in 36 countries under the lead of the International Consortium of Investigative Journalists (https://www.icij.org/investigations/implant-files/). The project, which attracted significant worldwide attention over the last few weeks as articles and reports were published, purported to show how the medical device industry failed to place on the market safe products and ultimately harmed a significant number patients.

Regrettably the way the investigation has been reported by several media outlets and the conspiracy theories underlying certain articles leave the readers without a clear understanding of the issues on the table and the policies behind the current regulatory framework.

The approval process.  For instance,  while the investigation was conducted globally, many articles published by European consortium members focused their attention on the lack of a centralized authorization procedure for the marketing of medical devices in the EU and argued that a loose regulatory framework enabled manufacturers to sell unsafe devices on the European market.

The absence of a centralized marketing authorization procedure for medical devices in Europe is depicted as a failure of European lawmakers, influenced by the medical device lobby. However, none of the articles reporting on the investigation provides readers – who may not be familiar with the authorization process – a clear and complete picture of the rationale and public healthcare policies behind the current regulatory framework. Most notably, the Implant Files investigation fails to explain the benefits for patients of a faster launch of innovative devices on the market. Neither they show any meaningful and documented difference in terms of patient safety between the EU and the US, where a centralized authorization procedure administered by the FDA is in force. The fact that the investigation concerns the US as much as the rest of the world is probably a good indication that the type of approval procedure does not per se guarantee patients’ safety and an effective healthcare system.

The new regulation.  As to the timing of the investigation, it comes at a moment of transition when the new EU medical device regulation has already been enacted but has not yet begun to unfold its innovative potential in the industry.  Yet, the Implant Files investigation seems to assume that the new regulation will have no impact on the industry and the approval/vigilance system as a whole. The investigation does not really delve into the changes and improvements brought by the new regulation, which has in fact already addressed many of the issues raised by the Implant Files. Among such innovations, new and improved vigilance measures and an increased accountability for notified bodies should be certainly taken into consideration.

Further, the investigation neglects the public discussions and exchanges that occurred throughout the EU (and the world) in the years that preceded the enactment of the new regulation, when the truth is that its provisions have been at the center of the public healthcare discourse for years, have been debated among experts, stakeholders and lawmakers in full transparency, have been reported by newspapers and specialized media. The alleged “scoop” seems a few years late.

The current vigilance system.  Lastly, one of the major flaws of many articles reporting on the investigation is that they give readers the idea that no meaningful vigilance system exists today. This is of course not correct. Italy, for instance, has a long-standing nation-wide register of approved medical devices marketed in its territory kept by the Ministry of Health. The same Ministry transparently shows on its website all safety notices and field actions carried out in Italy. The tool is easily searchable and can be found on the very first page of the medical device directorate’s site. 

Not only the Implant Files investigation failed to accurately report the existing vigilance and transparency measures, but created their own medical device database, allegedly aimed at providing the public with full access to data submitted by patients and reporters. 

Does the Implant Files investigation really benefit patients?  At the moment one cannot but wonder if this project really does provide patients with complete, accurate and independent information that can be useful for their health and wellbeing.

Is a public database, entirely managed by a private consortium, really empowering patients? How the database is managed, how the uploaded information is vetted and updated, for which purposes the uploaded information can be used by patients? Shouldn’t we work on improving a public, transparent system, managed by officers and professionals who have the scientific and regulatory expertise that is needed to address all issues involved, rather than building on a new, uncontrolled and unaccountable tool that could potentially distort patients’ behavior? The media would do a better service to the public opinion by giving a balanced, informative and articulate picture of the facts, rather than spreading sensationalistic news that would make anyone with an implanted device panic (and click on the article!).

 

Who’s Who Legal 2018: Our Life Sciences Practice in the Top Three!

Legal news, , , , , , ,

Who’s Who Legal just published its 2018 rankings, highlighting the leading practitioners recognized “for their excellent work across the full spectrum of life sciences law”.

Our very own Paola Sangiovanni has been recognized among the top three most highly regarded practitioners in the life sciences legal industry in Italy. Here’s what Who’s Who Legal says about Paola:

«The “fantastic” Paola Sangiovanni at Gitti and Partners is “a truly dedicated life sciences expert”, who is considered “a great deal-maker”. Her transactional expertise in the life sciences space is in high demand, thanks to her “client-focused approach and excellent service”».

We are very proud to share such a terrific achievement with our clients and friends, and we would like to thank you all for your continued support!