All posts by Marco Bertucci

Medical Malpractice in Italy: New Promises for Old Issues

On February 28, 2017, the Italian Parliament approved a long-awaited act, aimed at providing new tools to improve the quality of health care services and to fight the downsides of the so-called defensive medicine.

The act has been proposed and announced as a historical step for Italian health care legislation by Federico Gelli, head of the health care committee of the Italian Democratic Party.

The bill, in its 18 articles, offers a new comprehensive regulation of major aspects of medical malpractice and related issues, such as litigation management and insurance.

  • Article 2 and 3 introduce new administrative authorities: the health protection authority and the national observatory on health care good practices;
  • Article 5 formalizes and regulates the publication of guidelines and good practices for better visibility and increased certainty;
  • Articles 6 and 7 (re-)define the nature and limits of criminal, contractual and tortious liability of health care professionals and hospitals;
  • Article 8 introduces compulsory ADR mechanisms to reduce (discourage?) court litigation;
  • Article 10 establishes insurance obligations for public and private hospitals and health care professionals;
  • Article 12 allows direct compensation from insurance companies to victims of medical malpractice;
  • Article 14 creates a guarantee fund for medical malpractice victims.

Everything looks very promising, at first, but medical malpractice is a too delicate and too complicated subject to think that a simple act could really solve all the outstanding issues.

For example, Italian lawyers and health care professionals certainly remember the goofy attempt to limit health care professionals’ liability by the Italian legislator in 2012 that was not upheld by Italian courts’ decisions, thus nullifying the legislator’s intentions.

From another angle, compulsory ADR mechanisms and insurance obligations always carry the risk to become an obstacle to the effectiveness of the rights of individuals, if not a gift to insurance companies.

Lastly, it is worth noting that the ambitious goals set forth by the Italian legislator would have to be achieved without any additional public investment, as article 18 of the act expressly prohibits such spending. Indeed, it is hard to predict whether a true improvement of health care safety is achievable – automatically and free of costs – just because of a new bill.

In order to have a better understanding of the true potential of the new legislation, stay tuned for more reflections, which will appear on this blog.

2017 New Year’s Privacy Resolution: Road to Compliance with the New European Privacy Framework

Year 2017 already brought to us some exciting change. The beginning of the year is also the perfect time for appraisals of the past and resolutions for the near future. Whether we see it as a welcome enhancement of personal data rights or simply as another burdensome European set of requirements, 2016 delivered the new European General Data Protection Regulation (Regulation EU 2016/679, “GDPR”). Already 233 days passed since GDPR entered into force and 498 days are left until the new Regulation will start to apply on May 25, 2018. Roughly, one third of the time given to comply with the new regulatory framework has already gone by. Then, perhaps, the beginning of 2017 can be a good chance to ask ourselves what has already been done in the first 233 days and what still needs to be done in the future 498 days in order not to miss May 2018’s deadline.

The GDPR imposes a much more burdensome level of compliance requirements to companies acting as data controllers and data processors.

Some of them require the assessment and preparation of organizational and implementing measures that need to be put in place well in advance of May 2018.

  • Data controllers and data processors must appoint a data protection officer (“DPO”). The controller and the processor shall ensure that the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data. The controller and processor shall support the DPO in performing his/her tasks by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his/her expert knowledge. The controller and processor shall also ensure that the DPO does not receive any instructions regarding the exercise of those tasks. Furthermore, the DPO shall not be dismissed or penalized by the controller or the processor for performing his tasks and shall directly report to the highest management level of the controller or the processor.
  • Data protection by design and by default will have to be implemented. The data controller: (i) both at the time of the determination of the means for processing and at the time of the processing itself, must “implement appropriate technical and organizational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of [the GDPR] and protect the rights of data subjects” and (ii) “to implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed”.
  • A data protection impact assessment must be carried out. Such impact assessment must contain: a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller; an assessment of the necessity and proportionality of the processing operations in relation to the purposes; an assessment of the risks to the rights and freedoms of data subjects; the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with GDPR.
  • Data controllers must guarantee the effectiveness of the data subject’s right to be forgotten and right to portability. This requires an assessment of the adequacy of the technical and organizational instruments currently available and, possibly, their improvement. More specifically, data controllers must be able to fulfill: (i) in relation to the right to be forgotten, their obligation to “take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data”; (ii) as regards to the right to portability, their obligation to allow the data subjects to effectively exercise their right to “receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller”.
  • Data controllers shall notify personal data breaches to the relevant supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it. This imposes on controllers the preparation of appropriate notification forms, as well as organizational measures to guarantee adequate resources to complete such task.
  • The mandatory content of the written contract between the data controller and the data processor requires a revision of all such contracts. They shall include, inter alia, the obligations of the processor to: process the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organization; ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; delete or return all the personal data to the controller after the end of the provision of services relating to processing, including copies; make available to the controller all information necessary to demonstrate compliance with the obligations under GDPR; allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
  • Information notice forms currently in use will need to be revised. In fact, information to be provided to data subjects must include, inter alia: the contact details of the DPO; the legal basis for the processing; the fact that the controller intends to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision by the Commission; the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; the existence of the right to data portability; the existence of the right to withdraw consent at any time for processing based on consent; the existence of the right to lodge a complaint with a supervisory authority; the existence of automated decision-making, including profiling.
  • Data controllers and data processors must keep record of processing activities under their responsibility. Records to be kept by data controllers shall contain all of the following information: the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the DPO; the purposes of the processing; a description of the categories of data subjects and of the categories of personal data; the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations; where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and the documentation of suitable safeguards; where possible, the envisaged time limits for erasure of the different categories of data; where possible, a general description of the technical and organizational security measures. Records to be kept by data processors shall include: the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the DPO; the categories of processing carried out on behalf of each controller; where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and the documentation of suitable safeguards; where possible, a general description of the technical and organizational security measures. Data controllers and data processors shall therefore dedicate and organize resources to be able to start keeping such records.

All this may appear daunting. Nevertheless, 498 days are more than enough to take all necessary steps, if we let one of our New Year’s resolutions be to timely walk the road to compliance with the GDPR.

Legal Issues 4.0: what approach suits innovation better?

The fourth industrial revolution is undoubtedly on the bull’s eye of international and domestic economic discussions. To name just one of the major events that recently focused on the Industry 4.0 debate, one could mention the World Economic Forum 2016 Annual Meeting held in Davos on January 20-23 2016, together with its ambitious title: Mastering the Fourth Industrial Revolution.

Indeed, starting from Germany’s Industrie 4.0, European governments have been trying to master the demanding challenges that the fourth industrial revolution brought, taking co-ordinate actions with companies and research institutions in order to attract investments and be more competitive in the global manufacturing scene.

At a glance, Industry 4.0 consists in the transformation – or rather the evolution – of industrial manufacturing based on the new possibilities offered by:

  • The ability of machines, devices and sensors to connect and communicate with each other and analyze/process large amounts of data;
  • The ability of information systems to create a virtual copy of the physical world by enriching digital plant models with sensor data;
  • The ability of assistance systems to support humans by aggregating and visualizing information comprehensibly for making informed decisions and solving urgent problems on short notice;
  • The ability of cyber physical systems to physically support humans by conducting a range of tasks that are unpleasant, too exhausting, or unsafe for humans;
  • The ability of cyber physical systems to make decisions on their own and to perform their tasks as autonomous as possible.

The phenomenon hence embraces many fast-evolving fields such as Robotics, Internet of Things, Big Data and Smart Data.

After Germany, other European as well as oversea governments took actions aimed at exploiting, promoting and fueling with investments the research and development driven by such innovations. The United States started Manufacturing USA and France announced Industrie du Futur, to name just a few of such governmental programs.

Lastly, here in Italy, only a few days ago the Italian government announced the main features of its national Industria 4.0. The plan will make available public investments up to ten billion euro between 2017 and 2020, providing for tax incentives, as well as support for venture capital, ultra-broadband development, education and innovative research centers.

A number of legal issues are raised by the fourth industrial revolution.

  • The first and – one would say – more obvious one, is related to data protection. Intelligent and multi-linked objects continuously collect, generate and transmit data (including personal data) that are processed and analyzed, often across State’s boundaries, by both automated and manual means. It is hence fundamental that data protection laws and regulations offer appropriate legal instruments to control and limit what can potentially become an uncontrolled and automated leakage of personal data.
  • Property law is also at stake. In particular, in relation to non-personal data produced by machines and objects, ownership of such “products” seem to be mainly unregulated, with the exception of some specific instruments subject to database’s Moreover, moving towards more typical IP issues, it is clear that enhanced digitalization and connectivity both bring the risk of not being able to effectively keep trade and industrial secrets, as well as not being able to protect undisclosed know-how and business information.
  • Labour law will have to find instruments in order to manage the potential job loss deriving from automatization and innovation.
  • Product liability and, more in general, the legal framework of civil (and criminal) wrongs will have to face the fact that machines are more and more able to communicate, act and, in a way, “think” autonomously.

Can these challenges be tackled with existing legal instruments or do they require the adoption of tailor-made, brand new solutions?

The legal fields that have been mentioned here are, indeed, varied and do not allow one straightforward answer. Nevertheless, it may be worth noting that pushing for over-specific and unrealistically always-up-to-date legal instruments can be very risky. It can result, in fact, in a never-ending (but always late) frantic chase of fast-pacing technological developments, which can be more effectively tackled by adapting traditional flexible tools.

As it has been recently underlined by a study led by the European Parliament, “many of these issues have a cross-border and even pan-European element, e.g. migration of skilled labour, completing the digital single market and cybersecurity, cross-border research, standards etc”.

Perhaps, the success of the fourth industrial revolution from a legal point of view will largely depend on the ability and willingness to find harmonized and common solutions to global challenges, rather than create over-particular and specific new instruments. From this perspective, the new European Regulation on Data Protection can be seen as an encouraging legislative action providing for flexible but effective tools (such as, for example, data protection by design and data protection by default provisions) within the framework of the harmonizing strength of the European Regulation legal instrument.

The Italian Administrative Supreme Court Opens New Perspectives for Therapeutic Equivalents

By rejecting an appeal from Novartis, the Italian Administrative Supreme Court, with its decision n. 1306 of April 1st, 2016, focused on the notion of therapeutic equivalence under Italian law. Having underlined the difference with the concept of bioequivalence and having broadened its possible future application, the decision is likely to push forward the trend of public health care institutions to increase competition between pharmaceutical companies in the context of public tender offers, possibly for the benefit of taxpayers and patients.

The controversy arose from an opinion issued by the Italian Medicines Agency (“AIFA”) which, in a tender procedure held by Tuscany region, evaluated the drug Lucentis by Novartis (active ingredient ranibizumab) as a therapeutic equivalent to Eylea by Bayer (active ingredient aflibercept). This allowed the regional public administration to have the said drugs compete against each other in the same tender offer.

Debates as to whether Lucentis and Eylea are equivalent in terms of functions are not indeed new in the pharmaceutical scene and have caused many headaches to Novartis, let alone the critical issues raised in relation to Lucentis by the Italian Antitrust Authority.  Not a surprise, then, that Novartis tried to defend its product, alleging the illegitimacy and erroneousness of AIFA’s evaluation, which stated that the cheaper option by Bayer (Euro 780) is equally safe and effective in the treatment of macular degeneration as it is its more expansive (Euro 902) drug.

Novartis, nevertheless, failed in its claims. The Italian Administrative Supreme Court confirmed the validity and correctness of AIFA’s evaluation, together with the decision of the lower court, affirming, inter alia, that:

  • therapeutic equivalence is different from bioequivalence because the latter implies the identity of the active ingredient whether the former does not (indeed, FDA’s indications on the issue are rather similar);
  • the authority of AIFA in determining therapeutic equivalence is legitimate under Italian law;
  • evaluations regarding therapeutic equivalence cannot be based exclusively on the products’ leaflet: they are instead well motivated if they verify that (i) the drugs belong to the same Anatomical Therapeutic Chemical class; (ii) the drugs are subject to a similar route of administration and (iii) the drugs release the active ingredient in comparable ways.

Therapeutic equivalence, as it has recently emerged from Italian legislation and case law (in particular, from the decision discussed herein), is seen as a threat by pharmaceutical companies, unnerved by the increased competition effects.

Indeed, the debate has been escalated to a more general level by the Italian association of pharmaceutical companies, which challenged in many ways AIFA’s guidelines on therapeutic equivalence. As a consequence, a few days ago AIFA precautionary suspended for ninety days the said guidelines.

It looks like the match has just begun. Nevertheless, pharmaceutical companies should consider carefully on which side they should play. In fact, the expansion of the application of therapeutic equivalence, as a general trend, does not seem to be stoppable in a constant spending review context. Perhaps pharmaceutical companies should positively contribute to shape, rather than to stop, therapeutic equivalence and exploit its potential for the business in terms of new opportunities to access tender offer procedures.

Art. 29 Working Party on EU-US Privacy Shield: Trust Not Yet Restored For Transatlantic Data Flows

Only few months after the 2015 Court of Justice of the European Union (CJEU) landmark decision that put an end to the Safe Harbour system, the EU Commission proudly announced a new framework agreement with the US authorities, allegedly providing strong safeguards, sufficient to “enable Europe and America to restore trust in transatlantic data flows” (Commissioner Věra Jourová).

According to the Commission’s press release, the Privacy Shield’s guarantees include:

  • strong obligations on companies and robust enforcement;
  • clear safeguards and transparency obligations on US government access;
  • a redress possibility through an independent Ombudsperson mechanism;
  • effective protection of EU citizens’ rights through various measures (a specific timeline for resolving complaints , a free of charge alternative dispute resolution solution, as well as the possibility for EU citizens to lodge complaints with their national Data Protection Authorities, who will work with the Federal Trade Commission to solve them).

Nevertheless, the newly issued opinion of the Art. 29 Working Party (“WP29”) already raised strong criticism against the Privacy Shield, tempering the Commission’s enthusiasm. Although WP29 did not abstain from underlining the improvements the Privacy Shield offers in comparison to the invalidated Safe Harbour decision, its concerns seem to eclipse those positive features, leading to the overall negative assessment of the new framework. Moreover, the impression is that the Privacy Shield led to more uncertainty, leaving everyone frustrated, with the exception of those authorities that negotiated it.

But what are, then, according to WP29, the improvements offered by the Privacy Shield? On the other hand, what major concerns does it raise? Finally, does it provide for adequate answers to post-Safe Harbour issues?

Firstly, it must be recognized, as WP29 certainly does, that the Privacy Shield represents a large step forward from Safe Harbour in terms of data protection. And, one could argue, it couldn’t be otherwise, since the Safe Harbour decision dates back sixteen years ago, before Facebook, the social network, big data era and the emergence of encryption vs. surveillance-like debates.

However, WP29 welcomes the additional recourses made available to individuals to exercise their rights, together with the extensive attention dedicated to data accessed for purposes of national security and law enforcement. Increased transparency measures are also appreciated by WP29: both those offered by the US administration on the legislation applicable to intelligence data collection and those provided through the introduction of two Privacy Shield Lists on the US Department of Commerce website (one containing the records of those organizations adhering to the Privacy Shield and one containing the records of those that have adhered in the past, but no longer do so).

Unfortunately, it seems that, these (few), general, positive notes are by far neutralized by the much more incisive negative remarks made by the WP29. WP29 points out the inadequate safeguards set forth to protect some key data protection principles under European law: the data retention principle is not expressly mentioned by Privacy Shield instruments (nor it can be clearly construed from their current wording) and onward transfers of EU personal data to third Countries are insufficiently framed. Despite the EU Commission’s enthusiastic press releases, WP29 underlines how, from the documents signed  by US authorities, it cannot be fully excluded that US administrations will continue the collection of massive and indiscriminate data. And one cannot abstain from noting how crucial the latter aspect is, being one of the main reasons that led the CJEU to invalidate the Safe Harbour decision. Moreover , WP29, while recognizing the effort to create additional oversight mechanisms, considers those efforts not satisfactory: the new redress mechanisms, in practice, may prove to be too complex and difficult to use and, more specifically, the capability of the Ombudsperson mechanism to be truly independent from US governmental authorities is strongly questioned. The lack of clarity of the new framework is also stigmatized by the WP29 by calling for a glossary of terms to be included in the negotiated instruments, in order to ensure that the key data protection notions of the Privacy Shield will be defined and applied in a consistent way. Lastly, the WP29 points out, rightly, how the newly issued Privacy Shield documents already appear out-of-date, considering the approval and forthcoming enter into force of the EU data protection reform, which will bring important improvements on the level of data protection offered to individuals, not at all reflected in the Privacy Shield.

The adequacy of the Privacy Shield to address the issues raised after the CJEU decision invalidating Safe Harbour is hence, at least, arguable. The significant uncertainty created after the fall of Safe Harbour is not only far from being clarified but, possibly, worsened. The major concerns raised by the CJEU have not been adequately tackled, especially if one considers the absence of clear-cut undertakings of the US authorities on mass surveillance programs by security intelligence agencies. Regulatory costs on companies and governmental agencies will not therefore be balanced by stability, certainty and higher levels of fundamental rights protection, leaving everyone dissatisfied.

So, what’s next for Privacy Shield? Another advisory decision is awaited from Article 31 Committee after the second half of May. Then, different options are available but, basically, the implementation of Privacy Shield could take place with or without addressing WP29’s most important concerns. In any case, legal challenges before the CJEU, as well as claims brought to national data protection authorities, will always be open and much likely to happen, given the overall uncertainty characterizing transatlantic data flows: trust is, indeed, very far from being restored.