The perception of digital innovation is changing. The initial enthusiasm is now being replaced with a more cautious, at times skeptical, approach. If you are familiar with Shoshana Zuboff’s views on Surveillance Capitalism or, more locally, the concerns voiced by Antonello Soro, Chairman of the Italian Data Protection Authority, on the use of data, you may now be starting to question how much actual good will humanity derive from unbridled innovation.
The good news is that the European Union continues to be at the forefront of a human-centric approach to technology so that innovation can be responsible and sustainable. The GDPR, which came into force about a year ago, has brought the focus to the fundamental right to data privacy, reminding all stakeholders that the human being remains at the center of any digital innovation.
Last month the Independent High-Level Expert Group on Artificial Intelligence set up by the European Commission issued interesting Ethics Guidelines for Trustworthy AI. The document clearly indicates that AI should be lawful, ethical and robust in order to be trusted and trustworthy. AI systems must be based on fundamental rights such as respect for human dignity, freedom of the individual, respect for democracy, justice and the rule of law, equality, non-discrimination and solidarity, and citizens’ rights. The ethical principles of respect for human autonomy, prevention of harm, fairness and explicability must be respected, and any tensions between them must be duly balanced. Privacy and data governance, transparency, diversity, non-discrimination and fairness are also important requirements for the realization of trustworthy AI systems.
In conclusion, the guidelines state that “AI systems will continue to impact society and citizens in ways that we cannot yet imagine. […] Our goal is to create a culture of “Trustworthy AI for Europe” whereby the benefits of AI can be reaped by all in a manner that ensures respect for our foundation values: fundamental rights, democracy and the rule of law.”
I really enjoyed attending and speaking at the EU Pharmaceutical Law Forum in Brussels this week. The event offered a number of insights into the legal challenges faced by the life sciences industry in an ever-evolving regulatory landscape. These are the main takeaways from the conference:
#1: Clearly, the political climate is not favorable to pharma and med-tech companies. A number of measures have been proposed at various levels that would significantly decrease the incentives to innovation that companies currently enjoy. Such proposed measures range from halving the term of protection for orphan drugs exclusivity to compulsory licensing of drug patents, from incentives to drug compounding by pharmacies to mandatory price reductions. The general public and the media continue to have a negative perception of the industry and the regulatory framework appears to be evolving in a restrictive way.
#2: Despite the uniform letter of the GDPR throughout the Member States, the interpretation of data protection rules continues to differ widely across Europe. This is especially clear in the field of clinical trials, where a patchwork of legal solutions makes it impossible for multinational corporations to adopt a consistent approach. The recent EDPB opinion on the legal basis for the processing of data deriving from clinical trials has further shown a shift away from consent as the legal basis for the processing, but some countries (Germany, Italy and Spain, for example) continue to find it hard to accept such a shift.
#3: EU harmonization is expected to occur in the coming years in a number of areas, such as off-label use, artificial intelligence and health technology assessment.
#4: Compliance efforts must be continued, but it is clear that formal compliance is not sufficient to shield a company from risks, especially reputational risks. Even when compliance safeguards are in place, the approach to reputational risks must be perfectionist, as pointed out by Ms. Alice Cabrio, compliance officer at Roche S.p.A.
Enjoy your weekend, and do not forget to celebrate the GDPR’s first birthday!
The Institut du Risk & Compliance is hosting a conference in Paris in mid-May that promises to be very interesting for life sciences companies. The program will give a country-by-country overview of the current legislation on anti-corruption and transparency.
Paola Sangiovanni will be leading a workshop titled “Ethical needs of life sciences: between statutory obligations and self-regulation”.
Have a great start to the week!
The Italian Data Protection Authority has provided clarifications on the processing of health data by means of a note issued on March 7, 2019.
On the basis of section 9.2 letter h) and section 3 of the GDPR, the Authority has indicated that healthcare professionals who are subject to a duty of confidentiality (or other professionals also subject to confidentiality obligations) will no longer require the consent of the patient in order to process data for the purpose of providing healthcare services.
Processing of personal data beyond what is necessary to provide healthcare services will, instead, continue to require the patient’s express consent. Consent is required, for example, for the use of medical apps, for any use of personal data for marketing purposes and for the inclusion of data in electronic health records.
In any case, the patient must receive information about how her/his data will be processed (including the duration of the data processing). The Data Protection Authority clarified that such information must be concise, transparent, intelligible and easily accessible, using simple and clear language. For hospitals that process data in complex ways, the Authority suggests that information be given to the data subjects concerned, and only when necessary (mass information to all is not a good idea).
Lastly, the Authority notes that the appointment of a Data Protection Officer is required in case of large-scale processing of health data, which occurs in hospitals (regardless of their public or private nature), but does not apply to individual medical professionals, pharmacies or orthopedic firms. Keeping a register of processing activities, instead, remains a key requirement and a basic element of accountability and risk management in any case of health data processing.
A summary of the Authority’s clarifications can be found here.
Under Italian law a document saved through blockchain technologies can have legal effects.
According to Law Decree 135/2018 (“Decreto Semplificazioni”), which was recently converted into law by Law 12/2019, technologies based on distributed records can have the same legal effects as electronic time stamps under section 41 of EU Regulation 910/2014. Such effects will be obtained if certain technical standards are met, and the regulatory body Agenzia per l’Italia Digitale has been entrusted with the task of setting forth such standards within 90 days.
Technologies based on distributed records are defined as “technologies and information protocols that use a shared register that is distributed, replicable, simultaneously accessible, architecturally decentralized on a cryptographic basis, such as to allow the recording, validation, updating and archiving of data both in accessible format and further protected by cryptography verified by each member, not alterable and not modifiable”. The scope of the definition is wide and is intended to include blockchain technologies, which can take many forms.
Similarly, technologies based on distributed records will also allow so-called “smart contracts” to have legal effects. Smart contracts will be presumed to have legal effects when the contractual parties have been previously identified on the basis of technologies based on distributed records. Again, the details will be up to the Agenzia per l’Italia Digitale.
Italy’s effort to pioneer the embrace of new technologies in the legal field is commendable, but there is a risk that standards set forth by the Agenzia will not be the same as other national or international standards that may be emerging in the near future.
Do you have a “Sunshine Act” in your jurisdiction? Any other piece of legislation that mandates that all interactions between the industry and health care professionals are made public?
Italy is about to enact one. You may find the proposed bill here.
In our seminar, which will be held on January 31 at 5 p.m. at our offices in via Dante 9, Milano (the full program can be found here), we will discuss how transparency and ethics interact. We will also ask ourselves how the behaviour of doctors, patients and life sciences companies may change following the introduction of the Sunshine Act, which promises disclosure of any exchange of value over €10. We will also ponder the use of the data rendered public by the media (see an interesting point of view here).
The topic of conflicts of interest seems especially “hot” these days, since Advamed just revised its code of ethics on interactions with US healthcare professionals and stories about conflicts of interest between doctors and industry continue to be in the media.
We look forward to this interesting opportunity of dialogue on a crucial aspect of healthcare.
As a result of the so-called “PIF Directive”, starting from July 2019 criminal corporate liability under Italian Law 231 may be triggered by tax crimes, too.
(If you are not overly familiar with the principles of Italian 231 legislation on criminal liability of corporate entities, perhaps you may start here.)
Under Italian 231 law, corporations are subject to criminal (rather, quasi-criminal) liability when certain specific crimes are committed in their interest or to their advantage. So far, such crimes have never included tax crimes, although the issue had been widely debated and several court decisions had attempted to combine other types of crimes with tax crimes (the Supreme Court had always disagreed, though).
Now, the PIF Directive, which Member States must implement by July 6, 2019, “establishes minimum rules concerning the definition of criminal offences and sanctions with regard to combatting fraud and other illegal activities affecting the Union’s financial interests, with a view to strengthening protection against criminal offences which affect those financial interests.” Liability of legal entities must be provided for by national legislation, and serious offenses against the common VAT system must be punished.
The Italian legislator will thus need to introduce such serious VAT crimes (i.e., having a value in excess of 10 million euros) in the list of crimes triggering corporate liability. This, in fact, may open the door to other tax crimes as a basis of 231 liability of corporate entities.
I have been asked to comment on the European Court of Justice decision of October 18 relating to the application of public procurement rules to a drug supply arrangement between a privately owned hospital and a public hospital.
The decision can be found here and the full article here.
Last week the PIP legal saga took another unexpected turn.
On October 10, 2018 the French Court of Cassation overturned the decision of the Appeal Court, which had cleared TUV Rheinland, the notified body involved in the PIP case, of liability, and sent the case back to the Appeal Court.
Breast implants made by the French firm Poly Implant Prothèse (also known as “PIP”) had been marketed for years until, in 2010, it was discovered that the silicone used for such breast implants was industrial rather than biomedical. The investigation found that employees of PIP removed evidence of the industrial silicone gel before inspections by TUV Rheinland, the notified body which was in charge of audits on the manufacturing of the breast implants.
Breast implants are medical devices that may be marketed in the European Union if they are granted a CE marking, which is based on the certification by a notified body that the device satisfies legal requirements. The scandal, although linked to a criminal scheme, showed certain weaknesses of the medical device legislation and ultimately led to the adoption of the EU Medical Device Regulation in 2017.
PIP closed down in 2010 and, although its founder was jailed and fined, the many thousands of affected women could not be compensated by PIP. TUV Rheinland was initially found liable for negligence in 2013 and ordered to pay damages of 5.7 million euros, but was later cleared of liability by a French Appeal Court in 2015.
The Court of Cassation has now sent the case back to the Court of Appeal in order to shed light on two issues. TUV’s press release on the decision can be read here. According to Maître Cécile Derycke, Counsel for the TÜV Rheinland companies: “The TÜV Rheinland companies are serene. […] We are confident that the Court of Appeal to which the case has been referred back will confirm that TÜV Rheinland LGA Products GmbH performed its mission as a notified body diligently and in total compliance with the applicable regulations and TÜV Rheinland France SAS committed no fault.”
Stay tuned to find out whether TUV Rheinland is found to be a victim or a perpetrator in the PIP scandal… and whether affected patients are entitled to compensation by TUV.
Finally (!), the Italian government has enacted a legislative decree that amends the existing Data Protection Code in order to ensure its compliance with the GDPR. Additionally, the Italian legislator has filled the gaps that the GDPR had left to Member States.
Here are the main takeaways in the health area:
- Processing of health data, genetic data or biometric data requires compliance with specific protection measures (“misure di garanzia”) that will be issued by the Italian Data Protection Authority bi-annually in light of guidelines of the European Committee, of technological developments and in the interest of data circulation within the European Union.
- Under section 9.2.g) of the GDPR, personal data relating to health can be processed when processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law. The Italian legislator has listed the circumstances under which such substantial public interest exists, which include, inter alia:
- administrative activities connected to those of diagnosis, assistance or health or social therapy;
- obligations of the national health service and of subjects operating in the health area;
- hygiene and safety tasks to be carried out in the workplace and for the safety and health of the population, for the protection of the population and to safeguard life and physical integrity;
- management and assessment of health assistance;
- social protection of maternity and abortion, addictions, assistance, social integrations and rights of disabled individuals.
- Data protection rights of deceased individuals may be exercised by those who act on the basis of their own interest, in protection of the interested person, or for family reasons worthy of protection, unless – with respect to information society services – the interested person has expressly prohibited, through a written statement, the exercise of such rights by third parties. Such a statement must be unequivocal, specific, informed and free, and may also relate only to some of the rights. The prohibition must not prejudice the exercise by third parties of patrimonial rights arising from the death of the interested person, nor the right to judicial defense.
- The prescription of drugs that do not require the indication of the name of the interested person will be subject to specific measures (misure di garanzia) also in order to control the correctness of the prescription, for administrative purposes and for the purpose of scientific research in public health.
- Reuse of personal data for purposes of scientific research or for statistical purposes must be previously authorized by the Data Protection Authority, which can set forth conditions for the processing. Reuse of genetic data cannot be authorized. However, processing of personal data collected in the course of clinical activity for the purpose of research by research hospitals (IRCCS, both private and public) is not deemed to be reuse.
- Processing of personal health data for the purpose of scientific research in the medical, biomedical or epidemiological field without the patient’s consent is in any case subject to a favorable opinion by the competent ethics committee and a consultation with the Data Protection Authority.
- Criminal sanctions continue to apply in case of illegal data processing and can be up to 6 years of imprisonment.
- The Data Protection Authority has 90 days to indicate which of the measures contained in the general authorizations it already adopted are compatible with the GDPR. The ones which are not will cease to apply.