All posts by Paola Sangiovanni

About Paola Sangiovanni

Partner of GITTI and Partners. Seasoned transactional and regulatory legal counsel with a thorough understanding of the life sciences industry.

New Intellectual Property Scenarios in the Age of Covid-19

IP DONATIONS.  Many life sciences companies have made generous donations to alleviate the difficulties that have arisen in these dire pandemic times (Roche Italia, for example, has donated medicinal products, devices, cash and services).

Some of them, instead, have donated intellectual property: Medtronic, for example, has publicly posted design specifications for its Puritan Bennett™ 560 (PB560) ventilator “to allow innovators, inventors, start-ups, and academic institutions to leverage their own expertise and resources to evaluate options for rapid ventilator manufacturing”. More than 90,000 people were interested.

IP VOLUNTARY LICENSES.  Momentum is also building in favor of the Open Covid-19 Pledge, a program, now also sponsored by the Creative Commons, where patent holders pledge to make their intellectual property available free of charge for uses against Covid-19. The pledge, rather than a donation, takes the form of a royalty-free, non-exclusive, worldwide license under which the intellectual property is made available. Such license may be standard or can be adapted by licensors in various ways.

While many research institutions and private companies are working on a Covid-19 vaccine, the World Health Organization has warned that “it will be important that vaccines go where they are most needed, not simply to the countries that can afford them.” Critical issues not only affect the development of a vaccine, but will also affect its mass production and worldwide distribution. A similar request has been voiced by the European Parliament in its Motion for Resolution dated April 14, 2020, where it “calls on the Commission to ensure that, when EU public money is spent on research, the results of that research are not protected by intellectual property rights and price accessibility to patients is guaranteed for the products developed; stresses the importance of public research and development activities and institutions and of cooperation at international level, while expressing concerns over the dominant role of multinationals in the pharmaceutical sector; urges all pharmaceutical companies to pool their data and knowledge in a collective effort to identify, test, develop and manufacture treatments to curb the disease”.

IP MANDATORY LICENSES.  Such voluntary licenses are completely different from the mandatory licenses that section 31 of the TRIPS agreement allows in case of a “national emergency or other circumstances of extreme urgency”. While the right holder would need to receive “adequate remuneration”, this instrument would allow governments to obtain a non-exclusive and non-assignable license to use the patent without the authorization of the right holder.

It is thus possible that the extreme circumstances in which we are living may also bring completely new scenarios in the intellectual property landscape.

EDPB on Privacy & Covid-19 Today

You may have heard that Israel has started processing cellphone data to track the contacts and movements of individuals who are positive for Covid-19, in order to trace other people with whom they have come into contact.

The European Data Protection Board has just issued an opinion on data protection and Covid-19 stating that:

  • Insofar as possible, processing of data should be anonymous;
  • When it is not possible to only process anonymous data, Art. 15 of the ePrivacy Directive enables the member states to introduce legislative measures pursuing national security and public security. This emergency legislation is possible under the condition that it constitutes a necessary, appropriate and proportionate measure within a democratic society. If such measures are introduced, a Member State is obliged to put in place adequate safeguards, such as granting individuals the right to judicial remedy.

If you have some time to reflect on the privacy aspects of the coronavirus, you may be interested in checking the varied approach of different EU Data Protection Authorities. 

Stay safe!

Italian Data Protection Authority Plans to Inspect Life Sciences Companies in 2020

The Italian Data Protection Authority has recently issued its inspection plan for the first half of 2020. The Authority plans about 80 inspections through the fiscal police. 

Inter alia, the Authority plans to inspect health data processing carried out by multinational companies operating in the pharma and health sector. In case that’s what you do, make sure your GDPR documents are in order.

Other industries will also be impacted, such as whistleblowing software, marketing, online banking, food delivery and call center services.

In 2019 the Italian Data Protection Authority issued sanctions amounting to Euro 15,910,390.

Clinical Trials Seminar at Gitti and Partners

On January 16 our firm Gitti and Partners will be hosting a seminar on clinical trials legislation and its related opportunities and risks. The seminar will look at drug trials and medical devices investigations from various angles, including regulatory, data processing and criminal law perspectives.

Ms. Alice Cabrio and Ms. Giulia Corti, Corporate & Compliance Managers at Roche S.p.A., will focus on the challenges of reconciling GDPR and trials.

Dr. Eleonora Ferretti will bring the perspective of the trial unit of a large public hospital that is also a research center.

Ms. Elisa Tacconi and Ms. Elisa Corleto of Medtronic Italia S.p.A. will dive into real world evidence and will explore the limits of trials’ regulations.

Our Fabrizio Sardella and Ms. Castagno and Mr. Stigliano of Orrick will highlight criminal risks linked to clinical trials.

The seminar promises to be very interesting and you are welcome to join us.

The full program can be found here: http://grplex.com/en/conferences/download/765/clinical-trials–risks-and-opportunities-in-a-new-regulatory-environment

Don’t Forget to Close E-mail Accounts of Employees who Leave. And Happy Holidays!

The Italian Data Protection Authority has recently reiterated what to do when an employee leaves the company, i.e.:

  • Close down email accounts attributable to the former employee;
  • Adopt automatic response systems indicating alternative addresses to those who contact the mailbox; and
  • Introduce technical measures to prevent the display of incoming messages to unauthorized subjects.

The automatic forwarding of emails to colleagues of the former employee amounts to a breach of principles of data protection, which impose on the employer the protection of confidentiality even of the former worker.

In the case decided by the Authority the e-mail account had remained active for over a year and a half after the end of the employment relationship and before its elimination, which took place only after a formal complaint filed by the worker.

Our life sciences team at Gitti and Partners wishes you a relaxing Christmas break and a 2020 full of happy innovation, useful technology and interesting legal developments!

New 231 Crimes Introduced

New tax crimes that may trigger corporate liability have been introduced by the Italian budget law, namely by section 39 of law decree no. 124 of 2019 relating to fiscal measures (decreto fiscale).

The new section “25-quinquiesdecies” (sic!) applies to crimes of fraudulent tax statements through invoices or other non-existent transactions, invoicing non-existent transactions, fraudulent avoidance of tax payment and destruction of accounting documents.

As a result, companies that commit such fraudulent tax crimes are not only subject to tax liability, but also to “231” liability and punished with a monetary sanction up to 774,500 Euros. Such “231” liability may be in addition to the personal criminal liability of their directors. Additionally, in many cases the confiscation of money, goods or other benefits resulting from the tax crime also applies.

The new crimes will be in force starting from the publication in the Official Gazette of the law converting the above-mentioned law decree, which must be converted by the Italian Parliament before Christmas Day.

Companies must therefore act in order to ensure that their 231 organizational models include sufficient provisions aimed at preventing such crimes, such as controls on the veracity of transactions, on the keeping of accounting documents and on the contractual counterparty indicated by the company’s tax documentation. Of course, we at Gitti and Partners can help!

Paola Sangiovanni to Speak on Artificial Intelligence

Our firm will be attending the EMEA Regional Meeting of Ally Law in Malta next week and on Friday November 15th I will be speaking at a panel discussion titled “Keeping an Eye on AI: Ethical and Regulatory Considerations.” 

Artificial intelligence is a hot topic, also in the med-tech field, and poses exciting legal, ethical and regulatory questions. I am sure this will be an interesting opportunity to discuss them with legal and technical experts. 

 

Is Your Cookie Policy Right?

In a recent decision by the Court of Justice of the European Union in case C-673/17 against Planet49 GmbH, the issue of consent was analyzed on the basis of the ePrivacy Directive and the GDPR.

The case regarded a preliminary question by the German Federal Court of Justice on the validity of consent given through a pre-ticked checkbox, which the user must deselect to refuse his or her consent.

The Court analyzed the features of consent under the ePrivacy Directive (“freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed” by reference to the Data Protection Directive) and in the GDPR (“any freely given, specific, informed and unambiguous indication of the data subject’s wishes”).

The Court concluded that the user is required to “give” consent and to provide an “indication”, which “points to active, rather than passive, behavior.” Therefore, an opt-out consent is not validly given.

You may want to check if your website has a passive mechanism to accept cookies (including a mechanism whereby “continuing to browse the website means acceptance of these cookies”): under the Court’s decision described above, it is possible that such a passive consent would be regarded as invalid.

This conclusion would appear to contradict the previous guideline by the Italian Data Protection Authority providing that “if the user continues browsing by accessing any other section or selecting any item on the website (e.g. by clicking a picture or a link), he or she signifies his or her consent to the use of cookies.”

Further, the Court set forth that “the information that the service provider must give to a website user includes the duration of the operation of cookies and whether or not third parties may have access to those cookies.”

Recent Data Protection Developments

There are a few interesting developments in the area of data protection that you may have missed and we can recap for you:

  • CONDITIONS TO PROCESS CERTAIN DATA ISSUED BY THE ITALIAN DATA PROTECTION AUTHORITY. According to section 9 paragraph 4 of the GDPR, Member States are entitled to introduce additional conditions for the processing of genetic, biometric or health data. On July 29, 2019 the final version of such conditions issued by the Italian Data Protection Authority was published in the Official Journal. Such conditions apply to processing of data (i) in employment relationships, (ii) by associations, (iii) by private investigators, (iv) that are genetic or (v) for purposes of scientific research.
  • RIGHT TO BE FORGOTTEN. On September 24, 2019 the European Court of Justice issued a judgment on the right to be forgotten in case C‑507/17 against Google Inc. The Court has ruled that “there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject, as the case may be, following an injunction from a supervisory or judicial authority of a Member State, to carry out such a de-referencing on all the versions of its search engine.” While the right to be forgotten must be enforced in all Member States, there is no obligation to do that in all national search engines. The Court, however, added that a supervisory or judicial authority, after balancing all rights concerned, would be able to order de-referencing on all search engines in the world since “EU law does not currently require that the de-referencing granted concern all versions of the search engine in question, it also does not prohibit such a practice.” Given the reaction to the judgment by the Chairperson of the Italian Garante (the data protection authority) Mr. Antonello Soro, it cannot be excluded that the Garante may issue a universal, rather than EU-wide, dereferencing order.
  • PROCESSING FOR “OWN PURPOSES”. A med-tech company has been sanctioned for having used patient data (medical scans) in a public tender process and in a subsequent litigation in an anonymized form. The company had been appointed by the hospital as a data processor but, the Garante ruled, had further processed such patient data for its own purpose rather than for the purposes mandated by the data controller (i.e., maintenance of equipment generating scans for patients).
  • AGAIN ON THE RIGHT TO BE FORGOTTEN. In a decision by the Italian Garante dated July 24, 2019 Google LLC has been ordered to de-reference from its search engine news about criminal facts that occurred in 2007 for which an individual, without any public role, had been convicted, but who had been fully rehabilitated.
  • CONSUMER CREDIT CODE OF CONDUCT. On September 19, 2019 the Italian Garante approved a new code of conduct for companies operating in the areas of consumer credit, credit worthiness analysis and payment punctuality.