All posts by Paola Sangiovanni

GDPR from Down Under: an Australian Perspective

We have interviewed Dr. Peytee Grusche, special counsel at the Australian law firm Russell Kennedy, to ask about her view on GDPR. Peytee assists clients in the areas of research and development, commercialisation of intellectual property, patent, trade mark and design registration and enforcement.

Do Australian companies care about GDPR, and why?

Yes, Australian companies do care about the GDPR if they have an establishment in the European Union (EU), if they offer goods and services in the EU, or if they monitor the behaviours of individuals in the EU.  Also, if Australian businesses are recipients of personal data, then they will be caught by the provisions of the GDPR.

Have you seen significant compliance efforts?

We have had clients request advice on their privacy policies in order to update them to include compliance with the GDPR. In particular, where AU businesses are recipients of personal data advice, on standard data protection clauses and binding corporate rules.  Also, we have received instructions for advice on compliance with GDPR in respect of direct marketing practices (mailouts, newsletters etc).

How would you compare the GDPR to Australian data protection legislation?

The GDPR and the Australian Privacy Act 1988 have much in common including the requirement to show that businesses comply with the privacy principles. However, there are some differences under the GDPR which do not appear in the Australian Privacy Act 1988 including a number of rights for individuals.

Under the GDPR, individuals have the rights to erasure, right to data portability and right to restriction of processing.  The Australian Privacy Act does not include the equivalent rights to these new rights. However, it specifies that business must take reasonable steps to destroy or de-identify personal information that is no longer needed for a permitted purpose.  Additionally, where access is given to an individual’s personal information, it must generally be given in the manner requested by the individual.

What is the preferred strategy of Australian companies who face different standards in data protection legislations around the world?

In our experience, Australian companies will try to comply by adopting  an appropriate privacy policy and/or by contractual provisions to include provisions relating to relevant countries.

Thank you, Peytee!

Advertisements

May 25, 2018: Did You Survive the GDPR D-Day?

Last May 25 the GDPR came into force. It was hard not to notice given the inundation of emails that everyone received, as well as the clear signs of burnout in the eyes of GDPR experts.

Here are my personal top 3 takeaways from that experience:

  • The flood of data protection emails received on May 25 showed me how my data had been disseminated all over the place and archived for a really long time. I had some recollection of only a few of those who wrote me to share their most recent privacy policy (and remind me how they deeply, deeply care about privacy!), since many may have bought, inherited or just collected my data a long time ago. It reminded me that those data subjects’ rights are an empowering tool, which I intend to use more frequently in the future.

 

  • The Law (capital “L”) showed its full might and power on May 25, something which surprised even those, like me, who work with legal requirements all day every day. Look at what companies do when you threaten a 4% fine on their worldwide turnover! (Incidentally, this reminded me why politics is important and why people who are indifferent to politics are wrong: this stuff does make a difference in our lives).

 

  • The Italian authorities (mostly the government and parliament) lost yet another opportunity to be helpful to citizens. We had been waiting for a national data protection law for months, but no such law was enacted before May 25. Until that happens, Italians are supposed to assess, for each and every provision of the Data Protection Code, whether or not it conflicts with the GDPR. How practical.

GDPR: do’s and dont’s

Seminario GDPR 03052018

Paola Sangiovanni will be speaking at a seminar on GDPR on May 3, 2018 at Gitti and Partners’ office in Brescia.

The seminar, followed by a reception, will focus on DOs and DONTs for small and medium enterprises in the field of data protection.

While Italians are still awaiting the enactment of a national data protection law that will clarify the relationship between GDPR and the previous privacy legislation, GDPR compliance efforts must nonetheless continue.

Join us in this interesting seminar to find out what should be done and what should be avoided!

Weekend Reading Recommendations

Ready for the weekend? I have these article on my reading list: perhaps you, too, may enjoy some food for thought on some of the hottest topics in the fields of law and innovation:

  • A Layered Model for AI Governance”: https://cyber.harvard.edu/node/100108, on governance for artificial intelligence aimed at ensuring transparency and accountability and addressing massive information asymmetries between the developers of artificial intelligence systems and consumers and policymakers;

 

 

 

Whatever you will be reading, have a great weekend!

Presentation on GDPR and scientific research at the Paperless Lab Academy

Paola Sangiovanni will be speaking at the Paperless Lab Academy event (http://www.paperlesslabacademy.com/) on March 20, 2018 in Baveno (NO), Italy, on the topic of the impact of the new GDPR for science.

Sofie van der Meulen, Senior Supervision Officer at Dutch Data Protection Authority, will offer a special introduction titled “Why Privacy Matters”.

This promises to be an interesting event. See you there!

 

 

New Rules on Continuing Medical Education

The rules on continuing medical education (“CME”) have changed since a new agreement between the Italian government, the Italian Regions and the autonomous provinces of Trento and Bolzano has come into force on February 2, 2018. You may find the new agreement here or here (only in Italian, sorry).

The agreement is an “upgraded version” of the previous principles, which remain largely unchanged, but are now better defined, stricter and hopefully more effective.

  • THE RIGHT TO CME. Health care professionals (“HCPs”) have the right to obtaining CME and regulators will need to remove impediments in order to allow the exercise of such right.
  • ACCREDITATION OF PROVIDERS. As before, providers of CME need to be accredited, but accreditation will be subject to stricter rules, which particularly focus on avoiding any conflicts of interest. Providers will also need to adopt an internal regulation setting forth how to prevent and exclude (even potential) conflicts of interest.
  • SPONSORSHIP OF EVENTS. Sponsorship of CME events will be possible by private companies, provided that the principles of transparency, objectivity, impartiality and independence are complied with. No advertisement of medicinal products or medical devices can be carried out during the CME event, but only before, after and outside the event. No direct payments or reimbursements are allowed to speakers or moderators of the CME events.
  • NO ACCESS TO PERSONAL DATA OF HCPs. On the data protection front, note that sponsors of CME cannot have access to lists and addresses of participants, speakers or moderators.
  • SPONSORSHIP OF HCPs. Lastly, HCPs may be sponsored by commercial firms operating in the health industry, but cannot fulfil more than one third of their CME requirement through such sponsorship. This is bound to change how CME has been handled before, forcing HCPs to bear the cost of at least two thirds of their CME requirements.

Have a great weekend!

Take our Quiz on the New MoH Guidelines on Medical Device Advertisement!

On December 20, 2017, the Italian Ministry of Health has issued interesting guidelines on medical device advertisement to the general public, which you can download here (scroll to the bottom of the page).

The new rules describe DOs and DONTs in advertisement on Instagram, YouTube and Facebook and offer interesting indications on the use of a celebrity in the ads.

The basic principle remains the same: advertisement of medical devices that are subject to medical prescription (or may be used only with the assistance of medical personnel) is prohibited by Italian law. When allowed, advertisement of medical devices to the public is subject to authorization by the Ministry of Health.

Take our medical device advertisement quiz to check if you know (or can guess!) what’s new in the guidelines!

  • Can a doctor recommend a medical device in an advertisement to the general public?

No, the Ministry of Health will not authorize such advertisement.

  • What about a celebrity appearing in an advertisement message?

While the mere presence of such individual may be tolerated, no express or implied endorsement of the medical device will be authorized.

  • Can authorized medical advertisement be shared through Instagram?

Yes, but only in the “Stories” section and if users’ comments are de-activated.

  • What about Facebook?

As comments cannot be de-activated, a special disclaimer must be used in order to clarify that the Ministry of Health authorization of advertisement solely covers advertisement, while any further comments are the responsibility of users.

  • Is a medical device company allowed to email advertisement to patients?

Yes, but only if the Ministry of Health has authorized the advertisement and if the patient has expressed his/her consent (always revocable).

Holiday Reading Selection

Dear Readers and Friends,

With Christmas and Boxing days behind, you should have had your share of party time with your family and friends (if not, New Year’s is a good time to catch up).

If you are ready for some quiet time to read some interesting articles in the areas of innovation, health and the law, here is a selection of holiday reading that our life sciences group has prepared for you.

We wish you a 2018 filled with good health, great technology and interesting law!

Warm wishes from

Paola Sangiovanni, Flavio Monfrini, Marco Bertucci and Miriam Postiglione

a.k.a. the GITTI and Partners life sciences team.

**********************************************************************************

New crimes triggering criminal corporate liability introduced.

Starting from November 19, 2017 and following an amendment of the Anti-Mafia Code, additional criminal conducts will trigger corporate criminal liability pursuant to Legislative Decree no. 231 of 2001. (If you are not yet familiar with “231”, i.e., the Italian law setting forth criminal corporate liability, you may refer to our previous blog post for an overview of such legislation).

Section 25-duodecies of Legislative Decree no. 231 of 2001 has been amended by the introduction of three new paragraphs (1-bis, 1-ter and 1-quater) relating to the following crimes in the area of illegal immigration:

• Procured illegal entry into the State; and
• Favoring illegal permanence into the State.

The full list of crimes and sanctions can be found here.

The idea is to punish companies who take advantage of illegal immigration, as well as to provide an incentive to companies to organize their activities in order to prevent such corporate crimes (in fact, companies are exempt from liability if they set up and actively pursue organizational models aimed at preventing corporate crimes). It is, however, unclear if continuously increasing the list of crimes that companies must prevent is an efficient way to do that.

Clinical Trials in Italy: Changes Announced.

On October 25, 2017 the lower chamber of the Italian Parliament (Camera dei Deputati) has approved a bill, which – inter alia – promises to change how clinical trials of pharmaceuticals are regulated by national law.  The bill requires that the changes follow these directions:

  • Requirements for trial centers will be issued and monitored yearly;
  • There will be greater involvement of patients’ associations in the protocol definition, especially in areas of rare diseases;
  • The name of the authorized trial centers, as well as of names and curricula vitae of all subjects involved in clinical trials, of the relevant financing arrangements and the relating contracts, will be published;
  • Measures aimed at protecting the independence of clinical trials and the absence of conflict of interests will be strengthened;
  • Minimum contents of clinical trial agreements will be set forth;
  • Formal requirements for the requests of opinions to the Ethical Committees will be simplified;
  • The possibility to use biologic or clinical residual material from previous diagnostic or therapeutic activities, under whichever title possessed, for clinical research purposes (subject to the patient’s informed consent) will be made easier;
  • Proceeds arising from clinical trials will be allocated between the trial center and research funds managed by the Ministry of Health;
  • Sanctions for breaches of legislation will be rationalized (and will include suspension of Ethical Committees, who breach procedures or miss deadlines).

According to the bill, the following changes would instead affect independent or non-profit clinical research, which in Italy continues to be based on a Ministerial Decree of 2004:

  • Revision of legislation in order to facilitate non-profit and observational clinical studies;
  • Private companies, who support such studies, will be allowed to purchase the relating data and use them for registration purposes.

The road to an actual change of legislation is still tortuous, as it requires a favorable vote of the exact same bill by the Senate, as well as a governmental legislative decree that would set forth detailed regulations along the aforementioned directions. Surely it is too early to predict the results of any such change.

In any event, given the room that EU Regulation 536/2014 still leaves to Member States’ legislation and how generic, old and fraught with issues the current Italian legislative framework is, reforming Italian clinical trial legislation is definitely a good idea.