All posts by Paola Sangiovanni


About Paola Sangiovanni

Partner of GITTI and Partners. Seasoned transactional and regulatory legal counsel with a thorough understanding of the life sciences industry.

Will the Sunshine Act and the Whistleblowing Act change life sciences companies?

Although not revolutionary, these two new pieces of legislation are certainly of great interest to life sciences companies operating in Italy. They may, in fact, entirely change the quantity and quality of information available on and to life sciences companies, and perhaps even impact the cultural landscape in which such companies operate.

-> INFORMATION IN: the Whistleblowing Act is designed to encourage a flow of information to the company;

<- INFORMATION OUT: the Italian Sunshine Act will ensure that interactions with HCPs or HCOs are publicly disclosed, which will generate information from companies out to the public.

THE SUNSHINE ACT.

  • Not yet applicable. The Italian Sunshine Act (law number 62 of 2022) is not yet applicable because the website of the Italian Ministry of Health where data should be published is not yet ready.
  • Aim. The purpose of the Sunshine Act is to enhance the transparency of relationships between companies and healthcare operators. In the intention of the legislator, it also aims at fighting corruption, even though the subject matters of the disclosure are entirely legitimate transactions.
  • Reportable interactions. Under the Sunshine Act, agreements and the delivery of money, goods, services or other benefits to a healthcare professional (HCP) having a value above €100 or an annual aggregate value of more than €1,000 trigger the obligation to report the transaction. The threshold is higher if a healthcare organization (HCO) is involved, as the value must be above €1,000 individually or above €2,500 annually. Additionally, any agreements with HCPs or HCOs regarding attendance at congresses, trainings or events, or any consultancy, research or teaching relationship, must also be reported, as well as any equity or bonds in life science companies granted to HCPs or HCOs (even if granted for free) and any consideration for intellectual property licenses. Reporting must occur every 6 months and the information on the registry will be available for 5 years. Consent to disclosure by HCPs is (supposedly) implied.

THE WHISTLEBLOWING ACT.

  • In force. The Whistleblowing Act (legislative decree no. 24 of 2023) is already in force for all companies to which it applies (including, but not limited to, life sciences companies). This means companies that have adopted a “231” model, as well as companies with more than 50 employees, or fewer if they are active in specific sectors.
  • Aim.  The purpose of whistleblowing legislation is to protect the reporting person by prohibiting any retaliation against him or her, while ensuring confidentiality and compliance with data protection legislation. This should encourage reports, also anonymous, on any illicit activity happening within or outside the company. Companies must appoint a specific body or person to manage the reports so that they can be properly investigated (when relevant), and feedback can be provided to the reporting person.

Both laws rest on the assumption that corruption is inherent in businesses, especially in life sciences companies, and should be unearthed, even in an industry that is heavily regulated, self-regulated, and closely monitored by regulators and authorities.

Will the Sunshine Act and the Whistleblowing Act change the perception of life sciences companies? Will their efforts in terms of transparency and accountability be rewarded with a more positive reputation? That’s hard to predict, and probably unlikely.

Life sciences companies must balance the tensions between health and profit, the needs of buyers, users and patients, their products’ innovation and safety. They must do that ethically and generally invest a lot of resources into their compliance efforts. The two new laws may further strengthen such commitment.

Quick Guide on Legislation In Force and Legislation Stalled

Just a quick blog post to align our readers on which legislation is in force and which is stalled at the moment:

  • The Ultimate Beneficial Owners register (discussed here), which companies strived to populate by December 11, 2023, is currently on hold due to administrative litigation that currently blocks the application of the register.
  • The European Regulation on Artificial Intelligence, which we already discussed here, is now final. It will enter into force in 2 years.
  • Legislation on payback for medical devices will be scrutinized by the Italian Constitutional Court thanks to decisions of the Lazio Administrative Court issued on November 24, 2023.
  • The Italian Sunshine Act (Law no. 62 of 2022), which we illustrated here, is in force but not yet applicable since the transparency website is not yet live.
  • Next week the Whistleblowing Law (analyzed here and here) will be mandatory for all companies in scope.
  • The Digital Services Act and the Digital Markets Act are in force.

AI and Healthcare: Recommendations by the Italian Data Protection Authority

The use of Artificial Intelligence in healthcare continues to grow and it is poised to reach 188 billion by 2030. It also raises many concerns.

The Italian data protection authority (Garante) has recently issued recommendations based on 10 points, which can be found here.

The Garante particularly insists on:

  1. Human in the loop: a human being must be involved in the control, validation or change of the automatic decision;
  2. No algorithmic discrimination: trustworthy AI systems should reduce mistakes and avoid discrimination due to inaccurate processing of health data;
  3. Data quality: health data must be correct and updated. Representation of interested subjects must correctly reflect the population.
  4. Transparency: the interested subject must be able to know the decisional processes based on automated processes and must receive information on the logic adopted so as to be able to understand it (easier said than done!). The Garante also requires that at least an excerpt of the Data Protection Impact Assessment is published.

Other recommendations are not surprising for anyone familiar with the GDPR:

  • Profiling and decisions based on automated processes must be expressly allowed by Member State’s laws.
  • The principles of privacy by design and privacy by default obviously play a big role in healthcare AI systems.
  • Roles of controller and processor must be correctly allocated: in particular, the public administration must ensure that external entities processing data are appointed as data processors.
  • A Data Protection Impact Assessment must be carried out and any risks must be evaluated.
  • Integrity, security and confidentiality of data must be ensured.

Striving for genuine transparency in connection with very complex and rapidly evolving algorithms is not going to be an easy task for the data controller. Similarly, understanding how AI works in a healthcare setting is not going to be simple for patients.

GDPR Turns 5, and Trans-Atlantic Data Flow Remains a Headache

Happy birthday to the GDPR, which turned 5 years old on May 25, 2023! Is the European Union (and, given the Brussels effect, perhaps the entire world) a better place than pre-GDPR? This is a difficult question. Surely there has been a lot more focus on data protection by companies. And one of the reasons why companies have attempted to comply (100% compliance appears to be an unachievable goal!) is the possibility of being sanctioned with “administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher”. Clearly, while the very same GDPR language applies throughout the EU, data protection legislation is not yet harmonised, not even 5 years after its entry into force. About 30 articles of the GDPR allow Member States to depart from it. Interpretations of the Regulation also vary, so in many areas uniformity has given way to diversity (which, in this case, is not ideal).

Additionally, enforcement of the GDPR is entirely decentralized, and data protection authorities have different views, differing resources and different strategies. A list of GDPR sanctions is regularly updated and, since the Meta decision of May 22, 2023, the Irish Data Protection Commission has emerged as the champion. While it was previously criticized for “being too cozy to Big Tech”, it has issued the highest ever sanction, along with strong measures ordering Meta to stop further transfers of personal data from the EU to the US and to bring its processing operations of data already transferred to the US into compliance with the GDPR. The problem, once again, stems from the trans-Atlantic data flow from the EU to the US, and from the concerns that such EU personal data is subject to surveillance in the US, without any redress system for EU citizens. (Incidentally, thousands of companies, like Meta, may have the same problem.)

The US and EU have yet to reach an agreement that would allow a safe flow of data (although there are hopes that progress will be achieved by July). Further, there is no guarantee that the European Court of Justice will not strike down any such new arrangement, as it did in the past (twice). Meanwhile, the post-GDPR world appears to push strongly towards data localization (or “sovereign cloud”), making data flows out of the EU to non-“adequate” countries very scary.

Focus on Med-Tech Prices

A new body dedicated to reviewing prices of medical devices in Italy has been established by the January 23, 2023 decree of the Ministry of Health, which has been recently published (and you may find here). This new “Osservatorio nazionale dei prezzi dei dispositivi medici” will be aided by the Health Technology Assessment group and other entities within the national healthcare service.

The outcome of the Osservatorio’s analysis will be published in a dedicated section of the Ministry of Health website.

The med-tech industry association has welcomed a better focus on prices, but warned against confusion among the 1.5 million+ med-tech goods and related services offered in Italy, as well as pointed out that Italy does not suffer from a problem of overspending in medical devices (the prices of which are substantially lower than the EU average), but of underfunding of the national health service.

AI Liability Directive: Key Takeaways

We have already illustrated the new proposed rules for a product liability directive on this blog. We now analyze the proposal for an AI Liability Directive, which offers interesting insights on how liability rules will be tweaked where Artificial Intelligence is concerned. In fact, as noted by the Commission’s explanatory memorandum to the AI Liability Directive, “the ‘black box’ effect can make it difficult for the victim to prove fault and causality and there may be uncertainty as to how the courts will interpret and apply existing national liability rules in cases involving AI”.

These slides may help in understanding the AI Liability Directive. If you have questions or doubts, do not hesitate to reach out to us.