With a law decree decided yesterday, the Italian Government enacted two interesting new rules aimed at health care professionals (“HCPs“):
- Criminal liability of HCPs administering vaccines for the crimes of manslaughter and personal injuries is excluded, provided that the vaccinations follow the indications of the authorization of the specific vaccine and the decisions of the Ministry of Health;
- The obligation of HCPs to be vaccinated is introduced: HCPs refusing to undergo vaccination may be assigned to different duties or her/his remuneration may be suspended. The constitutionality of this obligation has been often discussed, but most scholars believe that – on the basis of the Constitutional Court jurisprudence (especially decision no. 5 of 2018, drafted by Ms. Cartabia, who is now part of the government) – there is no doubt about compliance of this provision with the Italian Constitution. Vaccination is in fact aimed at not only preserving health for the individual who is vaccinated, but also other people’s health, and consequences of vaccination are tolerable.
Hopefully the above provisions will help the vaccination campaign move faster. I certainly cannot wait to roll up my sleeve!
As the vaccine campaign continues with few cornerstones and many unknows, several interesting questions regarding protection and processing of vaccine-related data are starting to arise.
One of these came to the attention of the Italian Data Protection Authority (“Authority”) and concerns the legitimacy of instruments of vaccine tracking such as electronic passes or Apps. These instruments – yet to be discussed officially by the Italian Parliament – would allow only vaccinated individuals to access certain areas (airports, cinemas, restaurants) and services (public transport, circulation in general). The Authority has underlined, through a memo dated March 1, 2021, how such tools should not be considerate legitimate from a data protection standpoint unless a national law regulates the whole subject matter. In fact, an inappropriate treatment of vaccine-related data – according to the Authority – may cause extremely dangerous consequences in terms of risks for discrimination and unjustified compression of constitutional freedoms. Given the non-mandatory nature of vaccine themselves – as reminded by the Resolution of the Parliamentary Assembly of the Council of Europe on January 27 – it would be unreasonable to punish, in fact, those who freely decide not to get vaccinated, by preventing them the access to the almost all public spaces and services. Considering that such balance between public needs and individual freedoms can (and must) only be stroke by the national legislator, also to avoid fragmented rules, the Authority submitted a notice to the Italian Parliament to promptly address the matter.
The issue is relevant also on a European level: the official proposal of the “Green Pass” is expected to be unveiled on March 17, 2021. This Pass – according to the remarks by the President of the European Commission Ursula von der Leyen – should substantially be a European passport including information on vaccination and, for those who are not vaccinated, the results of the Covid-19 tests. Such instrument would hopefully facilitate international mobility. It is still to be seen whether European countries will reach consensus on the matter, as some of them (France and Belgium, among others) already pointed out the unfairness of a mechanism that would facilitate the mobility of only those who are vaccinated, in prejudice of others.
Another related issue which the Authority has addressed, with FAQs on its website, concerns the processing of vaccination-related data in the workplace. In particular, the employer is not entitled to have access to the information on whether his/her employees are vaccinated or not, being the competent doctor the only subject able to process and assess data concerning vaccination. Even if the employee, due to the fact that he/she is not vaccinated, must be considered as non-suitable for specific duties (for example in the healthcare sector, where vaccinated workers would be preferable), the employer will only be able to have access to the information on the total or partial non-suitability, while only the competent doctor would be able to process information regarding vaccination of single employees.
It seems quite evident the need for a step in of the national legislator to address these matters.
This year’s celebrations for Data Protection Day may have been a bit toned down. But you still may have been so busy celebrating that you may have missed a couple of news from the (data privacy) world.
First, the EDPB’s Guidelines 01/2021 on Examples regarding Data Breach Notification are out and open for comments until March 2nd. The document can be used as a very practical guide for whoever is involved in data processing activities. It is aimed at helping data controllers in deciding how to handle data breaches and what factors to consider during risk assessment. The Guidelines reflect the experiences of the European supervisory authorities since the GDPR became applicable and they are full of cases and examples which make them, admittedly, a practice-oriented, case-based guide for controllers and processors. So, are you curious to know what to do in case of a ransomware attack with backup but without exfiltration in a hospital? Or perhaps in case of a credential stuffing attack on a banking website? Or you’re “just” trying to figure out what to do in case of mistakes in post and mail? Then, check out the guidelines!
Meanwhile, in Italy, the Italian Data Protection Authority gave its favourable opinion to the proposed reform of the Italian Registro Pubblico delle Opposizioni, a service designed for the protection of data-subjects, whose telephone number is publicly available but who wish not to receive unsolicited direct marketing calls from an operator. Nevertheless, the Italian Data Protection Authority specified that such service, essentially based on a list of express dissents, only applies to marketing activities carried out by human operators and cannot be extended to automated calls. The Italian Data Protection Authority, by doing so, confirms that marketing activities carried out through automated systems must be subject to stricter measures and always require express consent, given their highly invasive nature. So: Humans 1, Automated Calling Machines: 0.
Today the European Medicines Agency (specifically, its human medicines committee or CHMP) has recommended granting a conditional marketing authorisation to the vaccine developed by BioNTech and Pfizer to prevent COVID-19 in people from 16 years of age.
In the words of the EMA press release, “EMA’s scientific opinion paves the way for the first marketing authorisation of a COVID-19 vaccine in the EU by the European Commission, with all the safeguards, controls and obligations this entails.”
The CHMP has concluded that data on the quality, safety and efficacy of the vaccine are sufficient, given the results of a trial on 44,000 people so far. The process of data collection will in any case continue for at least 2 more years.
It is still unclear who, when and how we will have access to the vaccine, but certainly a vaccine is coming our way. After a 2020 filled with lives lost, fear, confinement and social deprivation, this is absolutely great news. What a few months back seemed wildly optimistic, is now happening.
We want to end 2020 on a high note and wish you relaxing holidays and a new happy, healthy and social year!
Unless you are exclusively devoting this lockdown to following webinars on the Schrems II decision (there is an impressive offering out there), you may have missed a couple of interesting developments in the area of data protection:
- the European Data Protection Board adopted recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, which can be found here. In short, the EDPB sets forth a to-do-list for data controllers exporting data composed of 6 steps:
- 1. map your transfers outside the EU;
- 2. verify the transfer tool you are using;
- 3. assess the law or practice of the country of destination (refer to the EDPB European Essential Guarantees recommendation);
- 4. identify and adopt supplementary measures;
- 5. take any formal step to introduce any supplementary measures; and
- 6. re-evaluate periodically.
- The Italian Data Protection Authority is increasingly worried by threats to privacy posed by apps (not just TikTok). It has issued a presentation to warn users about the use and misuse of personal data by various apps.
Have you ever struggled to pinpoint the roles, and subsequent responsibilities, of controllers, joint controllers and processors in the context of the GDPR? Have you found yourself in negotiations where it was discussed who acted in which role? Help is coming your way.
The European Data Protection Board (or EDPB), a body composed of – inter alia – representatives of EU national data protection authorities, has provided helpful guidance in that regard. Guidelines 07/2020 on the concepts of controller and processor in the GDPR (adopted on September 2, 2020 but more recently made available) offer clarifications on such respective roles.
Generally speaking, such GDPR roles have a functional nature and call for a factual rather than formal analysis.
- The controller can be any type of entity. It determines the purpose (the why) and the means (the how) of the data processing. Certain aspects of the processing may be determined by the processor, but they have to be “non-essential”.
- Joint controllers jointly participate to the determination of the purpose and means of processing, either through a common decision, or as a result of converging decisions. There is no joint controllership when different entities use a shared database or a common infrastructure, if each entity independently determines its own purposes.
- Data processors act on behalf of data controllers and must be separate entities from data controllers. Data processors must follow the instructions of the data controller, with a limited decree of discretion in their execution.
- The same entity may act, at the same time, as controller for certain processing operations and as processor for others: each data processing activity must be separately assessed.
Comments on the Guidelines can be sent to the EDPB until October 19.
New criteria for reimbursement of medicinal products by the national healthcare system will apply as a result of publication of Ministerial Decree of August 2, 2019 occurred on July 24, 2020.
The new criteria focus on the clinical value of the medicinal product and on its added therapeutic value compared to other available medicinal products, while, before such Ministerial Decree, the emphasis was on the advantageous cost-effectiveness of the drug. Unless a clinical superiority of the drug compared to similar drugs can be established, the outcome of the reimbursement negotiations will be negative. AIFA has summarized here the changes introduced.
Negotiations can be either started by the pharmaceutical company or by AIFA. Guidelines on the documentation, to be submitted by the pharmaceutical company, are currently subject to public consultation until September 30, 2020.
Under the new Ministerial Decree the pharma company must disclose information regarding reimbursement conditions already negotiated in other countries, estimates of expenditure on the basis of estimated market quotas, patent status, and economic/financial impacts on public expenditure. Sales data and marketing data must also be provided to AIFA throughout the validity of the reimbursement arrangement. Confidentiality obligations covering the reimbursement agreement, however, are not expressly prohibited.
Innovative reimbursement models, as well as traditional schemes, are possible.
Italian corporations are subject to criminal liability arising from legislative decree 231 of 2001: more on the topic can be found here.
“231 crimes” triggering such liability are already a vast and varied list of crimes. They are not limited to corruption crimes, but range from manslaughter due to breach of safety on the workplace provisions to corporate crimes and tax crimes.
Nonetheless, the list of “231 crimes” continues to grow.
Effective on July 30, 2020 new crimes will be added, as law 75 of 2020 will come into force. The new crimes are mostly further nuances of the tax crimes, as well as new crimes (fraud in public supplies, fraud in agriculture and smuggling, misappropriation and abuse of office).
It’s time for companies to update their organizational models again! (Perhaps enjoy your well deserved summer vacation first: it has been quite a year).
Yesterday, on July 16, 2020, in a landmark decision, the Court of Justice of the European Union ruled that the key data-sharing mechanism, the EU-US Privacy Shield, is invalid, as it failed to protect privacy and data protection rules.
The case behind the decision.
Maximillian Schrems, an Austrian national residing in Austria, who has been a Facebook user since 2008, lodged a complaint with the Irish supervisory authority seeking, in essence, to prohibit the transfer of his personal data by Facebook Ireland to servers belonging to Facebook Inc., located in the United States. In its recent decision, the Court expressed the view that «the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union» are «not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary» (the full Court press release is available here: https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf.
According to the BBC, Max Schrems called it a win for privacy, stating that «it is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a role in the EU market» he said, while the US Secretary of Commerce Wilbur Ross said his department was “deeply disappointed” by the decision and said he hoped to «limit the negative consequences to transatlantic trade worth $7.1 trillion (£5.6tn)» https://www.bbc.com/news/technology-53418898.
Impact and remedies.
The Court held that standard contractual clauses will continue to be a valid means for the transfer of data outside the European Union.
Therefore, companies currently benefitting from the EU-US Privacy Shield will likely transition to standard contractual clauses. Microsoft, for example, has issued a statement saying it already uses them and is unaffected by the recent Court decision (the full statement is available here: https://blogs.microsoft.com/eupolicy/2020/07/16/assuring-customers-about-cross-border-data-flows/.
While we are slightly surprised by the decision, we must confess it has been years since we last suggested a client to use the Privacy Shield: standard contractual clauses have always been an easier and more flexible tool.
On April 24, 2020 the new Regulation (EU) 2020/561 officially entered into force, postponing the date of application of most Medical Devices Regulation (MDR) provisions to May 26, 2021. The final text of the regulation can be found here: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32020R0561&from=EN.
The postponement was approved unanimously and was considered unavoidable since the outbreak of the covid-19 pandemic in early 2020 made it very clear that businesses, notified bodies and regulators would not be ready in time for the entry into force of the MDR requirements in May 2020.
The European Commission noted, with some relief, that “this postponement takes the pressure off national authorities, notified bodies, manufacturers and other actors so they can focus fully on urgent priorities related to the coronavirus crisis” (https://ec.europa.eu/growth/sectors/medical-devices_nn).
While the postponement might have been triggered by the covid-19 pandemic, there is no doubt it now gives regulators and the industry alike the chance to remedy the delays that have accumulated over the past few years, with the hope that they will come prepared to the new deadline of May 2021.