Category Archives: Legal news

Facial Recognition Technology: Are We Close to a Turning Point?

When people think about facial recognition technology (“FRT”), they immediately imagine the use of their faces to unlock their smartphones. But this technology is far more complicated, useful and potentially dangerous.

First, it is important to understand the difference among “facial detection”, “facial characterization”, “facial identification” and “facial verification”. Such terms have been defined by the non-profit organization Future of Privacy Forum (https://fpf.org/wp-content/uploads/2019/03/Final-Privacy-Principles-Edits-1.pdf) as follows:

  • Facial detection simply distinguishes the presence of a human face and/or facial characteristics without creating or deriving a facial template.
  • In facial characterization the system uses an automated or semi-automated process to discern a data subject’s general demographic information or emotional state, without creating a unique identifier tracked over time.
  • Facial Identification is also known as “one-to-many” matching because it searches a database for a reference matching a submitted facial template and returns a corresponding identity.
  • The last one, facial verification, is called “one-to-one” verification because it confirms an individual’s claimed identity by comparing the template generated from a submitted facial image with a specific known template generated from a previously enrolled facial image.

There are many possible uses of facial recognition. In the private sector FRT may be used to keep track of employees’ time and attendance, identify shoppers’ patterns inside stores, implement smart homes, etc. In the public sector, FRT may be used to monitor protests, identify suspects in security footage, check claimed identities at borders, etc.

This relatively new technology brings, besides a wide range of possible implementations, significant concerns regarding privacy, accuracy, race and gender disparities, data storage and security, misuse. For instance, depending on the quality of images compared, people may be falsely identified. In addition to that, in its current state, FRT is less accurate when identifying women compared to men, young people compared to older people, people of color compared to white people. Privacy is certainly another concern: without strong policies it is unclear how long these images might be stored, who might gain access to them or what they can be used for; not to mention that this technology makes far easier for government entities to surveil citizens and potentially intrude into their lives (see “Early Thought & Recommendations Regarding Face Recognition Technology”, First report of the AXON AI and policing technology Ethics Board https://www.policingproject.org/axon-fr).

Once the possible implementations and the related risks are understood, the worldwide lack of regulation becomes even more surprising.

Within the European Union, the General Data Protection Regulation obviously applies to FRT. Furthermore, “Guidelines on Facial Recognition” have been released on January 28, 2021 by the Consultative Committee of the Council of Europe with regard to automatic processing of personal data (https://rm.coe.int/guidelines-on-facial-recognition/1680a134f3). This latter document includes:

  • Guidelines for legislators and decision-makers;
  • Guidelines for developers, manufacturers and service providers;
  • Guidelines for entities using FRT;
  • Rights of data subject.

When it comes to Italy, particular attention has been drawn by several decisions of the Italian Data Protection Authority on the topic. Recognizing the innovative potential of FRT as well as its riskiness for individual rights, the Authority adopted a more permissive approach regarding the private sector’s use of FRT, while issuing stricter decisions with regard to the use of FRT by public authorities. For instance, the Authority allowed the use of FRT by police forces for purposes of identifying individuals among archived images, but prohibited real-time surveillance using the same technology (see https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9040256 and https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9575877). On the other hand, the Authority allowed one airport to implement FRT for purposes of improving efficiency in the management of the flow of passengers, so long as images of individuals were not stored (see https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/8789277).

The European Commission, in light of the complexity of the situation and the necessity of a strong and harmonised legislative action, presented on April 21, 2021 its “Proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence” (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52021PC0206). This Proposal was already the subject, on June 18, 2021, of a EDPB and EDPSs’ joint-opinion (https://edpb.europa.eu/our-work-tools/our-documents/edpbedps-joint-opinion/edpb-edps-joint-opinion-52021-proposal_en), in which they called for a general ban on the use of FRT for:

  • Automated recognition of human features in publicly accessible spaces;
  • Categorization of individuals into clusters according to ethnicity, gender, etc., based on biometric features;
  • Inference of individuals’ emotions.

What the European Commission is doing is an example of a more globally widespread legislators’ attitude towards artificial intelligence in general and FRT in particular. These technologies are more and more in our lives and are constantly evolving. Consequently, there is an increasing request, both from public and private subjects, for clear rules to govern this new technology and ensure that individual rights are safeguarded. Hopefully in the next months/years the situation will become clearer.

Flavio Monfrini / Michele Galluccio

Repeal of Patent Linkage in Italy is on the Horizon

The patent linkage is the practice of linking the marketing authorisation of medicinal products, their pricing or reimbursement, or any other generic drug approval, to the patent status of the original reference product.

On 4 November 2021 the Italian Council of Ministers approved the draft law for the market and competition for the year 2021 (the “Draft Law”), by means of which by the end of this year the Italian Government intends to modify, update and renovate the regulatory framework of several critical sectors of the economic life of the country, amongst which energy, transportation, entrepreneurship and healthcare.

With the aim of removing barriers to market entry for generic medicines, the Draft Law inter alia provides for the abolition of the patent linkage, finally bringing Italy, on this point, in line with the EU law and the other European countries.

Indeed, the Draft Law repeals article 11, paragraph 1, of Law no. 189/2012 (the “Balduzzi Decree”), pursuant to which generic drugs cannot be included in the list of the medicines reimbursed by the Italian National Health Service before the expiry date of the patent or of the supplementary protection certificate of the corresponding originator’s product.

Because it establishes a patent linkage, said provision of the Balduzzi Decree is generally held in breach of the EU law, according to which regulatory bodies, when granting a marketing authorisation for a medicine, setting its price, and determining its class of reimbursement, cannot consider the patent coverage, but only the quality, safety, and efficacy of medicines.

In the last decade the Italian association of generic drug manufacturers (Assogenerici), several patient advocacy groups and even the Italian Competition Authority had tried to push the Italian Government to repeal article 11, paragraph 1, of the Balduzzi Decree, but without success. Now, probably also under the EU Commission’s pressures to comply with the requirements it set in the framework of the aids given to Italy to face the economic and social consequences of the Covid-19 pandemic, the Italian Government decided to finally remove the patent linkage.

The purpose of the measure provided by the Draft Law is to allow manufacturers of generic medicines to carry out all the negotiation procedures for price and reimbursement to be ready to enter the market as soon as the patent expires, and so to increase the competition in the healthcare sector.

The Draft Law will be soon submitted to the Italian Parliament, where it will be discussed and where it might be subject to several and significant amendments. We will see whether the abolition of the patent linkage will be eventually approved and will therefore become law.

Web Cookies’ Processing: New Guidelines by the Italian DPA

On June 10, 2021 the Italian DPA has officially issued new guidelines for the processing of cookies and other online tracking instruments. Such newly-issued guidelines are aimed at compliance with principles set forth by the GDPR, as well as by the recently issued contributions of the European Data Protection Board. The new guidelines complement and update the previous ones issued in 2014.

New provisions mainly regard how consent is acquired and information to be provided to interested subject. In fact:

  • consent by the user must be given in accordance with principles of freedom and unambiguousness. Accordingly, the use of methods that do not comply with such principles, such as the “scrolling-down” and the “cookie-wall”, are unlawful and void;
  • the “cookie banner” must comply with the “privacy by design” and “privacy by default” principles, as resulting from article 25 of the GDPR. Consequently, simplified manners for the obtainment of the consent are allowed only to the extent that they comply with some pre-determined requirements;
  • “analytic cookies” can be processed without any consent by users only if they do not allow any identification (direct identification of the person concerned should not be achieved), and if they are used for the production of aggregate data only. Otherwise, they need to be expressly authorized;
  • information to be provided to the users must be specific and comply with articles 12 and 13 of the GDPR.

Data controllers now have a 6-months term (expiring on December 2021) for the adoption of the measures necessary to comply with such giudelines.

The full text of the measure can be found at the following link: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9677876.

Our Article on Clinical Trial Legislation Is Out

We are happy to announce that our article on “Drug Clinical Trials Legislation in the European Union” has been published on the Indian Journal of Law and Technology (https://www.ijlt.in/).

You may read it here or here.

The purpose of the article is to illustrate the basic tenets of European Union law on clinical trials. Such body of law has been progressively harmonized in the European Union over the years with the aim of subjecting interventional clinical trials conducted in any of the 27 European Union Member States to identical rules.

The article initially describes the reasons why clinical trials are important to measure the safety, efficacy and cost-effectiveness of innovative medical treatment. It then continues by illustrating the scope and basic principles of the current EU Regulation, as well as its main changes over the previous legislation. Further, the article explains the requirements of the scientific and the ethical approvals of a clinical trial application. Lastly, the authors focus
on the patients’ consent to the enrollment in a clinical trial, as well as to the patients’ separate consent to the processing of their personal data

New Data Transfer Standard Contractual Clauses Approved by the EU Commission

On June 4, 2021 the EU Commission approved new standard contractual clauses (“SCC“), which are regarded to provide appropriate safeguards within the meaning of Article 46(1) and (2) (c) of the GDPR.

The new SCC are updated with GDPR, the opinions expressed during the course of the consultation phase (including those of the European Data Protection Board and the European Data Protection Supervisor), as well as take into account the recent Schrems II judgement of the Court of Justice.

There are two different sets of SCC: (i) for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) and (ii) to controllers or processors established outside the EU/EEA (and not subject to the GDPR).

The new SCC promisemore flexibility for complex processing chains, through a ‘modular approach’ and by offering the possibility for more than two parties to join and use the clauses“.

If you or your company are using the old SCC, you have a transition period of 18 months.

Patents on Covid Vaccines: the Plot Thickens

Last Friday I spoke at an interesting event, dedicated to lessons learned during the pandemic, sponsored by the association Women&Tech.

My plan was to illustrate the international aspects of intellectual property and, in particular, the possibilities afforded by article 31 of the TRIPS agreement to obtain a license to use vaccines’ patents without consent of the patent holder. There had also been a proposal by India and South Africa to waive IP rights on vaccines altogether, but it had been rejected. The discussion seemed largely theoretical.

Only a few hours before the event, the scenario completely changed when the US announced that it was backing the idea of a waiver of IP rights on Covid vaccines’ patents. Reactions by EU leaders were varied, and it is still unclear if the waiver proposal will receive the required three fourths of the votes at the WTO level.

You may find my slides (in Italian) below, but in my view the clearest explanation of the issues at stake is in the position paper by the Max Planck Institute for Innovation and Competition, which can be found here.

Entry into force of EU Regulation on Clinical Trials is Getting Closer

EU Regulations on Clinical Trials number 536/2014 will enter into force 6 months after the publication of a notice by the EU Commission confirming that the clinical trial portal and databases have achieved full functionality in accordance with the required specifications.

Such clinical trial portal and database, where all information submitted through the portal will be stored, supposedly one of the high points of the Regulation, is probably its worst enemy so far. In fact, due to technical difficulties with the development of the IT systems (aka “CTIS”), the portal’s go-live date had to be postponed for years. Therefore, so far, the Directive continues to apply, while some argue that the Regulation – that appeared cutting edge in 2014 – already shows the signs of age.

Now things are finally moving ahead.

On April 21, 2021 the European Medicines Agency’s Extraordinary Management Board confirmed that “CTIS is fully functional and meets the functional specifications, following an independent, successful audit“. 

The ball is now in the European Commission’s court: once the Commission confirms the same conclusions on CTIS, a notice will be published in the Official Journal of the European Union. “Six months after this notice, the Regulation will start to apply and CTIS will go live. The aim is that CTIS goes live on 31 January 2022.says the EMA.

Personal Data of Deceased People: Clear Indications by the Italian Data Protection Authority

Access to personal data concerning deceased people may represent an issue and a necessity, especially for their heirs. How is such kind of access to personal data currently regulated under the Italian Law (Legislative Decree n. 196/2003), as amended after GDPR?

The Italian Data Protection Authority, in its efforts to combine data protection legislation and clarity, recently issued an outline of article 2-terdecies of the Legislative Decree n. 196/2003.

  • Who is entitled to such right to access? Whoever (i) has a vested interest; (ii) acts in the interest of the deceased person (who is the “interested party” pursuant to data protection laws); (iii) acts as mandatary; or (iv) acts for worthwhile reasons of family protection.
  • To whom should the request to access data be addressed? The request should be addressed to the relevant Data Controller (i.e., the natural or legal person, public authority, agency or other body, either private or public, which determines the purposes and means of the processing of personal data), also through the Data Processor (i.e., the natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller), where appointed.
  • Which information may be requested? (i) Access to personal data of the deceased person; (ii) the purpose of processing data; (iii) which data have been communicated and the related addressees; (iv) the retention period; (v) the origin of such data and (vi) whether data are subject to an automatic decisional processing (Sections 15-22 of GDPR).
  • Do you have to pay to access data? No, it is free (unless the request is manifestly unfounded or excessive).
  • Are there any exceptions or limits? Yes, it is not possible to access data in the event it is forbidden (i) by the law or (ii) by the interested party, who released an express and unequivocal declaration addressed to the Data Controller. However, even in the latter hypothesis, third parties exercising their patrimonial rights originating from the death of the interested party cannot be prejudiced in their rights.
  • Do you have to motivate your request? No.
  • How long does it take to get a feedback on your request? Maximum one monthsince your request, except in some particular cases, as provided by GDPR.
  • What can you do if your request is refused or in lack of any feedback? You may address the Italian Data Protection Authority or the relevant court.

Access to data concerning deceased people seems to be quite easy in theory. However, balancing patrimonial rights of heirs and assessing “express and unequivocal” declarations of the deceased may prove to be more complex in practice.