Category Archives: Legal news

Data Protection: What You May Have Missed

Unless you are exclusively devoting this lockdown to following webinars on the Schrems II decision (there is an impressive offering out there), you may have missed a couple of interesting developments in the area of data protection:

  • The European Data Protection Board adopted recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, which can be found here. In short, the EDPB sets forth a to-do list of 6 steps for data controllers exporting data:
      1. map your transfers outside the EU;
      2. verify the transfer tool you are using;
      3. assess the law or practice of the country of destination (refer to the EDPB European Essential Guarantees recommendation);
      4. identify and adopt supplementary measures;
      5. take any formal step to introduce any supplementary measures; and
      6. re-evaluate periodically.
  • The Italian Data Protection Authority is increasingly worried by threats to privacy posed by apps (not just TikTok). It has issued a presentation to warn users about the use and misuse of personal data by various apps.

Guidelines on Concepts of Controller and Processor in the GDPR

Have you ever struggled to pinpoint the roles, and subsequent responsibilities, of controllers, joint controllers and processors in the context of the GDPR? Have you found yourself in negotiations where it was discussed who acted in which role? Help is coming your way.

The European Data Protection Board (or EDPB), a body composed of – inter alia – representatives of EU national data protection authorities, has provided helpful guidance in that regard. Guidelines 07/2020 on the concepts of controller and processor in the GDPR (adopted on September 2, 2020 but more recently made available) offer clarifications on such respective roles.

Generally speaking, such GDPR roles have a functional nature and call for a factual rather than formal analysis.

In short:

  • The controller can be any type of entity. It determines the purpose (the why) and the means (the how) of the data processing. Certain aspects of the processing may be determined by the processor, but they have to be “non-essential”.
  • Joint controllers jointly participate in the determination of the purpose and means of processing, either through a common decision, or as a result of converging decisions. There is no joint controllership when different entities use a shared database or a common infrastructure, if each entity independently determines its own purposes.
  • Data processors act on behalf of data controllers and must be separate entities from data controllers. Data processors must follow the instructions of the data controller, with a limited degree of discretion in their execution.
  • The same entity may act, at the same time, as controller for certain processing operations and as processor for others: each data processing activity must be separately assessed.

Comments on the Guidelines can be sent to the EDPB until October 19.

New Reimbursement Criteria for Medicinal Products

New criteria for reimbursement of medicinal products by the national healthcare system will apply following the publication, on July 24, 2020, of the Ministerial Decree of August 2, 2019.

The new criteria focus on the clinical value of the medicinal product and on its added therapeutic value compared to other available medicinal products, while, before such Ministerial Decree, the emphasis was on the advantageous cost-effectiveness of the drug. Unless a clinical superiority of the drug compared to similar drugs can be established, the outcome of the reimbursement negotiations will be negative. AIFA has summarized here the changes introduced.

Negotiations can be either started by the pharmaceutical company or by AIFA. Guidelines on the documentation, to be submitted by the pharmaceutical company, are currently subject to public consultation until September 30, 2020.

Under the new Ministerial Decree the pharma company must disclose information regarding reimbursement conditions already negotiated in other countries, estimates of expenditure on the basis of estimated market quotas, patent status, and economic/financial impacts on public expenditure. Sales data and marketing data must also be provided to AIFA throughout the validity of the reimbursement arrangement. Confidentiality obligations covering the reimbursement agreement, however, are not expressly prohibited.

Innovative reimbursement models, as well as traditional schemes, are possible.

Further Crimes Triggering “231” Liability

Italian corporations are subject to criminal liability arising from legislative decree 231 of 2001: more on the topic can be found here.

The “231 crimes” triggering such liability already form a vast and varied list. They are not limited to corruption crimes, but range from manslaughter due to breach of workplace safety provisions to corporate crimes and tax crimes.

Nonetheless, the list of “231 crimes” continues to grow.

Effective on July 30, 2020 new crimes will be added, as law 75 of 2020 will come into force. The new crimes are mostly further nuances of the tax crimes, as well as new crimes (fraud in public supplies, fraud in agriculture and smuggling, misappropriation and abuse of office).

It’s time for companies to update their organizational models again! (Perhaps enjoy your well-deserved summer vacation first: it has been quite a year).

The European Court of Justice Strikes Down the EU-US Privacy Shield

Yesterday, on July 16, 2020, in a landmark decision, the Court of Justice of the European Union ruled that the key data-sharing mechanism, the EU-US Privacy Shield, is invalid, as it failed to protect privacy and data protection rules.

The case behind the decision.

Maximillian Schrems, an Austrian national residing in Austria, who has been a Facebook user since 2008, lodged a complaint with the Irish supervisory authority seeking, in essence, to prohibit the transfer of his personal data by Facebook Ireland to servers belonging to Facebook Inc., located in the United States. In its recent decision, the Court expressed the view that «the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union» are «not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary» (the full Court press release is available here: https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf).

According to the BBC, Max Schrems called it a win for privacy, stating that «it is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a role in the EU market», while the US Secretary of Commerce Wilbur Ross said his department was “deeply disappointed” by the decision and said he hoped to «limit the negative consequences to transatlantic trade worth $7.1 trillion (£5.6tn)» (https://www.bbc.com/news/technology-53418898).

Impact and remedies.

The Court held that standard contractual clauses will continue to be a valid means for the transfer of data outside the European Union.

Therefore, companies currently benefitting from the EU-US Privacy Shield will likely transition to standard contractual clauses. Microsoft, for example, has issued a statement saying it already uses them and is unaffected by the recent Court decision (the full statement is available here: https://blogs.microsoft.com/eupolicy/2020/07/16/assuring-customers-about-cross-border-data-flows/).

While we are slightly surprised by the decision, we must confess it has been years since we last suggested that a client use the Privacy Shield: standard contractual clauses have always been an easier and more flexible tool.

MDR: the Postponement to 2021 is Official

On April 24, 2020 the new Regulation (EU) 2020/561 officially entered into force, postponing the date of application of most Medical Devices Regulation (MDR) provisions to May 26, 2021. The final text of the regulation can be found here: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32020R0561&from=EN.

The postponement was approved unanimously and was considered unavoidable since the outbreak of the covid-19 pandemic in early 2020 made it very clear that businesses, notified bodies and regulators would not be ready in time for the entry into force of the MDR requirements in May 2020.

The European Commission noted, with some relief, that “this postponement takes the pressure off national authorities, notified bodies, manufacturers and other actors so they can focus fully on urgent priorities related to the coronavirus crisis” (https://ec.europa.eu/growth/sectors/medical-devices_nn).

While the postponement might have been triggered by the covid-19 pandemic, there is no doubt it now gives regulators and the industry alike the chance to remedy the delays that have accumulated over the past few years, with the hope that they will be prepared for the new deadline of May 2021.

New Intellectual Property Scenarios in the Age of Covid-19

IP DONATIONS. Many life sciences companies have made generous donations to alleviate the difficulties that have arisen in these dire pandemic times (Roche Italia, for example, has donated medicinal products, devices, cash and services).

Some of them, instead, have donated intellectual property: Medtronic, for example, has publicly posted design specifications for its Puritan Bennett™ 560 (PB560) ventilator “to allow innovators, inventors, start-ups, and academic institutions to leverage their own expertise and resources to evaluate options for rapid ventilator manufacturing”. More than 90,000 people were interested.

IP VOLUNTARY LICENSES.  Momentum is also building in favor of the Open Covid-19 Pledge, a program, now also sponsored by the Creative Commons, where patent holders pledge to make their intellectual property available free of charge for uses against Covid-19. The pledge, rather than a donation, takes the form of a royalty-free, non-exclusive, worldwide license under which the intellectual property is made available. Such license may be standard or can be adapted by licensors in various ways.

While many research institutions and private companies are working on a Covid-19 vaccine, the World Health Organization has warned that “it will be important that vaccines go where they are most needed, not simply to the countries that can afford them.” Critical issues not only affect the development of a vaccine, but will also affect its mass production and worldwide distribution. A similar request has been voiced by the European Parliament in its Motion for Resolution dated April 14, 2020, where it “calls on the Commission to ensure that, when EU public money is spent on research, the results of that research are not protected by intellectual property rights and price accessibility to patients is guaranteed for the products developed; stresses the importance of public research and development activities and institutions and of cooperation at international level, while expressing concerns over the dominant role of multinationals in the pharmaceutical sector; urges all pharmaceutical companies to pool their data and knowledge in a collective effort to identify, test, develop and manufacture treatments to curb the disease”.

IP MANDATORY LICENSES.  Such voluntary licenses are completely different from the mandatory licenses that section 31 of the TRIPS agreement allows in case of a “national emergency or other circumstances of extreme urgency”. While the right holder would need to receive “adequate remuneration”, this instrument would allow governments to obtain a non-exclusive and non-assignable license to use the patent without the authorization of the right holder.

It is thus possible that the extreme circumstances in which we are living may also bring completely new scenarios in the intellectual property landscape.

Italian Government’s Golden Power Reformed: Towards Nationalization of Strategic Sectors? Not exactly.

As announced in our previous blog post, the broadest powers to the Italian government in relation to M&A deals became fully effective as of yesterday.

The extension of the Golden Power regime has been approved together with other emergency measures to face the current COVID19 emergency, including massive injections of liquidity into companies that risk bankruptcy as a consequence of the continuing lockdowns (keep checking our website for the upcoming client alerts).

The declared goal of the new legislation is to protect the national strategic sectors from predatory acquisitions, which may be favored by the current market values, affected by the ongoing emergency.

In light of the European Commission guidelines of March 26, 2020 (providing guidance to the Member States on foreign investments, ahead of the application of EU Regulation 2019/452) and in line with what is happening in other countries (e.g. Spain, France, Australia, Germany and the United States), the Law Decree of April 8, 2020, introduced:

1. The extension of the Golden Power regime to:

  • supply of critical inputs (including energy or raw materials, as well as food security);
  • access to sensitive information (including personal data) or the ability to control such information;
  • the freedom and pluralism of the media;
  • the financial and insurance sectors.

2. The obligation to notify relevant acquisitions also when the purchaser is an EU entity.

3. The specification of the thresholds triggering notification: for EU companies, a controlling participation (within the meaning of Section 2359 of the Italian Civil Code), while for extra EU companies, a participation of at least 10%.

4. The power of the Government to start on its own the Golden Power procedure, if the relevant entities do not comply with the notification obligations.

The extensions under numbers 1 to 3 above are temporary (the first one until a further decree is adopted and the second and third ones until December 31, 2020), while the one under number 4 has no deadline (so far).

There is no doubt that the above reform considerably increases State intervention in the economy. One could ask if – in short – the response to the virus would be the nationalization of the strategic sectors. Nevertheless, when asked, the Cabinet Undersecretary Riccardo Fraccaro stressed that “the intervention must be temporary and urged by an emergency. This is not a nationalization of the entire economy but a public intervention to protect specific areas”.

More Powers to the Government on M&A Deals Announced as a Response to the Italian COVID-19 Outbreak

The Italian Government, through its Cabinet Undersecretary Riccardo Fraccaro, announced that stricter measures – that will impact acquisitions of Italian targets – are ready to be enacted within days, as a countermeasure to the feared speculative attacks on Italian businesses operating in strategic sectors.

The measures will be introduced through a reform of the Italian Golden Power regulatory framework.

Effective since 2012 – and very recently amended to face new challenges relating to the introduction of 5G technology – the Italian Golden Power rules essentially provide the Italian Government with the power to impede certain acquisitions and extraordinary transactions to protect Italy’s interests in strategic industries, through a system based on prior mandatory notifications to the Italian Prime Minister’s Office.

The reform announced in the past few days aims at avoiding that, on account of the economic crisis brought by the COVID-19 emergency, speculations and hostile takeovers will harm Italian interests in strategic industries.

The stricter measures announced include:

  • The possibility to exercise the Golden Power also in relation to transactions within the European Union.
  • The introduction of new industries to be considered as strategic, for the purposes of the Golden Power regulatory framework.
  • The possibility for the Italian Government to autonomously intervene and exercise the Golden Power, regardless of any previous notification to the Authorities.

Details and wording of the announced reform are likely to be officially presented and enacted within days, if not hours, and updates will follow (both on our blog and website).

Only then, a first assessment on their potential impact on what is likely to be a troubled market will be possible.

For now, let us just hope that what has been defined by the Italian Cabinet Undersecretary as a “vaccine for the hostile takeover virus” will not cause severe side effects on the Italian M&A market.

No CE Marking Required for Surgical Masks and Personal Protective Equipment

In the wake of the COVID-19 pandemic, the Italian Government lifted regulatory requirements for the manufacturing, importing and placement on the market of surgical masks and other personal protective equipment.

The measures were prompted by a failure of existing manufacturers and importers to meet the demands of hospitals, healthcare professionals and individual citizens alike, and are seen as generally in line with the Commission Recommendation (EU) 2020/403 of 13 March 2020 on conformity assessment and market surveillance procedures within the context of the COVID-19 threat (https://eur-lex.europa.eu/legal-content/GA/TXT/?uri=CELEX:32020H0403).

The new emergency regulations (law decree 18/2020 – http://www.governo.it/it/articolo/decreto-legge-17-marzo-2020/14333) provide that manufacturers, importers and other businesses who intend to commercialize surgical masks and personal protective equipment are required to submit a self-certification to the National Health Institute (“Istituto Superiore di Sanità” – https://www.iss.it/) or to the National Workers Insurance Agency (“INAIL”) respectively, whereby they describe the technical specifications of the devices/equipment and declare that the devices/equipment meet the safety requirements set forth in applicable legislation. The competent authorities are then required to issue a compliance decision within 3 days from the submission.

The technical procedures for the submission to the authorities have now also been implemented and, with reference to surgical masks, they require an additional certification from the applicants concerning the compliance of the devices with quality standards UNI EN 14683:2019 and UNI EN ISO 10993-1:2010. A quality system should also be implemented, but such system does not need to be certified: the implementation of adequate procedures and traceability measures would be sufficient to meet the applicable requirements.

While certain regulatory requirements are meant to remain in place in order to ensure the reliability of products placed on the market, the authorities are hopeful that the new emergency measures will provide relief to hospitals and healthcare operators operating under the current extraordinary circumstances.