Category Archives: Legal news

Processing Health Data: the Most Recent Amendment to Italian Privacy Code

The Italian “Privacy Code” (Legislative Decree No. 196/2003), which governs data protection in Italy together with the European GDPR, has recently been amended.

Law No. 56/2024, which further implements the National Recovery and Resilience Plan, amended section 110 of the Privacy Code, which deals with the processing of health-related data for the purposes of medical, biomedical or epidemiological scientific research.

Section 110 provides that consent of the data subject for the processing of health-related data for the purpose of medical, biomedical or epidemiological scientific research is not required when:

  • the research is carried out on the basis of legal provisions or European Union law, when processing is necessary for scientific research or statistical purposes, provided that an impact assessment is carried out pursuant to sections 35 and 36 of the GDPR; or
  • informing the data subject is impossible or involves a disproportionate effort, or would render impossible or seriously jeopardise the attainment of the purposes of the research.

In such cases – before the latest amendment – the data controller had to:

1) take appropriate measures to protect the rights, freedoms and interests of the data subject;

2) obtain a favorable opinion of the competent ethics committee; and

3) consult the Italian Data Protection Authority prior to processing.

The obligation to consult the Italian Data Protection Authority has now been repealed. Thus, there is no need to apply for the Authority’s clearance prior to processing health-related data (in those cases where consent of the data subject is not required under section 110 of the Privacy Code). 

This amendment may have a significant impact especially on retrospective studies for which informing data subjects is particularly burdensome. The data controller will, in fact, be able to proceed without the Authority’s permission. Nonetheless, the data controller will still have to comply with specific guarantees and ethical rules issued by the Authority – as specified by the amended section 110.

On the one hand, the amended section 110 seems to favor accountability and to soften the procedural requirements for processing health data for research purposes, making the overall procedure quicker. When it comes to the “secondary use” of health data, the accountability approach should be considered strong enough to protect data and should be welcomed, as it moves in the same direction as the European Health Data Space, which intends to provide a reliable and efficient system for the re-use of health data in areas such as research and innovation.

On the other hand, though, the Italian Data Protection Authority has already issued some interim guarantees, specifying that data controllers – when processing health data relating to deceased or non-contactable data subjects – must carry out and publish an impact assessment pursuant to section 35 of the GDPR and notify it to the Authority. It remains to be seen how the amendment will be handled by the Authority in practice: the effects of the simplification provided by the new version of section 110 may be diminished if the guarantees set forth by the Authority generate equally elaborate procedures.

Effectively Implemented “231” Model Exempts Italian Company from Criminal Corporate Liability

A recent decision of the Milan Court exempted an Italian company from criminal charges under law 231, even while it found its employees guilty of a 231 financial crime.

The Court held that the company’s managers abused their override powers to systematically ignore internal control systems. Nonetheless, the Court found that the company had effectively implemented its 231 compliance model, even though that model was fraudulently circumvented by the managers.

The Court confirmed, as already established in the Impregilo case, that the occurrence of a crime does not automatically prove the incompleteness or ineffectiveness of a company’s compliance program. A separate analysis of the compliance program must instead be carried out, even if a crime has occurred and individuals are found guilty.

Under Italian law 231, companies are liable for employees’ crimes when the crime is committed in the interest or to the advantage of the company. Such 231 liability can be lifted if the company has effectively implemented a compliance program aimed at preventing that crime. Despite the incentive built into law 231 for companies to set up and effectively implement a compliance program, past case law has not been generous in granting such exemption from liability. The recent Milan court case may open a new path.

AI Breakfasts Continue

Our breakfast presentation series dedicated to AI continues. Join us for our next event on May 24, 2024 at 9 via Dante in Milan! Our partner, professor Camilla Ferrari of the University of Milan, will be speaking about the impact of AI on contracts.

Curious about past presentations on AI and AI liability? You may find below our slides (in Italian).

Processing of personal and health data through apps and online platforms aimed at connecting HCPs and patients: the new digest of the Italian DPA

In March 2024, the Italian Data Protection Authority (“Italian DPA”) issued a new digest (“Digest”) relating to the processing of personal data, whether or not concerning health data pursuant to section 9 of the GDPR, carried out through platforms, accessible through apps or web pages (“Platforms”), that aim to facilitate connection between healthcare professionals (“HCPs”) and patients.

The use of such Platforms poses high risks to the protection and security of patients’ personal data, and in particular health-related data, given that the latter are subject to an enhanced protection regime set forth by section 9 of the GDPR. 

The Digest seeks to summarize the applicable data protection rules to be followed, and defines the roles of the parties, as well as the legal bases, applicable to (i) the processing of users’ personal data by Platform owners; (ii) the processing of HCPs’ personal data by Platform owners; and (iii) the processing of patients’ health data by the Platform owner and by the HCPs.

Additional guidance is provided as to:

  • The necessity for the Platform owner to carry out (and periodically update) a data protection impact assessment (DPIA) pursuant to section 35 GDPR, since the use of Platforms constitutes “high risk” processing of personal data: such processing automatically meets the criteria issued by the European Data Protection Board for identifying the processing operations subject to the duty to perform a DPIA;
  • Which information notices should be provided, by whom and to whom, as well as the contents that such information notices should have in each case, according to sections 13 and 14 GDPR;
  • The specific rules applicable to cross-border data transfers and data transfer to third countries.

Lastly, the Digest includes a list of the most common technical and organizational measures taken by data controllers to meet the GDPR requirements, such as encryption; verification of the qualifications of the HCPs that seek to enroll in the Platform; strengthened authentication systems; and monitoring systems aimed at preventing unauthorized access or loss of data.

The Digest should be welcomed by Platform owners, as it now provides a reliable and complete legal framework to follow in order to set up a Platform in a way that complies with the GDPR principles.

A New European Digital Identity

On March 26, 2024 the Council adopted a new framework for a European digital identity (eID).

Background. In June 2021, the Commission proposed a framework for an eID that would be available to all EU citizens, residents, and businesses, via European digital identity wallets (EDIWs). The new framework amends the 2014 regulation on electronic identification and trust services for electronic transactions in the internal market (eIDAS regulation n. 910/2014), which laid the foundations for safely accessing public services and carrying out transactions online and across borders in the EU. According to the Commission, the revision of the regulation is needed since only 14% of key public service providers across all Member States allow cross-border authentication with an e-Identity system.

Entry into Force.  The revised regulation will be published in the EU’s Official Journal and will enter into force 20 days after its publication. The regulation will be fully implemented by 2026.

Digital Wallets.  Member States will have to offer citizens and businesses digital wallets that will be able to link their national digital identities with proof of other personal attributes (e.g., driving license, bank account). Citizens will be able to prove their identity simply using their mobile phones.

EU-wide Recognition.  The new EDIWs will enable all citizens to access online services with their national digital identification, which will be recognised throughout the EU. Uses of EDIWs include: opening a bank account, checking in at a hotel, filing tax returns, storing a medical prescription, and signing legal documents.

The Right to Digital Identity.  The fundamental purpose of the regulation is to establish the right to a digital identity for Union citizens and to enhance their privacy.

Main features of EDIWs.  According to the new regulation:

• the use of EDIWs shall be voluntary, and EDIWs shall be provided directly by a Member State, under its mandate, or subject to its recognition;

• EDIWs shall enable the user to (1) securely request, store, delete and share person identification data and authenticate to relying parties; (2) generate pseudonyms and store them encrypted; (3) access a log of all transactions and report to the national authority any unlawful or suspicious request for data; (4) sign or seal by means of qualified electronic signatures; (5) exercise the right to data portability.

Privacy.  Privacy will be safeguarded through different technologies, such as cryptographic methods that allow a relying party to validate whether a given statement based on the person’s identification data is true without revealing any of the data on which that statement is based. Moreover, EDIWs will have a dashboard embedded into the design to allow users to request the immediate erasure of any personal data pursuant to Article 17 of Regulation (EU) 2016/679.

Corporate Liability Under Legislative Decree No. 231/2001: Latest Developments

In the context of criminal proceedings for aggravated fraud for obtaining public funds (art. 640 bis of the Criminal Code) and for ideological falsity of the private party in a public deed (art. 483 of the Criminal Code), the Italian Supreme Court (ruling No. 3196/2024 Jan. 26, 2024) had the opportunity to reiterate some useful principles in the context of 231 Models:

• The legal representative of the entity, if suspected or accused of the predicate offense, cannot appoint the entity’s defense attorney, due to the absolute prohibition of representation set forth by Article 39 of Legislative Decree No. 231 of 2001. The incompatible representative cannot perform any defensive act in the interest of the entity and, if performed, such act must be considered ineffective. However, the entity may join the proceedings by replacing the representative who has become incompatible or by appointing an ad hoc representative.

• The Court must always make an independent determination of the administrative liability of the entity, and this means that:

1) It is not necessary to make a final and complete finding of individual criminal liability of the natural person; a mere incidental finding is sufficient.

2) The configurability of criminal liability of managers for 231 crimes is not sufficient to affirm the liability of the entity. The judge must carry out a judgment of the suitability of the 231 Model adopted, ideally placing it at the time when the offence was committed, in order to verify whether compliance with the 231 Model would have eliminated or reduced the danger of the occurrence of offences of the same kind as the one that occurred.

The Italian Government Fund for the Governance of Medical Devices

With Ministerial Decree dated December 29, 2023, the Italian Ministry of Health has established criteria and methods for feeding the fund dedicated to the governance of medical devices, the so-called “Fondo per il governo dei dispositivi medici” (Fund for medical devices governance, “Fund”).

Key Features

  • Annual payment obligation.  Companies manufacturing or distributing medical devices, large medical equipment and in vitro diagnostic medical devices must pay a sum equal to 0.75% of the company’s previous year turnover from the sale of such devices to the National Health Service, net of VAT.
  • Annual Declaration Requirement.  Companies must submit an annual statement to the Ministry of Health regarding:
    • the company’s previous year turnover to the National Health Service, net of VAT;
    • the estimated amount of 0.75% of the above-mentioned turnover.
  • Use of the Fund. The Fund will be used for various activities related to Health Technology Assessment and governance of medical devices (including the management of the National Price Observatory, the vigilance system and the market surveillance system).
  • Deadlines and next steps. The first deadline for compliance with the fund regulations is set for December 31, 2024.

Companies are currently assessing whether the Fund can be challenged in court with arguments similar to those raised in the so-called “payback” litigation, which will have its day in court (namely, before the Italian Constitutional Court) on May 22, 2024.

New Obligations for Companies Under the Proposed CS3D

The proposed Corporate Sustainability Due Diligence Directive, so-called CS3D, may set new rules binding large EU or non-EU companies aimed at preventing adverse impacts on the environment and human rights resulting not only from their own operations, but also from those of their business partners.

CS3D has been criticized for its strong impact on the whole supply chain. While only large companies are in scope, vendors of such obligated entities will need to comply with such entities’ policies inspired by CS3D.

What Are the Proposed Obligations?

New due diligence requirements are expected to be established by CS3D and subsequently implemented by each member state. According to the text under discussion, companies will have to identify, prevent, stop, mitigate and account for the adverse impacts on the environment and human rights caused by their activities. In addition, they will need to have a plan to ensure that their business strategy is compatible with limiting global warming to 1.5°C, in line with the Paris Agreement and the climate neutrality goals set by Regulation (EU) 2021/1119.

Which Companies are In Scope of CS3D?

CS3D would apply to European companies that:

  • have, on average, more than 250 employees and a global net turnover of more than EUR 40 million in the last financial year for which the annual accounts were drawn up;
  • even if they do not meet the minimum thresholds, are the parent company of a group that had 500 employees and a global net turnover of more than EUR 150 million in the last financial year for which the annual accounts were drawn up.

It would also apply to third-country companies that:

  (a) generated a global net turnover of more than EUR 150 million, provided that at least EUR 40 million of that turnover was generated in the European Union in the financial year preceding the last financial year, including turnover generated by third-country companies with which the company and/or its subsidiaries have concluded a vertical agreement in the Union in exchange for licensing rights;
  (b) even if they do not meet the minimum thresholds mentioned in point (a), are the parent company of a group that had 500 employees and a global net turnover of more than EUR 150 million, of which at least EUR 40 million was generated in the European Union in the last financial year for which the annual accounts were drawn up, including turnover generated by third-country companies with which the company and/or its subsidiaries have concluded a vertical agreement in the Union in exchange for licensing rights.

When Will It Enter into Force?

CS3D is still under discussion. The proposal for the Directive was presented by the European Commission on February 23, 2022, and the Parliament adopted the amended text on December 14, 2023. The proposal must be formally approved by the Commission, the Parliament and the Council before it can officially enter into force.