Category Archives: Legal news

The European Commission Recently Fined Teva: but Why?

With an order issued on October 31, 2024, the European Commission fined Teva Pharmaceutical Industries (“Teva”) EUR 462.6 million for abusing its dominant position in relation to its drug Copaxone.

This European Commission decision is set to further fuel the already lively debate on the limits of patent law and antitrust rules in Europe.

1. Allegations: Abuse of Dominant Position and Patent Strategy

The order fined Teva for abuse of a dominant position. Specifically, two types of conduct were alleged, namely:

  1. The first relates to the delaying of the market entry of competing generics of Copaxone – a drug containing the active ingredient glatiramer acetate produced by Teva and indicated for the treatment of multiple sclerosis – through the filing of several divisional patents and their subsequent waiver. This approach, referred to by the European Commission as ‘divisional games’, had, in the European Commission’s view, the effect of:
     • artificially extending the term of patent protection;
     • restricting competition even beyond the natural expiry of the original patent.
  2. The second claim against Teva concerned the dissemination of false information in breach of competition rules aimed at dissuading consumers and healthcare professionals from adopting such cheaper versions of the drug by:
     • denigrating generic Copaxone products;
     • casting doubts on their safety and efficacy.

2. Legal Analysis of Breaches: Article 102 of the Treaty on the Functioning of the European Union (“TFEU”)

The Commission’s allegations are mainly based on Article 102 TFEU, which prohibits the abuse of a dominant position within the internal market. A dominant company must avoid practices that (i) restrict, (ii) distort or (iii) prevent competition.

The practice of filing “divisional patents”, carried out by Teva, has been considered as an “exclusionary abuse”, as it prevents the entry of new players in the market through manipulation of the patent system.

This approach, although in line with patent law and the procedures of the major patent offices, including the European Patent Office, has been criticized from the competition point of view. In principle, the divisional patent system should protect distinct innovations and not allow the fragmentation of protection for a single invention to artificially obstruct competition.

In addition, the use of a disinformation campaign constitutes abusive conduct, as it aims at diminishing the quality of competitors’ products without objective reasons, thus damaging the market and final consumers.

3. The Role of Divisional Patents and the ‘Manipulation’ of the Patent System

A divisional patent is an option under European law that allows patent owners to derive “child” patents from a main patent, thereby protecting more specific aspects of an invention.

This system derives from one of the fundamental principles of patent law, i.e. that a patent can protect one, and only one, invention. Consequently, during the examination of patent applications, it is sometimes necessary to proceed with the filing of divisional applications when the examiner finds that more than one invention was covered by the original application. 

However, in Teva’s case, the excessive use of this practice was found to be abusive, as it was aimed solely at extending the duration of monopoly protection for Copaxone. This practice, in addition to raising ethical and legal questions, led to the consideration of the need to change the patent system to avoid abuses. In particular, it has been suggested that European regulations on divisional patents may be updated to prevent anti-competitive practices, for instance by introducing stricter criteria for granting divisional patents.

4. Implications of the Teva Case for Competition Law and the Pharmaceutical Sector

The fine imposed on Teva represents a turning point for competition law applied to the pharmaceutical sector, as it further and rather explicitly underlines the need for a balance between patent protection and access to medicines.

The European Commission, with this measure, wanted to give a strong signal against the strategic use of patents to obstruct access to generic medicines, which represent an affordable and accessible solution for patients, and which may also have a very important impact on Member States’ budgets concerning their healthcare spending.

In a scenario of increasing attention to anti-competitive practices in the health sector, the Commission’s intervention could lead other national and supranational authorities to monitor pharmaceutical companies’ behaviour more strictly in similar situations. Moreover, this case may add pressure for a reform of patent rules in Europe, aimed at limiting opportunities for abuse by dominant companies.

NIS 2 ENTERS INTO FORCE IN ITALY: LEARN WHAT YOU NEED TO DO

After a long wait, EU directive 2022/2555 (“NIS 2 Directive”), which aims at achieving a common level of cybersecurity across member states, has finally been implemented in Italy, with legislative decree 138/2024 (“Legislative decree”).

The Legislative decree will apply starting from today, October 18, 2024.

Who are the actors involved?

The new regulation applies to economic operators that:

  • exceed the thresholds provided for small enterprises (i.e., more than 50 employees and annual turnover/balance sheet of more than Euro 10 million);
  • are subject to Italian jurisdiction.

It is important to note that certain operators identified as critical subjects (according to the decree 134/2024, implementing EU directive 2022/2557 on critical subjects) are subject to the Legislative decree, even if they do not exceed the dimensional limits mentioned above. Among them, there are several operators in the healthcare field, such as:

  • Healthcare providers;
  • Subjects carrying out research and development on medicines;
  • Manufacturers of basic pharmaceutical products and pharmaceutical preparations;
  • Manufacturers of medical devices considered critical in case of a public health emergency;
  • Wholesale distributors of medicinal products.

What are the deadlines at this early stage?

  • All operators active in Italy must carry out an assessment to understand whether they fall within the scope of the Legislative decree;
  • From 1 January to 28 February of each year (starting from 2025) the economic operators subject to the Legislative decree must register or update their registration on the digital platform managed by the National Cybersecurity Agency (“NCA”), providing a set of information such as the company mission, address, contact information, etc.;
  • By 31 March of each year (starting from 2025), NCA will draft a list identifying the so-called “essential and important subjects” following the criteria of Article 6 of the Legislative decree;
  • From 15 April to 31 May of each year (starting from 2025) the subjects identified as essential or important should provide further information, such as the IP address, domain names, EU Member States where the service is carried out, name of the legal representative, etc.

What will happen after this first phase?

After this first phase, a new set of obligations will progressively come into force, such as:

  • The obligation of essential and important subjects to implement technical measures to ensure the security of information and network systems used by operators (within 18 months from the communication of being considered as an essential or important subject);
  • The duty for essential and important subjects to notify the Computer Security Incident Response Team – Italy (“CSIRT Italy”) of each incident that can impact service delivery (within 9 months from the communication of being considered as an essential or important subject).

How to proceed in these first months?

It is key for all economic operators operating in Italy, before February 28, 2025, to carry out an assessment and understand if they fall under the perimeter of the application of the Legislative decree and, if so, act accordingly.

          Substances of Human Origin (or SoHO): the New EU Regulation

          PURPOSE OF THE NEW REGULATION. On June 13, 2024, the European Parliament and the Council adopted a new regulation on the substances of human origin (so-called SoHO), repealing Directives 2002/98/EC and 2004/23/EC. The new regulation:

          • was necessary because previous directives only partially managed to harmonize member states’ legislation on cells, tissues and blood; also, a new definition of SoHO was needed;
          • introduces mechanisms to ensure continuity and resilience of SoHO supplies and to facilitate EU cross-border exchanges and access to SoHO;
          • enhances safety of donors and recipients (including the offspring born from medically assisted procreation).

          WHAT IS A ‘SOHO’? A SoHO is now defined as “any substance collected from the human body, whether or not it contains cells and whether or not those cells are alive, including SoHO preparations resulting from the processing of the above-mentioned substance”. The definition has been expanded to include breast milk and gut microbiota, as well as blood preparations different from those used for transfusions. Any future SoHO will be automatically included in the regulation. The regulation also defines SoHO preparation as a SoHO subjected to processing, with a specific clinical indication, intended for human application on a recipient or for distribution.

          WHO DEALS WITH SOHO? The regulation also defines which will be the main actors in the organizational chain from SoHO donation to application. Specifically:

          • A SoHO entity is a legal entity established in the EU that carries out SoHO-related activities (e.g. collection, processing, control, storage, release, distribution, import, export, application on human beings, clinical studies and outcomes recording on SoHO preparations);
          • A SoHO establishment is a SoHO entity that carries out one of the following SoHO-related activities: A) both processing and storage; B) release; C) import; D) export;
          • Competent authorities for SoHO are appointed by each member state and 1) maintain the registry of SoHO entities, 2) deal with the authorization process for SoHO establishments and SoHO preparations, 3) carry out inspections and evaluate plans for monitoring clinical outcomes.

          WHEN? The regulation will be enforceable by mid-2027.

          TAKEAWAYS. Apparently, it is science-friendly as the definition of SoHO will be broader and more flexible than before. Also, in view of its structure, there is hope that it will succeed in ensuring more uniformity and granting an enhanced minimum level of safety across the EU.

          AIFA Guidelines Regarding Observational Studies on Medicines: What’s New?

          The Italian Medicines Authority (“AIFA”) has recently issued new guidelines for the classification and conduct of observational studies on medicines (“Guidelines”), repealing the previous version of 2008. Through these new Guidelines AIFA has given full implementation to Article 6, par. 3 of the Ministry of Health decree of November 30, 2021, which had mandated that AIFA issue new guidelines for the classification and conduct of observational studies on medicines.

          The new Guidelines have extended the perimeter of observational studies and now include:

          • Retrospective studies related to unauthorized uses;
          • Pharmacogenetics and pharmacogenomics studies;
          • Databases and other data on drug therapies collected through online platforms, wearables, or other devices when the following conditions are met:
            1. They pursue the aim of keeping track of the medicines used by patients;
            2. They follow a specific protocol;
            3. They are carried out in accordance with Guidelines’ indications.

          Other new elements introduced by the Guidelines are:

          • The duty for ethics committees, in case of non-profit observational studies, to verify the independence from commercial promoters;
          • The duty to insert a specific section on informed consent in the protocol;
          • The duty to publish the results of the research (even if they are negative) within 12 months from the end of the study;
          • The duty to retain documents on observational studies for 7 years;
          • The possibility for the territorial ethics committee to apply a fee on profit observational studies;
          • The inclusion of universities among facilities where observational studies can be carried out;
          • The inclusion of new documents that the promoters must submit to the ethics committee, such as a cover letter with the precise identification of the competent ethics committee, a summary of the protocol, and investigators/coordinators’ curricula;
          • The duty of the legal representative of the research centre to execute an administrative agreement prior to the start of the study.

          The Guidelines confirm that there is no mandatory AIFA assessment on observational studies, even though the ethics committee may decide to consult AIFA if necessary. The Guidelines also confirm the duty to transmit the information on the studies to the “Registry of observational studies” run by AIFA.

          The definition of observational studies has not changed, i.e., studies that meet the following conditions:

          • Medicines are prescribed and delivered according to the conditions of use authorized for marketing in Italy;
          • Medicines are prescribed in the normal clinical practice;
          • The decision to prescribe the medicine to the patient must precede and be independent of the decision to include the patient in the study;
          • Diagnostic and evaluative procedures correspond to the current clinical practice without leading to negative consequences for the patient or the National Healthcare System.

          Your Face at the Airport: the EDPB Weighs in on Face Boarding

          As you wander around an airport waiting to travel for the summer, you may notice that your image is captured by various devices. This process, known as facial recognition or “face boarding”, has recently been the subject of an opinion by the EDPB (https://www.edpb.europa.eu/edpb_it), issued pursuant to article 64 of the GDPR (opinion no. 11/2024, https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-112024-use-facial-recognition-streamline_en), on the processing of data obtained in airports using facial recognition to streamline airport passenger flow.

          The EDPB assessed the compatibility of such data processing with:

          • article 5(1)(e) and (f) of the GDPR on storage limitation and integrity and confidentiality;
          • article 25 of the GDPR on privacy by default and privacy by design;
          • article 32 of the GDPR on security of processing.

          The opinion takes into account four different scenarios:

          • Scenario 1: Storage of an enrolled biometric template – which is a set of biometric features stored in a database for future authentication purposes – only in the hands of the passenger.

          Enrolment consists in each passenger who has consented to such processing recording the biometric template and ID necessary for the processing on the passenger’s own device. Neither the passengers’ ID nor their biometric data are retained by the airport operator after the enrolment process.

          The passenger is authenticated when going through specific checkpoints at the airport (equipped with QR scanners and cameras), through the use of a QR code produced by the passenger’s device, where the biometric template is stored.

          The EDPB opinion concludes that such processing could be considered in principle compatible with articles 5(1)(f), 25 and 32 of the GDPR (nonetheless, appropriate safeguards must be implemented, including an impact assessment).

          • Scenario 2: centralized storage of an enrolled biometric template in an encrypted form, stored in a database within the airport premises and with a key solely in the passenger’s hands.

          The enrolment is controlled by the airport operator and consists in generating ID and biometric data that is encrypted with a key/secret. The database is stored within the airport premises, under the control of the airport operator. Individual-specific encryption keys/secrets are stored only on the individual’s device.

          Passengers are authenticated when going through specific checkpoints, equipped with a control pod, a QR scanner and a camera. The passenger’s data are sent to the database to request the encrypted template, which is then checked locally on the pod and/or user’s device.

          The opinion concludes that such processing could be considered in principle compatible with articles 5(1)(e) and (f), 25 and 32 of the GDPR, subject to appropriate safeguards. In fact, the intrusiveness of such processing through a centralized system can be counterbalanced by the involvement of the passengers, who hold control of the key to their encrypted data.

          • Scenario 3: centralized storage of an enrolled biometric template in a database within the airport, under the control of the airport operator and Scenario 4: centralized storage of an enrolled biometric template in a cloud, under the control of the airline company or its cloud service provider.

          The enrolment is done either in a remote mode or at airport terminals.

          At the airport passengers go through dedicated control pods equipped with a camera. Biometric data is sent to the centralized database or to the cloud server – where the matching of the data is processed. The biometric matching is only performed when the passengers present themselves at pre-defined control points at the airport, but the data processing itself is done in the cloud or in centralized databases.

          The EDPB considers that the use of biometric data for identification purposes in large central databases, as in Scenarios 3 and 4, interferes with the fundamental rights of data subjects and could possibly entail serious consequences. As such, Scenarios 3 and 4 are not compatible with article 25 of the GDPR because they imply the search of passengers within a central database, by processing each biometric sample captured. Also, taking into account the state of the art, the measures envisaged in such Scenarios would not ensure an appropriate level of security under article 5(1)(f) of the GDPR.

          In conclusion, the EDPB regards with suspicion the processing (through a matching-and-authenticating process) of passengers’ biometric templates when it happens in centralized storage tools (databases or clouds). The EDPB considers that this increases risks for the security of data, requires the processing of much more data and does not leave passengers in control of the data.

          New Guidelines on Web Scraping

          Pursuant to Article 57(1)(b) of the GDPR, on May 20, 2024 the Italian Data Protection Authority (“Italian DPA”) adopted guidelines on web scraping, with the aim of providing guidance to operators of websites and online platforms, acting in Italy as data controllers of personal data made available online to the public.

          Web scraping is defined by the Italian DPA as the massive collection of personal data from the web for the purpose of training generative artificial intelligence models. Specifically, whenever such phenomenon involves the collection of traceable information – linked to an identified or identifiable natural person – a data protection issue arises with reference to the identification of an appropriate legal basis for the processing of such data.

          According to the guidelines, the assessment of the lawfulness of web scraping must be carried out on a case-by-case basis. Personal data are made available on the web as a result of a primary level processing by operators of online platforms as data controllers. Only then, third parties – often web robots or “bots” – may gather such data for different purposes while scraping the web. This is the reason why the Italian DPA addresses its guidelines to operators of online platforms: they are, in fact, the only ones able i) to more easily evaluate how data are used after being scraped from their platforms and ii) to implement measures on their platforms that may prevent or mitigate web scraping activity for purposes of training algorithms.

          Possible precautions or enforcement actions identified by the Italian DPA are the following:

          • Creation of restricted areas, which can only be accessed after registration. In this way, certain personal data would be removed from public availability;
          • Inclusion of ad hoc clauses in the terms of service of the online platform expressly prohibiting the use of web scraping techniques;
          • Monitoring network traffic to detect any abnormal flow of data and adopting limits as countermeasures;
          • Direct intervention on bots (e.g. insertion on websites of CAPTCHA checks or monitoring log files to block undesirable users).  

          Such measures should be adopted by the data controller after an independent assessment – in compliance with the accountability principle, which increasingly appears to govern new data protection legislation and strategies. At any rate, the Italian DPA acknowledges that, albeit useful, none of these measures can be expected to entirely prevent web scraping from happening.  

          Processing Health Data: the Most Recent Amendment to Italian Privacy Code

          The Italian “Privacy Code” (Legislative Decree No. 196/2003), which governs data protection in Italy together with the European GDPR, has recently been amended.

          Law No. 56/2024, further implementing the National Recovery and Resilience Plan, intervened on section 110 of the Privacy Code, which deals with the processing of health-related data for the purposes of medical, biomedical or epidemiological scientific research.

          Section 110 provides that consent of the data subject for the processing of health-related data for the purpose of medical, biomedical or epidemiological scientific research is not required when:

          • the research is carried out on the basis of legal provisions or European Union law, when processing is necessary for scientific research or statistical purposes, provided that an impact assessment is carried out pursuant to sections 35 and 36 of the GDPR; or
          • informing the data subject is impossible or involves a disproportionate effort, or would render impossible or seriously jeopardise the attainment of the purposes of the research.

          In such cases – before the latest amendment – the data controller had to:

          1) take appropriate measures to protect the rights, freedoms and interests of the data subject;

          2) obtain a favorable opinion of the competent ethics committee; and

          3) consult the Italian Data Protection Authority prior to processing.

          The obligation to consult the Italian Data Protection Authority has now been repealed. Thus, there is no need to apply for the Authority’s clearance prior to processing health-related data (in those cases where consent of the data subject is not required under section 110 of the Privacy Code). 

          This amendment may have a significant impact especially on retrospective studies for which informing data subjects is particularly burdensome. The data controller will, in fact, be able to proceed without the Authority’s permission. Nonetheless, the data controller will still have to comply with specific guarantees and ethical rules issued by the Authority – as specified by the amended section 110.

          On the one hand, the amended section 110 seems to favor accountability and to soften the procedural requirements in processing health data for research purposes, making the overall procedure quicker. When it comes to “secondary use” of health data, the accountability approach should be considered strong enough to protect data and should be welcomed, as it moves in the same direction as the European Health Data Space – which intends to provide a reliable and efficient system for the re-use of health data in areas such as research and innovation.

          On the other hand, though, the Italian Data Protection Authority has already issued some interim guarantees, specifying that data controllers – when processing health data related to deceased or non-contactable subjects – must carry out and publish an impact assessment, pursuant to section 35 of the GDPR, notifying it to the Authority. It remains to be seen how the amendment will be handled by the Authority in practice: the effects of the simplification provided by the new version of section 110 may be diminished if the guarantees set forth by the Authority generate equally articulate procedures.

          Effectively Implemented “231” Model Exempts Italian Company from Criminal Corporate Liability

          A recent decision of the Milan Court exempted an Italian company from criminal charges under law 231, even while it found its employees guilty of a 231 financial crime.

          The Court held that the company’s managers abused their override powers to systematically ignore internal control systems. Nonetheless, the court found that the company had effectively implemented its 231 compliance model, although such model was fraudulently circumvented by the managers.

          The Court confirmed, as already established in the Impregilo case, that the occurrence of a crime does not automatically prove the non-completeness and non-effectiveness of a company’s compliance program. A separate analysis of the compliance program must instead be carried out, even if a crime has occurred and individuals are found guilty.

          Under Italian law 231, companies are liable for employees’ crimes when the crime is committed in the interest or to the advantage of the company. Such 231 liability can be lifted if the company has effectively implemented a compliance program aimed at preventing such crime. Despite the incentive built into law 231 for companies to set up and effectively implement a compliance program, past case law has not been generous in granting such exemption from liability. The recent Milan court case may open a new path.

          AI Breakfasts Continue

          Our breakfast presentation series dedicated to AI continues. Join us for our next event on May 24, 2024 at 9 via Dante in Milan! Our partner, professor Camilla Ferrari of the University of Milan, will be speaking about the impact of AI on contracts.

          Curious about past presentations on AI and AI liability? You may find below our slides (in Italian).

          Processing of personal and health data through apps and online platforms aimed at connecting HCPs and patients: the new digest of the Italian DPA

          In March 2024, the Italian Data Protection Authority (“Italian DPA”) issued a new digest (“Digest”) relating to the processing of personal data, whether or not concerning health data pursuant to section 9 of the GDPR, carried out through platforms, accessible through apps or web pages (“Platforms”), that aim to facilitate connection between healthcare professionals (“HCPs”) and patients.

          The use of such Platforms poses high risks to the protection and security of patients’ personal data, and in particular health-related data, given that the latter are subject to an enhanced protection regime set forth by section 9 of the GDPR. 

          The Digest seeks to summarize the applicable data protection rules that may be followed, and defines the roles of the parties, as well as the legal bases, applicable to (i) the processing of personal data of the users by Platform’s owners; (ii) the processing of HCP’s personal data by Platform’s owners; and (iii) the processing of health data of the patients by the Platform’s owner and by the HCPs.

          Additional guidance is provided as to:

          • The necessity for the Platform’s owner to carry out (and periodically update) a data protection impact assessment (DPIA) pursuant to section 35 GDPR, since the use of Platforms entails “high risk” processing of personal data, as this kind of processing automatically meets the criteria issued by the European Data Protection Board for the identification of the list of data processing that may be deemed subject to the duty to perform a DPIA;
          • Which information notices should be provided, by whom and to whom, as well as the contents that such information notices should have in each case, according to sections 13 and 14 GDPR;
          • The specific rules applicable to cross-border data transfers and data transfer to third countries.

          Lastly, the Digest includes a list of the most common measures that are taken by the data controllers to ensure an appropriate level of technical and organizational measures to meet the GDPR requirements, such as encryption, verification of the qualification of the HCPs that seek to enroll within the Platform, strengthened authentication systems, and monitoring systems aimed at preventing unauthorized access or loss of data.

          The Digest should be very welcome to Platform owners, as it now gives a reliable and complete legal frame that may be followed in order to set up a Platform in a way which is compliant with the GDPR principles.