The Data Act: a New European Regulation on Data Sharing in the EU

Today, January 11, 2024, marks the entry into force of EU Regulation 2023/2854, better known as the “Data Act”.

The new regulation sets forth new rules on B2B and B2C data access and provides a regulatory framework for sharing data generated by the use of connected devices and related services. In addition, the Data Act contains measures to restrain economic operators from abusing contractual imbalances in data-sharing contracts.

The new regulation’s declared goals are to:

  • stimulate a competitive and fair data market;
  • foster data-driven innovation;
  • boost data accessibility;
  • make it easier to switch between data processing service providers;
  • protect data from unlawful transfers;
  • develop interoperability standards for data to be reused between sectors.

Art. 50 of the regulation provides that the new set of rules shall apply from September 12, 2025; however, certain articles shall apply at a later stage.

Will the Sunshine Act and the Whistleblowing Act change life sciences companies?

Although not revolutionary, these two new pieces of legislation are certainly of great interest to life sciences companies operating in Italy. They may, in fact, entirely change the quantity and quality of information available on and to life sciences companies, and perhaps even impact the cultural landscape in which such companies operate.

–> INFORMATION IN: the Whistleblowing Act is designed to encourage a flow of information to the company;

<– INFORMATION OUT: the Italian Sunshine Act will ensure that interactions with HCPs or HCOs are publicly disclosed, which will generate information from companies out to the public.

THE SUNSHINE ACT.

  • Not yet applicable.  The Italian Sunshine Act (law number 62 of 2022) is not yet applicable because the website of the Italian Ministry of Health where data should be published is not yet ready.
  • Aim.  The purpose of the Sunshine Act is to enhance transparency of relationships between companies and healthcare operators. In the intention of the legislator, it also aims at fighting corruption, even though the subject matters of the disclosure are entirely legitimate transactions.
  • Reportable interactions.  Under the Sunshine Act, agreements and delivery of money, goods, services or other benefits to a healthcare professional (HCP) having a value above €100 or an annual aggregate value of more than €1,000 trigger the obligation to report the transaction. The threshold is higher if a healthcare organization (HCO) is involved, as the value must be above €1,000 individually or above €2,500 annually. Additionally, any agreements with HCPs or HCOs regarding attendance at congresses, trainings, events, or any consultancy, research and teaching relationship must also be reported, as well as any equity or bonds in life science companies granted to HCPs or HCOs (even if granted for free) and any consideration for intellectual property licenses. Reporting must occur every 6 months and the information on the registry will be available for 5 years. Consent to disclosure by HCPs is (supposedly) implied.

THE WHISTLEBLOWING ACT.

  • In force. The Whistleblowing Act (legislative decree no. 24 of 2023) is already in force for all companies to which it applies (including, but not limited to, life sciences companies). This means companies which have adopted a “231” model, as well as companies with more than 50 employees, or fewer if they are active in specific sectors.
  • Aim.  The purpose of whistleblowing legislation is to protect the reporting person by prohibiting any retaliation against him or her, while ensuring confidentiality and compliance with data protection legislation. This should encourage reports, including anonymous ones, on any illicit activity happening within or outside the company. Companies must appoint a specific body or person to manage the reports so that they can be properly investigated (when relevant), and feedback can be provided to the reporting person.

Both laws rest on the assumption that corruption is inherent in businesses, especially in life sciences companies, and should be unearthed, even in an industry that is heavily regulated, self-regulated, and closely monitored by regulators and authorities.

Will the Sunshine Act and the Whistleblowing Act change the perception of life sciences companies? Will their efforts in terms of transparency and accountability be rewarded with a more positive reputation? That’s hard to predict, and probably unlikely.

Life sciences companies must balance the tensions between health and profit, the needs of buyers, users and patients, their products’ innovation and safety. They must do that ethically and generally invest a lot of resources into their compliance efforts. The two new laws may further strengthen such commitment.

Quick Guide on Legislation In Force and Legislation Stalled

Just a quick blog post to align our readers on which legislation is in force and which is stalled at the moment:

  • The Ultimate Beneficial Owners register (discussed here), which companies strived to populate by December 11, 2023, is currently on hold due to administrative litigation that blocks the application of the register.
  • The European Regulation on Artificial Intelligence, which we already discussed here, is now final. It will enter into force in 2 years.
  • Legislation on payback for medical devices will be scrutinized by the Italian Constitutional Court thanks to decisions of the Lazio Administrative Court issued on November 24, 2023.
  • The Italian Sunshine Act (Law no. 62 of 2022), which we illustrated here, is in force but not yet applicable since the transparency website is not yet live.
  • Next week the Whistleblowing Law (analyzed here and here) will be mandatory for all companies in scope.
  • The Digital Services Act and the Digital Markets Act are in force.

Corporate Liability Under Legislative Decree No. 231/2001: Latest Developments

Recently, the regulatory framework of administrative liability of entities for criminal offences has been partially amended, by (i) recognizing its central role within the framework of public tenders’ regulations, and (ii) expanding the catalogue of predicate offences (reati presupposto or 231 crimes).

  • 231 Corporate Liability as Ground for Exclusion from Public Tenders

Legislative Decree no. 36/2023, i.e., the new Italian Public Tenders Code (“PTC”), distinguishes between causes of automatic exclusion (Section 94) and causes of non-automatic exclusion from public tenders (Section 95).

In case of:

  • a criminal conviction or disqualification measure for the criminal offences listed under Section 94, paragraphs 1 and 2, of the PTC issued against an economic operator under Legislative Decree No. 231/2001 (Section 94, paragraphs 3, lett. a) and 5), or
  • a disqualification sanction referred to in Section 9, paragraph 2, lett. c) of Legislative Decree no. 231/2001 (or of any other sanction entailing the prohibition to enter into agreements with public entities)

the sanctioned entity will be automatically excluded from the public tender.

Moreover, if a 231 crime is ascertained, or even only contested, then a “serious professional offence” is triggered, which may lead to a non-automatic cause of exclusion from the public tender (Section 98 of the PTC).

  • New 231 Crimes

Following the PTC, Law no. 137/2023 increases the number of 231 crimes by providing for the inclusion of the following criminal offences:

  • Obstruction of tender procedures (in Italian, “Turbata libertà degli incanti”, Section 353 of the Italian criminal code), i.e., hindering or disrupting a public tender or turning away bidders by violence, threats, gifts, promises, collusion or other fraudulent means;
  • Obstruction of the choice of contractor procedure (in Italian, “Turbata libertà del procedimento di scelta del contraente”, Section 353-bis of the Italian criminal code), i.e., disruption of the administrative procedure by way of violence or threats, or by gifts, promises, collusion or other fraudulent means, in order to influence the manner in which the public administration chooses a contractor; and
  • Fraudulent transfer of values (in Italian, “Trasferimento fraudolento di valori”, Section 512-bis of the Italian criminal code), i.e., fictitious attribution of the ownership or availability of money, goods or other utilities for the purpose of avoiding the application of the provisions of the regulation on asset prevention measures or smuggling, or of facilitating the commission of one of the offences referred to in Sections 648, 648-bis and 648-ter.

The novelties described above show the Italian legislator’s increasing attention to the conduct of entities participating in public tenders, and will result in the need to review and update the 231 model already adopted by entities, in order to (i) provide for procedures to ensure correctness of the company’s conduct with specific regard to participation in public tenders, and (ii) take into account the three new 231 crimes.

Implementation of the “231” Compliance Model in the Pharma Industry: New Guidelines issued by the Italian Association of Pharmaceutical Companies

On September 5, 2023, the Italian Association of Pharmaceutical Companies (“Farmindustria” – https://www.farmindustria.it/) issued guidelines to design an organizational model pursuant to Legislative Decree 231/2001 in the pharmaceutical sector (“Guidelines”).

In particular, the Guidelines, by taking into account the main peculiarities of the pharma industry, seek to identify the typical activities that are most at risk for the commission of criminal offences, and provide detailed guidance about the main policies and preventive actions that should be carried out by companies in order to prevent their commission.

As expected, the highest risks concern relationships with public officials, which may lead to crimes such as corruption or fraud against the State, with significant advantages for pharma companies.

The Guidelines seek to drive the attention of companies involved in the pharma sector on the risks that are latent in the following areas:

  • Relationships with healthcare professionals (“HCP”) and healthcare organizations (“HCO”): compliance programs should regulate activities of the key account managers and their bonuses, sponsorship of congresses, grants and donations to HCOs, gifts to HCPs, as well as other sponsorship or advertisement activities;
  • Relationships with Public Authorities: many interactions with public officials may entail corruption risks, such as obtainment of Market Authorizations, price reimbursement negotiations with the Italian drug regulatory agency (AIFA – https://www.aifa.gov.it/), management of site visits and inspections, participation and execution of public tenders for the supply of drugs to HCOs;
  • Relationships with private entities: relationships with suppliers providing services in the context of clinical studies, pharmacies, patient advocacy organizations, patients and “expert patients”, or management of patient support programs also need to be regulated.

The Guidelines also offer a complete set of policies and other preventive remedies that may be sufficient to prevent the envisaged criminal risks.

The Guidelines are a useful tool for pharma companies and no similar initiatives have been taken by other associations with regard to different industries and sectors. The Guidelines also constitute a benchmark for best practices that will be difficult to ignore.

Do you need help in designing or updating your company’s “231” compliance model? Do not hesitate to reach out!

231 organizational models and code of conduct: do companies need both?

Many Italian companies have equipped themselves with an organizational model under legislative decree 231 of 2001, as well as with a code of conduct. Are both needed and what is their relationship?

Light has been shed on this question by the Italian Supreme Court with a recent decision published on August 1, 2023, within a dispute where a third party claimed to have actionable rights on the basis of the provisions of the code of conduct.

The Court, while defining the code of conduct as an instrument of “preventive control of the correctness of the conduct of persons operating within and on behalf of the entity”, rejected the plaintiff’s claims on the sole basis of the interpretation of the provisions of the code of conduct. It added that “in companies, the Code of Conduct constitutes the necessary completion of the organization, management and control model of the entity, as a corporate document aimed at identifying, with reference to the ethics and values that inspire the business, the rights, duties and responsibilities of all those who participate in the business (employees and, where appropriate, external parties that have business relations with the companies)”.

In light of the above, it has been clearly confirmed as follows:

  • the code of conduct complements the 231 organizational model;
  • the provisions of the code of conduct must be interpreted considering the 231 organizational model; and
  • the provisions of the code of ethics apply to all subjects falling within the scope of application of the 231 organizational model.

Therefore, the 231 organizational model and the code of ethics have a strong connection: they both have to be adopted and interpreted in light of each other.

AI and Healthcare: Recommendations by the Italian Data Protection Authority

The use of Artificial Intelligence in healthcare continues to grow and it is poised to reach 188 billion by 2030. It also raises many concerns.

The Italian data protection authority (Garante) has recently issued recommendations based on 10 points, which can be found here.

The Garante particularly insists on:

  1. Human in the loop: a human being must be involved in the control, validation or change of the automatic decision;
  2. No algorithmic discrimination: trustworthy AI systems should reduce mistakes and avoid discrimination due to inaccurate processing of health data;
  3. Data quality: health data must be correct and updated. Representation of interested subjects must correctly reflect the population.
  4. Transparency: the interested subject must be able to know the decisional processes based on automated processes and must receive information on the logic adopted so as to be able to understand it (easier said than done!). The Garante also requires that at least an excerpt of the Data Protection Impact Assessment is published.

Other recommendations are not surprising for anyone familiar with the GDPR:

  • Profiling and decisions based on automated processes must be expressly allowed by Member State law.
  • The principles of privacy by design and privacy by default obviously play a big role in healthcare AI systems.
  • Roles of controller and processor must be correctly allocated: in particular, the public administration must ensure that external entities processing data are appointed as data processors.
  • A Data Protection Impact Assessment must be carried out and any risks must be evaluated.
  • Integrity, security and confidentiality of data must be ensured.

Striving for genuine transparency in connection with very complex and rapidly evolving algorithms is not going to be an easy task for the data controller. Similarly, understanding how AI works in a healthcare setting is not going to be simple for patients.

Italy – At Last – Implemented the Registry of UBOs (Ultimate Beneficial Owners)

All legal entities established in Italy are affected by the new regulation, which provides for a December 11, 2023 deadline.

The register of ultimate beneficial owners has been established and has become operational also in Italy, after several extensions and delays. In fact, on October 9, 2023, the decree certifying the operation of the system for the communication of data and information on beneficial ownership was published in the Official Gazette.

This last decree, which completes the implementation of anti-money laundering legislation, triggers the obligation for all companies, private legal entities (associations, foundations and other institutions of a private nature with legal personality) and trusts to communicate data and information relating to their beneficial ownership.

The communication on beneficial ownership must be made to the Companies’ Registry at the territorially competent Chamber of Commerce by and no later than December 11, 2023, using exclusively electronic methods. With regard to companies, the communication must be digitally signed by a director, without the possibility to delegate such task. Therefore, directors who do not yet have a digital signature device will need to obtain one.

Subsequently, legal entities shall notify any change in their beneficial ownership within 30 days of the occurrence of the change. In addition, on an annual basis (and in any case within 12 months from the first communication), the beneficial ownership shall be confirmed: for companies this may take place on the occasion of the annual filing of the financial statements.

For more information on the new requirements, check out our Client Alert here or reach out to us directly.

GDPR Cross-Border Complaints: a New Regulation Proposal Attempts to Harmonize the Procedural Rules Among the Member States

On July 4, 2023, the European Commission issued a proposal for a new EU regulation laying down additional procedural rules aimed at ensuring a better and uniform enforcement of the GDPR among the Member States, especially with regard to the handling of cross-border complaints (“Proposal”).

The Proposal has been inspired by the findings of the reports issued by the European Commission and the European Data Protection Board concerning the status of the application of the GDPR among the Member States. Such reports stressed the need to make the handling of cross-border complaints more efficient and levelled across the EU, since the proceedings followed by local data protection authorities (“LDPA”) have been found to be differently designed and may thus lead to different application of the GDPR provisions.

The main features of the Proposal may be summarized as follows:

  • Submission and handling of cross-border complaints: The Proposal aims at removing the existing differences among the procedural rules applied by different LDPAs, namely with regard to how complaints on cross-border issues should be filed and which contents they should have. In such respect, a template for the filing of cross-border complaints – including a standard pre-determined set of information to be provided – has been drafted. The Proposal further specifies procedural rules for the rejection of complaints in cross-border cases and clarifies the roles and rights of the lead LDPA and of any other concerned LDPAs. A system of amicable settlement of complaints is also encouraged.
  • Procedural rights of parties under investigation: The Proposal further aims at harmonizing and strengthening the rights of defence in the course of cross-border investigations and proceedings. Specifically, the Proposal recognizes an extended right of the parties to be heard at key stages of the proceedings and imposes the creation of an administrative file and the parties’ rights of access to it.
  • Tools for cooperation between LDPAs: New tools have been designed to ease the building of consensus between the involved LDPAs on the main features of cross-border proceedings since their preliminary phase, in order to limit the recourse to the (time consuming) dispute resolution mechanism provided by section 65 GDPR to a few exceptional cases. LDPAs that are called to handle a cross-border complaint are required to provide other involved LDPAs with a “summary of key issues”, where the main findings of facts and legal grounds underlying each complaint are set out. Concerned LDPAs will be able to provide their views on such summary and to raise “relevant and reasoned objections”, in which case a specific fast-track procedure is designed in order to ensure that disagreements among LDPAs are settled at the beginning of the process.
  • Acceleration of cross-border proceedings: Lastly, the Proposal, by imposing strict deadlines, aims to prevent undue delays within the proceedings.

At the moment it is still unclear whether the Proposal will be officially adopted and become a binding regulation. Certainly, it has been welcomed by the European Data Protection Board and by the European Data Protection Supervisor and may be a good opportunity to level the difference among Member States and make the proceedings more efficient.