Health Data Registries and Surveillance Programs, a New Italian Regulation Steps Up the Game

A new Italian regulation governing health data registries and surveillance programs aims at facilitating the use of such tools for purposes of monitoring the health of the population, as well as healthcare spending. A comprehensive legal instrument regulating the various categories of registries and programs was much needed. In fact, the adoption of such a regulation has been envisaged by national legislation since 2012 (Section 10 of law decree 179/2012), but no implementing measures have yet been adopted. A draft regulation has now been released by the Italian government and submitted to the State-Regions conference prior to formal entry into force. The draft has already been reviewed by the Italian Data Protection Authority.

The new regulation aims at standardizing registries and programs adopted over the years, by setting forth: (i) the entities and professionals who may access the information contained in the registries, (ii) the categories of data that are available, and (iii) the measures to be adopted to ensure the security of data in line with data protection legislation.

The goals pursued by the regulation include better monitoring of diseases at the national level and of the related treatments, survival rates and mortality indexes, as well as of the increase or decrease of a certain disease over time. The data stored in the registries should also facilitate the carrying out of epidemiological studies in specific territories and/or for specific subsets of the population. Such broad purposes would allow the data to be used in connection with scientific studies, but also for the treatment and prevention of particular diseases.

The data protection provisions enshrined in the regulation are particularly stringent, and provide that all data must be processed by individuals specifically appointed by the data controller and subject to secrecy obligations. Furthermore, the data shall be encoded in a way that does not allow de-anonymization. Only in the case of adverse events and related field actions may data be used to contact the interested subject, upon prior authorization of the national registry holder. Data breaches will also need to be reported to the Data Protection Authority.

In conclusion, the new regulation provides welcome clarity in a field where regulations have been sporadic and at times incoherent. Moreover, the new regulation seeks to govern at the same time the different legal aspects connected with registries, from healthcare monitoring to data protection. There is little doubt that the hope of the government is to optimize such instruments to better control healthcare spending and conduct a more effective assessment of therapies and products on the market.

 

 

Is Privacy Really a Fundamental Right?

The privacy of individuals is framed as a fundamental right in the European Union. In fact, the new European Union Regulation no. 2016/679 reiterates this in the very first of its “whereas” clauses.

Yet, it is clear to everyone that such “fundamental” nature is regularly questioned by various factors, and particularly:

  • Technological progress, coupled with people’s growing addiction to smartphones, allowing the collection of an amazing amount of personally identifiable information and leading to big banks of intrusive data; and
  • Security threats that prompt governments to closely monitor citizens’ behavior.

Once upon a time courts were called to decide on how to balance conflicting rights. These days, the act of balancing privacy and other issues has become much more common and it is in the hands of a variety of subjects, such as data processors, who must carry out a data protection impact assessment according to Section 35 of the EU Regulation no. 2016/679, and data protection authorities, who provide both general guidelines and specific advice.

A couple of recent decisions by the Italian Data Protection Authority have led me to believe that the Authority is readier than before to accept that there are justified limits to the right to privacy:

  • On July 14, 2016, the Italian Data Protection Authority decided that a bank is allowed to analyze behavioral/biometric information regarding its customers (such as mouse movements or pressure on the touch screen) as a measure to fight identity theft and internet banking fraud. Of course, a number of limitations have been set by the Authority, in addition to consent of the customer/data subject, such as specific safety measures, purpose and time limitations, and the segregation of the customer names from the bank’s IT provider.
  • On July 28, 2016, the same Authority granted its favorable opinion to the use of face recognition software at the Olimpico stadium during soccer games in order to check that the data on the ticket and the face of the person actually attending the event correspond. Provided that strong security measures are used and that the processing is carried out by police forces, the processing was deemed to be necessary.

A tougher stance, instead, is adopted by the Italian Data Protection Authority in cases of processing aimed at marketing purposes, as in this decision, for example. (I note, however, that the code of conduct applying to data processing for the purposes of commercial information that will enter into force on October 1, 2016, blessed by the Italian Data Protection Authority, continues to allow the dispatching of commercial communications to individuals whose personal data is included in public listings, even without the data subject’s express consent).

Balancing rights and interests is inherent to law and justice. It remains to be seen, considering the obvious (and absolutely reasonable) limitations to which the right to privacy is subject, if it will continue to make sense to frame it as a “fundamental” right.

The New EU-US Privacy Shield

Yesterday the European Commission announced that the new agreement between the European Union and the United States on European data flowing into the United States has been approved. After months of negotiations, the deal was enthusiastically announced as “a robust new system to protect the personal data of Europeans and ensure legal certainty for businesses” that “brings stronger data protection standards that are better enforced, safeguards on government access, and easier redress for individuals in case of complaints” in the words of Věra Jourová, EU Commissioner for Justice, Consumers and Gender Equality.

Ever since the 2015 Court of Justice of the European Union (“CJEU”) landmark decision that put an end to the Safe Harbour system (i.e., the previous agreement regarding EU-US data flows), the US and the EU had negotiated for about 2 years in the attempt to create a system that aims at reassuring European citizens and creating clarity for United States businesses. An initial agreement on the Privacy Shield was already reached in February, and heavily criticized by the association of European data protection authorities named “Article 29 Working Party” (as we covered in our blog). Allegedly, the European Commission has taken note of such criticism and added additional clarifications and improvements to the draft.

Here are the main features of the Privacy Shield, as set forth in the Commission’s fact sheet:

  • The U.S. Department of Commerce will register U.S. companies under the Privacy Shield if they commit to process personal data in accordance with certain compliance standards. It will also conduct regular updates and compliance reviews of participating companies, and companies that do not comply face sanctions and removal from the Privacy Shield list.
  • U.S. government’s access to personal data for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms. There will be no indiscriminate mass surveillance on personal data transferred to the US under the EU-U.S. Privacy Shield arrangement.
  • EU data subjects will, also for the first time, benefit from redress mechanisms in the area of national intelligence for Europeans through an Ombudsperson mechanism within the Department of State independent from the US intelligence services.
  • In case of processing of personal data in breach of the Privacy Shield, EU data subjects will have access to several dispute resolution mechanisms: (i) redress by the data controller, (ii) free of charge alternative dispute resolution solutions, (iii) complaints submitted to their national Data Protection Authorities, who will work with the U.S. Federal Trade Commission to resolve complaints, (iv) arbitration mechanism.
  • The functioning of the Privacy Shield will be monitored and a public report to the European Parliament and the Council will be issued.

The one million dollar question is: will the Privacy Shield hold?

The CJEU may strike it down in the future and privacy groups will undoubtedly test the waters with new cases. If this happens, some predict that there will not be any further attempt to create another “Safe Harbor” or “Privacy Shield”. As Mark Scott of the New York Times puts it: “The European Commission, the executive arm of the European Union, and the United States Department of Commerce spent years negotiating the new deal. If it were eventually overturned in court, few companies or privacy experts would have faith that either side could do any better the next time around”.

The Italian Administrative Supreme Court Opens New Perspectives for Therapeutic Equivalents

By rejecting an appeal from Novartis, the Italian Administrative Supreme Court, with its decision n. 1306 of April 1st, 2016, focused on the notion of therapeutic equivalence under Italian law. Having underlined the difference with the concept of bioequivalence and having broadened its possible future application, the decision is likely to push forward the trend of public health care institutions to increase competition between pharmaceutical companies in the context of public tender offers, possibly for the benefit of taxpayers and patients.

The controversy arose from an opinion issued by the Italian Medicines Agency (“AIFA”) which, in a tender procedure held by Tuscany region, evaluated the drug Lucentis by Novartis (active ingredient ranibizumab) as a therapeutic equivalent to Eylea by Bayer (active ingredient aflibercept). This allowed the regional public administration to have the said drugs compete against each other in the same tender offer.

Debates as to whether Lucentis and Eylea are equivalent in terms of functions are indeed not new in the pharmaceutical scene and have caused many headaches to Novartis, let alone the critical issues raised in relation to Lucentis by the Italian Antitrust Authority. It is no surprise, then, that Novartis tried to defend its product, alleging the illegitimacy and erroneousness of AIFA’s evaluation, which stated that the cheaper option by Bayer (Euro 780) is as safe and effective in the treatment of macular degeneration as Novartis’s more expensive (Euro 902) drug.

Novartis, nevertheless, failed in its claims. The Italian Administrative Supreme Court confirmed the validity and correctness of AIFA’s evaluation, together with the decision of the lower court, affirming, inter alia, that:

  • therapeutic equivalence is different from bioequivalence because the latter implies the identity of the active ingredient whereas the former does not (indeed, FDA’s indications on the issue are rather similar);
  • the authority of AIFA in determining therapeutic equivalence is legitimate under Italian law;
  • evaluations regarding therapeutic equivalence cannot be based exclusively on the products’ leaflet: they are instead well motivated if they verify that (i) the drugs belong to the same Anatomical Therapeutic Chemical class; (ii) the drugs are subject to a similar route of administration and (iii) the drugs release the active ingredient in comparable ways.

Therapeutic equivalence, as it has recently emerged from Italian legislation and case law (in particular, from the decision discussed herein), is seen as a threat by pharmaceutical companies, unnerved by the increased competition effects.

Indeed, the debate has been escalated to a more general level by the Italian association of pharmaceutical companies, which challenged AIFA’s guidelines on therapeutic equivalence in many ways. As a consequence, a few days ago AIFA suspended the said guidelines for ninety days as a precaution.

It looks like the match has just begun. Nevertheless, pharmaceutical companies should consider carefully on which side they should play. In fact, the expansion of the application of therapeutic equivalence, as a general trend, does not seem to be stoppable in a constant spending review context. Perhaps pharmaceutical companies should positively contribute to shape, rather than to stop, therapeutic equivalence and exploit its potential for the business in terms of new opportunities to access tender offer procedures.

FDA’s Initial Thoughts on 3D Printing of Medical Devices Published Today

Curious about how regulations on 3D printing of medical devices will evolve? Check out the draft guidance published today by the United States Food and Drug Administration (“FDA”). Comments and suggestions are welcome and should reach the FDA within the next 60 days.

The draft guidance looks interesting under a number of aspects. First of all, it provides a definition of additive manufacturing (“AM”), i.e., “a process that builds an object by iteratively building 2-dimensional (2D) layers and joining each layer below, allowing device manufacturers to rapidly alter designs without the need for retooling and to create complex devices built as a single piece.”

It also defines itself as a “leap-frog guidance” and clarifies that “leap frog guidances are intended to serve as a mechanism by which the Agency can share initial thoughts regarding emerging technologies that are likely to be of public health importance early in product development”, which is a nice way to say that the FDA recognizes that its thoughts are just initial and subject to change.

A number of caveats are singled out and manufacturers are invited to be careful about, and to design their quality systems so they take due account of:

  • device design, which can be altered in AM due to various factors (pixelation of features, various patient-matching techniques, effects of imaging, etc.);
  • software and software interactions;
  • machine parameters and environmental conditions;
  • material used (which can be raw material or recycled);
  • post-processing phase;
  • process validation and acceptance activities;
  • device testing;
  • cleaning and sterilization;
  • biocompatibility.

The FDA also believes that AM devices that are patient-matched should be subject to additional labelling information.

The draft guidance does not address the use or incorporation of biological, cellular, or tissue-based products in AM, which may require additional regulation. Also, point-of-care device manufacturing may raise additional technical considerations.

Art. 29 Working Party on EU-US Privacy Shield: Trust Not Yet Restored For Transatlantic Data Flows

Only a few months after the 2015 Court of Justice of the European Union (CJEU) landmark decision that put an end to the Safe Harbour system, the EU Commission proudly announced a new framework agreement with the US authorities, allegedly providing strong safeguards, sufficient to “enable Europe and America to restore trust in transatlantic data flows” (Commissioner Věra Jourová).

According to the Commission’s press release, the Privacy Shield’s guarantees include:

  • strong obligations on companies and robust enforcement;
  • clear safeguards and transparency obligations on US government access;
  • a redress possibility through an independent Ombudsperson mechanism;
  • effective protection of EU citizens’ rights through various measures (a specific timeline for resolving complaints, a free of charge alternative dispute resolution solution, as well as the possibility for EU citizens to lodge complaints with their national Data Protection Authorities, who will work with the Federal Trade Commission to solve them).

Nevertheless, the newly issued opinion of the Art. 29 Working Party (“WP29”) already raised strong criticism against the Privacy Shield, tempering the Commission’s enthusiasm. Although WP29 did not abstain from underlining the improvements the Privacy Shield offers in comparison to the invalidated Safe Harbour decision, its concerns seem to eclipse those positive features, leading to the overall negative assessment of the new framework. Moreover, the impression is that the Privacy Shield led to more uncertainty, leaving everyone frustrated, with the exception of those authorities that negotiated it.

But what are, then, according to WP29, the improvements offered by the Privacy Shield? On the other hand, what major concerns does it raise? Finally, does it provide for adequate answers to post-Safe Harbour issues?

Firstly, it must be recognized, as WP29 certainly does, that the Privacy Shield represents a large step forward from Safe Harbour in terms of data protection. And, one could argue, it couldn’t be otherwise, since the Safe Harbour decision dates back sixteen years, to before Facebook, the social network and big data era, and the emergence of encryption vs. surveillance-like debates.

However, WP29 welcomes the additional avenues of recourse made available to individuals to exercise their rights, together with the extensive attention dedicated to data accessed for purposes of national security and law enforcement. Increased transparency measures are also appreciated by WP29: both those offered by the US administration on the legislation applicable to intelligence data collection and those provided through the introduction of two Privacy Shield Lists on the US Department of Commerce website (one containing the records of those organizations adhering to the Privacy Shield and one containing the records of those that have adhered in the past, but no longer do so).

Unfortunately, it seems that these (few) general positive notes are by far outweighed by the much more incisive negative remarks made by WP29. WP29 points out the inadequate safeguards set forth to protect some key data protection principles under European law: the data retention principle is not expressly mentioned by the Privacy Shield instruments (nor can it be clearly construed from their current wording) and onward transfers of EU personal data to third countries are insufficiently framed. Despite the EU Commission’s enthusiastic press releases, WP29 underlines how, from the documents signed by US authorities, it cannot be fully excluded that US administrations will continue the massive and indiscriminate collection of data. And one cannot abstain from noting how crucial the latter aspect is, being one of the main reasons that led the CJEU to invalidate the Safe Harbour decision. Moreover, WP29, while recognizing the effort to create additional oversight mechanisms, considers those efforts unsatisfactory: the new redress mechanisms, in practice, may prove to be too complex and difficult to use and, more specifically, the capability of the Ombudsperson mechanism to be truly independent from US governmental authorities is strongly questioned. The lack of clarity of the new framework is also criticized by WP29, which calls for a glossary of terms to be included in the negotiated instruments, in order to ensure that the key data protection notions of the Privacy Shield will be defined and applied in a consistent way. Lastly, WP29 points out, rightly, how the newly issued Privacy Shield documents already appear out-of-date, considering the approval and forthcoming entry into force of the EU data protection reform, which will bring important improvements on the level of data protection offered to individuals, not at all reflected in the Privacy Shield.

The adequacy of the Privacy Shield to address the issues raised after the CJEU decision invalidating Safe Harbour is hence, at least, arguable. The significant uncertainty created after the fall of Safe Harbour is not only far from being clarified but, possibly, worsened. The major concerns raised by the CJEU have not been adequately tackled, especially if one considers the absence of clear-cut undertakings of the US authorities on mass surveillance programs by security intelligence agencies. Regulatory costs on companies and governmental agencies will not therefore be balanced by stability, certainty and higher levels of fundamental rights protection, leaving everyone dissatisfied.

So, what’s next for Privacy Shield? Another advisory decision is awaited from the Article 31 Committee after the second half of May. Then, different options are available but, basically, the implementation of Privacy Shield could take place with or without addressing WP29’s most important concerns. In any case, legal challenges before the CJEU, as well as claims brought to national data protection authorities, will always be open and very likely to happen, given the overall uncertainty characterizing transatlantic data flows: trust is, indeed, very far from being restored.

Interview with Diana Saraceni of Panakés Partners

This post features an interview with Diana Saraceni, founder and managing partner of PANAKÈS PARTNERS, a venture capital investor that finances medical companies, early-stage startups and SMEs in Europe and Israel.

Why does Panakés Partners focus on Med-Tech?

Life sciences, especially Med-Tech, have always been an innovative and growing sector. Improving health conditions is one of the goals of developed countries, and new challenges will always face us. Considering this highly changing environment, start-ups and small companies appear to have the best structure to generate innovative solutions. In Europe there are several areas of excellence in technology and chemistry, the ideal environment where promising Med-Tech start-ups can develop. Moreover, the European regulatory system has faster and easier protocols for companies to get the CE mark and go to market, especially compared to the American system, where FDA approval requires more effort, both in economic and clinical terms, to enter the market. Lastly, if we consider that western countries invest, on average, 10% of GDP every year on health services and that medical and pharmaceutical enterprises are the most active in acquiring start-ups, the great opportunity Med-Tech represents for us becomes evident.

What are the specific areas where you expect more growth in the future?

Considering the ageing of the population and the need of hospitals to optimize their resources and reduce costs, we expect a great demand for technologies designed for home healthcare and chronic pathologies management. These new solutions will allow patients to receive their treatment directly at their own home, letting hospitals focus their resources on acute pathologies treatment. Furthermore, we are confident that there will be a significant growth in all technologies aimed at minimally invasive medicine. We are talking about in vitro diagnostics systems or robot-assisted surgery, which will substitute, or at least reduce, tissue biopsies and traditional surgery. Lastly, we expect a great increase in solutions for personalized therapies. These technologies, which combine genetic profiling with Big Data algorithms, will help physicians in the definition of therapies specifically tailored for every patient, increasing the probability of success.

Which countries appear to have the best factors (in terms of legislation, culture, access to funding and applied research) that help foster innovation?

By tradition, Anglo-Saxon countries are the ones with a more innovation-oriented policy. Everyone who has interesting ideas is encouraged to develop them; entrepreneurs never stop looking for new opportunities and skip from one project to another, as if they had not realized anything yet; legislation offers benefits to support the creation of new companies. These are the reasons why realities such as incubators and venture capital funds were born and are widespread in these countries. Regarding the specific case of Italy, we can state that the presence of top-class engineers and the excellence of Italy in clinical research in several areas, combined with lower costs than the other developed countries, are the main factors for the success of many Italian start-ups.

Which challenges lie ahead of you?

We received hundreds of requests for funding from companies all over Europe. Now, our main challenge will be to select the most promising ones, both in terms of proposed technology and feasibility of the project. Furthermore, we need to enlarge our network, in order to reach more companies and to find those with the potential to change the status of medicine and build up more success stories out of Europe. We like to think of Panakés as a highly entrepreneurial start-up from a certain point of view, with great opportunities and successes just waiting for us!

 

Encryption vs. Surveillance: How the Debate on Whether to Lock or Unlock a Cell Phone Will Shape Our Future

All of a sudden, the debate on privacy and encryption, typically confined within law school classes, between think tanks or on specialized blogs (such as ours), is making headlines.

Apple, the tech giant, is emerging as a new privacy champion ready to fight against the US government, and possibly many other governments in the world, in order to protect individuals’ data.

It is probably too early to draw conclusions on this debate, the outcome of which will determine the degree of freedom that citizens will enjoy in the future, and the degree of surveillance that governments will have over citizens. The two extreme nightmare scenarios are clear:

  • an Orwellian world where individuals record every snippet of their life (including sensitive data such as health data!) and governments have unhindered access and control on such data;
  • a world devastated by terrorist groups, who want to destroy modern culture, yet have unconstrained access to encryption and to communication instruments that magnify their terror threats.

We are obviously eager to see what the US federal court will decide on the appeal announced by Apple. However, it is even more interesting to read the various positions on the issue in the debate. This is a list of articles that we have found most thought-provoking:

Enjoy the reading!

Pause for the Holidays: an Exciting Year Lies Ahead!

No doubt you deserve the holiday break that is coming up! We wish you a peaceful time off and a fabulous new year.

Indeed, 2016 promises to be a very interesting year for life sciences.

From the business point of view, the title of Deloitte’s study says it all: “Moving forward with cautious optimism”. Not too enthusiastic, admittedly… but the centrality of the health sector in an ageing society is expected to overcome the strictures of health spending’s decrease in mature markets.

When it comes to legislation, the European Commission certainly has grand plans for 2016. Final language is ready for the General Data Protection Regulation and the Data Protection Directive in the Field of Law Enforcement: the new rules will have an impact on m-health and medical devices’ manufacturers in particular, as well as on European companies in general. Stay tuned! Will the Medical Device Regulation and In-Vitro Diagnostic Regulations see the light in 2016? That remains to be seen.

We hope you have enjoyed our musings on issues that lie at the intersection of law and technology in 2015: we intend to bring you more in 2016.

Warm wishes from the Life Sciences’ Team at Italy Legal Focus.