Merry holidays and happy 2017! We’re moving and merging!

Dear Clients and Friends,

We are very pleased to inform you that, as of January 1, 2017, Studio Legale Bernascone e Soci – Italy Legal Focus will join forces with the law firm Gitti and Partners (www.grplex.com).

Gitti and Partners brings together talented attorneys who provide excellent independent legal advice in connection with complex and sophisticated transactions, some of which made history in the Italian market. After the combination, the firm will be powered by over 50 professionals with specific expertise in the areas of M&A/PE, Real Estate, Capital Markets, Banking & Restructuring, Litigation, Regulatory, Tax, Labour and Life Sciences.

“Our clients will surely benefit from an increased spectrum of practice areas and industries’ focus, while continuing to rely on the excellence of client service that has always been a common feature of both firms”, commented Gabriele Bernascone, founding partner of Studio Legale Bernascone e Soci – Italy Legal Focus, whose roots trace back to 35 years ago and with a reputation as “an experienced and reliable firm” (The Legal 500, 2016).

As from December 30, 2016, we will relocate to Via Dante 9, 20123 Milan, while our telephone numbers will remain unchanged. We are very excited by this new chapter of our professional lives and look forward to your continued support. We will continue to collect our reflections on law and innovation in this blog: stay tuned in 2017!

Best wishes from the blog’s contributors,

Paola Sangiovanni, Flavio Monfrini, Marco Bertucci

 

Healthcare, Technology and Malpractice in 2030

The “Home-Spital” of 2030.

I have enjoyed reading this article on what healthcare may look like in 2030 (in wealthy countries, may I point out). The author of the article says goodbye to the hospital, while welcoming the “home-spital”. She imagines that technology (think driverless cars and robot workers) will help us live in a safer world. Technology will also help prevent certain diseases. Regenerative options will slow down ageing. “You will go to hospital to be patched up and put back on track. Some hospital practices might even go away completely, and the need for hospitalization will eventually disappear. Not by 2030, but soon after”, she predicts.

Healthcare and Technology will be Increasingly Intertwined.

Telemedicine may become so pervasive that hospitals may be empty of patients and filled with patients’ data, continuously fed through wearable patient-monitoring devices or all kinds of sensors. Hospitals may become bio-printing laboratories, where 3D printers will manufacture organs, tissues and bones on demand.

It is somewhat uplifting to imagine that medicine may become so technologically advanced, so personalized and so effective, and health so plentiful. Others, however, warn against the threat of a de-humanized medicine that will solely rely on machines and will be unable to offer a human side to suffering individuals.

Will Technology Render Doctors Error-Free?

While this new world will pose issues of privacy, data security and fraud, will it solve the problem of malpractice? What will be the role of doctors in 2030? Will technology eradicate human error?

Technology is already helping doctors in many ways: drugs, devices and diagnostic instruments are now less harmful, more precise and a lot more effective. The Watson computer is assisting oncologists in finding the appropriate cure. Simulators help doctors in their training and in performing surgical procedures. Checklists, protocols and guidelines can be embedded in the doctors’ routine so as to limit, recognize or avoid repetition of human error. We can foresee a world of doctors who follow protocols embedded in devices, leaving less room for deviation from standard practice, but also for mistakes: a computerized doctor, almost. Will this make doctors error-free?

Of Course, Technology can be a Source of Error, too.

The idea of technological devices that are perfectly designed and always perfectly functioning is false, as any product liability lawyer knows. Even the best technology is subject to faulty design of a whole line of products, or faulty manufacturing of a single product.

Malpractice and Product Liability Litigation may Merge in 2030.

Litigation may simply become more complex. In fact, doctors will be sued by patients along with creators of health apps, health data centers, data carriers, device or drug manufacturers, subjects who feed data to 3D printers or who analyze and monitor data processed by devices. It will be increasingly hard to disentangle doctors’ negligence from the liability of med-tech, diagnostic or pharma companies. Litigation will rely even more heavily on the opinion of court-appointed experts, who will need to be a panel of specialists with bioengineering, medical and information technology skills.

Two classes of doctors will probably emerge, even more distinctively than before: doctors who follow protocols suggested by computers, whose tasks will become closer to those of paramedics, and doctors engaged in research who write protocols that will bind other doctors. The first class will probably see a reduction in its freedom to make medical choices, but may be increasingly shielded from medical malpractice litigation. The protocol-writing doctors will work even more closely with the industry that designs, tests and manufactures medical technology.

Watch Out for the Paradox of Automation!

As this very interesting article (based on an analysis of the 2009 crash of Air France Flight 447, which killed 228 people) suggests, the so-called “Paradox of Automation” could come into play. Tim Harford, the author, explains it as follows: “First, automatic systems accommodate incompetence by being easy to operate and by automatically correcting mistakes. Because of this, an inexpert operator can function for a long time before his lack of skill becomes apparent – his incompetence is a hidden weakness that can persist almost indefinitely. Second, even if operators are expert, automatic systems erode their skills by removing the need for practice. Third, automatic systems tend to fail either in unusual situations or in ways that produce unusual situations, requiring a particularly skilful response. A more capable and reliable automatic system makes the situation worse.”

Technology that babysits doctors may ultimately weaken their skills. While automated devices may limit small errors, they may “create the opportunities for large ones”.

Conclusions.

Technology surely helps, who could deny that? But a messianic hope that technology will propel us into a risk-free, error-free and… malpractice-free world is a simplistic approach that is plain wrong.

Italian Data Protection Authority Authorizes the “Privacy Shield”

The Italian Data Protection Authority has authorized the transfer of personal data to the United States on the basis of the new “Privacy Shield” program, designed by the European Commission and the U.S. Department of Commerce to provide companies with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. On July 12, 2016 the European Commission deemed that the “Privacy Shield” offered adequate protection and could enable data transfers under EU legislation.

The Italian Data Protection Authority has now issued a general authorization for the processing and transfer of personal data in accordance with the “Privacy Shield” program and with the European Commission adequacy decision. The general authorization will be published today in the Official Gazette. Italian companies and multinational corporations active in Italy will therefore be able to transfer personal data to United States entities adhering to the “Privacy Shield”.

This latest decision comes after the expiration of the previous general authorization allowing the transfer of personal data to the United States pursuant to the “Safe Harbor” framework, held invalid by the Court of Justice of the European Union on October 22, 2015.

The European Commission plans to implement a continuous monitoring of the “Privacy Shield”, while at the moment it remains unclear how many business entities will seize this opportunity and join in the new program.

Artificial intelligence and robotics: a report reflects on legal issues

With the report issued on May 31, 2016 by the European Parliament (“Report”), the European Union has stepped into the debate on how to deal with artificial intelligence and robotics (“AI&R”). The ultimate goal of the European Parliament is to set forth a common legal framework that may avoid discrepancies arising from different national legislations, which would otherwise create obstacles to an effective development of robotics.

The Report introduces ethical principles concerning the development of AI&R for civil use and proposes a Charter on Robotics, composed of a Code of Ethical Conduct for Robotics Engineers, a Code for Research Ethics Committees and Licenses for Designers and Users.

Furthermore, the Report suggests the creation of a European Agency for AI&R, having an adequate budget, which would be able to generate the necessary technical, ethical and regulatory expertise. Such agency would monitor research and development activities in order to be able to recommend regulatory standards and address customer protection issues in these fields.

The Report, which recommends that the Commission prepare a proposal for a directive on civil law rules on robotics, illustrates many of the issues that society could face in a few decades regarding the relationship between humans and humanoids. In fact, a wide range of robots already can, and could even more in the future, affect people’s lives in their roles as care robots, medical robots, human repair and enhancement robots, doctor training robots, and so on.

A further development that may be concerning for lawyers is connected to the announcement, a few days ago, by the University College London that a computer has been able to predict, through a machine-learning algorithm, the decisions by the European Court of Human Rights with a 79% accuracy. Will this result in a more automatic and predictable application of the law?

In order to secure the highest degree of professional competence possible, as well as to protect patients’ health when AI&R is used in the health field, the Report recommends strengthening legal and regulatory measures such as data protection and data ownership, standardization, safety and security.

One concern arising from the Report is civil liability arising from the use of robots. Should the owner be liable for damages caused by a smart robot? In fact, in the future, more and more robots will be able to make “smart” autonomous decisions and interact with third parties independently, as well as cause damages on their own. Should such damages be the responsibility of the person who designed, trained or operated the robot?

Some argue in favor of a strict liability rule, “thus requiring only proof that damage has occurred and the establishment of a causal link between the harmful behavior of the robot and the damage suffered by the injured party”.

The Report goes even further by asking the Commission to create a compulsory insurance scheme for owners and producers to cover damage potentially caused by robots and a compensation fund guaranteeing compensation for damages, but also allowing investments and donations in favor of robots.

Exciting times lie ahead of us. It remains to be seen if the current legal principles will be sufficient or if new ones will actually be necessary.

Legal Issues 4.0: what approach suits innovation better?

The fourth industrial revolution is undoubtedly in the bull’s eye of international and domestic economic discussions. To name just one of the major events that recently focused on the Industry 4.0 debate, one could mention the World Economic Forum 2016 Annual Meeting held in Davos on January 20-23 2016, together with its ambitious title: Mastering the Fourth Industrial Revolution.

Indeed, starting from Germany’s Industrie 4.0, European governments have been trying to master the demanding challenges that the fourth industrial revolution brought, taking coordinated actions with companies and research institutions in order to attract investments and be more competitive in the global manufacturing scene.

At a glance, Industry 4.0 consists in the transformation – or rather the evolution – of industrial manufacturing based on the new possibilities offered by:

  • The ability of machines, devices and sensors to connect and communicate with each other and analyze/process large amounts of data;
  • The ability of information systems to create a virtual copy of the physical world by enriching digital plant models with sensor data;
  • The ability of assistance systems to support humans by aggregating and visualizing information comprehensibly for making informed decisions and solving urgent problems on short notice;
  • The ability of cyber physical systems to physically support humans by conducting a range of tasks that are unpleasant, too exhausting, or unsafe for humans;
  • The ability of cyber physical systems to make decisions on their own and to perform their tasks as autonomously as possible.

The phenomenon hence embraces many fast-evolving fields such as Robotics, Internet of Things, Big Data and Smart Data.

After Germany, other European as well as overseas governments took actions aimed at exploiting, promoting and fueling with investments the research and development driven by such innovations. The United States started Manufacturing USA and France announced Industrie du Futur, to name just a few of such governmental programs.

Lastly, here in Italy, only a few days ago the Italian government announced the main features of its national Industria 4.0. The plan will make available public investments up to ten billion euro between 2017 and 2020, providing for tax incentives, as well as support for venture capital, ultra-broadband development, education and innovative research centers.

A number of legal issues are raised by the fourth industrial revolution.

  • The first and – one would say – more obvious one, is related to data protection. Intelligent and multi-linked objects continuously collect, generate and transmit data (including personal data) that are processed and analyzed, often across State’s boundaries, by both automated and manual means. It is hence fundamental that data protection laws and regulations offer appropriate legal instruments to control and limit what can potentially become an uncontrolled and automated leakage of personal data.
  • Property law is also at stake. In particular, in relation to non-personal data produced by machines and objects, ownership of such “products” seems to be mainly unregulated, with the exception of some specific instruments subject to database’s Moreover, moving towards more typical IP issues, it is clear that enhanced digitalization and connectivity both bring the risk of not being able to effectively keep trade and industrial secrets, as well as not being able to protect undisclosed know-how and business information.
  • Labour law will have to find instruments in order to manage the potential job loss deriving from automatization and innovation.
  • Product liability and, more in general, the legal framework of civil (and criminal) wrongs will have to face the fact that machines are more and more able to communicate, act and, in a way, “think” autonomously.

Can these challenges be tackled with existing legal instruments or do they require the adoption of tailor-made, brand new solutions?

The legal fields that have been mentioned here are, indeed, varied and do not allow one straightforward answer. Nevertheless, it may be worth noting that pushing for over-specific and unrealistically always-up-to-date legal instruments can be very risky. It can result, in fact, in a never-ending (but always late) frantic chase of fast-paced technological developments, which can be more effectively tackled by adapting traditional flexible tools.

As recently underlined by a study led by the European Parliament, “many of these issues have a cross-border and even pan-European element, e.g. migration of skilled labour, completing the digital single market and cybersecurity, cross-border research, standards etc”.

Perhaps, the success of the fourth industrial revolution from a legal point of view will largely depend on the ability and willingness to find harmonized and common solutions to global challenges, rather than create over-particular and specific new instruments. From this perspective, the new European Regulation on Data Protection can be seen as an encouraging legislative action providing for flexible but effective tools (such as, for example, data protection by design and data protection by default provisions) within the framework of the harmonizing strength of the European Regulation legal instrument.

Health Data Registries and Surveillance Programs, a New Italian Regulation Steps Up the Game

A new Italian regulation governing health data registries and surveillance programs aims at facilitating the use of such tools for purposes of monitoring the health of the population, as well as healthcare spending. A comprehensive legal instrument regulating the various categories of registries and programs was much needed. In fact, the adoption of such a regulation was envisaged by national legislation since 2012 (Section 10 of law decree 179/2012), but no implementing measures have yet been adopted. A draft regulation has now been released by the Italian government and submitted to the State-Regions conference prior to formal entry into force. The draft has already been reviewed by the Italian Data Protection Authority.

The new regulation aims at standardizing registries and programs adopted over the years, by setting forth: (i) the entities and professionals who may access the information contained in the registries, (ii) the categories of data that are available, and (iii) the measures to be adopted to ensure the security of data in line with data protection legislation.

The goals pursued by the regulation include a better monitoring of diseases at national level and related treatment, survival rates, mortality index, as well as the increase or decrease over time of a certain disease. The data stored in the registries should also facilitate the carrying out of epidemiological studies in specific territories and/or for specific subsets of the population. Such broad purposes would allow the data to be used in connection with scientific studies, but also for the treatment and prevention of particular diseases.

The data protection provisions enshrined in the regulation are particularly stringent, and provide that all data must be processed by individuals specifically appointed by the data controller and subject to secrecy obligations. Furthermore, the data shall be encoded in a way that does not allow the de-anonymization of the data. Only in case of adverse events and related field actions, data may be used to contact the interested subject upon prior authorization of the national registry holder. Data breaches will also need to be reported to the Data Protection Authority.

In conclusion, the new regulation provides welcome clarity in a field where regulations have been sporadic and at times incoherent. Moreover, the new regulation seeks to govern at the same time the different legal aspects connected with registries, from healthcare monitoring to data protection. There is little doubt that the hope of the government is to optimize such instruments to better control healthcare spending and conduct a more effective assessment of therapies and products on the market.

 

 

Is Privacy Really a Fundamental Right?

Privacy of individuals is framed as a fundamental right in the European Union. In fact, the new European Union Regulation no. 2016/679 reiterates this in the very first of its “whereas”.

Yet, it is clear to everyone that such “fundamental” nature is regularly questioned by various factors, and particularly:

  • Technological progress, coupled with people’s growing addiction to smartphones, allowing the collection of an amazing amount of personally identifiable information and leading to big banks of intrusive data; and
  • Security threats that prompt governments to closely monitor citizens’ behavior.

Once upon a time courts were called to decide on how to balance conflicting rights. These days, the act of balancing privacy and other issues has become much more common and it is in the hands of a variety of subjects, such as data processors, who must carry out a data protection impact assessment according to Section 35 of the EU Regulation no. 2016/679, and data protection authorities, who provide both general guidelines and specific advice.

A couple of recent decisions by the Italian Data Protection Authority have led me to believe that the Authority is readier than before to accept that there are justified limits to the right to privacy:

  • On July 14, 2016, the Italian Data Protection Authority decided that a bank is allowed to analyze behavioral/biometric information regarding its customers (such as mouse movements or pressure on the touch screen) as a measure to fight identity theft and internet banking fraud. Of course, a number of limitations have been set by the Authority, in addition to consent of the customer/data subject, such as specific safety measures, purpose and time limitations, and the segregation of the customer names from the bank’s IT provider.
  • On July 28, 2016, the same Authority granted its favorable opinion to the use of face recognition software at the Olimpico stadium during soccer games in order to check that the data on the ticket and the face of the person actually attending the event correspond. Provided that strong security measures are used and that the processing is carried out by police forces, the processing was deemed to be necessary.

A tougher stance, instead, is adopted by the Italian Data Protection Authority in cases of processing aimed at marketing purposes, as in this decision, for example. (I note, however, that the code of conduct applying to data processing for the purposes of commercial information that will enter into force on October 1, 2016, blessed by the Italian Data Protection Authority, continues to allow the dispatching of commercial communications to individuals whose personal data is included in public listings, even without the data subject’s express consent).

Balancing rights and interests is inherent to law and justice. It remains to be seen, considering the obvious (and absolutely reasonable) limitations to which the right to privacy is subject, if it will continue to make sense to frame it as a “fundamental” right.

The New EU-US Privacy Shield

Yesterday the European Commission announced that the new agreement between the European Union and the United States on European data flowing into the United States has been approved. After months of negotiations, the deal was enthusiastically announced as “a robust new system to protect the personal data of Europeans and ensure legal certainty for businesses” that “brings stronger data protection standards that are better enforced, safeguards on government access, and easier redress for individuals in case of complaints” in the words of Věra Jourová, EU Commissioner for Justice, Consumers and Gender Equality.

Ever since the 2015 Court of Justice of the European Union (“CJEU”) landmark decision that put an end to the Safe Harbour system (i.e., the previous agreement regarding EU-US data flows), the US and the EU had negotiated for about 2 years in the attempt to create a system that aims at reassuring European citizens and creating clarity for United States businesses. An initial agreement on the Privacy Shield was already reached in February, and heavily criticized by the association of European data protection authorities named “Article 29 Working Party” (as we covered in our blog). Allegedly, the European Commission has taken note of such criticism and added additional clarifications and improvements to the draft.

Here are the main features of the Privacy Shield, as set forth in the Commission’s fact sheet:

  • The U.S. Department of Commerce will register U.S. companies under the Privacy Shield if they commit to process personal data in accordance with certain compliance standards. It will also conduct regular updates and compliance reviews of participating companies, and companies who do not comply face sanctions and removal from the Privacy Shield list.
  • U.S. government’s access to personal data for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms. There will be no indiscriminate mass surveillance on personal data transferred to the US under the EU-U.S. Privacy Shield arrangement.
  • EU data subjects will, also for the first time, benefit from redress mechanisms in the area of national intelligence for Europeans through an Ombudsperson mechanism within the Department of State independent from the US intelligence services.
  • In case of processing of personal data in breach of the Privacy Shield, EU data subjects will have access to several dispute resolution mechanisms: (i) redress by the data controller, (ii) free of charge alternative dispute resolution solutions, (iii) complaints submitted to their national Data Protection Authorities, who will work with the U.S. Federal Trade Commission to resolve complaints, (iv) arbitration mechanism.
  • The functioning of the Privacy Shield will be monitored and a public report to the European Parliament and the Council will be issued.

The one million dollar question is: will the Privacy Shield hold?

The CJEU may strike it down in the future and privacy groups will undoubtedly test the waters with new cases. If this happens, some predict that there will not be any further attempt to create another “Safe Harbor” or “Privacy Shield”. As Mark Scott of the New York Times puts it: “The European Commission, the executive arm of the European Union, and the United States Department of Commerce spent years negotiating the new deal. If it were eventually overturned in court, few companies or privacy experts would have faith that either side could do any better the next time around”.

The Italian Administrative Supreme Court Opens New Perspectives for Therapeutic Equivalents

By rejecting an appeal from Novartis, the Italian Administrative Supreme Court, with its decision n. 1306 of April 1st, 2016, focused on the notion of therapeutic equivalence under Italian law. Having underlined the difference with the concept of bioequivalence and having broadened its possible future application, the decision is likely to push forward the trend of public health care institutions to increase competition between pharmaceutical companies in the context of public tender offers, possibly for the benefit of taxpayers and patients.

The controversy arose from an opinion issued by the Italian Medicines Agency (“AIFA”) which, in a tender procedure held by Tuscany region, evaluated the drug Lucentis by Novartis (active ingredient ranibizumab) as a therapeutic equivalent to Eylea by Bayer (active ingredient aflibercept). This allowed the regional public administration to have the said drugs compete against each other in the same tender offer.

Debates as to whether Lucentis and Eylea are equivalent in terms of functions are indeed not new in the pharmaceutical scene and have caused many headaches to Novartis, let alone the critical issues raised in relation to Lucentis by the Italian Antitrust Authority. Not a surprise, then, that Novartis tried to defend its product, alleging the illegitimacy and erroneousness of AIFA’s evaluation, which stated that the cheaper option by Bayer (Euro 780) is as safe and effective in the treatment of macular degeneration as its more expensive (Euro 902) drug.

Novartis, nevertheless, failed in its claims. The Italian Administrative Supreme Court confirmed the validity and correctness of AIFA’s evaluation, together with the decision of the lower court, affirming, inter alia, that:

  • therapeutic equivalence is different from bioequivalence because the latter implies the identity of the active ingredient whereas the former does not (indeed, FDA’s indications on the issue are rather similar);
  • the authority of AIFA in determining therapeutic equivalence is legitimate under Italian law;
  • evaluations regarding therapeutic equivalence cannot be based exclusively on the products’ leaflet: they are instead well motivated if they verify that (i) the drugs belong to the same Anatomical Therapeutic Chemical class; (ii) the drugs are subject to a similar route of administration and (iii) the drugs release the active ingredient in comparable ways.

Therapeutic equivalence, as it has recently emerged from Italian legislation and case law (in particular, from the decision discussed herein), is seen as a threat by pharmaceutical companies, unnerved by the increased competition effects.

Indeed, the debate has been escalated to a more general level by the Italian association of pharmaceutical companies, which challenged in many ways AIFA’s guidelines on therapeutic equivalence. As a consequence, a few days ago AIFA suspended the said guidelines for ninety days as a precaution.

It looks like the match has just begun. Nevertheless, pharmaceutical companies should consider carefully on which side they should play. In fact, the expansion of the application of therapeutic equivalence, as a general trend, does not seem to be stoppable in a constant spending review context. Perhaps pharmaceutical companies should positively contribute to shape, rather than to stop, therapeutic equivalence and exploit its potential for the business in terms of new opportunities to access tender offer procedures.

FDA’s Initial Thoughts on 3D Printing of Medical Devices Published Today

Curious about how regulations on 3D printing of medical devices will evolve? Check out the draft guidance published today by the United States Food and Drug Administration (“FDA”). Comments and suggestions are welcome and should reach the FDA within the next 60 days.

The draft guidance looks interesting under a number of aspects. First of all, it provides a definition of additive manufacturing (“AM”), i.e., “a process that builds an object by iteratively building 2-dimensional (2D) layers and joining each layer below, allowing device manufacturers to rapidly alter designs without the need for retooling and to create complex devices built as a single piece.”

It also defines itself as a “leap-frog guidance” and clarifies that “leap frog guidances are intended to serve as a mechanism by which the Agency can share initial thoughts regarding emerging technologies that are likely to be of public health importance early in product development”, which is a nice way to say that the FDA recognizes that its thoughts are just initial and subject to change.

A number of caveats are singled out and manufacturers are invited to be careful about, and to design their quality systems so they take due account of:

  • device design, which can be altered in AM due to various factors (pixelation of features, various patient-matching techniques, effects of imaging, etc.);
  • software and software interactions;
  • machine parameters and environmental conditions;
  • material used (which can be raw material or recycled);
  • post-processing phase;
  • process validation and acceptance activities;
  • device testing;
  • cleaning and sterilization;
  • biocompatibility.

The FDA also believes that AM devices that are patient-matched should be subject to additional labelling information.

The draft guidance does not address the use or incorporation of biological, cellular, or tissue-based products in AM, which may require additional regulation. Also, point-of-care device manufacturing may raise additional technical considerations.