AI and Healthcare: Recommendations by the Italian Data Protection Authority

The use of Artificial Intelligence in healthcare continues to grow, with the market projected to reach 188 billion by 2030. It also raises many concerns.

The Italian data protection authority (Garante) has recently issued recommendations based on 10 points, which can be found here.

The Garante particularly insists on:

  1. Human in the loop: a human being must be involved in the control, validation or modification of the automated decision;
  2. No algorithmic discrimination: trustworthy AI systems should reduce mistakes and avoid discrimination resulting from inaccurate processing of health data;
  3. Data quality: health data must be accurate and up to date, and the data subjects represented must correctly reflect the population;
  4. Transparency: the data subject must be able to know which decisions are based on automated processes and must receive information on the logic adopted, so as to be able to understand it (easier said than done!). The Garante also requires that at least an excerpt of the Data Protection Impact Assessment be published.

Other recommendations are not surprising for anyone familiar with the GDPR:

  • Profiling and decisions based on automated processes must be expressly allowed by Member State’s laws.
  • The principles of privacy by design and privacy by default obviously play a big role in healthcare AI systems.
  • Roles of controller and processor must be correctly allocated: in particular, the public administration must ensure that external entities processing data are appointed as data processors.
  • A Data Protection Impact Assessment must be carried out and any risks must be evaluated.
  • Integrity, security and confidentiality of data must be ensured.

Striving for genuine transparency in connection with very complex and rapidly evolving algorithms is not going to be an easy task for the data controller. Similarly, understanding how AI works in a healthcare setting is not going to be simple for patients.

Italy – At Last – Implemented the Registry of UBOs (Ultimate Beneficial Owners)

All legal entities established in Italy are affected by the new regulation, which provides for a December 11, 2023 deadline.

The register of ultimate beneficial owners has been established and has become operational also in Italy, after several extensions and delays. In fact, on October 9, 2023, the decree certifying the operation of the system for the communication of data and information on beneficial ownership was published in the Official Gazette.

This last decree, which completes the implementation of anti-money laundering legislation, triggers the obligation for all companies, private legal entities (associations, foundations and other institutions of a private nature with legal personality) and trusts to communicate data and information relating to their beneficial ownership.

The communication on beneficial ownership must be made to the Companies’ Registry at the territorially competent Chamber of Commerce by and no later than December 11, 2023, using exclusively electronic methods. With regard to companies, the communication must be digitally signed by a director, without the possibility to delegate such task. Therefore, directors who do not yet have a digital signature device will need to obtain one.

Subsequently, legal entities shall notify any change in their beneficial ownership within 30 days of the occurrence of the change. In addition, on an annual basis (and in any case within 12 months from the first communication), the beneficial ownership shall be confirmed: for companies this may take place on the occasion of the annual filing of the financial statements.

For more information on the new requirements, check out our Client Alert here or reach out to us directly.

GDPR Cross-Border Complaints: a New Regulation Proposal Attempts to Harmonize the Procedural Rules Among the Member States

On July 4, 2023, the European Commission issued a proposal for a new EU regulation laying down additional procedural rules aimed at ensuring better and more uniform enforcement of the GDPR among the Member States, especially with regard to the handling of cross-border complaints (the “Proposal”).

The Proposal was inspired by the findings of the reports issued by the European Commission and the European Data Protection Board concerning the status of the application of the GDPR among the Member States. Such reports stressed the need to make the handling of cross-border complaints more efficient and more uniform across the EU, since the proceedings followed by local data protection authorities (“LDPAs”) have been found to be designed differently and may thus lead to divergent application of the GDPR provisions.

The main features of the Proposal may be summarized as follows:

  • Submission and handling of cross-border complaints: The Proposal aims at removing the existing differences among the procedural rules applied by different LDPAs, namely with regard to how complaints on cross-border issues should be filed and what content they should have. In this respect, a template for the filing of cross-border complaints, including a standard pre-determined set of information to be provided, has been drafted. The Proposal further specifies procedural rules for the rejection of complaints in cross-border cases and clarifies the roles and rights of the lead LDPA and of any other concerned LDPAs. A system of amicable settlement of complaints is also encouraged.
  • Procedural rights of parties under investigation: The Proposal further aims at harmonizing and strengthening the rights of defence in the course of cross-border investigations and proceedings. Specifically, the Proposal recognizes an extended right of the parties to be heard at key stages of the proceedings and requires the creation of an administrative file, together with the parties’ right of access to it.
  • Tools for cooperation between LDPAs: New tools have been designed to ease the building of consensus between the involved LDPAs on the main features of cross-border proceedings from their preliminary phase, in order to limit recourse to the (time-consuming) dispute resolution mechanism provided by Article 65 GDPR to a few exceptional cases. LDPAs that are called to handle a cross-border complaint are required to provide the other involved LDPAs with a “summary of key issues”, in which the main findings of fact and legal grounds underlying each complaint are set out. Concerned LDPAs will be able to provide their views on such summary and to raise “relevant and reasoned objections”, in which case a specific fast-track procedure is designed to ensure that disagreements among LDPAs are settled at the beginning of the process.
  • Acceleration of cross-border proceedings: Lastly, by imposing strict deadlines, the Proposal aims to prevent undue delays in the proceedings.

At the moment it is still unclear whether the Proposal will be officially adopted and become a binding regulation. Certainly, it has been welcomed by the European Data Protection Board and by the European Data Protection Supervisor, and it may be a good opportunity to level the differences among Member States and make the proceedings more efficient.

New ANAC Guidelines On Whistleblowing Legislation

On July 12, 2023 the Italian National Anti-Corruption Authority (“ANAC”) issued the much awaited “Guidelines on the Protection of Persons Reporting Violations of Italian and European Law” (the “Guidelines”).

The Guidelines, inter alia, indicate who the recipients of whistleblowing reports may be. The reports may be handled, alternatively, by:

  1. an internal person within the administration/body; or
  2. an internal office within the administration/body with dedicated staff, even if not exclusively; or
  3. an external person.

With regard to private entities, ANAC requires that the person or office entrusted with the task of managing the reporting channel has autonomy, which, in the opinion of ANAC, is to be interpreted as impartiality and independence.

Furthermore, ANAC leaves a certain room to identify such person or office depending on the circumstances. In fact, the Guidelines set forth that “for private entities, the choice of the entity to be entrusted with the role of the whistleblowing management is left to the organizational autonomy of each entity, in consideration of the requirements related to the size, the nature of the activity carried out and the actual organizational reality. [..] This role, purely by way of example, may be entrusted, inter alia, to the internal audit bodies, to the Supervisory Board provided for by the rules of Legislative Decree No. 231/2001, and to the ethics committees.”, thus confirming that the Supervisory Body under Legislative Decree No. 231/2001 can act as recipient of the reports.

Excellent, Again!

We are very proud to share that our practice has been recognized once again for its “excellent” work in the 2023 rankings of Leaders’ League for the Healthcare, Pharmaceutical and Biotech sector in Italy.

Striving for excellence is our goal and we are thankful to our clients and colleagues who have made all of this possible and continue to trust us.

The full rankings are accessible here: https://www.leadersleague.com/en/rankings/healthcare-pharmaceuticals-biotech-sector-health-pharmaceutical-industry-ranking-2023-law-firm-italy

Looking forward to many more future achievements!

GDPR Turns 5, and Trans-Atlantic Data Flow Remains a Headache

Happy birthday to the GDPR, which turned 5 years old on May 25, 2023! Is the European Union (and, given the Brussels effect, perhaps the entire world) a better place than before the GDPR? This is a difficult question. Surely there has been a lot more focus on data protection by companies. And one of the reasons why companies have attempted to comply (100% compliance appears to be an unachievable goal!) is the possibility of being sanctioned with “administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher“. Clearly, while the very same GDPR language applies throughout the EU, data protection legislation is not yet harmonised, not even 5 years after its entry into force. About 30 articles of the GDPR allow Member States to depart from it. Interpretations of the Regulation also vary, so in many areas uniformity has given way to diversity (which, in this case, is not ideal).

Additionally, enforcement of the GDPR is entirely decentralized, and data protection authorities have different views, differing resources and different strategies. A list of GDPR sanctions is regularly updated and, since the Meta decision of May 22, 2023, the Irish Data Protection Commission has emerged as the champion. While it was previously criticized for “being too cozy to Big Tech”, it has issued the highest sanction ever, along with strong measures ordering Meta to stop further transfers of personal data from the EU to the US and to bring its processing of data already transferred to the US into compliance with the GDPR. The problem, once again, stems from the trans-Atlantic data flow from the EU to the US, and from the concern that such EU personal data is subject to surveillance in the US without any redress system for EU citizens. (Incidentally, thousands of companies, like Meta, may have the same problem.)

The US and EU have yet to reach an agreement that would allow a safe flow of data (although there are hopes that progress will be achieved by July). Further, there is no guarantee that the European Court of Justice will not strike down any such new arrangement, as it did in the past (twice). Meanwhile, the post-GDPR world appears to be pushing strongly towards data localization (or “sovereign cloud”), making data flows out of the EU to non-“adequate” countries very scary.

GARANTE VS. CHATGPT: LATEST DEVELOPMENTS

1. An Order to Stop ChatGPT

On March 30, 2023 the Italian Data Protection Authority (“Garante”) issued an order by which it temporarily banned the ChatGPT platform (“ChatGPT”) operated by OpenAI LLC (“OpenAI”). The Garante regards ChatGPT as infringing Articles 5, 6, 8, 13 and 25 of the GDPR. In particular:

  • No Information.  OpenAI does not provide any information notice to users whose data is collected by OpenAI and processed via ChatGPT;
  • No Legal Basis.  There is no appropriate legal basis for the collection of personal data and its processing for the purpose of training the algorithms underlying the operation of ChatGPT;
  • No Check of User’s Age.  OpenAI does not provide for any verification of users’ age in relation to the ChatGPT service, nor any filter preventing use by users aged under 13.

As a result, the Garante immediately banned the use of ChatGPT, and OpenAI blocked access to ChatGPT from Italy.

2. Measures Offered by OpenAI

On April 11, 2023, in light of the willingness expressed by OpenAI to put in place measures to protect the rights and freedoms of ChatGPT users, the Garante issued a new order, which opened the possibility of re-assessing ChatGPT if OpenAI adopts the following measures:

  1. to draft and publish an information notice to data subjects, which should be linked so that it can be read before registration;
  2. to make available, at least to data subjects connecting from Italy, a tool to exercise their right to (i) object, (ii) obtain rectification, insofar as such data have been obtained from third parties, or (iii) obtain erasure of their personal data;
  3. to change the legal basis of the processing of users’ personal data for the purpose of algorithmic training, by removing any reference to contract and instead relying on consent or legitimate interest;
  4. to require all users connecting from Italy to go through an “age gate” and to submit a plan for the deployment of age verification tools; and
  5. to promote a non-marketing-oriented information campaign by May 15, 2023 on all the main Italian mass media, the content of which shall be agreed upon with the Garante.

OpenAI has until April 30, 2023 to comply (and until May 31, 2023 to prepare a plan for age verification tools). The objections raised by the Garante have been echoed by other European Union data protection authorities. The European Data Protection Board will attempt to resolve the dispute within two months and has launched a dedicated task force on ChatGPT “to exchange information on possible enforcement actions conducted by data protection authorities”.

PAYBACK ON MEDICAL DEVICES IN ITALY: LATEST UPDATES

The medical devices sector in Italy has been struggling for several months now, as the Government is retroactively demanding that sellers of medical devices refund a share of the overspending incurred by the regional health systems during the years 2015-2018.

In fact, following a law decree enacted in August 2022, businesses and companies that won public tenders and supplied Italian hospitals with medical devices from 2015 onwards have been requested to return to the Regions part of the related revenue, for a total amount of more than 2 billion euros.

In December 2022, Regions issued decrees ordering that the medical devices operators pay their respective quotas of the so-called “payback” contribution by the end of January 2023.

However, hundreds of claims were filed before the Administrative Court of Rome, and the Government decided to postpone the payment deadline to 30 April 2023.

As the payment deadline draws closer, it appears that at yesterday’s Council of Ministers meeting the Government issued a new law decree providing for a (still unspecified) discount in favour of businesses and companies that waive all claims and pay the discounted contribution by 30 June 2023.

While this new law decree is yet to be published in the Official Gazette, it seems likely that the compromise reached at political level will not satisfy the expectations of several companies operating in the medical devices sector, meaning that the challenge is far from over.