Tag Archives: data protection

Italian Data Protection Legislation Is Enacted

Finally (!), the Italian government has enacted a legislative decree that amends the existing Data Protection Code in order to ensure its compliance with the GDPR. Additionally, the Italian legislator has filled the gaps that the GDPR had left to Member States.

Here are the main takeaways in the health area:

  • Processing of health data, genetic data or biometric data requires compliance with specific protection measures (“misure di garanzia”) that will be issued by the Italian Data Protection Authority bi-annually in light of guidelines of the European Committee, of technological developments and in the interest of data circulation within the European Union.
  • Under section 9.2.g) of the GDPR, personal data relating to health can be processed when processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law. The Italian legislator has listed the circumstances under which such substantial public interest exists, i.e., inter alia:
    • administrative activities connected to those of diagnosis, assistance or health or social therapy;
    • obligations of the national health service and of subjects operating in the health area;
    • hygiene and safety tasks to be carried out on the workplace and for safety and health of the population, for protection of the population and to safeguard life and physical integrity;
    • management and assessment of health assistance;
    • social protection of maternity and abortion, addictions, assistance, social integrations and rights of disabled individuals.
  • Data protection rights of deceased individuals may be exercised by those who have act on the basis of an own interest, in protection of the interested person, or for family reasons that are worth of protection, unless – with respect of services of information society – the interested person has expressly prohibited through a written statement the exercise of such rights by third parties. Such statement must be unequivocal, specific, informed and free, and may also relate only to some of the rights. The prohibition must not prejudice the exercise by third parties of patrimonial rights arising from death of the interested person nor the right to judicial defense.
  • The prescription of drugs that do not require the indication of the name of the interested person will be subject to specific measures (misure di garanzia) also in order to control the correctness of the prescription, for administrative purposes and for the purpose of scientific research in public health.
  • Reuse of personal data for purposes of scientific research or for statistical purposes must be previously authorized by the Data Protection Authority, who can set forth conditions for the processing. Reuse of genetic data cannot be authorized. However, processing of personal data collected for clinical activity for the purpose of research by research hospitals (IRCCS, both private and public) is not deemed to be reuse.
  • Processing of health personal data for the purpose of scientific research in the medical, biomedical or epidemiological field without the patient consent is in any case subject to a favorable opinion by the competent ethics committee and a consultation with the Data Protection Authority.
  • Criminal sanctions continue to apply in case of illegal data processing and can be up to 6 years of imprisonment.
  • The Data Protection Authority has 90 days to indicate which of the measures contained in the general authorizations it already adopted are compatible with the GDPR. The ones which are not will cease to apply.

Legal Issues 4.0: what approach suits innovation better?

The fourth industrial revolution is undoubtedly on the bull’s eye of international and domestic economic discussions. To name just one of the major events that recently focused on the Industry 4.0 debate, one could mention the World Economic Forum 2016 Annual Meeting held in Davos on January 20-23 2016, together with its ambitious title: Mastering the Fourth Industrial Revolution.

Indeed, starting from Germany’s Industrie 4.0, European governments have been trying to master the demanding challenges that the fourth industrial revolution brought, taking co-ordinate actions with companies and research institutions in order to attract investments and be more competitive in the global manufacturing scene.

At a glance, Industry 4.0 consists in the transformation – or rather the evolution – of industrial manufacturing based on the new possibilities offered by:

  • The ability of machines, devices and sensors to connect and communicate with each other and analyze/process large amounts of data;
  • The ability of information systems to create a virtual copy of the physical world by enriching digital plant models with sensor data;
  • The ability of assistance systems to support humans by aggregating and visualizing information comprehensibly for making informed decisions and solving urgent problems on short notice;
  • The ability of cyber physical systems to physically support humans by conducting a range of tasks that are unpleasant, too exhausting, or unsafe for humans;
  • The ability of cyber physical systems to make decisions on their own and to perform their tasks as autonomous as possible.

The phenomenon hence embraces many fast-evolving fields such as Robotics, Internet of Things, Big Data and Smart Data.

After Germany, other European as well as oversea governments took actions aimed at exploiting, promoting and fueling with investments the research and development driven by such innovations. The United States started Manufacturing USA and France announced Industrie du Futur, to name just a few of such governmental programs.

Lastly, here in Italy, only a few days ago the Italian government announced the main features of its national Industria 4.0. The plan will make available public investments up to ten billion euro between 2017 and 2020, providing for tax incentives, as well as support for venture capital, ultra-broadband development, education and innovative research centers.

A number of legal issues are raised by the fourth industrial revolution.

  • The first and – one would say – more obvious one, is related to data protection. Intelligent and multi-linked objects continuously collect, generate and transmit data (including personal data) that are processed and analyzed, often across State’s boundaries, by both automated and manual means. It is hence fundamental that data protection laws and regulations offer appropriate legal instruments to control and limit what can potentially become an uncontrolled and automated leakage of personal data.
  • Property law is also at stake. In particular, in relation to non-personal data produced by machines and objects, ownership of such “products” seem to be mainly unregulated, with the exception of some specific instruments subject to database’s Moreover, moving towards more typical IP issues, it is clear that enhanced digitalization and connectivity both bring the risk of not being able to effectively keep trade and industrial secrets, as well as not being able to protect undisclosed know-how and business information.
  • Labour law will have to find instruments in order to manage the potential job loss deriving from automatization and innovation.
  • Product liability and, more in general, the legal framework of civil (and criminal) wrongs will have to face the fact that machines are more and more able to communicate, act and, in a way, “think” autonomously.

Can these challenges be tackled with existing legal instruments or do they require the adoption of tailor-made, brand new solutions?

The legal fields that have been mentioned here are, indeed, varied and do not allow one straightforward answer. Nevertheless, it may be worth noting that pushing for over-specific and unrealistically always-up-to-date legal instruments can be very risky. It can result, in fact, in a never-ending (but always late) frantic chase of fast-pacing technological developments, which can be more effectively tackled by adapting traditional flexible tools.

As it has been recently underlined by a study led by the European Parliament, “many of these issues have a cross-border and even pan-European element, e.g. migration of skilled labour, completing the digital single market and cybersecurity, cross-border research, standards etc”.

Perhaps, the success of the fourth industrial revolution from a legal point of view will largely depend on the ability and willingness to find harmonized and common solutions to global challenges, rather than create over-particular and specific new instruments. From this perspective, the new European Regulation on Data Protection can be seen as an encouraging legislative action providing for flexible but effective tools (such as, for example, data protection by design and data protection by default provisions) within the framework of the harmonizing strength of the European Regulation legal instrument.

Health Data Registries and Surveillance Programs, a New Italian Regulation Steps Up the Game

A new Italian regulation governing health data registries and surveillance programs aims at facilitating the use of such tools for purposes of monitoring health of the population, as well as healthcare spending. A comprehensive legal instrument regulating the various categories of registries and programs was much needed. In fact, the adoption of such a regulation was envisaged by national legislation since 2012 (Section 10 of law decree 179/2012), but no implementing measures has yet been adopted. A draft of regulation has now been released by the Italian government and submitted to the State-Regions conference prior to formal entry into force. The draft has already been reviewed by the Italian Data Protection Authority.

The new regulation aims at standardizing registries and programs adopted over the years, by setting forth: (i) the entities and professionals who may access the information contained in the registries, (ii) the categories of data that are available, and (iii) the measures to be adopted to ensure the security of data in line with data protection legislation.

The goals pursued by the regulation include a better monitoring of diseases at national level and relating treatment, survival rates, mortality index, as well as the increase or decrease over time of a certain disease. The data stored in the registries should also facilitate the carrying out of epidemiological studies in specific territories and/or for specific subsets of the population. Such broad purposes would allow the data to be used in connection with scientific studies, but also for the treatment and prevention of particular diseases.

The data protection provisions enshrined in the regulation are particularly stringent, and provide that all data must be processed by individuals specifically appointed by the data controller and subject to secrecy obligations. Furthermore, the data shall be encoded in a way that does not allow the de-anonymization of the data. Only in case of adverse events and relating field actions, data may be used to contact the interested subject upon prior authorization of the national registry holder. Data breaches will also need to be reported to the Data Protection Authority.

In conclusion, the new regulation provides welcome clarity in a field where regulations have been sporadic and at times incoherent. Moreover, the new regulation seeks to govern at the same time the different legal aspects connected with registries, from healthcare monitoring to data protection. There is little doubt that the hope of the government is to optimize such instruments to better control healthcare spending and conduct a more effective assessment of therapies and products on the market.