Tag Archives: italy

What if hospitals don’t pay?

Legal news, ,

Many of our clients encounter challenging dilemmas when public hospitals fail to reimburse the supplies they provide. Our seminar, held yesterday in our auditorium, was designed to discuss risks and potential solutions.

We regret if you were unable to attend, particularly as it was followed by an enjoyable aperitivo. However, we have included the slides presented by our attorneys, Fabrizio Sardella, Damiano Pallottino, and Francesco Clerici, who offered an analysis of the topic from a criminal, administrative, and civil law perspective.

slidesDownload

Regulation On Space Activities Under Parliamentary Examination

Legal news, , , , , , ,

When it comes to human activities in space, a paradigm shift is currently taking place. Government authorities, instead of operating on their own, increasingly opt for the development of multiple forms of interaction with private operators, while the latter are keen to invest to ultimately conduct space activities in partial independence from governments. The involvement of private actors in space missions is led by technological progress and by the view of space as an economic asset.

This phenomenon implies the need for new regulations, shaping the peculiarities of the relationship between governments and private entities, while avoiding any overregulation that would constrain a rising market. The matter is, in fact, sensitive:

1) States – while wishing to interact with private entities and boost the “space economy” – are bound by international treaties and agreements.

2) Private entities need a clear delimitation of the perimeter in which they can profitably intervene, with legal certainty on the allocation of responsibilities. 

3) States and private entities ultimately need each other to harness the inherent potential of space economy. 

Today, space laws regulating the relationship between States and private operators have been adopted by more than 40 countries. Generally, States opt for an authorization system either for specific missions or for a fixed period of time.

Italy still lacks a relevant specific discipline, being merely part of international treaties regulating states’ access to outer space and space resources.

Additionally, section 189 of the Treaty on the Functioning of the European Union excludes the possibility of any harmonization of laws and regulations of EU member states in space-related policies. Thus, member states must ultimately rely on their own forces to regulate the space economy.

The good news is that Italian Parliament is currently examining a legislation, proposed on September 10, 2024, potentially able to fill the regulatory void

Specifically:

  1. the regulation would apply to space activities carried out both by operators of any nationality in Italian territory and by Italian national operators outside Italian territory;
  2. the relevant space activities virtually concern all possible extra-atmospheric human activities and are subject to authorization issued by the Government, which may involve a single space activity or several space activities of the same type or several interrelated space activities of different types;
  3. issuance of authorization is subject to objective (safety of space activities, resilience of infrastructure and, interestingly enough, environmental sustainability) and subjective criteria (including having an insurance contract and financial soundness). However, the Government’s power to deny authorization is broad and highly discretionary: authorization is in fact denied if space activity is detrimental to national interests or if there is any link between the space operator and non-democratic states.

The proposed regime for the allocation of liabilities provides for a liability of the operator for damages caused to third parties on the earth’s surface as well as to aircraft in flight and to persons and property on board of such aircraft. The liability is excluded only if the operator proves that the damage was caused exclusively and maliciously by a third party – unrelated to the space activity – and that could not have been prevented.

Furthermore, the Italian Government will be entitled to exercise a right of recourse against the space operator who caused damage to persons or property.

Will Parliament consider this framework enough to get the ball of space economy rolling? Stay tuned for the parliamentary progresses of this piece of legislation.

Happy GDPR-compliant Xmas and a prosperous new year!

Legal news, , , , , , , , , , , , , ,

Winter recess is about to start. While we’ll all be resting, GDPR will not!

While we will all be recharging our batteries to tackle the challenges for the upcoming 2025, GDPR will not go on vacation, and will thus never be out-of-office!

Check out the following tips that the Italian Data Protection Authority has recently issued in order to avoid threats to your privacy rights during the upcoming vacations:

  • Are you receiving plenty of virtual greetings and commercial offers? Be careful about them, even if apparently sent by a friend or parent: they may contain viruses, obscure links or may hide tentative of phishing. Not all presents may be welcome.
  • Have you taken good family pictures that you wish to share on your social network? Don’t forget to ask consent of all depicted individuals. Is your grandpa going to provide his consent as well?
  • Have you filmed your children’s Christmas pageant? Keep it for yourself! You’d need consent from all depicted individuals for publishing (including from their parents in case of minors).
  • Are you wishing to download any specific Christmas-related app on your smartphone? Choose them carefully, check their issuer and the reviews. You may inadvertently be downloading the Grinch’s one!
  • Are you going away for a trip? Don’t share too much information and pictures on your social media about your time off, your house and your vehicles, as it may attract thieves. Only Santa Claus shall be allowed to break in without your consent!
  • Are you connecting with your hotel’s or restaurant’s Wi-Fi? Ask the staff about its security: they may not be protected enough.
  • Have you bought any “smart” presents for your little nephews? Check whether they may collect any personal data from their users. In the affirmative, make sure that they will not harm them in any way possible.

Our own additional tips: rest, enjoy good food, spend time with your loved ones, and get ready for 2025! We wish you happy holidays and a healthy and successful new year.

Gitti and Partners Life Sciences Team

The European Commission Recently Fined Teva: but Why?

Legal news, , , , , ,

With an order issued on October 31, 2024, the European Commission fined Teva Pharmaceutical Industries (“Teva”) EUR 462.6 million for abusing of dominant position in relation to its drug Copaxone.

This European Commission decision is meant to further set on fire the already lively debate on the limits of patent law and antitrust rules in Europe.

1. Allegations: Abuse of Dominant Position and Patent Strategy

The order fined Teva for abuse of a dominant position. Specifically, two conducts were alleged, namely:

  1. The first relates to the delaying of the market entry of competing generics of Copaxone – a drug containing the active ingredient glatiramer acetate produced by Teva and indicated for the treatment of multiple sclerosis – through the filing of several divisional patents and their subsequent waiver. This approach, referred to by the European Commission as ‘divisional games’, had, in the European Commission’s view, the effect of:
  2. artificially extending the term of patent protection
  3. restricting competition even beyond the natural expiry of the original patent.
  • The second claim against Teva concerned the dissemination of false information in breach of competition rules aimed at dissuading consumers and healthcare professionals from adopting such cheaper versions of the drug by:
  • denigrating generic Copaxone products
  • casting doubts on their safety and efficacy.

2. Legal Analysis of Breaches: Article 102 of the Treaty on the Functioning of the European Union(“TFEU”)

The Commission’s allegations are mainly based on Article 102 TFEU, which prohibits the abuse of a dominant position within the internal market. A dominant company must avoid practices that (i) restrict, (ii) distort or (iii) prevent competition.

The practice of filing “divisional patents”, carried out by Teva, has been considered as an “exclusionary abuse”, as it prevents the entry of new players in the market through manipulation of the patent system.

This approach, although in line with patent law and the procedures of the major patent offices, including the European Patent Office, has been criticized from the competition point of view. In principle, the divisional patent system should protect distinct innovations and not allow the fragmentation of protection for a single invention to artificially obstruct competition.

In addition, the use of a disinformation campaign constitutes an abusive conduct, as it aims at diminishing the quality of competitors’ products without objective reasons, thus damaging the market and final consumers.

3. The Role of Divisional Patents and the ‘Manipulation’ of the Patent System

divisional patent is an option under European law that allows patent owners to derive “child” patents from a main patent, thereby protecting more specific aspects of an invention. 

This system derives from one of the fundamental principles of patent law, i.e. that a patent can protect one, and only one, invention. Consequently, during the examination of patent applications, it is sometimes necessary to proceed with the filing of divisional applications when the examiner finds that more than one invention was covered by the original application. 

However, in Teva’s case, the excessive use of this practice was found to be abusive, as it was found to be aimed solely at extending the duration of monopoly protection for Copaxone. This practice, in addition to raising ethical and legal questions, led to the consideration of the need to change the patent system to avoid abuses. In particular, it has been suggested that European regulations on divisional patents may be updated to prevent anti-competitive practices, for instance by introducing stricter criteria for divisional patent granting.

4. Implications of the Teva Case for Competition Law and the Pharmaceutical Sector

The fine imposed on Teva represents a turning point for competition law applied to the pharmaceutical sector, as it further and rather explicitly underlines the need for a balance between patent protection and access to medicines

The European Commission, with this measure, wanted to give a strong signal against the strategic use of patents to obstruct access to generic medicines, which represent an affordable and accessible solution for patients, and which may also have a very important impact on Member States’ budgets concerning their healthcare spending.

In a scenario of increasing attention to anti-competitive practices in the health sector, the Commission’s intervention could lead other national and supranational authorities to monitor more strictly pharmaceutical companies’ behaviour in similar situations. Moreover, it may be possible that this case will put pressure on a reform of patent rules in Europe, aimed at limiting opportunities for abuse by dominant companies.

New Guidelines on Web Scraping

Legal news, , ,

Pursuant to Article 57(1)(b) of the GDPR, on May 20, 2024 the Italian Data Protection Authority (“Italian DPA”) adopted guidelines [LINK] on web scraping, with the aim of providing guidance to operators of websites and online platforms, acting in Italy as data controllers of personal data made available online to the public.

Web scraping is defined by the Italian DPA as the massive collection of personal data from the web for the purpose of training generative artificial intelligence models. Specifically, whenever such phenomenon involves the collection of traceable information – linked to an identified or identifiable natural person – a data protection issue arises with reference to the identification of an appropriate legal basis for the processing of such data.

According to the guidelines, the assessment of the lawfulness of web scraping must be carried out on a case-by-case basis. Personal data are made available on the web as a result of a primary level processing by operators of online platforms as data controllers. Only then, third parties – often web robots or “bots” – may gather such data for different purposes while scraping the web. This is the reason why the Italian DPA addresses its guidelines to operators of online platforms: they are, in fact, the only ones able i) to more easily evaluate how data are used after being scraped from their platforms and ii) to implement measures on their platforms that may prevent or mitigate web scraping activity for purposes of training algorithms.

Possible precautions or enforcement actions identified by the Italian DPA are the following:

  • Creation of restricted areas, which can only be accessed after registration. In this way, certain personal data would be removed from public availability;
  • Inclusion of ad hoc clauses in the terms of service of the online platform expressly prohibiting the use of web scraping techniques;
  • Monitoring network traffic to detect any abnormal flow of data and adopting limits as countermeasures;
  • Direct intervention on bots (e.g. insertion on websites of CAPTCHA checks or monitoring log files to block undesirable users).  

Such measures should be adopted by the data controller after an independent assessment – in compliance with the accountability principle, which increasingly appears to govern new data protection legislation and strategies. At any rate, the Italian DPA acknowledges that, albeit useful, none of these measures can be expected to entirely prevent web scraping from happening.  

Processing Health Data: the Most Recent Amendment to Italian Privacy Code

Legal news, , , , , , ,

The Italian “Privacy Code” (Legislative Decree No. 196/2003), which governs data protection in Italy together with the European GDPR, has recently been amended.

Law No. 56/2024, further implementing the National Recovery and Resilience Plan, intervened on section 110 of the Privacy Code, which deals with the processing of health-related data for the purposes of medical, biomedical or epidemiological scientific research.

Section 110 provides that consent of the data subject for the processing of health-related data for the purpose of medical, biomedical or epidemiological scientific research is not required when:

  • the research is carried out on the basis of legal provisions or European Union law, when processing is necessary for scientific research or statistical purposes, provided that an impact assessment is carried out pursuant to sections 35 and 36 of the GDPR; or
  • informing the data subject is impossible or involves a disproportionate effort, or would render impossible or seriously jeopardise the attainment of the purposes of the research.

In such cases – before the latest amendment – the data controller had to:

1) take appropriate measures to protect the rights, freedoms and interests of the data subject;

2) obtain a favorable opinion of the competent ethics committee; and

3) consult the Italian Data Protection Authority prior to processing.

The obligation to consult the Italian Data Protection Authority has now been repealed. Thus, there is no need to apply for the Authority’s clearance prior to processing health-related data (in those cases where consent of the data subject is not required under section 110 of the Privacy Code). 

This amendment may have a significant impact especially on retrospective studies for which informing data subjects is particularly burdensome. The data controller will, in fact, be able to proceed without the Authority’s permission. Nonetheless, the data controller will still have to comply with specific guarantees and ethical rules issued by the Authority – as specified by the amended section 110.

On the one hand, the amended section 110 seems to favor accountability and to soften the procedural requirements in processing health data for research purposes, making the overall procedure quicker. When it comes to “secondary use” of health data, the accountability approach should be considered strong enough to protect data and favorably welcomed, as it moves in the same direction of the European Health Data Space – which intends to provide a reliable and efficient system for the re-use of health data in areas as research and innovation.

On the other hand, though, the Italian Data Protection Authority has already issued some interim guarantees, specifying that data controllers – when processing health data related to deceased or non-contact subjects – must carry out and publish an impact assessment, pursuant to section 35 of the GDPR, notifying it to the Authority. It remains to be seen how the amendment will be handled by the Authority in practice: the effects of the simplification provided by the new version of section 110 may be diminished if the guarantees set forth by the Authority generate equally articulate procedures.      

Effectively Implemented “231” Model Exempts Italian Company from Criminal Corporate Liability

Legal news, ,

A recent decision of the Milan Court exempted an Italian company from criminal charges under law 231, even while it found its employees guilty of a 231 financial crime.

The Court held that the company’s managers abused of their override powers to systematically ignore internal control systems. Nonetheless, the court found that the company had effectively implemented its compliance 231 model, although such model was fraudulently circumvented by the managers.

The Court confirmed, as already established in the Impregilo case, that the occurrence of a crime does not automatically prove the non-completeness and non-effectiveness of a company’s compliance program. A separate analysis of the compliance program must instead be carried out, even if a crime has occurred and individuals are found guilty.

Under Italian law 231, companies are liable for employees’ crimes when the crime is committed in the interest or to the advantage of the company. Such 231 liability can be lifted if the company has effectively implemented a compliance program aimed at preventing such crime. Despite the incentive built in in 231 law for companies to set up and effectively implement a compliance program, past case law has not been generous in granting such exemption from liability. The recent Milan court case may open a new path.

Processing of personal and health data through apps and online platforms aimed at connecting HCPs and patients: the new digest of the Italian DPA

Legal news, , , , , , , , , , , , , , , , , , , , , ,

On March 2024, the Italian Data Protection Authority (“Italian DPA”) has issued a new digest (“Digest”) relating to the processing of personal data, whether or not concerning health data pursuant to section 9 of the GDPR, carried out through the utilization of platforms, accessible through apps or web pages (“Platforms”), that aim to facilitate connection between healthcare professionals (“HCPs”) and patients.

The use of such Platforms poses high risks to the protection and security of patients’ personal data, and in particular health-related data, given that the latter are subject to an enhanced protection regime set forth by section 9 of the GDPR. 

The Digest seeks to summarize the applicable data protection rules that may be followed, and defines the roles of the parties, as well as the legal bases, applicable to (i) the processing of personal data of the users by Platform’s owners; (ii) the processing of HCP’s personal data by Platform’s owners; and (iii) the processing of health data of the patients by the Platform’s owner and by the HCPs.

Additional guidance is provided as to:

  • The necessity for the Platform’s owner to carry out (and periodically update) a data protection impact assessment (DPIA) pursuant to section 35 GDPR, since the use of Platforms determine a “high risk” processing of personal data, as such kind of treatment automatically meets the criteria issued by the European Data Protection Board for the identification of the list of data processing that may be deemed subject to the duty to perform a DPIA;
  • Which information notices should be provided, by who and to whom, as well as the contents that such information notices should have in each case, according to sections 13 and 14 GDPR;
  • The specific rules applicable to cross-border data transfers and data transfer to third countries.

Lastly, the Digest includes a list of the most common measures that are taken by the data controllers to ensure an appropriate level of technical and organizational measures to meet the GDPR requirements, such as encryption, verification of the qualification of the HCPs that seek to enroll within the Platform; strengthened authentication systems, monitoring systems aimed at preventing unauthorized access or loss of data.

The Digest should be very welcomed by the Platform’s owners, as it now gives a reliable and complete legal frame that may be followed in order to set up a Platform in a way which is compliant with the GDPR principles.

Corporate Liability Under Legislative Decree No. 231/2001: Latest Developments

Legal news, , , , ,

In the context of criminal proceedings for aggravated fraud for obtaining public funds (art. 640 bis of the Criminal Code) and for ideological falsity of the private party in a public deed (art. 483 of the Criminal Code), the Italian Supreme Court (ruling No. 3196/2024 Jan. 26, 2024) had the opportunity to reiterate some useful principles in the context of 231 Models:

the legal representative of the entity, suspected or accused of the predicate offense, cannot appoint the entity’s defense attorney, due to the absolute prohibition of representation posed by Article 39 of Legislative Decree No. 231 of 2001. The incompatible representative cannot perform any defensive act in the interest of the entity and, if performed, must be considered ineffective. However, the entity may join the proceedings by replacing the representative who has become incompatible or by appointing an ad hoc representative.

•The Court must always make an independent determination of the administrative liability of the entity and this means that:

1)It is not necessary to make a final and complete finding of individual criminal liability of the natural person, but a mere incidental finding is sufficient.

2)The configurability of criminal liability of managers for 231 crimes is not sufficient to affirm the liability of the entity. The judge must carry out a judgment of the suitability of the 231 Model adopted, ideally placing it at the time when the offence was committed, in order to verify whether compliance with the 231 Model would have eliminated or reduced the danger of the occurrence of offences of the same kind as the one that occurred.

The Italian Government Fund for the Governance of Medical Devices

Legal news, , , , , , , ,

With Ministerial Decree dated December 29, 2023, the Italian Ministry of Health has established criteria and methods for feeding the fund dedicated to the governance of medical devices, the so-called “Fondo per il governo dei dispositivi medici” (Fund for medical devices governance, “Fund”).

Key Features

  • Annual payment obligation.  Companies manufacturing or distributing medical devices, large medical equipment and in vitro diagnostic medical devices must pay a sum equal to 0.75% of the company’s previous year turnover from the sale of such devices to the National Health Service, net of VAT.
  • Annual Declaration Requirement.  Companies must submit an annual statement to the Ministry of Health regarding:
    • The estimated amount of 0.75% of the above-mentioned turnover.
    • The company’s previous year turnover to the National Health Service, net of VAT;
  • Use of the Fund. The Fund will be used for various activities related to Health Technology Assessment and governance of medical devices (including the management of the National Price Observatory, the vigilance system and the market surveillance system).
  • Deadlines and next steps. The first deadline for compliance with the fund regulations is set for December 31, 2024.

Companies are currently assessing whether the Fund can be challenged in court with arguments that may be similar to those raised in the so called “payback” litigation, which will see its day in Court (namely, the Italian Constitutional Court) on May 22, 2024.