Tag Archives: law

Facial Recognition Technology: Are We Close to a Turning Point?

When people think about facial recognition technology (“FRT”), they immediately imagine the use of their faces to unlock their smartphones. But this technology is far more complicated, useful and potentially dangerous.

First, it is important to understand the difference among “facial detection”, “facial characterization”, “facial identification” and “facial verification”. Such terms have been defined by the non-profit organization Future of Privacy Forum (https://fpf.org/wp-content/uploads/2019/03/Final-Privacy-Principles-Edits-1.pdf) as follows:

  • Facial detection simply distinguishes the presence of a human face and/or facial characteristics without creating or deriving a facial template.
  • In facial characterization the system uses an automated or semi-automated process to discern a data subject’s general demographic information or emotional state, without creating a unique identifier tracked over time.
  • Facial Identification is also known as “one-to-many” matching because it searches a database for a reference matching a submitted facial template and returns a corresponding identity.
  • The last one, facial verification, is called “one-to-one” verification because it confirms an individual’s claimed identity by comparing the template generated from a submitted facial image with a specific known template generated from a previously enrolled facial image.

There are many possible uses of facial recognition. In the private sector FRT may be used to keep track of employees’ time and attendance, identify shoppers’ patterns inside stores, implement smart homes, etc. In the public sector, FRT may be used to monitor protests, identify suspects in security footage, check claimed identities at borders, etc.

This relatively new technology brings, besides a wide range of possible implementations, significant concerns regarding privacy, accuracy, race and gender disparities, data storage and security, misuse. For instance, depending on the quality of images compared, people may be falsely identified. In addition to that, in its current state, FRT is less accurate when identifying women compared to men, young people compared to older people, people of color compared to white people. Privacy is certainly another concern: without strong policies it is unclear how long these images might be stored, who might gain access to them or what they can be used for; not to mention that this technology makes far easier for government entities to surveil citizens and potentially intrude into their lives (see “Early Thought & Recommendations Regarding Face Recognition Technology”, First report of the AXON AI and policing technology Ethics Board https://www.policingproject.org/axon-fr).

Once the possible implementations and the related risks are understood, the worldwide lack of regulation becomes even more surprising.

Within the European Union, the General Data Protection Regulation obviously applies to FRT. Furthermore, “Guidelines on Facial Recognition” have been released on January 28, 2021 by the Consultative Committee of the Council of Europe with regard to automatic processing of personal data (https://rm.coe.int/guidelines-on-facial-recognition/1680a134f3). This latter document includes:

  • Guidelines for legislators and decision-makers;
  • Guidelines for developers, manufacturers and service providers;
  • Guidelines for entities using FRT;
  • Rights of data subject.

When it comes to Italy, particular attention has been drawn by several decisions of the Italian Data Protection Authority on the topic. Recognizing the innovative potential of FRT as well as its riskiness for individual rights, the Authority adopted a more permissive approach regarding the private sector’s use of FRT, while issuing stricter decisions with regard to the use of FRT by public authorities. For instance, the Authority allowed the use of FRT by police forces for purposes of identifying individuals among archived images, but prohibited real-time surveillance using the same technology (see https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9040256 and https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9575877). On the other hand, the Authority allowed one airport to implement FRT for purposes of improving efficiency in the management of the flow of passengers, so long as images of individuals were not stored (see https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/8789277).

The European Commission, in light of the complexity of the situation and the necessity of a strong and harmonised legislative action, presented on April 21, 2021 its “Proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence” (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52021PC0206). This Proposal was already the subject, on June 18, 2021, of a EDPB and EDPSs’ joint-opinion (https://edpb.europa.eu/our-work-tools/our-documents/edpbedps-joint-opinion/edpb-edps-joint-opinion-52021-proposal_en), in which they called for a general ban on the use of FRT for:

  • Automated recognition of human features in publicly accessible spaces;
  • Categorization of individuals into clusters according to ethnicity, gender, etc., based on biometric features;
  • Inference of individuals’ emotions.

What the European Commission is doing is an example of a more globally widespread legislators’ attitude towards artificial intelligence in general and FRT in particular. These technologies are more and more in our lives and are constantly evolving. Consequently, there is an increasing request, both from public and private subjects, for clear rules to govern this new technology and ensure that individual rights are safeguarded. Hopefully in the next months/years the situation will become clearer.

Flavio Monfrini / Michele Galluccio

Repeal of Patent Linkage in Italy is on the Horizon

The patent linkage is the practice of linking the marketing authorisation of medicinal products, their pricing or reimbursement, or any other generic drug approval, to the patent status of the original reference product.

On 4 November 2021 the Italian Council of Ministers approved the draft law for the market and competition for the year 2021 (the “Draft Law”), by means of which by the end of this year the Italian Government intends to modify, update and renovate the regulatory framework of several critical sectors of the economic life of the country, amongst which energy, transportation, entrepreneurship and healthcare.

With the aim of removing barriers to market entry for generic medicines, the Draft Law inter alia provides for the abolition of the patent linkage, finally bringing Italy, on this point, in line with the EU law and the other European countries.

Indeed, the Draft Law repeals article 11, paragraph 1, of Law no. 189/2012 (the “Balduzzi Decree”), pursuant to which generic drugs cannot be included in the list of the medicines reimbursed by the Italian National Health Service before the expiry date of the patent or of the supplementary protection certificate of the corresponding originator’s product.

Because it establishes a patent linkage, said provision of the Balduzzi Decree is generally held in breach of the EU law, according to which regulatory bodies, when granting a marketing authorisation for a medicine, setting its price, and determining its class of reimbursement, cannot consider the patent coverage, but only the quality, safety, and efficacy of medicines.

In the last decade the Italian association of generic drug manufacturers (Assogenerici), several patient advocacy groups and even the Italian Competition Authority had tried to push the Italian Government to repeal article 11, paragraph 1, of the Balduzzi Decree, but without success. Now, probably also under the EU Commission’s pressures to comply with the requirements it set in the framework of the aids given to Italy to face the economic and social consequences of the Covid-19 pandemic, the Italian Government decided to finally remove the patent linkage.

The purpose of the measure provided by the Draft Law is to allow manufacturers of generic medicines to carry out all the negotiation procedures for price and reimbursement to be ready to enter the market as soon as the patent expires, and so to increase the competition in the healthcare sector.

The Draft Law will be soon submitted to the Italian Parliament, where it will be discussed and where it might be subject to several and significant amendments. We will see whether the abolition of the patent linkage will be eventually approved and will therefore become law.

Web Cookies’ Processing: New Guidelines by the Italian DPA

On June 10, 2021 the Italian DPA has officially issued new guidelines for the processing of cookies and other online tracking instruments. Such newly-issued guidelines are aimed at compliance with principles set forth by the GDPR, as well as by the recently issued contributions of the European Data Protection Board. The new guidelines complement and update the previous ones issued in 2014.

New provisions mainly regard how consent is acquired and information to be provided to interested subject. In fact:

  • consent by the user must be given in accordance with principles of freedom and unambiguousness. Accordingly, the use of methods that do not comply with such principles, such as the “scrolling-down” and the “cookie-wall”, are unlawful and void;
  • the “cookie banner” must comply with the “privacy by design” and “privacy by default” principles, as resulting from article 25 of the GDPR. Consequently, simplified manners for the obtainment of the consent are allowed only to the extent that they comply with some pre-determined requirements;
  • “analytic cookies” can be processed without any consent by users only if they do not allow any identification (direct identification of the person concerned should not be achieved), and if they are used for the production of aggregate data only. Otherwise, they need to be expressly authorized;
  • information to be provided to the users must be specific and comply with articles 12 and 13 of the GDPR.

Data controllers now have a 6-months term (expiring on December 2021) for the adoption of the measures necessary to comply with such giudelines.

The full text of the measure can be found at the following link: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9677876.

New Data Transfer Standard Contractual Clauses Approved by the EU Commission

On June 4, 2021 the EU Commission approved new standard contractual clauses (“SCC“), which are regarded to provide appropriate safeguards within the meaning of Article 46(1) and (2) (c) of the GDPR.

The new SCC are updated with GDPR, the opinions expressed during the course of the consultation phase (including those of the European Data Protection Board and the European Data Protection Supervisor), as well as take into account the recent Schrems II judgement of the Court of Justice.

There are two different sets of SCC: (i) for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) and (ii) to controllers or processors established outside the EU/EEA (and not subject to the GDPR).

The new SCC promisemore flexibility for complex processing chains, through a ‘modular approach’ and by offering the possibility for more than two parties to join and use the clauses“.

If you or your company are using the old SCC, you have a transition period of 18 months.

Five Key Takeaways from Our Seminar on Clinical Trials

If you missed our seminar on clinical trials on January 16, here are five key takeaways to help you understand the changing regulatory environment in Europe and Italy.

  1. Be ready for a new regulatory landscape

The recent clinical trials regulatory overhaul within the EU aims at fostering research and facilitating the tasks of all actors involved in this area. However, delays in the implementation of such new legislation are posing an actual risk for the entire sector throughout the EU, while competition from emerging economies is getting stronger.

  1. Harmonized, but not enough

In several areas, such as observational studies or ethical committee’s assessments, a unified approach at European level is yet to be adopted. This leaves a lot of fragmentation among the various countries and a lot of work to be done at local level in order to ensure compliance with applicable regulations. Be prepared to deal with such inconveniences, in particular in the pharmaceutical sector.

  1. Changes in data protection laws offer new opportunities but challenges remain

GDPR brought new harmonized provisions to improve and support the use of data for the purpose of conducting research. However, guidance from national data protection and regulatory authorities in areas such as legal grounds for processing and secondary use is far from established. Moreover, different EU countries continue to adopt opposite approaches when it comes to consent and legitimate interest as valid legal grounds for data processing in the framework of clinical research. Data protection compliance will therefore continue to require local check-ups.

  1. New opportunities for independent research

Recent regulatory changes in Italy are being implemented to foster independent not-for-profit research in the clinical area. The new regulations, which are about to be adopted, envisage new opportunities for the participation of private actors in independent research and allow not-for-profit research institutions to better exploit the results of their research. The potential for conflicts remain and caution should be exercised within public-private relationships, but there is hope that new paradigms of collaboration will see the light.

  1. A new world of evidence is out there

More and more projects in the clinical research field involve real world data and real world evidence, gathered in a number of different ways outside the rigid protocols of a controlled study, whether through medical devices or other data collection instruments. Real world data are key to understanding how treatments work in reality and developing new healthcare paths. However, both clinicians and private actors are operating in uncharted territories and the line between studies and alternative research projects is thinner than you may expect. Be mindful of the regulatory and compliance ramifications of these new powerful tools.

Copyright European Legislation: Getting Ready for the Digital Era.

On September 12th the European Parliament approved amendments to the controversial Proposal for a Copyright Directive, the Directive of the European Parliament and of the Council on Copyright in the Digital Single Market, which aims at updating copyright rules.

Not many topics have polarized opinions in recent years in Europe. While supporters claim to have protected artists and to have inflicted a blow to the American tech giants, critics have talked about the “death of the internet”.

For clarity, even if the Directive passed the European Parliament vote, the changes are not yet definitive and it may be too early to conclude on what this decision entails. The Directive text shall be further reviewed in subsequent negotiations and there is still a slight chance that it may be rejected at another vote by the European Parliament in 2019. In addition, the Directive, even if (and when) definitely approved, should be implemented by single Member States.

But which results does the Directive aim to achieve?

Its scope and purpose appear based on the evolution of digital technologies, which has changed the way copyright works and other protected material are created, produced, distributed and exploited, with the consequence that new uses, new payers and new business models have emerged. The digital environment has given birth to new opportunities for customers to access copyright-protected content. In this new framework, right-holders face difficulties to be remunerated for the online distribution of their works. So, even if the objectives and principles laid down by the EU copyright framework remain valid, there is an undeniable need to adapt them to the new reality.

The Directive also intends to avoid the risk of fragmentation of rules in the internal market. In fact, the Digital Single Market Strategy1 adopted in May 2015 identified the need «to reduce the differences between national copyright regimes and allow for wider online access to works by users across the EU». The idea expressed in the 2015 by the European Commission was to «move towards a modern, more European copyright framework». The EU legislation purports to harmonize exceptions and limitations to copyright and connected rights, however some of these exceptions, which aim at achieving public policy objectives, such as research or education, remain regulated on national level, with the consequence that legal certainty around cross-border uses is not guaranteed.

As to the content of the Directive, we note the following points:

  • With specific regard to the scientific research, recital number 9 of the Directive says that the Union has already provided certain exceptions and limitations (even if optional and not fully adapted to the use of technology in the scientific research) covering uses for scientific research purposes which may apply to acts of text and data mining. Where researcher have lawful access to content, for example through subscription to publication or open access licenses, the term of the licenses may exclude text and data mining.
  • Article 11, called “link tax”, gives publishers a right to ask for paid licenses when online platforms share their stories. The amended version clarifies that this new rights «shall not prevent legitimate private and non-commercial use of press publications by individual users». The amendment tries also to clarify what can be considered as “sharing a story”, indicating that the mere hyperlinks cannot be taxed, nor can individual words.
  • Article 13, called by the critics as “upload filter”, sets forth that platforms storing and giving access to large amounts of works uploaded by their users shall conclude licensing agreements that include liability for copyright infringement, thus putting a large responsibility on platforms and copyright holders that must «cooperate in good faith» to stop this infringement by carefully monitoring every upload.

The Directive has been designed with the intent to rebalance the core problem of contemporary web: big platforms like Facebook and Google are making huge amounts of money providing access to material made by other people. Nevertheless critics object that this intent could lead to serious collateral effects.

We will see what the future of this Directive will be, and which consequences will entail. The path seems to be still long, but, at least, it has started.

 

Who’s Who Legal 2018: Our Life Sciences Practice in the Top Three!

Who’s Who Legal just published its 2018 rankings, highlighting the leading practitioners recognized “for their excellent work across the full spectrum of life sciences law”.

Our very own Paola Sangiovanni has been recognized among the top three most highly regarded practitioners in the life sciences legal industry in Italy. Here’s what Who’s Who Legal says about Paola:

«The “fantastic” Paola Sangiovanni at Gitti and Partners is “a truly dedicated life sciences expert”, who is considered “a great deal-maker”. Her transactional expertise in the life sciences space is in high demand, thanks to her “client-focused approach and excellent service”».

We are very proud to share such a terrific achievement with our clients and friends, and we would like to thank you all for your continued support!

New Whistleblowing Legislation Approved in Italy

Whistleblowers will be granted a higher level of protection under new legislation passed earlier this week in Italy.

The new provisions apply to civil servants as well as employees in the private sector. Whistleblowing protection will shield individuals who submit a good faith report concerning unlawful conduct, provided that such report is based on a reasonable belief and factual elements.

The new legislation prohibits any retaliation or other discriminatory measures against good faith whistleblowers, including termination, demotion, transfer or other organizational action.

In the private sector, the new legislation has a significant impact on organizational models adopted to prevent corporate criminal liability pursuant to Legislative Decree 231 of 2001. In fact, all organizational models will need to set up appropriate channels for the confidential reporting of criminal conduct and violations of the organizational models themselves.  Measures aimed at protecting the identity of the whistleblowers and the confidentiality of the reports, as well as disciplinary sanctions against retaliatory or discriminatory measures against whistleblowers, will also need to be included in such organizational models.

The new legislation is expected to enter into force shortly, upon publication in the official gazette.

Legality Rating by the Italian Antitrust Authority: Is It Useful?

Not only must we punish corrupt companies but also encourage healthy businesses“. The statement released by Mr. Raffaele Cantone, Chairman of the Italian Anti Corruption Authority, summarizes the rationale underpinning the so called “legality rating”, i.e. a score that the Italian Antitrust Authority assigns to companies who apply for it. In fact, Law no. 62/2012, converting Law Decree no. 29/2012, requires the Italian Antitrust Authority to assign a score ranging from one to three “stars”, to any applying company who complies with a series of legal requirements (inter alia, the absence of criminal sanctions or preventive/precautionary measures against key personnel of the company, no judgments pursuant to Legislative Decree No. 231/2001, no breaches in the field of health and safety at work, and no definitive tax assessments against the company).

The instrument, available to entities generating a turnover in excess of Euro two million per year, is completely optional, but continues to be widely utilized. A statement of the Antitrust Authority shows in fact that, in January 2015, the Authority  received respectively 14% more applications than in the previous month and the trend seems to continue.

So, companies line up as schoolboys in order to show that they are worth a certain number of “stars” in an effort to demonstrate the soundness of their compliance program: is it worth it? To respond, we have looked into the benefits of the legality rating to understand the actual relevance of a practice that is becoming widespread. Below is a summary of the alleged benefits.

  • A new Regulation, developed by the Italian Antitrust Authority in collaboration with the National Anti Corruption Authority, entered into force on November 14, 2012, sets forth that companies benefitting from a legality rating are enrolled in a register of virtuous firms. Such registration is supposed tofacilitate relations with banks or the granting of public funding as well as the possibility to participate in public tenders.
  • The first example of a public procurement process taking into account the legality rating refers to postal services. The procurement documentation (Decision of December 9, 2014, published in the Official Gazette no. 1 of the January 2, 2015) stated for the first time that “for the public procurement of large size, the contracting authorities can evaluate the opportunity to give an additional and proportionate score to companies that benefit from a legality rating issued by the Antitrust Authority pursuant to §. 5 ter of Law-Decree no. 1 of January 24, 2012, or that have equivalent certifications issued to foreign firms from other agencies or public authorities”. For the first time, legality rating actually mattered as it gave a chance to companies to score additional points in public tenders.Some have criticized the use of a legality rating in this context, given that section 83 of the Italian Public Procurement Code (Legislative Decree no. 163/2006) requires that contracting authorities assess bidding companies on the basis of objective requirements only. It has been in fact argued that making reference to a legality rating is too discretionary. However, the Antitrust Authority, in opinion no. 163/2013, seemingly admits the possibility of using discretionary requirements, such as “the curriculum of the company, possession of licenses or quality certifications, availability of business assets, the providing of services or similar work, and in general, skills and references” as “factors that can be weighedas criteria for admission to tenders”.

In conclusion, if public procurement tenders give some weight to the legality rating, then obtaining it may actually be a good idea.

The risk is, as with any type of certification, that it will become a merely formal requirement, which does not attest the actual compliance efforts or a corporation’s culture.