Italian retrospective scientific research no longer subject to privacy approval of the Data Protection Authority

On 23 April 2024, the Italian Parliament approved an important change to the Italian Privacy Code, enabling companies to run retrospective scientific research without first getting prior approval from the Data Protection Authority (the Garante).

This change involves Article 110 of the Italian Privacy Code addressing “Medical, Biomedical, and Epidemiological Research.” It eliminates the requirement for companies to consult the Italian Data Protection Authority (Garante) and get their approval before conducting research programs involving the processing of health data for scientific purposes, when obtaining consent from data subjects is unattainable.

The Italian regulatory framework has been emphasizing a consent-centric approach so far to justify the processing of health-related personal data for scientific research, except in cases where:

• the research was carried out based on specific legal or regulatory provisions; or
• informing data subjects was “impossible” or involved “disproportionate effort” or risked “making it impossible or seriously prejudicing the achievement of the purposes of the research” (Article 110, paragraph 1, second sentence of the Italian Privacy Code).

In cases under second point above, data controllers had to get prior approval from the Garante under Article 36 of the GDPR. They also had to get approval from the relevant ethics committee and implement “appropriate measures to protect the rights, freedoms and legitimate interests of the data subjects. ”

This requirement presented a significant impediment to scientific research, particularly for retrospective studies. These studies rely on pre-existing data (typically collected in regular clinical practice), where obtaining consent may be impossible because data subjects are unavailable or may even have died.

Article 36 of the GDPR stipulates that the Italian data protection authority should provide its opinion within a specified timeframe (i.e., within eight weeks of receiving the consultation request, extendable by an additional six weeks in the case of particularly complex processing). However, practical constraints often hindered timely responses, potentially prolonging the research process and increasing costs.

The requirement for prior approval from the Garante has been a deterrent for sponsors to conduct studies. We’ve helped multinational pharmaceutical companies that have decided not to conduct retrospective studies in Italy precisely because of this requirement, instead choosing jurisdictions that don’t have such restrictions and don’t require to get patients’ consent. These problems have now been overcome thanks to the amendment approved by the Italian Parliament.

This amendment is a welcome effort to streamline national legislation, aligning it with the overarching support for scientific research embedded in the GDPR. By eliminating unnecessary regulatory burdens, the amendment facilitates research endeavours while upholding data protection principles.

The decision of the Italian Parliament marks a crucial step in fostering a more conducive environment for retrospective scientific research by removing a data protection law requirement that’s a burdensome peculiarity of Italian data protection law.

On a similar topic, you can find the following article “Rules for AI in the healthcare sector set by the Italian privacy authority”.