Takeaway: Although the enactment of the Italian Sunshine Act furthers the global expansion of healthcare transparency, the implied consent provision may not comply with the GDPR.

I. Overview and Requirements of the New Italian Sunshine Act

Law n. 62 of May 31, 2022[1], or the Italian Sunshine Act, took effect on June 26, 2022. This law requires transparency of “relationships, having economic relevance or advantage, between companies producing drugs, tools, equipment, goods and services, including non-medical ones, and the subjects who operate in the health sector or health care organizations” for the first time in Italy. The Sunshine Act advances the right to knowledge of economic relationships in the healthcare sector by broadly defining its reach. Article 1 notes that the law is aimed to promote transparency as well as prevent and fight corruption.

Article 5 establishes an online public registrar that will become active through the Ministry of Health within six months of the date of entry into force of law. Data will be reported and published bi-annually and will remain publicly available for five years. The Minister of Health will consult with the Agency for Digital Italy, the National Anti-Corruption Authority, and the Italian Data Protection Authority within three months from the date of entry of the law to determine the best technical characteristics of the electronic public registrar and the requirements for transmission of data.

The Italian Sunshine Act requires disclosure of three types of financial arrangements described in Articles 3 and 4.

1. First, agreements or disbursements of money, goods, services, or other benefits between a manufacturing company and (a) a subject operating in the health sector, when they have a value unit greater than 100 euros or a total annual value amount greater than 1,000 euros, or (b) a health organization, when they have a value unit greater than € 1,000 or a total annual value amount greater than 2,500 euros must be reported every semester.
2. Second, agreements between companies in the health sector or health organizations which “produce direct or indirect benefits, consisting of participation in conferences, training events, committees, commissions, advisory bodies or scientific committees or the establishment of consultancy, teaching or research” must also be reported every semester.
3. Third, ownership of shares or bonds in any organization in the health sector or income from intellectual property licenses must be reported by January 31 each year.

The Act outlines the information that must be reported and published following any of the three abovementioned transactions in Article 3. Such information includes the contact information of the parties to each agreement, the date of the agreement, the nature of the agreement, and the value of the agreement.

II. Penalties Under the Italian Sunshine Act

The penalties for violating the Italian Sunshine Act are described in Article 6. Healthcare providers and organizations that do not comply with the reporting requirements face fines for each non-reported transfer of value. Fines will also be published on the public database. Article 6 states that individuals may report violations of the Sunshine Act to the Ministry of Health in accordance with the Law of November 30, 2017, n. 179, as a failure to report financial relationships constitutes grounds for a whistleblowing report.

III. The Enactment of the Italian Sunshine Act Furthers the Global Expansion of Healthcare Transparency

Italy is the latest country to follow the increasing trend of healthcare transparency. The United States Physician Payments Sunshine Act (PPSA) took effect in 2013 and requires medical product manufacturers to disclose payments or transfers of value made to physicians or teaching hospitals to the Centers for Medicare & Medicaid Services (CMS).[2] PPSA also requires manufacturers and group purchasing organizations to disclose any physician’s ownership or financial interest in those companies. The disclosed data is published annually in a publicly searchable database. There has been handful of PPSA enforcement actions so far. [3] The framework of the Italian Sunshine Act allowing whistleblowing reports of noncompliance is similar to the PPSA in that the PPSA has been enforced in conjunction with fraud and abuse statutes such as the False Claims Act and the Anti-Kickback Statute.

Other European Union member countries have enacted sunshine statutes of their own, although the European Union has not yet enacted a similar statute. For example, France enacted the Bertrand Law of December 29, 2011, referred to as the French Sunshine Act, which works with several anti-corruption laws and ordinances including French Law No. 2016-1691, or Sapin II Law, a general anti-corruption law intended to increase transparency, and Ordinance No. 2017-49, an anti-gift legislation specifically aimed at healthcare companies. Sapin II strengthens its reach by imposing fines against companies that fail to prevent and detect corruption even if no misconduct has occurred. Other countries that have taken transparency measures include Portugal, Greece, Romania, Latvia, and Denmark.

IV. The Implied Consent Provision of the Italian Sunshine Act May Violate the GDPR

Notably, Paragraph 6 of Article 5 of the Italian Sunshine Act states that the act of entering into an agreement, accepting a transfer of value, or acquiring shares or licenses serves as the parties’ implicit consent to data processing and publication. This provision may run afoul of certain privacy rights prescribed in the General Data Protection Regulation (EU) 2016/679 (“GDPR”). Article 5 of the Sunshine Act expressly preserves the rights of the GDPR Articles 15, 16, 17,18, 19, and 21. However, Paragraph 6 of Article 5 may not be compliant with the enumerated Articles. For example, the implied consent provision and publication requirements of the Sunshine Act may violate the right to erasure described in Article 17 of the GDPR.

V. Conclusion

The enactment of the Italian Sunshine Act advances the global increase of transparency in healthcare. Accountability and novel enforcement actions will likely follow, along with exposure and deterrence of fraud and corruption. The question remains whether future enforcement actions or amendments to the Italian Sunshine Act will resolve the potential conflict between the Act and the GDPR.

[1] https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:legge:2022-05-31;62
[2] For a comprehensive analysis of the PPSA key statutory language and its impact from a fraud and abuse standpoint, see https://www.pietragallo.com/publications/the-physician-payments-sunshine-act-and-the-future-of-healthcare-transparency-part-1/
[3] For a discussion of the PPSA enforcement actions, see https://www.pietragallo.com/publications/the-physician-payments-sunshine-act-and-the-future-of-healthcare-transparency-part-2/