Healthcare

That burden of rules on the shoulders of scientific research

Urgent to think about a project to simplify and consolidate regulations also in the recent digital sphere

3' min read

3' min read

The Italian law on artificial intelligence, which is now close to final approval (C.2316- approved in the Senate on 20 March 2025 and now being examined by the Chamber of Deputies), makes an important opening on scientific research carried out in healthcare with artificial intelligence. The processing of personal and health data for research purposes, with artificial intelligence, is legitimised by the public interest, which is based on the constitutional principles protecting research and health referred to in the same provision (Art. 8). Therefore, to the most commonly used legal basis, that of the consent of the person concerned, and to the other legal bases constituted by the rules governing research projects, which are sometimes invoked, as well as Article 110 bis of the Privacy Code, which dictates a more open discipline for projects of which the Irccs are promoters, a further relevant assumption of legitimacy is added: that of the public interest. In a nutshell, personal data may be processed in the context of health research because a public interest is thereby realised.

The rule applies to research projects managed by public entities, by IRCCSs, and also by private entities together with IRCCSs.

Loading...

While one can only applaud this important legislative innovation, which finally recognises the importance of scientific research in healthcare and relieves the regulatory burden, consisting mainly of so-called paper compliance, from the shoulders of our researchers, and makes the country more competitive, precisely on scientific research in healthcare, on the other hand, if one widens one's gaze, the need for simplification appears more evident and increasingly pressing.

In fact, one only has to go to the next article of the same law and it becomes apparent that a prima facie overlapping case is being regulated. It regulates, once again, the processing of personal and health data for research purposes with artificial intelligence. But the tangle of norms seems to unravel if one considers that the new provision actually concerns the so-called 'sandboxes', i.e. the regulatory and normative spaces for experimentation.

Italy has rightly seized the opportunity offered by the AI Act to establish these special spaces, which for general AI applications will be set up and managed by AgID and ACN, each within their respective competences. For sandboxes in the health field, with research purposes, managed with AI, specific rules will be dictated by the Ministry of Health, after consulting, of course, the Privacy Guarantor and the parties most directly concerned.

But the potential regulatory overlap does not end there.

Suffice it to think of the EHDS ('European Health Data Space', established by Regulation (EU) 2025/327, in force since 26 March 2025 and with a staggered implementation timeframe, from 2027 to 2031), which introduces the opt-out model, instead of the opt-in model, for the processing of health data; it is well known that when faced with difficult choices, most people postpone the decision, and therefore the opt-out model is the one that allows more data to be collected. The EHDS also provides for the free use of health data for research purposes, likewise based on the opt-out, as well as on the submission of access applications to special bodies, which will provide access to anonymised or pseudonymised health data, depending on the purpose to be pursued. Then there is the Eds ('Ecosystem of Health Data', established by the Decree of the Ministry of Health of 31 December 2024), which also provides for the processing of health data for scientific research purposes, specifically in the medical, biomedical and epidemiological fields.

The trend of all these regulations is clear: enhancing the value of health data and facilitating its circulation. It is a new trend, certainly a very positive one, after a period of often excessive data protection, which implements what the GDPR envisages. This, in fact, already in its title, intends to protect personal data, and likewise to favour their circulation, as did the parent directive, in vain, back in 1995.

But on the other hand, the overlapping of rules, Italian and European, on the same subject, does not benefit legal certainty and does not help operators and researchers. The overregulation, both Italian and European, is now a problem that needs to be tackled: it is time to think about a project to simplify and consolidate standards, including in the recent digital sphere. A small, but too small, signal comes from the European Commission's very recent simplification proposal on GDPR. More courage is needed and one could start precisely with the provisions on health scientific research.

Copyright reserved ©
Loading...

Brand connect

Loading...

Newsletter

Notizie e approfondimenti sugli avvenimenti politici, economici e finanziari.

Iscriviti