European Pharmaceutical Contractor, Autumn 2014

Potential Impact

On 12 March 2014, the European Parliament endorsed the core principles of the proposal for a new General Data Protection Regulation (1), as amended through the vote of the Civil Liberties, Justice and Home Affairs Committee (LIBE) in 2013. With more than 4,000 suggested amendments received up until the LIBE vote, the regulation is among the most heavily lobbied pieces of legislation in the history of the EU, impacting all industry sectors.

To become law, the proposed regulation still needs to be agreed in the trilogue between the Council of Ministers, the Parliament and the European Commission. Given this year’s elections, it remains to be seen whether a general agreement can be reached by the end of this year. The new, seemingly more ‘Eurosceptic’ Parliament is not bound by the former members’ March vote, although that vote is considered to provide a sense of direction for future negotiations.

Considering recent revelations about the practices of certain intelligence agencies and related mass surveillance, there is increased pressure from the general public and members of the Parliament to adopt and implement a new legal framework (2).

This article will highlight some main areas of change presented in the current version of the proposed regulation and their relevance to the pharmaceutical industry.

What’s New?

Compared to the Data Protection Directive (3) adopted almost 20 years ago, the new regulation will (if adopted) introduce some elements which can be expected to have far-reaching consequences, including:

  • A ‘regulation’, as opposed to the current ‘directive’, will lead to a higher degree of legal framework harmonisation across the EU, since its provisions as a regulation will have direct effect in member states and will not need to be transposed through national law
  • The concept of a ‘one-stop-shop’. In cases involving data subjects from various countries or when a company is active in multiple EU member states, one national authority would take the coordination lead. This may simplify the system compared to the current situation, where data controllers need to interact directly with various separate data protection authorities in one and the same matter. There are, however, still extensive discussions around the details of this process
  • Increased obligations for companies (data controllers and processors) with regard to internal compliance measures, such as personal data impact assessments, appointment of a data protection officer and extensive internal documentation on data processing, as well as notifications to individuals and authorities in case of violations
  • Extended rights for data subjects, such as rights to be informed, access and obtain data, rights to rectification, rights to object, and the right to data erasure
  • More detailed requirements on consent
  • New rules for transfer of personal data outside of the EU
  • High fines for data protection violations: up to €100 million or 5% of a company’s worldwide annual turnover, whichever amount is higher (4)

Like the directive currently in force, the proposed regulation only applies to personal data. This may seem self-evident, but it is nevertheless important to remember that where a natural person cannot be directly or indirectly identified through the data, the regulation will not be directly relevant to the processing of such data (for example, in cases of anonymisation, where the data is impossible to trace back to the person to whom it relates – defined as such by the European Data Protection Supervisor) (5). At the same time, the definition of personal data is very broad, and refers to identifiers such as name, location data, culture, gender or physical factors to determine whether the data is identifiable.

Effects on Life Sciences

Activities in the field of medical research and clinical trials, pharmacovigilance, and market research traditionally involve the processing of personal data and will, therefore, be heavily influenced by new legislation. Below are some topics expected to be of particular relevance for the sector:

Processing Health Data
As has been the case under the current directive, the proposed regulation states a general prohibition on processing health data. However, under certain defined circumstances, processing is allowed, for example:

  • The data subject has given his/her consent
  • Processing is necessary to protect the vital interests of the data subject
  • It relates to data which is manifestly made public by the data subject
  • Data processing is necessary for health purposes

In addition to these established situations, the regulation specifically allows for health data to be processed for reasons of public interest in the area of public health, including ensuring high standards of quality and safety. This exemption provides the basis for pharma companies’ ability to fulfil the strict reporting obligations stated in the pharmacovigilance legislation.

The proposed regulation also lays down rules for the circumstances in which personal data (in general, not only related to health) may be processed for the purposes of historical, statistical or scientific research. Such processing is legitimate only if the data subject has given his/her consent; the research purposes cannot be achieved through the use of anonymised data; and the personal data has been pseudonymised (key-coded, for instance) as far as possible. The EU member states may provide for exemptions to the requirement of consent if the research serves a high public interest and cannot be carried out otherwise. In such cases, the data shall be anonymised if possible, and otherwise pseudonymised.

The exemption relating to situations where the data subject has manifestly published health data may be of relevance to online data collection (for example, so-called ‘online listening’). If the data processing is related to historical, statistical or scientific research though, the data subject’s consent will be required.

In terms of health data, the proposed regulation provides multiple layers of safeguards for data subjects’ rights and interests in the context of scientific research. In addition, the legal framework for clinical trials and Good Clinical Practice already in place applies to this setting. To meet the policy objective of reducing administrative burden and increasing clarity with regard to applicable rules, a high degree of harmonisation in the implementation of these various legal frameworks is extremely important.

Pseudonymised and Encrypted Data
One concern of the pharma sector so far in the legislative process is the applicability of the proposed regulation to key-coded data. Clinical trial data reported by study sites to researchers and pharma companies, for example, does not reveal patient identities, but is coded, and the keys required to render the data identifiable are held by the study sites and their involved healthcare professionals. The International Pharmaceutical Privacy Consortium has identified at least two areas where a less stringent approach to such key-coded data is important to facilitate medical research (6):

  • Transfer of data to countries outside the EU. Taking into account that modern research involves sites around the world, the need for information exchange between researchers and the nature of key-coded data, the mere transfer of such data to a third country for scientific research purposes should not require further regulatory authorisation as long as the key remains in the EU. A system of seeking approval for such transfer can result in significant delays in researchers’ ability to analyse data
  • Breach notification requirements. Key-coded data should not be subject to the breach notification requirements applying to data that directly identifies a natural person, since key-coded data is not readily identifiable

The proposed regulation in its most recent version introduces the concepts of ‘pseudonymised’ and ‘encrypted’ data. Pseudonymised data cannot be attributed to a specific individual without the use of additional information, as long as such information is kept separate and secure. Encrypted data is rendered unintelligible to unauthorised access through technical protection measures.

While pseudonymised and encrypted data are both still considered personal under the regulation, such information is, to some extent, subject to less stringent rules. Consider the intention that processing limited to pseudonymous data should be presumed to meet the reasonable expectations of the data subject when balanced against a controller’s legitimate right under Article 6(f) to process such data, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding (Recital 38).

Or, to take another case, profiling based solely on the processing of pseudonymous data should be presumed not to significantly affect the interests, rights or freedoms of the data subject (Recital 58a). This may impact activities in the field of market research, such as online data processing.

These examples are indications of a less stringent approach with regard to pseudonymous and encrypted data, but it is unclear how such data would be treated under the very strict rules for processing of personal data (in general, as well as personal health data) in the medical research context. This may be further clarified through delegated acts enacted by the European Commission after adoption of the regulation. Companies active in medical research may want to consider continued active participation in the legislative process to ensure a balanced and holistic approach on this important topic.

Rules for Consent

The requirements for consent as a basis for processing personal data are more detailed in the latest proposed regulation, compared to previous versions. The consent has to be freely given (in other words, no pre-ticked boxes), informed, explicit, affirmative through action (for instance, ticking a box) or statement, and limited to a specific purpose (Recital 25). If consent is given in the context of a written declaration, it must be clearly distinguishable from any other matter stated in the same declaration. The burden of proof that a lawful consent has been provided is with the data controller.

The proposed new regulation, at several instances, states the right for the data subject to withdraw consent. This is in line with the provisions of the newly adopted Clinical Trials Regulation (7), applicable as of May 2016, and to which there is an explicit reference in the proposed regulation regarding consent to participation in clinical trials. Most importantly, the withdrawal of consent must not affect the lawfulness of processing before the withdrawal – a principle that is also clearly stated in the Clinical Trials Regulation (Article 28.3). It is unclear how this will play out in practice: if data included in a clinical trial can remain part of the study after consent has been withdrawn, or if such would need to be erased. This is a highly significant question as, in the worst case, withdrawal of consent may impact the validity of the trial.

One important clarification, especially considering the more stringent requirements on the explicitness of the consent, is that it may be given for several similar future medical research projects. This may provide a basis for data processing where the medical research activities could not be foreseen in detail at the time of obtaining consent. A confusing aspect is that the regulation refers to the Clinical Trials Regulation in general with regard to rules for consent in the context of trials – the Clinical Trials Regulation, however, states that consent to use of data outside the defined protocol for the trial needs to be in line with the legislation on protection of personal data.

Company Compliance
In general, the proposed regulation imposes more extensive obligations on data controllers, as well as on processors to implement internal controls. For example, companies must ensure that, by default, only the data that is absolutely necessary for the purpose is collected, and that the data is retained only for the minimum time required.

Moreover, a data protection impact assessment shall be performed in cases where activities may pose a specific risk (processing of health data, for instance). Such impact assessment shall also include consultation with data protection authorities and data subjects. A welcome clarification in the latest version of the proposed regulation is that a single impact assessment will suffice for similar cases of data processing, provided risks are not increased.

Future Outlook
It is still unclear what the final content of the regulation will be and how it will be applied to activities in the life sciences field. In a number of areas, once the regulation is adopted, the European Commission will be mandated to issue clarifying, binding rules through delegated and implementing acts.

The opinion of the Council of Ministers and the election of a new Commission, as well as the appointment of new heads of committees, will affect the possibilities for reaching a timely agreement on this new piece of legislation. Considering the public pressure for strengthening the protection of personal data, however, it is reasonable to expect that this will continue to be a priority for the Commission.

References

1. Proposed General Data Protection Regulation, Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 25 January 2012, consolidated 22 October 2013
2. Kuner C, Burton C and Paternaki A, The proposed EU data protection regulation two years later, Bloomberg BNA Privacy & Security Law Report, 13 PVLR 8, 1 June 2014
3. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
4. Kuner C, European Commission’s proposed data protection regulation: A Copernican revolution in European data protection law, Bloomberg BNA Privacy & Security Law Report, 11 PVLR 6, 2 June 2012
5. Opinion of the European Data Protection Supervisor, 2009/C 229/04, 23 September 2009
6. International Pharmaceutical Privacy Consortium, Comments in response to the call for evidence on data protection proposals, 6 March 2012
7. Regulation (EU) No 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials on medicinal products for human use, and repealing Directive 2001/20/EC

Samantha Regenthal counsels clients from various industry sectors on legal, compliance and corporate governance matters, as well as related company internal control processes and systems. She specialises in life sciences law and EU competition/antitrust law, and holds Master of Law degrees from universities in Sweden and Germany. For the past seven years, Samantha has been active as a lawyer in the life sciences sector. Earlier this year she founded her own consultancy, Regenthal Legal & Compliance.