Although the devil will be in the detail of the final compromise text of the General Data Protection Regulation (GDPR), we have highlighted below how a few of the proposed changes could potentially impact the pharmaceutical industry.
Data protection in the EU is currently governed by the Data Protection Directive (95/46/EC) (the “Directive”) which has been implemented by domestic legislation in each of the 28 EU member states and members of the European Economic Area (EEA). Broadly, the Directive protects individual data subjects by placing restrictions on the processing (holding, collecting, using or disclosing) of their personal data (any information relating to an identified or identifiable natural person). Obligations under the Directive apply to data controllers, who determine the purpose for which personal data is processed, but not to the data processors who process data on the behalf of an instructing data controller.
In 2012, the European Commission proposed a comprehensive reform of the EUs 1995 data protection rules. The Commissions proposal for a new General Data Protection Regulation (GDPR) was drafted to reflect the way that data is now collected, stored, accessed, used and transferred following increased globalisation and the rapid technological advances that have been made in the two decades following implementation of the Directive. The proposal was also in response to the fact that the implementation of the Directive has been inconsistent between individual member states, resulting in businesses having to modify their practices to accommodate local data protection requirements throughout the EU. When in force, likely in 2018, the GDPR will have direct effect on all member states, which should hopefully harmonize data protection procedures and enforcement.
Although reform of the data protection regime was broadly welcomed, aspects of the proposals have caused some controversy. Both the European Parliament (EP) and EU Council proposed several significant amendments to the original proposals by the Commission. Following the publication of the EU Councils general approach to the GDPR in June 2015, discussions between the EU Council, the Commission and EP were initiated with the ambitious aim of producing a final compromise text of the GDPR by the end of the year. We understand that negotiations are on track, with the first two meetings of the three groups over the summer reaching consensus on issues including data transfer.
Although the devil will be in the detail of the final compromise text of the GDPR, we have highlighted below how a few of the proposed changes could potentially impact the pharmaceutical industry.
One of the most significant changes is that the GDPR will significantly widen the territorial scope of the data protection regime in the EU.
For example, data processors established in the EU will be specifically included within the scope of the GDPR. This means that data processors (who do not have obligations under the current regime) will have to carry out data protection impact assessments, maintain documentation relating to all of the processing operations under their responsibility and those who process data beyond the scope of a controllers instructions will be considered joint controllers.
Data controllers established outside the EU will also fall within the scope of the GDPR if they process personal data relating to goods or services offered to data subjects within the EU, and/or if they process data related to the monitoring of the behavior of data subjects (for example using cookies on internet browsers).
The GDPR will adopt a broader approach to the definitions of personal data and data subject ensuring that any data relating to a natural person who can be identified either directly or indirectly by it will be classed as personal data.
Relevant for those undertaking scientific research, a new concept of pseudonymized data (i.e. information that does not allow the identification of an individual without additional information that is kept separate from it) was introduced by amendments to the GDPR made by the EP (by proposing a new category of data) and EU Council (proposing a definition of pseudonymization). In both drafts, any data that is pseudonymized will still be treated as personal data and the benefits to an organisation for making data pseudonymized are not clear – it would be helpful for the industry if the final text of the GDPR clarified that the requirements for dealing with pseudonymized data are less stringent than that for personal data.
Similarly new concepts of genetic data and biometric data (for example fingerprint data) have been proposed. Along with data concerning health, genetic data (but not biometric data) is one of the special categories of personal data defined in Article 9 of the GDPR.
It is proposed that individual member states may allow these special categories of personal data to be processed without explicit consent for healthcare and medical purposes when carried out by or under the responsibility of a healthcare professional (or other person subject to an obligation of confidentiality). The EU Council have also proposed a provision allowing individual member states to maintain or introduce more specific provisions with regard to genetic data or health data, including the possibility to introduce further conditions for processing. However, if enacted these provisions are likely to have the unfortunate consequence that data protection requirements for health data across the EU remain inconsistent. So much for harmonization. Is it wishful thinking that the three groups can find a way to a compromise that both protects individuals interests and maintains the exemptions for health and scientific research that can be applied throughout the EU?
The EU Council has proposed that any consent given to process personal data must be unambiguous, and when dealing with special categories of personal data, such as genetic data or data concerning health, the data subject must have given explicit consent to their processing. The differences between unambiguous and explicit are not currently set out in the draft and may cause confusion for data controllers - hopefully practical guidance will be provided by the final text of the GDPR. Notably, the Commission and EP believe that explicit consent is required to allow the processing of all personal data.
It its amendments of the GDPR, the EU Council reinstated the EPs deletion of the provisions that, provided data privacy standards are maintained, allow the further processing of personal data for scientific purposes, without the need to obtain consent for the additional processing from the data subject. These exceptions are vital for healthcare research and we are hopeful that the EU Council, the Commission and EP will ensure that they remain in the final text of the GDPR.
In the EU, companies must comply with the Pharmacovigilance Directive (2010/84/EU) and Regulation (EU No 1235/2010) by processing data related to health in order to identify, assess and prevent any adverse reactions to medicinal products and establish their full safety profile. Any adverse events found are then reported back to the relevant health authorities. Obtaining an individual data subjects consent in such circumstances is likely not to be possible.
There is a lack of clarity in terms of the interrelationship between the pharmacovigilance and current data protection regimes. The GDPR tries to address this by setting out specific exemptions when data related to health can be processed without obtaining explicit consent, including when the processing is necessary for the purpose of preventative or occupational medicine; medical diagnosis and the provision of health treatment; the management of health or social care systems and reasons of public interest including public health and, specifically, ensuring high standards of quality of medicinal products and medical devices.
Given that the purpose of pharmacovigilance is to ensure the safety of medicinal products, there are clear grounds for establishing a legal basis for processing genetic and health data for reasons of public health interest under the GDPR. This should make the pharmaceutical industrys data protection obligations clearer in this regard.
Directive 2001/20/EC prescribes that participants in any clinical trial conducted in the EU must give their informed consent before enrolling on the trial. Proposed recitals in the GDPR suggest that consent will not be considered freely-given and will not provide a valid legal ground for processing where there is a clear imbalance between the position of the data subject and the controller. Could such an imbalance be inferred between clinical trial patients and the pharmaceutical company conducting that clinical trial? In these circumstances, would the patients informed consent be enough to allow the pharmaceutical company to process patients health data? This will need to be clarified by the EU Council, the Commission and EP.
The broadening of data subject rights under the GDPR could potentially pose difficulties to those undertaking clinical trials. For example, the so-called right to be forgotten, more accurately termed the right to erasure in the GDPR, has been the subject of much debate, particularly since the European Google Spain case in which the Google was asked to take down historic links that pointed to a certain individuals financial status. The EU Councils draft of the GDPR provides that a data controller will be under an obligation to erase personal data without undue delay in a number of circumstances, including when the data subject withdraws his consent on which the processing is based. However, the draft includes a number of important exceptions including if processing is necessary for reasons of public interest in the area of public health and for scientific research. This will no doubt be an area of intense debate between the EU Council, the Commission and EP but hopefully a compromise can be found which will not thwart ongoing medical research projects which rely on the integrity of the data that was originally collected and processed. The GDPR will also introduce the right to data portability. Effectively, this is the right of a data subject who has provided data about themselves to a controller to receive that data back, or have it transferred to another data controller, in a structured and machine-readable format. However, this right will be without prejudice to the safeguards discussed above in relation to a data subjects right to erasure.
Clinical trials can involve transfers of personal data from the EU to sponsors and other service providers, such as clinical research organizations, located outside the EU. Such transfers are already subject to restrictions on cross-border transfers under the current data protection regime, but a company’s obligations will change under the GDPR. Transfers of personal data outside the EEA will be prohibited under the GDPR unless certain conditions are met, namely if the European Commission has decreed that the country where the data is transferred adequately protects personal data (which currently doesn’t include the US); certain legal derogations apply (for example, if the data subject has consented), or the controller or processor adduces adequate safeguards. These adequate safeguards can include adopting binding corporate rules when transferring personal data between companies forming part of multinational groups of companies; using standard contractual clauses adopted by the EU Commission or an approved data protection agency; or adopting an approved code of conduct or certification mechanism which includes binding and enforceable commitments of the controller or processor to apply the appropriate safeguards in the third country.
We keenly await the final text of the GDPR to see exactly how it will impact the ability to process data in the life sciences sector. In the meantime those involved in clinical trials and who process personal data in other ways may be wise to give some thought to the likely changes to the regime.
Gillian Johnson and Charlotte Tillett are joint Heads of Life Sciences at Stevens & Bolton LLP. Katrina Walter is currently training to be a solicitor at the firm.