John O’Connor examines the proposed EU Data Protection Regulation and the implications for the life sciences sector.
To ensure safer and more effective drug development it is vital for the life sciences industry to be able to collect, analyse and transfer personal data, including sensitive personal data for clinical trials, pharmacovigilance and medical research.
The EU General Data Protection Regulation, which was formally issued by the European Commission in 2012 to replace the existing EU data protection framework, could adversely affect the life sciences industry, and is perhaps the most important piece of proposed European legislation for the industry in many decades.
One of the key potential advantages of the regulation for the life sciences sector is the promise that data protection laws can finally be harmonised across all 28 member states.
REGULATION READY
The regulation is progressing through the European legislative process and is likely to be adopted in 2016. Once adopted it is intended to be enforceable in all member states within two years. However, many life sciences organisations have already begun a comprehensive data protection health check of their activities so they are ready for the proposed regulation. This is strongly recommended.
Some key aspects of the proposed legislation include:
Extra-territorial application – The regulation will apply to data controllers established in the EU, but it is also very likely to apply to organisations operating from outside the EU where they offer goods or services to EU residents or monitor/profile the behaviour of EU residents.
Due to its broad territorial application, the regulation will, for example, apply to a pharmaceutical or medical device company with no operation in the EU but that operates a clinical trial or study in the EU.
Increased fines/supervision – The regulation may contain fines of up to 5% of annual worldwide turnover of the organisation or €100m (whichever is the greater) for non-compliance. Data protection authorities, such as the Office of the Irish Data Protection Commissioner (DPA) are likely to be given even wider powers to impose a temporary or permanent restriction on processing personal data, to enter premises and suspend data transfers to recipients located outside of the European economic area.
Notification of data security breaches – There is likely to be a compulsory obligation on data controllers in the life sciences sector to report a data security breach to its DPA without undue delay and, where feasible, within 72 hours. Where this cannot be achieved within 72 hours, an explanation of the reasons for the delay should accompany the notification. Where the breach is likely to adversely affect relevant data subjects, they will also need be notified.
Consent – The draft regulation requires consent to be ‘specific, informed and explicit’. Health research today sometimes relies on a broad consent/opt out model where participants need to opt out of giving their consent for their data to be used for a variety of research studies. This method of obtaining consent is unlikely to be effective under the regulation.
Moreover, the data controller will need to prove consent was provided if challenged and consent must be purpose limited and will cease to be valid when the purpose is completed.
The regulation also provides that consent is not valid if there is a significant imbalance between the position of the data controller and the data subject – it is not clear if this condition will impact upon the ability to rely on explicit consent in some circumstances.
Impact assessments – The proposed regulation contains a requirement to carry out data protection impact assessments on activities where the data being processed involves specific risks such as in the case of data relating to health. This will include identifying the data protection risks involved and putting security and privacy measures in place to deal with such risks, consulting with national DPAs and seeking the views of data subjects. This requirement may add significant cost and complexity to, for example, clinical trials.
Appointment of a data protection officer – If the processing is carried out by a legal person and is in relation to more than 5,000 data subjects in any consecutive 12-month period, there may be a requirement for that organisation to appoint a dedicated data protection officer.
Many life sciences organisations have already begun a comprehensive data protection health check
International data transfers – The regulation provides that transfers of personal data from the EU to countries that are not deemed by the EU to provide an adequate level of data protection should take place only on the basis of legal agreements such as Binding Corporate Rules and the EU’s standard contractual clauses. Existing decisions relating to adequacy of data protection – such as the US Safe Harbor scheme, which is currently being heavily scrutinised – will remain in force for only two years after the regulation takes effect. The restrictions on data transfers in the regulation will need to be carefully monitored by the industry.
Lead authority mechanism – As a concept, this mechanism appeared to be consistent with harmonisation of data protection law across the EU and was intended to apply so that where the processing activities of a data controller are established in more than one EU member state, the DPA of the member state of the main establishment of the data controller would act as a single point of contact for that data controller. This provision has been substantially re-negotiated at EU level and it appears unlikely to survive as originally envisaged.
Consumers – Any association or body acting in the public interest will be entitled to submit a complaint to a national DPA and to bring legal proceedings on behalf of data subjects for non-compliance with the regulation seeking damages for losses incurred and also for pain and suffering.