Fit for life: Bringing data protection into the 21st century
This first appeared in Scrip Regulatory Affairs, 1 Feb 2012.
Life sciences companies are used to operating under the shadow of strict data privacy laws in Europe. Outside the healthcare sector itself, no industry is likely to hold and make use of such a mass of sensitive personal data as that collected from clinical trials, either by or on behalf of those companies. Pharmaceutical and medical device companies will therefore want to keep within sight the proposals for significant change that the European Commission has been working on for the past two years. The purpose of the changes is to bring Europe's data protection regime into the 21st century. In what will undoubtedly be the most significant global legislative development of the past 15 years affecting the collection, use and protection of personal information, the European Commission will publish its legislative proposals for reforming Europe's ageing data protection framework in the coming weeks.
The draft legislation crafted by the Directorate General for Justice, Freedom and Security has already been circulated to the other Directorates General and the final touches are now being applied. Why is this such a critical development? What does the draft say, and how will it affect life sciences companies?
Although built on the foundations of the existing data protection directive, the new framework will bring with it considerable changes aimed at rejuvenating a law which has lost its effectiveness in tackling many of today's data privacy challenges.
The main novelties introduced by the new regime will be as follows:
- A Regulation – It is widely accepted that a regulation, rather than another directive, will be the best mechanism for a harmonised regime that delivers a consistent level of protection across the EU. Once adopted, the regulation will be directly and universally applicable in all EU Member States without the need for national implementing legislation (which the current directive requires, and which has produced 27 different national versions of the same rules). There are obvious pros and cons to this approach: whilst a single law will generally benefit companies operating internationally, life sciences companies established in jurisdictions with a more business-friendly approach to data protection legislation (such as the UK) will lose that advantage.
- Applicability based on establishment and targeting of European residents – Any company that processes personal data in the context of an EU-based establishment will be subject to the new law in any event. However, the new regulation will also apply to organisations established anywhere in the world if they direct their processing activities at, or monitor the behaviour of, individuals who live in the EU. This will have a significant impact on US-based life sciences companies that currently fall outside Europe's data protection regime but collect data from EU residents – in future, these businesses will need to ensure their compliance with EU data privacy rules.
- Consent – Individuals' consent will remain a cornerstone of European data protection law, but the standard for valid consent will be higher than ever before, with a greater emphasis on the individual's freedom of choice. In particular, the revised law is likely to place on companies the burden of proving that the data subject has given consent. Consent to the use of data arising in a clinical trial is of course not just about a signature on a page headed "Patient Consent Agreement", but about the quality of that consent, which will require the patient to understand precisely what the data is to be used for and by whom. Further, consent will not provide a legal basis for the processing where there is a significant imbalance, in the form of dependence, between the position of the data subject and the company using their data. This has the potential to give rise to an interesting debate about the "dependence" of a very sick patient on a pharmaceutical company where participating in the trial is their only hope of fighting the disease. Life sciences companies that currently predicate many of their activities on consent, in particular in relation to employee or physician data, will need to consider other, non-consent-based means of legitimising their data uses.
- Stronger rights – Some rather radical changes are likely to come in the shape of new or strengthened individual rights. Top of the list will be the much-publicised right to have personal data removed from a particular company's systems, the so-called "right to be forgotten", followed closely by data portability rights (probably more relevant to employees' and physicians' data than to patients' data). In addition, expanding on the current directive, life sciences companies will need to provide customers, physicians and patients with additional transparency information, such as the period for which the personal data will be stored, the rights available to them and whether their personal data will be transferred internationally.
- Enhanced responsibilities – As a flipside of the increased rights of individuals, companies will face very specific responsibilities ranging from the adoption of policies and principles such as privacy by design and privacy by default to the mandatory training of staff and the requirement to appoint data protection officers. Life sciences companies will find that putting in place a comprehensive data protection compliance programme will be a legal obligation in the black letter of the law.
- Data breach notification – An obligation to notify security breaches to data protection authorities (and in some cases to the individuals affected) will apply for the first time under the general regime. This will represent a significant departure from current practice, and because each notification puts the incident in front of the regulator, it will make investigations by the data protection authorities much more likely. Companies will need an incident response process that can detect a breach, establish what personal data was affected and report within whatever deadline the final text sets.
- International data transfers – International life sciences companies will be pleased to note that greater flexibility is expected on this issue, which is particularly important in the context of multi-site clinical trials. The European Commission has made it clear that it expects binding corporate rules (BCR) to become the norm for all international companies going forward.
- Enforcement powers – The Commission's promise of stronger enforcement powers for the data protection authorities is bound to bring harmonised and hefty monetary fines, potentially up to 5% of annual worldwide turnover – ultimately putting data protection fines on a par with antitrust fines.
Practical implications for life sciences companies
Data protection compliance is already a key priority for life sciences companies, and will take on even greater importance under the new regime. In the light of the forthcoming regime, there are some immediate actions that should be at the top of every life sciences company's list, including:
- Legislative outreach activities – The legislative process initiated by the European Commission will carry on in the coming months, so there are clear opportunities to influence the outcome by reaching out to legislators and policy makers both in Brussels and at a Member State level.
- Privacy policies and patient consent forms – As transparency and consent take centre stage, deploying the right privacy policies and consent forms will be paramount. The time to review their content and the channels through which they are communicated is now.
- Accountability framework – Under the new regime, evidencing compliance will be critical. This means adopting internal compliance policies that are readily accessible and establishing clear lines of responsibility. Whilst it is still too early to know exactly what privacy by design and privacy by default will amount to, the practice of carrying out privacy impact assessments should already be embedded in product design activities wherever such products involve accessing or using customer, physician or patient data.
- Flexible international data transfers – The days of blindly signing up to the so-called model clauses and putting the contract in a drawer are over. BCR are tipped to become the way to go and the only guarantee of an effective global data protection approach. Not only that, but an effective BCR programme will go a significant way towards meeting the accountability requirements of the new regulation. Now is the time for life sciences companies to look at their existing data transfer mechanisms and consider adopting BCR to future-proof their compliance.
All in all, it is beyond doubt that the Commission has crafted a framework that aims to strengthen the rights of EU citizens over their personal data. Those citizens include the employees of pharmaceutical, biotech and medical device companies, the patients participating in clinical trials run by them, and the physicians and hospital administrators on the visiting lists of these companies' sales representatives. In view of the potential for substantial fines, life sciences companies would be well advised to gear up for the new regime in advance of its coming into effect.
Eduardo Ustaran is a partner and Head of the Privacy & Information Law Group at Fieldfisher
Phil Lee is a senior associate in the Privacy & Information Law Group at Fieldfisher
Alison Dennis is a life sciences partner at Fieldfisher