The European Parliament’s Civil Liberties Committee has published its draft report on the proposed EU Data Protection Regulation, which will have a significant impact on the life sciences industry.
There has been considerable debate on the proposed Regulation over the last twelve months, but there is still time for those concerned to make their views known to the European legislature. A summary of the main elements of the proposed Regulation, as amended by the Committee, that are relevant to the life sciences industry is set out below.
- Application to Non-European Businesses – the Regulation will apply to data controllers established in the EU or operating from outside the EU where the processing activities are aimed at the offering of goods or services to individuals in the EU, irrespective of whether payment is required. So-called “producers” (i.e., hardware and software developers) that produce systems to process personal data must also take measures to ensure data protection compliance when designing systems. Due to its broad territorial application the Regulation will, for example, apply to a pharmaceutical company outside the EU that operates a clinical trial or study in the EU.
- Enforcement – fines of up to 2% of annual worldwide turnover can be imposed on businesses subject to the Regulation for non-compliance, with additional criteria proposed under the amendments that would be taken into account by Data Protection Authorities (DPA) when determining the fines.
- Health Data and Consent – alarmingly, the processing of health data for the purposes of scientific research will not, according to the amendments, be considered “as urgent or compelling as public health or social protection”. Such processing will, therefore, be permitted only with the consent of the data subject, unless the relevant EU Member State adopts exceptions under national law to the requirement of consent for research that serves an exceptionally high public interest, if that research cannot possibly be carried out otherwise. The amendments go on to provide that “[t]he data in question shall be anonymized, or if that is not possible for the research purposes, pseudonymized under the highest technical standards, and all necessary measures shall be taken to prevent re-identification of the data subjects.” It is unclear what level of pseudonymization will be required. The condition in the Regulation that consent is not valid if there is a significant imbalance between the position of the data controller and the data subject is of particular concern as it raises the question of whether patient consents are legally valid.
- Impact Assessments – the requirement to carry out data protection impact assessments where data involves specific risks (such as health data) remains, as does the obligation to seek the views of data subjects on the intended data processing. The amendments propose that a data controller must consult with its Data Protection Officer (DPO) on the impact assessment. The DPO will also have an obligation to report suspected breaches to the DPA. The requirement to carry out impact assessments on activities, such as a new clinical trial or a new research study database, may add significant cost to life sciences companies.
- Rights of Individuals – data subjects (such as patients or healthcare professionals) must be provided with data protection notices using multi-layered formats and icons with full information available on request. Data subjects will also have: (i) the Right to be Forgotten (i.e., to have personal data erased), although the amendments provide that data controllers will no longer have to take reasonable steps to contact third parties to request them to erase copies of the data if the personal data has been transferred or made public based on legal grounds; and (ii) the Right to Data Portability (i.e., to obtain a copy of the data being processed and to move the data to another platform). Profiling will only be permitted with the data subject’s consent or based on an express statutory provision. All of these rights, such as having to delete data from a research study and restrictions on profiling, could significantly impact life sciences activities.
- International Data Transfers – transfers of personal data from the EU to countries that are not deemed by the EU to provide an adequate level of protection (such as the US) should only take place on the basis of binding legal instruments (e.g., Binding Corporate Rules and the EU’s standard contractual clauses). Existing decisions relating to adequacy of data protection (such as the US Safe Harbor scheme) will remain in force for only two years after the Regulation takes effect. A new provision provides that where a court, tribunal or authority in a country outside the EU, such as the US, requests a controller or processor to disclose personal data, then the controller’s representative must notify the DPA to obtain prior authorization for the transfer. The restrictions on cross-border data transfers in the Regulation will be of continuing concern for international life sciences companies.
- Information Security – in the case of a security breach, the period to notify the DPA is extended from 24 to 72 hours while the scope of the obligation to notify data subjects of a security breach has been extended to require that information be included regarding the rights of the data subject, including redress.
- One Stop Shop – a modified ‘one stop shop’ approach to EU data protection regulation is proposed: where the processing activities of a controller or processor are established in more than one EU Member State, or affect data subjects in several Member States, the DPA of the Member State of the main establishment of the data controller will be the lead authority, acting as a single contact point for the controller or processor.
- Class Actions – a number of amendments strengthen the position on collective redress: any association or body acting in the public interest will be able to go to court on behalf of data subjects (such as a patient) to seek damages which will now also be permitted for non-pecuniary loss, such as distress. This could open the doors to a significant increase in privacy litigation.
The next steps in the EU legislative timetable include: (i) 27 February 2013: deadline for tabling amendments by MEPs on the Civil Liberties Committee; (ii) end of April 2013: vote by the Civil Liberties Committee; and (iii) from May 2013 onwards: depending on progress in the EU’s Council of Ministers, negotiations between the European Parliament, the Council and the Commission (the so-called “Trilogue”). The Regulation is expected to be adopted in 2014.
Please contact one of the Sidley lawyers listed below, or your usual Sidley contact, if you have any questions regarding the Guidelines or the EU’s rules relating to the use of health claims regarding foods more generally.
The EU Life Sciences Practice of Sidley Austin LLP
Sidley’s EU Life Sciences practice assists multinational companies and trade associations with food, pharmaceutical, biotechnology, medical device, cosmetics and dietary supplement issues in the European Union. Our lawyers offer strategic advice for gaining and maintaining market access. We anticipate government actions, advise on approval and submission strategies, and interface with trade associations, consultants and governmental officials. Clients turn to our group for assistance with compliance issues relating to Good Manufacturing Practice, EU Drug Safety/Pharmacovigilance, and Quality System regulations, as well as EU competition and trade law issues.
For further information on the EU Life Sciences Practice, please contact:
Maurits J.F. Lugard +32.2.504.6417
Maarten Meulenbelt +32.2.504.6467
Vincenzo Salvatore +32.2.504.6478
On three continents, Sidley’s Global Life Sciences Practice team offers coordinated cross-border and national advice on Food, Drug and Medical Device Regulatory, Life Sciences Enforcement, Litigation and Compliance, Healthcare Regulatory, Products Liability, Intellectual Property, Corporate and Technology Transactions, Securities and Corporate Finance, International Trade and Arbitration, FCPA/Anti-Corruption, Antitrust/Competition, Environmental/Nanotechnology. Globally rated as one of the top life sciences practices, our team includes former senior government officials, medical doctors and leaders in various life sciences fields.
For further information on the Global Life Sciences Practice, please contact:
Scott Bass +1.202.736.8684 +1.212.839.5613
James C. Stansel +1.202.736.8092
This Global Life Sciences: EU Update has been prepared by Sidley Austin LLP for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from professional advisers.
Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300 and One South Dearborn, Chicago, IL 60603, 312.853.7000. Prior results described herein do not guarantee a similar outcome.