On 15 June 2015, the Council of the European Union (“Council”) adopted its position on the draft Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“Draft Regulation”).
This article discusses certain aspects of the Draft Regulation which could impact the conduct of clinical trials and other activities conducted by healthcare companies that involve the processing of personal data and personal health data. Such revisions merit consideration for the healthcare industry, sponsors of clinical trials, contract research organisations (“CROs”) and other relevant stakeholders.
Scope of application of the Draft Regulation
The Draft Regulation will apply to personal data processed by data controllers established in the European Union (“EU”) and to data controllers established outside the EU that process personal data pertaining to individuals residing in the EU in relation to:
- the offering of goods or services to individuals in the EU, irrespective of whether payment is required; or
- the monitoring of the behaviour of such individuals as far as their behaviour takes place within the EU.
While the Draft Regulation does not elaborate on the concept of monitoring the behaviour of individuals, it can be concluded that medical devices which monitor the behaviour of individuals would fall within the scope of the Draft Regulation where such devices process personal data related to persons residing in the EU. This conclusion would apply even if such devices are manufactured by entities that are established outside the EU.
Pursuant to the Draft Regulation, data controllers would be bound by more pronounced obligations than those in the current Data Protection Directive in relation to the information to be provided to data subjects prior to obtaining their informed consent for processing personal data. For instance, such requirements apply to sponsors of clinical trials who are required to obtain the informed consent of the patient prior to the conduct of the clinical trial.
In addition to the requirements provided in the current Data Protection Directive, the Draft Regulation requires the following information to be provided to data subjects prior to obtaining their informed consent:
- the legal basis on which the processing of the data is permitted;
- the existence of the right to request access, rectify, erase or restrict the processing of their personal data;
- the existence of the right to withdraw consent at any time, without affecting the lawfulness of any processing conducted prior to the withdrawal; and
- the right to lodge a complaint to the competent data protection authority.
Data controllers must also inform data subjects of any automated decision making which produces legal effects concerning the data subject or significantly affects him or her. Moreover, data subjects must be informed of the procedure governing such processing and of the significance and envisaged consequences of the processing. Automated decision making includes the concept of “profiling”, which is defined in the Draft Regulation as:
“any form of automated processing of personal data consisting of using those data to evaluate personal aspects relating to a natural person, in particular to analyse and predict aspects concerning performance at work, economic situation, health, personal preferences, or interests, reliability or behaviour, location or movements.”
Any automated processing of personal data to analyse and predict the health or behaviour of a patient would, therefore, require the provision of detailed information concerning the method, the significance and the consequences of such processing to the data subject.
Data concerning health and genetic data
The Draft Regulation maintains the restrictions imposed by the Data Protection Directive on the processing of sensitive personal data such as health data.
However, the Draft Regulation introduces a specific definition of personal health data. Data concerning health is defined as:
“data related to the physical or mental health of an individual, which reveal information about his or her health status.”
Included in the concept of sensitive personal data is genetic data. The restrictions governing the processing of personal health data will also be applicable to genetic data. Genetic data is defined as:
“all personal data relating to the genetic characteristics of an individual that have been inherited or acquired, (…) which give unique information about the physiology or the health of that individual, resulting in particular from an analysis of a biological sample from the individual in question.”
The Draft Regulation permits the EU Member States to maintain or introduce further restrictions or conditions concerning the processing of personal health data or genetic data. Healthcare companies would, when processing personal health or genetic data, be required to take into account both the provisions of the new Draft Regulation and those laid down at a national EU Member State level governing personal health data or genetic data.
Pursuant to the current Draft Regulation, data controllers would no longer be required to submit a notification to the competent data protection authorities prior to the conduct of any processing activities.
However, Article 33(1) of the Draft Regulation would require data controllers to perform an impact assessment prior to any processing that is likely to result in a high risk to the rights and freedoms of data subjects. The Draft Regulation includes a non-exhaustive list of types of processing that require a prior impact assessment, including:
- processing of data based on profiling and on which decisions are based that produce legal effects concerning data subjects or severely affect data subjects; and
- processing of sensitive personal data such as health data in circumstances where the data is processed for the purposes of taking decisions concerning data subjects on a large scale.
The assessment would include, at least, an analysis of the risks to the rights and freedoms of data subjects, the measures envisaged to address the risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Draft Regulation. Moreover, as part of this impact assessment, data controllers must consult and seek the views of the data subjects on the intended purposes of such processing.
If the conclusion of such impact assessment is that the processing would result in a high risk to the rights and freedoms of data subjects and the measures taken by the data controller would not mitigate such risks, the data controller must consult the competent data protection authority.
If the competent data protection authority considers that the processing would not comply with the provisions of the Regulation, the competent authority may provide written advice to the data controller concerning any potential steps to remedy the breach. Moreover, the competent authority may impose a number of enforcement measures such as:
- order the data controller or data processor to comply with the provisions of the Regulation;
- order the rectification, restriction or erasure of personal data and communicate such actions to those to whom the data has been disclosed;
- impose a temporary or definitive limitation on processing activities;
- order the suspension of transfer of personal data to a recipient in a third country; or
- impose an administrative fine.
The competent data protection authority has a maximum period of six weeks to issue its advice or impose enforcement measures. This period can be extended by a further six weeks depending on the complexity of the case. The data controller will be informed of any such extension.
Transfer of data outside the EEA
Similar to the Data Protection Directive, transfers of personal data outside the EEA are only permitted if performed with appropriate safeguards. The Draft Regulation has, however, introduced a number of new mechanisms by which transfers of personal data outside the EEA are permitted. These include the transfer of personal data to entities established outside the EEA if such entities adhere to an approved code of conduct together with binding and enforceable commitments to apply the appropriate safeguards in the code of conduct.
Codes of conduct can be developed by associations and other bodies representing categories of controllers or processors. Such codes must be approved by the competent data protection authority. An expert body with expertise in relation to the provisions of the code of conduct, and which is accredited by the competent data protection authority for such purposes, will monitor the application of the code. Approved codes of conduct will be made publicly available.
The expert body responsible for monitoring compliance with the code of conduct may take a number of enforcement actions, including suspension or expulsion of any data controller or data processor from adherence to the code, and must inform the competent data protection authority of any enforcement measures taken.
The Draft Regulation permits the competent data protection authority to impose a number of sanctions in relation to any breach of the provisions of the Draft Regulation. These include a range of monetary penalties. The maximum monetary penalty could be up to €1,000,000 or two percent of the total annual worldwide turnover of the previous year of a data controller or data processor for any intentional or negligent breach of the Draft Regulation.
A final text of the Draft Regulation must be agreed jointly by the Council, the European Commission, and the European Parliament. This process is known as the “trilogue”. It is expected that a final text could be agreed upon by the EU Institutions by the end of 2015.
We will continue to further monitor the trilogue as it cannot be excluded that the Draft Regulation will be substantially amended prior to final adoption.