
The proposed EU Data Protection Regulation: Implications for the Life Sciences Sector

PRACTICE AREA GROUP: Life Sciences, Technology and Innovation, Data Protection
DATE: 15.07.2015

To ensure safer and more effective drug development it is vital for the life sciences industry to be able to collect, analyse and transfer personal data, including sensitive personal data for clinical trials, pharmacovigilance and medical research. The EU General Data Protection Regulation (the Regulation) was formally issued by the European Commission in January 2012 to replace the existing EU data protection framework (Directive 95/46/EC).

The Regulation could adversely affect the life sciences industry and is perhaps the most important piece of proposed European legislation in many decades for the industry. One of the key potential advantages of the Regulation for the life sciences sector is the promise that data protection laws may (at last) be harmonised across all 28 Member States. The Regulation is slowly progressing through the European legislative process and is likely to be adopted in 2016. Once adopted it is intended to be enforceable in all Member States within 2 years.

Some key aspects of the proposed Regulation are considered below:
• Extra-Territorial Application – the Regulation will apply to data controllers established in the EU but it is also very likely to apply to organisations operating from outside the EU where they offer goods or services to EU residents or monitor/profile the behaviour of EU residents. Due to its broad territorial application the Regulation will, for example, apply to a pharmaceutical or medical device company with no operation in the EU but that operates a clinical trial or study in the EU.
• Vastly Increased Fines / Supervision – the Regulation may contain fines of up to 5% of annual worldwide turnover of the organisation or €100,000,000 (whichever is the greater) for non-compliance. Data protection authorities (DPAs), such as the Office of the Irish Data Protection Commissioner, are likely to be given even wider powers to impose a temporary or permanent restriction on processing personal data, to enter premises and to suspend data transfers to recipients located outside of the European Economic Area.
• Notification of Data Security Breaches – there is likely to be a compulsory obligation on data controllers in the life sciences sector to report a data security breach to their DPA without undue delay and, where feasible, within 72 hours. Where this cannot be achieved within 72 hours, an explanation of the reasons for the delay should accompany the notification. Where the breach is likely to adversely affect the relevant data subjects, they will also need to be notified.
• Consent – the draft Regulation requires consent to be ‘specific, informed and explicit’. Health research today sometimes relies on a broad consent/opt out model where participants need to “opt out” of giving their consent for their data to be used for a variety of research studies. This method of obtaining consent is unlikely to be effective under the Regulation. Moreover, the data controller will need to prove consent was provided if challenged and consent must be purpose limited and will cease to be valid when the purpose is completed. The Regulation also provides that consent is not valid if there is a significant imbalance between the position of the data controller and the data subject – it is not clear if this condition will impact upon the ability to rely on explicit consent in some circumstances.
• Impact Assessments – the proposed Regulation contains a requirement to carry out data protection impact assessments on activities where the data being processed involves specific risks such as in the case of data relating to health. This will include identifying the data protection risks involved and putting security and privacy measures in place to deal with such risks, consulting with national DPAs and seeking the views of data subjects. This requirement may add significant cost and complexity to, for example, clinical trials.
• Appointment of a Data Protection Officer – if the processing is carried out by a legal person and relates to more than 5000 data subjects in any consecutive 12-month period, there may be a requirement for that organisation to appoint a dedicated Data Protection Officer.
• International Data Transfers – the Regulation provides that transfers of personal data from the EU to countries that are not deemed by the EU to provide an adequate level of data protection should take place only on the basis of legal agreements such as Binding Corporate Rules and the EU’s standard contractual clauses. Existing decisions relating to adequacy of data protection (such as the US Safe Harbor scheme which is currently being heavily scrutinised) will remain in force for only 2 years after the Regulation takes effect. The restrictions on data transfers in the Regulation will need to be carefully monitored by the industry.
• Lead Authority Mechanism / One Stop Shop – as a concept this mechanism appeared to be consistent with harmonisation of data protection law across the EU and was intended to apply so that, where the processing activities of a data controller are established in more than one EU Member State, the DPA of the Member State of the main establishment of the data controller would act as a single point of contact for that data controller. This provision has been substantially re-negotiated at EU level and it appears unlikely (unfortunately) to survive as originally envisaged.
• Consumer Body Actions – any association or body acting in the public interest will be entitled to submit a complaint to a national DPA and to bring legal proceedings on behalf of data subjects for non-compliance with the Regulation seeking damages for losses incurred and for pain and suffering.

Many life sciences organisations have already begun a comprehensive data protection health check of their activities so they are ready for the proposed Regulation. This is strongly recommended.

This article originally appeared in Business and Finance 1 July 2015.