
7.3 Challenges with access to primary materials and data protection

7.3.3 The EU Data Protection Regulation imposing requirements for processing of

Although a wider analysis of the implications of the new EU General Data Protection Regulation 2016/679 (the GDPR)512 is left outside the primary scope of this study, there is a need to briefly outline some aspects that influence the control and processing of data in the context of clinical trials and, in particular, the traceability of ATMPs. Compliance with data protection requirements is of paramount importance for protecting the privacy and integrity of clinical trial participants and donors of materials of human origin. Yet it should be noted that the measures needed to comply with the more stringent, EU-wide, mandatory data protection requirements may place an additional financial burden on SMEs that are already struggling with limited financial and human resources.

As a starting point, the protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the EU and Article 16(1) of the TFEU provide that everyone has the right to the protection of personal data concerning him or her. The GDPR applies to any processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing itself takes place within the EU or not.513 Pursuant to the GDPR, personal data is defined as “any information related to an identified or identifiable natural person or data subject. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person”.514 The definition of sensitive personal data has been expanded to cover genetic data and biometric data processed to uniquely identify a person.515 The GDPR does not apply to anonymised data. Yet it should be noted that the GDPR recognises a category of data between anonymised and personally identifiable data. This category is called pseudonymised data: personal data that has been processed in such a way that it can no longer be related to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure that the data is not attributed to an identifiable person.516

512 It was finally formally approved by the EU Parliament on 14 April 2016 after more than four years of debate, lobbying and negotiations. The GDPR is expected to be published in the Official Journal of the EU in June 2016, which will begin a two-year transition period. During that transition period, data processors should review and adjust their data processing practices in order to meet the new requirements imposed by the GDPR.

513 See Article 3. Entities processing personal data on behalf of a data controller will have direct and independent obligations to comply with particular data protection requirements which previously applied only to data controllers.

514 Article 4.1.

515 Article 9.1.

The transparency and publication requirements arising out of the Clinical Trials Regulation raised some data protection related issues that had to be resolved in a public consultation on the Clinical Trials Regulation. Specific concerns were expressed that the presentation of information in documents sent to the clinical trials portal, or errors in the Member States’ or sponsors’ redaction of such documents, may result in the involuntary publication of either protected personal data or confidential commercial data.517 For instance, clinical trial result summaries may include information that can indirectly be associated with individuals (even though the information about adverse reactions is structured according to Annexes IV and V), and a notice and summary of a serious breach may also include similar personal data.518 Especially in the case of an orphan disease, the patient population may be so small that, despite anonymisation, the data risks becoming attributable to a specific patient. The EMA’s legal responsibilities as data controller regarding the content of the database needed further clarification. As a starting point, the EMA is responsible for ensuring that no such information enters the public domain. In an automated system, it may not be possible for the EMA to manually review all submitted documents to ensure that they do not contain such confidential information or personal data. Therefore, it would be advisable for the EMA to e.g. issue templates or specific guidelines for the submission of data in the different situations where a risk of inadvertent publication of confidential business information or personal data exists.519 Concerns were also expressed about the definition of commercially confidential information, as no specific examples of information from registration or summary results that should be treated as commercially confidential have been provided.520 As to the relation between the transparency requirements of the Clinical Trials Regulation and the Trade Secrets Directive521, pursuant to the Trade Secrets Directive the public interest prevails over private interests, and private interests are subject to legal obligations to disclose information of public interest, e.g. in the pharmaceutical sector. According to the Trade Secrets Directive, regulations ensuring a high level of transparency will not be affected. Hence, trade secrets may not be used to negatively affect the protection of public health.522

516 Recital 26.

517 European Medicines Agency. “Overview of comments on EMA/641479/2014 Draft proposal for an addendum, on transparency, to the Functional specifications for the EU portal and EU database to be audited - EMA/42176/2014”, 8. Available at: http://www.ema.europa.eu/docs/en_GB/document_library/Overview_of_comments/2015/11/WC500196562.pdf. Accessed 6 June 2016.

518 Ibid.

519 Ibid.

520 Op. cit., 20.

521 See for further details European Commission. “Trade Secrets”. Available at: http://ec.europa.eu/growth/industry/intellectual-property/trade-secrets/index_en.htm. Accessed 21 June 2016. The European Commission is currently working to harmonise the existing diverging national laws on protection against the misappropriation of trade secrets so that companies can exploit and share their trade secrets with privileged business partners across the internal market to foster the economy. On 15 December 2015 the European Parliament and the Council reached a preliminary agreement on the text of the Trade Secrets Directive. The agreement will need to be formalised by the European Parliament and the Council.

As mentioned in Section 7.3.2 above, tissue donors may have a particular interest in self-determination and privacy protection with regard to those samples. The GDPR imposes more stringent consent requirements: consent to the processing of personal data must be a clear and unambiguous indication of the data subject’s agreement to the processing of his or her personal data. A request for consent must be “clearly distinguishable” from any other matters in a written document, and it must be provided “in an intelligible and easily accessible form, using clear and plain language”.523 Thus, consent may not be “veiled” within other contractual documents. If consent obtained prior to the application date of the GDPR does not meet the requirements set forth in the GDPR, new consent should be sought from the data subjects. The GDPR also imposes an obligation to appoint a data protection officer in certain circumstances, such as large-scale processing of sensitive personal data.524 Furthermore, the GDPR requires that data controllers provide more detailed information to data subjects.525 The GDPR also confers new rights on individuals. These include, for example, the right to have personal data deleted and the right to data portability.526 Data controllers and processors will be obliged to implement appropriate technical and organisational measures taking into account “the state of the art and costs of implementation” and “the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals”.527 The GDPR also includes a notification obligation in the case of a personal data breach528 and penalties in the case of non-compliance.529

522 The interfaces between the Trade Secrets Directive and the Clinical Trials Regulation, which aims at promoting the transparency of clinical trials via publication of research results in a centralised database, have been left outside the scope of this study. Yet these considerations would require further clarification.

523 Recital 32.

524 Under Article 37 a data protection officer shall be appointed i) if the processing is carried out by a public authority; ii) if the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or iii) if sensitive data is processed on a large scale. The wording of the GDPR does not contain any quantitative thresholds (e.g. in terms of the number of data subjects) with respect to the obligation to appoint a data protection officer.

525 The GDPR contains an extensive list of information that controllers are obliged to provide to data subjects. The information requirements vary slightly depending on whether the personal data is obtained directly from the data subject (Article 13) or indirectly from elsewhere (Article 14). Information must be provided in a concise, transparent, intelligible and easily accessible way using clear and plain language. The GDPR also requires data controllers and processors to maintain records of their respective processing activities. Such records must be made available to the supervisory authority upon request.

526 Under Article 17 data subjects shall have the right to request the deletion of personal data, e.g. if i) the data is no longer needed for the purposes for which it was collected; ii) the data subject withdraws consent; iii) the data subject objects to the processing; or iv) the data was processed unlawfully. If the data controller has an obligation to erase data, it must also take reasonable steps to inform other controllers that are processing the data about the person’s objection. The GDPR contains a list of exemptions to the right to be forgotten. Data portability, in turn, requires the data controller to provide the data subject with the personal data concerning him or her in a structured, commonly used, machine-readable and interoperable format. Data portability under Article 20 applies only to data that the data subject has provided to the data controller where the processing is based on the data subject’s consent or the data is being processed to fulfil a contract.

The GDPR also requires controllers and processors to conduct a privacy impact assessment of the envisaged processing operations if the processing poses a high risk to the rights and freedoms of individuals. In this assessment, the nature, scope, context and purpose of the processing and the sources of the risk should be taken into account.530 In the GDPR, a systematic and extensive evaluation of personal aspects relating to natural persons that is based on automated processing, as well as the processing of sensitive personal data on a large scale, is mentioned as an example of high-risk processing. If a privacy impact assessment indicates a high risk, consultation with a supervisory authority is mandatory.

When it comes to the protection of personal data in a transatlantic context, the European Commission has recently adopted the so-called “Privacy Shield” arrangement by issuing an adequacy decision on 12 July 2016. It provides an additional mechanism for European companies to legally transfer personal data from the EU to the U.S., and it will replace the Safe Harbour Agreement invalidated by the ECJ (case C-362/14) in October 2015.531

527 Article 32.1 of the GDPR provides a list of security measures that may be regarded as “appropriate”: pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data; the ability to restore the availability of and access to data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

528 Under Article 33 of the GDPR, in the event of a personal data breach, data controllers must notify the appropriate supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach. Notice is not required if the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals. Minimum content requirements for the notice are provided for in the GDPR. In the event that a data processor experiences a personal data breach, it must notify the controller but does not have an obligation to notify the data protection authority. The GDPR also requires a data controller to inform data subjects about the breach without undue delay if the breach is likely to result in a high risk to the rights and freedoms of individuals.

529 Under Article 83 of the GDPR, the supervisory authorities may impose administrative fines on data controllers and processors for non-compliance with provisions of the GDPR. There will be two tiers of fines: a) max. 10M EUR / 2% of total worldwide turnover, e.g. for a breach of obligations related to the implementation of organisational and technical measures to protect privacy; the use of data processors; data breach notifications; and the appointment and responsibilities of data protection officers. b) max. 20M EUR / 4% of total worldwide turnover, e.g. for a breach of obligations related to fundamental data processing principles; the requirements for obtaining consent from data subjects; data subjects’ rights regarding access to information, the right to be forgotten, the right to restrict the use of data, data portability obligations and the right to object to automated decision-making; the transfer of personal data to third countries; and non-compliance with an order from a supervisory authority. Fines may be imposed instead of or in addition to other measures available to supervisory authorities. Such measures include warnings, reprimands, bans and suspensions. Any fines imposed by the supervisory authorities must be effective, proportionate and dissuasive. For example, the nature, gravity and duration of the violation, actions taken by the data controller to mitigate the damage, the degree of responsibility of the controller or processor and the type of personal data affected by the violation should be taken into account when imposing the fines.

530 Article 35.

531 Yet there is a risk that, like its predecessor, the Privacy Shield may also be challenged before the ECJ. Therefore, European companies should not rely on the new Privacy Shield as the only mechanism for

All in all, the data protection requirements imposed by the GDPR play an important role in protecting the privacy of research subjects. At the same time, they constitute an additional administrative and financial burden for SMEs and academia, as adequate processes and personnel need to be in place to comply with the requirements. Data protection constitutes an essential element of the quality management system of a company developing medicines. As clinical trials rely on data, business continuity planning is a critical aspect of protecting data during the required retention time.532 Escrow agreements with providers of escrow services are likely to become an increasingly common means of ensuring that such relevant pieces of information and audit trails can still be accessed in the case of an unanticipated event.533
