If you’re active in the medical devices industry in Europe you will no doubt have come across EU data protection regulation. It applies to all personal data (including data concerning health) relating to EU citizens that your company processes. As you may know, the EU is presently revising the current directive and has a proposal in the legislative works for a General Data Protection Regulation, the GDPR. Since I have been quite active with respect to the GDPR proposal behind the scenes, I thought it would be a good idea to step forward with some thoughts on the occasion of developments that occurred just before last Christmas.
The GDPR is a lot more prescriptive, top down and detailed than the current data protection directive. One of the reasons is that since the directive entered into force in 1995 the EU has promoted the protection of personal data from a predominantly internal market subject to a constitutional right as one of the novelties of the Treaty of Lisbon. In the meantime, the sense of urgency in protecting personal data at member state level varied wildly, with the Germans taking it extremely seriously and the Brits not taking it that seriously, just to paraphrase both ends of the spectrum (and overgeneralizing more than I probably should). So the EU decided it needed stronger medicine to control processing of personal data – which, mind you, is now planned to affect every company that processes personal data of more than 500 EU data subjects with organizational requirements, according to the last step in the legislative process: the Draft Report of Parliament rapporteur Mr. Albrecht issued on 17 December 2012. This report sets out the changes that the rapporteur proposes for the first reading by the parliament to the initial text as proposed by the European Commission. And it’s only 215 pages of dense technical reading containing just 350 amendments, so you can imagine that I spent some happy hours with it over the holidays. Mind you, the EU considers health data among the most sensitive categories of personal data and it’s upping its game in considerably tightening controls over it. Really, it’s no laughing matter: the authorities can impose really severe penalties for non-compliance (how about up to 2% of your company’s worldwide turnover?).
The GDPR requires a lot more from companies than is currently required, no less from those in the medical devices sector. I am not going to provide a complete overview of how the GDPR works and how the initial version might impact the medical devices industry. There are very good other sources that explain the general workings of the GDPR. COCIR and Continua Health Alliance did a nice job of explaining how the initial text might impact medical devices and eHealth companies with activities in the EU. Suffice it to say here that the mandatory ‘privacy by design’ requirements for how you structure data flows and operations in your company will require a lot of work and time to get right. The Commission has described succinctly how current data protection law works in relation to eHealth in its recent telemedicine paper in the eHealth Action Plan package, and there was of course the Article 29 Working Party opinion on the epSOS project for cross-border eHealth services, which give you a good idea of where the pressure points currently are if you process health data in the EU. With respect to clinical research there is the elaborate FEAM position paper. And there is a lot more.
What I would like to do is take a number of proposals from the recent Report to show that the devices industry has a lot more complexity to look forward to if these amendments to the initial proposal are adopted, and by which it will be strongly impacted:
- Proposed instrument to impose technical design requirements for services and devices with a view to compliance with data processing rules. Medical devices companies are used to the design requirements in the medical devices directives, their harmonised standards and a bunch of other statutes, like WEEE, EuP, RoHS, REACH, Batteries and the rest. The GDPR proposes to add an additional one by creating competence to prescribe how a company must design its devices and services to ensure compliance with the GDPR: “The principle of data protection by design require data protection to be embedded within the entire life cycle of the technology, from the very early design stage, right through to its ultimate deployment, use and final disposal. The principle of data protection by default requires privacy settings on services and products which should by default comply with the general principles of data protection, such as data minimisation and purpose limitation.” and “Processing of personal data shall be organised and carried out in a way that ensures compliance with the GDPR principles; producers, data controllers and data processors shall take technical and operational measures to ensure such compliance in the design, set-up, and operation of automatic data processing or filing systems.” (my italics) The Report then goes on to give the Commission and the European Data Protection Board competence to issue further specific criteria for implementation. In other words, your device may be prohibited if it is not designed from the start to meet EU privacy requirements by default.
- Increased regulation of profiling (monitoring). Under the GDPR all monitoring of persons (so also of patients) is considered profiling. Profiling has a really bad ring to it. We all hate it if external parties are sneakily profiling us for their own commercial purposes to figure out what we really want to buy based on how we behave, perhaps even without us knowing or based on consent buried in fine print so dense that you need a whole law firm to understand what you consented to. So far so good. What’s not so good is that the definition of profiling (“any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person or to analyse or predict in particular that natural person’s performance at work, economic situation, location, health, personal preferences, reliability or behavior”) also includes monitoring as we know it in healthcare, both remote monitoring and non-remote monitoring. And because we hate profiling in general because we don’t trust those companies on the internet, the GDPR is going to make profiling extra difficult to do and give the data subject the right to object to profiling across the board. Exceptions for health data – surely they would have thought about that? No, there is only an exception insofar as the processing takes place under a doctor’s medical privilege and then the patient can still object retroactively. Does this put a stake right through the heart of the (remote) monitoring industry? No, because you can still monitor with consent. However, consent has become the company’s problem: the burden is on you to prove that consent was informed, specific, freely given, unbiased, not given in a situation of imbalance and that your policies that were consented to were actually understandable. And then the patient can always withdraw his consent later and demand erasure of all data relating to him. How about that for a foundation to build a business model on?
- Even stricter regulation of processing of health data for scientific research. The medical devices industry is dependent on research for innovation. Consequently it’s not good news that the Parliament is planning to make the already very strict exemptions for processing health data for research basically impossible to work with from a regulatory compliance perspective. The Report proposes to require that processing of pseudonymised (reversibly coded) health data can only take place with consent of the data subject, except in cases of “research that serves an exceptionally high public interest and if that research cannot possibly be carried out otherwise”. Time will tell what that means, but I predict it is not going to make things easier when a company wants to use health data for long-term research purposes, because all data obtained with valid consent (for what it’s worth with all the complexity surrounding consent) is subject to the obligation that “all necessary measures shall be taken to prevent re-identification of the data subjects“. Good luck doing corrective actions for the lucky people in that group.
Not helpful in the real world
Anyway, I could go on, but these three points really jumped out at me and indicate to me that the EU is not really thinking constructively about health data in the real world, in which commercial companies rely on data for meeting their regulatory obligations and developing innovative technology. I am following these and other points up in Eucomed and in several associations specifically active in eHealth and mHealth. I will also be speaking about this subject next week in the Netherlands at the Lexxion conference on the new medical devices regulation. To me it is still hard to understand why the Commission on the one hand launches ambitious eHealth action plans (that rely on workable data protection rules, by the way) and wants a competitive European healthcare industry as a matter of policy, but on the other hand makes the output of research really difficult to leverage for innovation and improvement of healthcare. Of course there has to be a balance and fundamental rights need to be respected. I don’t have the feeling, however, that the healthcare industry is the bad guy in the eyes of patients and trial subjects. Innovative companies in healthcare are no sneaky profiling marketeers or social media on which you post your drunken face to your detriment for the rest of your career. Therefore, they should not be regulated with the same undifferentiated instruments. As is clear from the position papers I have linked to above, the industry is not in the least trying to dodge its responsibility, but it does raise red flags about how this will not work for anyone nor help achieve the policy goals the EU has for healthcare.
So, what happens next?
The European Parliament will now ruminate on the Draft Report and see whether they really want this as amendments, or maybe want to add some more to the 350 amendments proposed (end of February). The Rapporteur is however not crazy and will only propose things which he knows have support in the Parliament. The Parliamentary Committee charged with this dossier, the Civil Liberties Committee, will then vote (end of April) and the dance between the Parliament, the Council (the Member States) and the Commission (the initial author of the proposal) will start to see if they can agree (from May onwards) in the so-called Trilogue. And in the meantime every stakeholder and stakeholder group will be lobbying like crazy to try to make a difference.
And: companies will have to start to make sense of how to implement all of this. Because even if the GDPR may change on some points in the process – it’s not going away, I assure you that much.
Thank you for the briefing! I do have a few questions:
1. do I understand correctly that it only applies when data of more than 500 subjects are involved? What about clinical trials with 100 or 200 patients?
2. under new changes 2nd bullet when you say monitoring do you mean tracking in general or monitoring as we do in clinical trials?
3. under new changes 3rd bullet is this meant for anonymized data in clinical trials or beyond that (as we already use informed consent, with some exceptions in case of postmarket registries), and would safety fall into the category of high public interest you think?
Hi Annet, thanks for these comments. Let me address them in the same order:
1. My language was not entirely precise initially: the GDPR will apply to any processing of personal data, but for 500 data subjects or more a company needs to have a ‘privacy officer’ to oversee the processing (the 500 data subjects is new, it was ‘companies with 250 or more employees’ in previous drafts). I have amended that in the text of the article.
2. General monitoring would also seem to fit in the definition, as you are observing and recording what the patient is doing with the purpose of drawing conclusions about their behavior or clinical state.
3. The GDPR is neutral to the stage of the clinical trial in the development of the device, so it could relate to any trial wherever in a device’s development and life cycle.
I hope this answers the questions; if not, let’s continue the dialogue!