The European Union and the U.S. have wrapped up a data privacy framework that covers broad swaths of both economies, including the transmission of clinical trial data across the Atlantic Ocean. Drug and device makers that want to make use of this framework and thus jettison the contractual clause to ensure data privacy may find compliance with this new framework much more efficient in the long run, but will have to do a lot of compliance work on the front end to achieve those efficiencies.
As a growing roster of nations moves to protect individual genomic and other health data in the name of privacy under the General Data Protection Regulation in the EU and similar laws elsewhere, chief aggregators of such data, drug developers, are struggling.
LONDON – The European Commission (EC) has put forward proposals for a Data Act that is intended to both give users greater rights over their own data and allow greater third-party access. The Act sets out who can use and access data generated in the EU across all sectors of the economy. It is pitched by the EC as opening the doors to an under-used resource that will in turn promote research and innovation and create new markets in information services.
DUBLIN – The ongoing legal uncertainty surrounding the transfer of data from European research institutions or companies to international partners shows little sign of resolution, despite the urgency of the COVID-19 pandemic, which has engendered an extraordinary collaborative response from the global scientific community.
Device makers may see privacy legislation in California and other U.S. states as a source of regulatory balkanization, but that very same problem is cropping up in the international arena. In addition to the European General Data Protection Regulation (GDPR), privacy requirements are popping up in Brazil and elsewhere, and Eric Bowlin, a partner at Deloitte Risk & Financial Advisory, told attendees at a virtual symposium that the best approach might be to base a compliance program on general principles.
The Court of Justice for the European Union (CJEU) has invalidated the EU-U.S. Privacy Shield, a mechanism designed to ensure the privacy of EU citizens’ data when conveyed to other nations in a manner consistent with the EU’s General Data Protection Regulation (GDPR). Makers of drugs and devices are not without recourse in transferring patient data to the U.S. for clinical trials conducted in Europe, but industry must revisit its standard contractual clauses to ensure those protocols provide the necessary privacy provisions, or face fines that could amount to tens of millions of euros.
U.S.-based device makers have been grappling with FDA cybersecurity requirements for some time, but now the European Union (EU) is working on cybersecurity regulations as well. Throw in privacy requirements by the state of California and the EU’s General Data Protection Regulation (GDPR), and device makers are facing an increasingly complicated world of enforcement and litigation.