EU-to-US transfers of personal information that identifies or potentially identifies participants in clinical research have long posed complex challenges for pharmaceutical and biotech companies. Issues including the transfer of key-coded patient data and the sharing of identifiable information with public agencies have lacked consensus or resolution, resulting in difficult legal and compliance challenges. For businesses seeking answers to these transfer issues, the EU-US Privacy Shield may provide some solutions. Supplemental Principle 14, in particular, addresses the use of personal information in the context of EU-based pharmaceutical research.
Transfer of Key-Coded Data
Personal Information of individual patients participating in clinical research is – in nearly all instances – pseudonymized using unique key codes. In line with standard industry practices, the key to this information is held by the investigator or contract research organization supporting the study and is not available to the pharmaceutical company sponsoring the study. Thus, under the Privacy Shield, key-coded personal information is not considered identifiable. As a result, under Privacy Shield Supplemental Principle 14, the transfer to the US of key-coded personal information from EU-based clinical research does not comprise a transfer of Personal Information. Such data, therefore, is not subject to Privacy Shield Principles. Stated more plainly, a Privacy Shield certified entity may transfer key-coded clinical study patient data to the US without applying the Privacy Shield Principles (e.g., notice, consent, access).
This Supplemental Principle, however, is not without controversy and opposition from some authorities in the EU. The Article 29 Working Party (comprised of representatives of Data Protection Authorities around Europe), in particular, has stated that:
the transfer of key-coded data enjoys protection under European data protection law. This means that in practice the Privacy Shield cannot cover such transfers.
While the Article 29 Working Party specifically called on the EU Commission to rule that its adequacy decision with regard to the Privacy Shield will not cover transfers of key-coded patient data, the adequacy decision issued on July 12th 2016 does not address the issue. While this is likely to be the subject of further debate between EU regulators and their US counterparts, under current Privacy Shield rules, certified entities can freely transfer such key-coded data.
Transfers for Purposes of Product Safety and Efficacy Monitoring
Throughout the lifecycle of a pharmaceutical product – from clinical trials through commercial use – a process must be in place to handle personal information associated with reports of adverse events. Adverse event reporting will occur in a number of scenarios, each with its own complexities which must be carefully navigated. Safety reporting requirements may require the collection, processing and transfer of certain identifiable data elements (e.g., age, gender, disease, locale, ethnicity) of the patient, sometimes directly identifying them. However, the sponsoring pharmaceutical company may not have the opportunity to obtain consent from the patient to collect and process this data, as it often has no direct relationship with the patient. In such instances, the appropriate action on the part of the pharmaceutical company is not always clear. However, Privacy Shield’s Supplemental Principle 14 directly addresses the transfer of such information to the US and the subsequent processing.
Principle 14 provides:
A pharmaceutical or medical device company does not have to apply the Privacy Shield Principles with respect to the Notice, Choice, Accountability for Onward Transfer, and Access Principles in its product safety and efficacy monitoring activities, including the reporting of adverse events and the tracking of patients/subjects using certain medicines or medical devices, to the extent that adherence to the Principles interferes with compliance with regulatory requirements. This is true both with respect to reports by, for example, health care providers to pharmaceutical and medical device companies, and with respect to reports by pharmaceutical and medical device companies to government agencies like the Food and Drug Administration.
In any scenario it is important to weigh the public health and safety considerations against the privacy rights of the individuals in question. However, for Privacy Shield certified companies transferring adverse event and other safety information to the US in order to meet applicable regulatory requirements, Supplemental Principle 14 provides a reasonably straightforward solution to many of the complexities that have posed hurdles to compliance with EU requirements on international transfers.
Future Scientific Research
Supplemental Principle 14 also addresses the fact that personal information obtained and processed for purposes of a specific medical or pharmaceutical study may hold value in future scientific research. In line with this, the Supplemental Principle provides that in instances where personal information collected for one research study is transferred to a Privacy Shield certified entity, that entity can use the information for a new scientific research activity, if appropriate notice and choice have been provided to the patients. The Principle states that such notice should, if possible, contain specific information about future uses of the data, such as periodic follow-up or related clinical research. Such notice can (and should) be part of the initial notice, likely contained in the Informed Consent Form provided to a patient, and in this respect, Supplemental Principle 14 does not cover much new ground. However, the Principle does address the fact that future research cannot always be anticipated, and does state that, “the notice should therefore include an explanation that personal data may be used in future medical and pharmaceutical research activities that are unanticipated.” In instances where a new use is unrelated to the original purpose for which the information was collected, new consent must generally be obtained.
Supplemental Principle 14 contains additional provisions that facilitate other necessary processing of personal information of patients and clinical trial participants after transfer to the US. For example, the Principle addresses the fact that pharmaceutical companies may need to provide personal information from clinical trials conducted in the EU to regulators in the US and gives a general green light to such transfers.
The Principle also addresses the sometimes complicated issue of data subject access to personal information about them in blinded studies. Supplemental Principle 14 provides that because providing access could jeopardize the validity of a study (e.g., could reveal to a patient that he or she is receiving a placebo), access to such personal information need not be provided during the trial. In such instances, however, the blinded nature of the study and resulting restrictions should be explained at the beginning of the individual’s participation.
Supplemental Principle 14 contains a number of provisions that are highly beneficial to pharmaceutical and biotech entities that transfer personal information of patients to the US for further processing, whether for ongoing clinical research, to meet regulatory requirements or for any number of other legitimate purposes. While the provisions are not without controversy, particularly the transfer and further processing of key-coded personal information, Privacy Shield is in effect and the rules of the Principle apply.
Pharmaceutical and biotech entities seeking a mechanism for transfer of EU-sourced personal information of patients and clinical trial participants should become familiar with Supplemental Principle 14 and consider whether Privacy Shield may provide streamlined solutions to previously complex privacy compliance issues.