Ringing in the New Year? Don't Drop the Ball on GDPR Compliance
Many U.S. institutions and biopharma and device companies that are engaged in international research studies may soon be subject to a new foreign privacy law, the European Union ("EU") General Data Protection Regulation or Regulation 2016/679 ("GDPR"), which takes effect on May 25, 2018. If your institution or company engages in EU research and has not yet made plans to address compliance with the GDPR, the time to act is now, as May will be here before we know it.
As a reminder, the GDPR will replace the EU's current privacy framework, Directive 95/46/EC, more commonly known as the Data Protection Directive ("Directive"). The Directive has been implemented in different ways by the EU member states, which has led to fractured and inconsistent data protection requirements across the EU (and, more broadly, the European Economic Area[1]). The GDPR will significantly harmonize data protection regulation across the EU. It will also strengthen protections for personal data and increase the penalties for noncompliance. Specifically, noncompliance may lead to administrative fines of up to 20,000,000 EUR, or in the case of an entity (referred to as an "undertaking" under the GDPR), up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The increased penalties are certainly a reason to pay attention to the GDPR even if your organization does not have a plan for compliance with the Directive. However, there are two other changes effected in the GDPR that are particularly important for U.S. institutions and companies involved in EU research studies.
First, the GDPR's reach outside of the EU to organizations in the U.S. and elsewhere will be broader than that of the Directive. The Directive, as implemented by EU member states, generally applies to U.S. institutions and companies involved in research studies in the EU but not established there (e.g., not having an office or subsidiary there) only if the U.S. institutions and companies function as "controllers" under the Directive and, for purposes of processing personal data, make use of equipment in the EU (such as collecting data through computers located in an EU member state). In contrast, the GDPR will apply to the processing of personal data of EU data subjects by either a controller or a processor not established in the EU when the processing activities are related to (a) the offering of goods or services to data subjects in the EU or (b) the monitoring of the behavior of data subjects in the EU. A U.S. institution or company that is taking the position that it is not subject to the Directive in the context of its EU research activities because it does not make use of equipment in the EU may have a difficult time making a similar argument under the GDPR given the GDPR's expanded application to organizations outside of the EU. Either of the new criteria triggering application of the GDPR to non-EU organizations could be said to apply to most research.
Second, the definition of "personal data" under the GDPR is arguably broader than under the Directive. The Directive defines "personal data" in relevant part as "any information relating to an identified or identifiable natural person." "Identifiable person" is in turn defined as a person "who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person." Although this definition of personal data under the Directive is fairly broad,[2] EU member states do not all interpret it in the same manner, such as with respect to key-coded data (i.e., data that has been stripped of all identifiers other than a code that can be used to relink the data to identifiable information). In particular, key-coded research data held by U.S. institutions and companies are not always "personal data" under all EU member states' data protection laws implementing the Directive.
However, the GDPR introduces the concept of pseudonymisation, which refers generally to the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. Importantly, the GDPR is clear that pseudonymised data that could be attributed to a person by the use of additional information are considered a type of personal data and within the scope of the GDPR. Key-coded research data would likely be considered to be pseudonymised data under the GDPR and therefore subject to the GDPR. U.S. institutions and companies that have taken the position that the Directive does not apply to their research activities because they receive only key-coded research data may no longer be able to use this argument once the GDPR takes effect.[3]
Given these and other significant changes that are included in the GDPR, U.S. institutions and companies should analyze their involvement in research studies in the EU to determine whether the GDPR will apply to the processing of data in the context of the studies and, by extension, to the U.S. institution or company. If the GDPR will apply, steps should be taken before May 25, 2018 to address compliance, such as the following, as applicable:
- Identify activities for which the organization is functioning as a controller or a processor of personal data within the meaning of the GDPR,
- Determine the basis under the GDPR that permits the processing of an individual's personal data and the transfer of his/her personal data out of the EU into the U.S.,
- Update research consent forms to include specific information required by the GDPR,
- Revise data protection and breach reporting policies and procedures for compliance with the GDPR,
- Amend contracts with vendors or others that process personal data on the organization's behalf if the processing is subject to the GDPR,
- Ensure that contracts with other parties sponsoring or conducting the research (e.g., sponsor, research sites) reflect each party's role in controlling or processing personal data and appropriately allocate data protection responsibilities, within the parameters of the GDPR,
- Determine whether a representative must be designated in the EU and if so, enter into an appropriate arrangement with such a representative, and
- Designate a data protection officer, to the extent required by the GDPR.
Verrill Dana's Academic and Clinical Research Group and Biopharma and Medical Device Group work with institutions and companies conducting research in the EU. We can help your organization identify activities that may trigger the GDPR and help create a plan to prioritize your compliance efforts to ensure your institution or company doesn't drop the ball on GDPR compliance. For more information, contact Andrew Rusczek, Emily Fogler, or your regular Verrill Dana attorney.
[1] The European Economic Area ("EEA") consists of the 28 EU member states as well as Iceland, Liechtenstein, and Norway. The Directive applies directly to the 28 EU member states. The Directive also applies to Iceland, Liechtenstein, and Norway because, as of October 27, 2017, it has been incorporated into the Agreement on the European Economic Area ("EEA Agreement") through Annex XI. The GDPR has not yet been incorporated into the EEA Agreement, but steps have been taken to start the process of incorporation.
[2] Not only is the definition of "personal data" fairly broad as drafted under the Directive, but it has also been interpreted broadly by the main EU data protection advisory body, the Article 29 Data Protection Working Party. See, for example, the Article 29 Data Protection Working Party's guidance document, Opinion 4/2007 on the Concept of Personal Data (June 20, 2007).
[3] Of course, even under the Directive, U.S. institutions and companies that receive access to only key-coded research data could still be directly or indirectly subject to the Directive, such as if the data originates in an EU member state that treats key-coded data as "personal data" or if the U.S. institution or company acts as the controller and, for purposes of processing personal data, makes use of equipment in the EU.
This communication is intended for general information purposes and as a service to clients and friends of Verrill Dana, LLP. This publication, which may be considered advertising under the ethical rules of certain jurisdictions, should not be construed as legal advice or a legal opinion on any specific facts or circumstances, nor does it create attorney-client privilege.