The EU Data Protection Regulation (DPR) and cross-national data sharing RSS, London, 19 December 2016 The EU Data Protection Regulation (DPR) and cross-national data sharing Cross-national research data Access, legality, ethics, and opportunities The Royal Statistical Society London, United Kingdom 19 December 2016 Francis P. Crawley Clinical Practice Alliance – Europe fpc@gcpalliance.org 1 FP Crawley, GCPA, fpc@gcpalliance.org

The Vantage Point EU GCP Directive and Paediatric Regulation Chair WG, Guidelines and Recommendations for European Ethics Committees (Brussels 1995/7) Chair WHO WGs on Guidelines for Ethics Committees & DSMBs Past member UNAIDS ERC Member, EORTC IRB; Chair, INCTR EC Co-founder, Strategic Initiative for Developing Capacity in Ethical Review (SIDCER) Co-founder, European Network for Research on Alternating Hemiplegia (ENRAH) Past Member, WHO GCP & ICTRP Committees Member, EWG, European Academy of Paediatrics EUROSOCAP, nEUroped, RESPECT, ENCCA

Aliis exterendum ‘to be threshed by others’ or ‘to be threshed for others’

‘the new phrenology of the body social’ Data Science ‘the new phrenology of the body social’

WMA Declaration of Taipei on Ethical Considerations Regarding Health Databases and Biobanks October 2016 5.   Research using Health Databases and Biobanks can often significantly accelerate the improvement in the understanding of health, diseases, and the effectiveness, efficiency, safety and quality of preventive, diagnostic and therapeutic interventions. Health research represents a common good that is in the interest of individual patients, as well as the population and the society.

The Interests of Health & Science in Data Sharing To promote health and enhance the well-being of society To mutually benefit and improve our understanding of the natural, technological, historical, economic, and psychological/spiritual worlds To build and improve best practices for an ethically sound and socially acceptable health and science working environment. To address population and individual health issues regarding the prevention, diagnosis, treatment, and follow-up to health conditions

EU General Data Protection Regulation (GDPR) replaces Directive 95/46/EC (31 European countries) 27 April 2016  25 May 2017 The aim of the General Data Protection Regulation: ‘[1] to reinforce data protection rights of individuals, [2] facilitate the free flow of personal data in the digital single market and [3] reduce administrative burden.’

Assessing Values Behind Data (Health) Science ‘It is the duty of the physician to promote and safeguard the health, well-being and rights of patients, including those who are involved in medical research. The physician's knowledge and conscience are dedicated to the fulfilment of this duty.’ Paragraph 4, Declaration of Helsinki, 2013

GDPR Article 2 Material Scope ‘This Regulation applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.’ nb, this includes ‘pseudonymised data’

The Kinds of Data Health and Science Want to Share Data not related to persons Data related to persons Personal data [“identified or identifiable natural person (‘data subject’)” {or group?}] Data directly linked to a specific person Data indirectly linked to a person Personal non-identifiable data (‘anonymous information’ Recital 26) e.g., de-identified personal identifiable data e.g., ‘Big Data’

Vera Jourova Commissioner for Justice, Consumers and Gender Equality, European Commission Brussels, 1 December 2016 ‘The goal is to have a unified rule everywhere in Europe. Now we need to come and do it.’ ‘Measures taken at the national level must not lead to any fragmentation.’ ‘the absolute state’ vs. ‘absolute individual freedoms’ ‘This is business and technology first, and then the law, partly lagging behind.’ “I call this ‘Kissing the ring of the Digital God.’”

Article 5 Principles relating to processing of personal data 1.   Personal data shall be: processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’); collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’) [‘broad consent’];

‘Broad Consent’ ‘It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.’ Recital 33

Article 9 Processing of special categories of personal data 1.   Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

Article 9 Processing of special categories of personal data 2. Paragraph 1 shall not apply if one of the following applies: (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

Article 9 Processing of special categories of personal data 3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

Article 9 Processing of special categories of personal data 2. Paragraph 1 shall not apply if one of the following applies: (i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

Article 9 Processing of special categories of personal data 2. Paragraph 1 shall not apply if one of the following applies: (j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Article 9 Processing of special categories of personal data 4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.

Article 89 Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes 1. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.

Article 89 2. Where personal data are processed for scientific or historical research purposes or statistical purposes, Union or Member State law may provide for derogations from the rights referred to in Articles 15 [right of access], 16 [right to rectification], 18 [right to restriction of processing] and 21 [right to object] subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.

Article 89 3. Where personal data are processed for archiving purposes in the public interest, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18, 19*, 20** and 21 subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes. *Notification obligation regarding rectification or erasure of personal data or restriction of processing **Right to data portability

Data Controller “‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;” Article 4 (7)

Article 7 Conditions for Consent 1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. 2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.

Article 7 Conditions for Consent 3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. 4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.

EU-Third Countries Data Sharing ‘In any event, transfers to third countries and international organisations may only be carried out in full compliance with this Regulation. A transfer could take place only if, subject to the other provisions of this Regulation, the conditions laid down in the provisions of this Regulation relating to the transfer of personal data to third countries or international organisations are complied with by the controller or processor.’ GPDR Recital 101

EU-Third Countries Health & Science Data Sharing ‘Transfers may also be carried out by public authorities or bodies with public authorities or bodies in third countries or with international organisations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects. Authorisation by the competent supervisory authority [DPA?] should be obtained when the safeguards are provided for in administrative arrangements that are not legally binding.’

EU-US Data Sharing International Safe Harbor Privacy Principles (July 2000 EC Decision to October 2015 ECJ Ruling) EU-U.S. Privacy Shield (12 July 2016) ‘a system of self-certification by which U.S. organisations commit to a set of privacy principles’ ‘administered and monitored by the Department of Commerce’ ‘to facilitate trade and commerce between the United States and European Union’ EU-U.S. Data Protection ‘Umbrella Agreement’ (EU-US law enforcement cooperation)

EU-U. S. Privacy Shield Framework Principles Issued by the U. S EU-U.S. Privacy Shield Framework Principles Issued by the U.S. Department of Commerce ‘Personal data developed in specific medical or pharmaceutical research studies often play a valuable role in future scientific research. Where personal data collected for one research study are transferred to a U.S. organization in the Privacy Shield, the organization may use the data for a new scientific research activity if appropriate notice and choice have been provided in the first instance.’ (14.b.i.)

EU-U. S. Privacy Shield Framework Principles Issued by the U. S EU-U.S. Privacy Shield Framework Principles Issued by the U.S. Department of Commerce ‘Pharmaceutical and medical device companies are allowed to provide personal data from clinical trials conducted in the EU to regulators in the United States for regulatory and supervision purposes. Similar transfers are allowed to parties other than regulators, such as company locations and other researchers, consistent with the Principles of Notice and Choice.’ (14.d.i.)

Consequences for Researchers Ensure that Data Controllers and Data Protection Officers are clearly identified and work according to EU & Member State law and best practices Close attention to ‘the accountability principle’: ‘privacy-by-design and privacy-by-default’ Guidance from the European Commission, the Article 29 Working Group, and implementation into EU & Member State laws and practices Establish accepted protocols (MOU’s, generic contracts) for cross-national science and health data transfers in the EU and with Third Countries.

Looking Forward Directive 2002/58/EC (the ePrivacy Directive or ePD) upcoming revision see Article 29 WP Opinion 02/2016, 19 July 2016 Data portability see Article 29 Guidelines on the right to data portability 13 December 2016 Data Protection Officers see Article 29 Guidelines on the Data Protection Officers 13 December 2016 Lead Supervisory Authority see Article 29 Guidelines for identifying a controller or processor’s lead supervisory authority, 13 December 2016

Two Questions No reference to ethics committees in the GDPR. However, ethical review required by OECD (October 2016) & WMA (October 2016). Do ethics committees have a role? Are we asking too much of (informed) consent? Is consent still meaningful?