
BEIJING BRUSSELS DALLAS GENEVA HONG KONG HOUSTON LONDON LOS ANGELES NEW YORK PALO ALTO SAN FRANCISCO SHANGHAI SINGAPORE SYDNEY TOKYO WASHINGTON, D.C.

LIFE SCIENCES DATA PRIVACY DAY PALO ALTO

April 17, 2012

LIFE SCIENCES DATA PRIVACY DAY

TABLE OF CONTENTS

TAB 1 – AGENDA

TAB 2 – SPEAKER BIOGRAPHIES

TAB 3 – FTC REGULATION AND DEVELOPMENTS – IMPACT ON THE LIFE SCIENCES INDUSTRY – LAURA BERGER, FTC

TAB 4 – 1. FAQS - EU DATA PROTECTION REGULATION; 2. THE PROPOSED EU DATA PROTECTION REGULATION AND LIFE SCIENCES – WILLIAM LONG, SIDLEY AUSTIN

TAB 5 – PRIVACY AND – ENABLERS TO ADOPTION OF HEALTH IT – DEVEN MCGRAW, CENTER FOR DEMOCRACY & TECHNOLOGY

TAB 6 – 1. LEGAL BEST PRACTICES FOR SOCIAL MEDIA AT PHARMACEUTICAL COMMUNICATIONS; 2. INFORMATION GOVERNANCE ASSESSMENTS – EDWARD MCNICHOLAS, SIDLEY AUSTIN

TAB 7 – HIPAA, HITECH, AND KEY STATE LAW CONSIDERATIONS FOR LIFE SCIENCES COMPANIES – ANNA SPENCER, SIDLEY AUSTIN

TAB 8 – MANAGING DATA PROTECTION IN INTERNATIONAL CLINICAL TRIALS & OBSERVATIONAL STUDIES – JUDITH BEACH, QUINTILES

TAB 9 – RESEARCH USE OF BIOSPECIMENS: PROPOSED CHANGES TO FEDERAL REQUIREMENTS – GAIL JAVITT, SIDLEY AUSTIN

TAB 10 – RECENT SIDLEY AUSTIN PRIVACY UPDATES: 1. WHITE HOUSE ISSUES FIRST EVER ADMINISTRATION-LEVEL DATA PRIVACY FRAMEWORK; 2. FTC RELEASES FINAL REPORT ON CONSUMER PRIVACY

TAB 11 – DATA PROTECTION AND LIFE SCIENCES: IMPACT OF THE PROPOSED EU REGULATION

SIDLEY AUSTIN LLP

in Silicon Valley

Life Sciences Data Privacy Day – April 17, 2012

8:30 am – 9:00 am: Arrival and Registration

9:00 am – 9:05 am: Welcome and Opening Remarks
Deborah Marshall, Global Coordinator, Emerging Companies and Venture Capital Practice, Sidley Austin LLP

9:05 am – 9:55 am: FTC Regulation and Developments – Impact on the Life Sciences Industry
• Recent FTC enforcement actions
• Current approach to regulation
Laura Berger, Senior Attorney, Division of Privacy & Identity Protection, FTC

10:00 am – 10:40 am: Reform of the EU’s Data Protection Directive – Impact on the Life Sciences Industry
• Detailing the proposed EU Data Protection Regulation
• Update on review of EU Data Protection Directive
• Application of EU data protection laws to life sciences
• Adopting the accountability principle
• Implementing privacy by design
William Long, EU Privacy, Data Security and Information Law Practice, Sidley Austin LLP

10:40 am – 10:55 am: Coffee Break

10:55 am – 11:35 am: Health Information Technology (HIT) Developments and Consumer Perspectives
• Electronic medical records/meaningful use
• Initiatives to expand regulation
• Theories of liability
• Issues with use of de-identification
Deven McGraw, Director, Health Privacy Project, Center for Democracy & Technology and Co-Chair, Privacy & Security Tiger Team, the Office of the National Coordinator for HIT, HHS

11:40 am – 12:20 pm: Dealing with Social Media
• Data privacy issues with social media
• Liability for user generated content (UGC)
• Pharma regulatory requirements with social media
Edward McNicholas, Global Coordinator, Privacy, Data Security and Information Law Practice (Privacy Investigations, Assessments, and Litigation), Sidley Austin LLP


12:20 pm – 1:10 pm: Lunch Break

1:10 pm – 1:20 pm: Remarks from Gail Maderis, President of BayBio

1:20 pm – 2:10 pm: Update on US Health Privacy Developments
• Requirements under HITECH
• Enforcement actions by state AGs under HITECH
• Aggressive new state legislation (e.g., CA and Texas)
• Issues with use of de-identified data
Anna Spencer, Global Coordinator, Privacy, Data Security and Information Law Practice (Medical Privacy and e-Health Records), Sidley Austin LLP

2:15 pm – 2:55 pm: Managing International Clinical Trials and Observational Studies and Data Privacy
• Application of international data protection laws
• Creating and managing informed consents
• Using data for research purposes
• Data sharing and use of service providers
• Data transfer solutions
Judith E. Beach, Ph.D., Esq., Senior VP, Senior Associate General Counsel for Regulatory & Government Affairs and Global Chief Privacy Officer, Quintiles

2:55 pm – 3:10 pm: Coffee Break

3:10 pm – 4:00 pm: Industry Panel Discussion
Moderator: David Ralston, Senior Director Business Conduct, Gilead Sciences
• Damon Burrows, Vice President, Associate General Counsel, Allergan, Inc.
• Ashley Gould, Chief Legal Officer, Vice President of Corporate Development, 23andMe, Inc.

4:00 pm – 4:45 pm: Breakout Sessions

4:50 pm – 5:00 pm: Concluding Remarks

5:00 pm – 6:00 pm: Cocktail Reception


DR. JUDITH E. BEACH Senior Vice President, Senior Associate General Counsel for Regulatory and Government Affairs, and the Global Chief Privacy Officer

Quintiles

Dr. Judith E. Beach is the Senior Vice President, Senior Associate General Counsel for Regulatory and Government Affairs, and the Global Chief Privacy Officer with Quintiles, a fully integrated biotechnology and pharmaceutical services provider offering clinical, commercial, consulting and capital solutions. Based in North Carolina, Quintiles has over 23,000 employees in offices in 60 countries. Dr. Beach’s responsibilities include providing legal counsel to Quintiles’ employees and customers on all aspects of food and drug law. She chairs the Company’s Council on Research Ethics (CORE), which provides guidance to the company’s research personnel on ethical issues related to all stages of drug development. Judy was recently appointed to the Editorial Advisory Review Board of the Food and Drug Law Journal.

As Quintiles’ global Chief Privacy Officer and Chair of the Council on Data Protection, Quintiles’ global internal privacy board, Judy coordinates the monitoring of the company's policies and procedures for protection of personal data. She serves on the company’s Privacy Incident Response Team (PIRT), which investigates and manages any privacy / security incidents. In addition, Judith founded and chairs the Carolina Privacy Officials Network (CPON), which is an informal group of privacy officials with North Carolina companies from a broad spectrum of industries. CPON, which is sponsored by Quintiles, serves as a forum for benchmarking and the development of industry standards and best practices and as a vehicle to contribute to public policy on data protection matters on a national and global scale.

Dr. Beach graduated cum laude from Georgetown University Law Center. She was an attorney with two Washington, D.C., law firms: Akin, Gump, Strauss, Hauer & Feld and Hyman, Phelps & McNamara, P.C., where she specialized in civil litigation and food, drug, and medical device law, respectively. She is admitted to the State Bars of Virginia, Maryland, District of Columbia and North Carolina and is admitted to practice before the Supreme Court. Prior to law school, Judith received her B.S. degree summa cum laude from Clemson University and her Ph.D. in Physiology and Pharmacology from Duke University. She was a Fellow in Reproductive Endocrinology at the University of California San Francisco, and then a clinical investigator at Walter Reed in Washington, D.C.

LAURA D. BERGER Senior Attorney, Division of Privacy and Identity Protection

Federal Trade Commission

Laura D. Berger is a senior attorney in the Division of Privacy and Identity Protection at the Federal Trade Commission. She enforces federal laws protecting consumers’ privacy. Her recent law enforcement work has focused on privacy in online social media and in other online contexts. She received a B.A. in English from Tulane University and a J.D. from the University of Michigan Law School.

Damon O. Burrows

Damon Burrows is Vice President, Associate General Counsel for Allergan, Inc. He began at Allergan in October, 2008 and is currently responsible for providing counsel on all regulatory, global manufacturing, clinical trials, promotion/marketing, and safety matters. Mr. Burrows also sits on the Policy Committee for the company and supports Allergan’s advocacy efforts at the state and federal levels.

Allergan is a $4.8 billion company focusing on eye care, neurosciences, medical dermatology, and urologics. The company is headquartered in Irvine, CA with a presence in over 100 countries worldwide.

Prior to joining Allergan, Mr. Burrows worked in private practice for six years counseling healthcare companies, pharmaceutical companies, and medical device companies as an associate with Jenkens & Gilchrist and Of Counsel for Baker Donelson. Both offices were in Washington, DC. Mr. Burrows then served as Senior Counsel for five years at Hoffmann-La Roche, a $45 billion pharmaceutical and medical device company headquartered in Basel, Switzerland. Mr. Burrows received his Juris Doctor degree from the Catholic University of America in Washington, DC and is a member of the State Bar of California and the bar of the District of Columbia.

Mr. Burrows resides in southern California with his wife and one year-old daughter.

ASHLEY GOULD Vice President Corporate Development and Chief Legal Officer

23andMe

As Vice President Corporate Development and Chief Legal Officer, Ashley leads 23andMe's legal and governmental affairs and oversees regulatory affairs, human resources and public relations. Prior to joining 23andMe in April 2007, Ashley was vice president, Legal Affairs at CoTherix, Inc., a public biopharmaceutical company acquired by Actelion Ltd. in January 2007. Previously, Ashley was associated with the law firms of Wilson Sonsini Goodrich & Rosati PC and O'Melveny & Myers LLP. Ashley received her JD from the University of San Francisco School of Law and her BS in Political Economy of Natural Resources from the University of California, Berkeley.

MATERIALS ONLY

GAIL H. JAVITT Counsel

Washington, D.C. 202.736.8980 202.736.8711 Fax [email protected]

PRACTICES
• Food, Drug and Medical Device Compliance and Enforcement
• Food, Drug and Medical Device Regulatory

AREAS OF FOCUS
• Clinical Trials
• Compliance Counseling - FDA
• Food and Drug Regulation
• Medical Devices
• Pharmaceuticals

ADMISSIONS & CERTIFICATIONS
• District of Columbia, 1996
• Maryland, 2010

EDUCATION
• Harvard Law School (J.D., 1993, cum laude)
• Johns Hopkins Bloomberg School of Public Health (M.P.H., 2000)
• Columbia University (B.A., 1990, magna cum laude)

CLERKSHIPS
• U.S. District Court, C.D. of California, Gary L. Taylor

GAIL H. JAVITT is Counsel in Sidley’s Food and Drug Regulatory practice. She joins Sidley from her post as the Law and Policy Director at the Genetics and Public Policy Center, at Johns Hopkins University. At the Center she was responsible for developing policy options to guide the development and use of reproductive technologies and led an initiative to improve oversight of genetic testing quality.

Ms. Javitt currently serves as a Research Scholar in the Berman Institute of Bioethics at Johns Hopkins University. She has also served as adjunct professor of law at the Georgetown University Law Center and at the Johns Hopkins School of Public Health, and has taught courses including Genetics and Law and Food and Drug Law. She was a Greenwall Fellow in Bioethics and Health Policy at Johns Hopkins and Georgetown Universities. Prior to her academic career, she was an associate at a Washington, D.C. law firm, where she specialized in FDA regulatory issues. She served as law clerk to the Honorable Gary L. Taylor, U.S. District Court, Central District of California. She has written extensively on a variety of issues at the intersection of law, science, and policy, including direct-to-consumer marketing of genetic testing and FDA regulation of biotechnology.

She holds the Juris Doctor (J.D.), cum laude, from Harvard Law School, a Masters of Public Health (M.P.H.) from the Johns Hopkins University and a B.A., magna cum laude, Phi Beta Kappa, from Columbia College.

PUBLICATIONS

Articles include:

• Javitt G., Carner K., “Must FDA Engage in Rulemaking to Regulate Laboratory-developed Tests?,” FDLI’s Food and Drug Policy Forum (2011)


• Javitt G., Katsanis S. H., Scott, J., Hudson, K. “Developing the Blueprint for a Genetic Testing Registry,” Public Health Genomics (epub ahead of print July 2009);

• Javitt G., Hudson K., “DNA Snoops,” Los Angeles Times, Jan. 27 (Op-Ed) (2009);

• Javitt G., “Sometimes I Feel Like a Motherless Child: Maryland’s High Court Confronts New Reproductive Realities,” Maryland Bar Journal XLI: 40-45 (2008);

• Kaufman, D.J., Katsanis, S.H., Javitt, G.H., Murphy, J.A., Scott, J.A., Hudson, K.L. “Carrier Screening for Cystic Fibrosis in US Genetic Testing Laboratories: A Survey of Laboratory Directors,” Clinical Genetics 74: 367-373 (2008);

• Katsanis, S.H., Javitt, G., Hudson, K., “A Case Study of Personalized Medicine,” Science 320: 53-54 (2008);

• Javitt, G., Berkowitz D., Gostin, L. “Assessing Mandatory HPV Vaccination: Who Should Call the Shots?,” Journal of Law, Medicine, and Ethics 36: 384-395 (2007);

• Javitt, G. “In Search of a Coherent Framework: Options for FDA Oversight of Genetic Tests,” Food and Drug Law Journal 62: 617-652 (2007);

• Hudson, K., Javitt, G., Burke, W., Byers P. “ASHG Statement on Direct-to-Consumer Genetic Testing in the United States,” The American Journal of Human Genetics 81: 635–637 (2007);

• Javitt, G., Hudson, K. “The Right Prescription for Personalized Genetic Medicine,” Personalized Medicine 4(2): 115-118 (2007);

• Javitt, G., “Old Legacies and New Paradigms: Confusing ‘Research’ and ‘Treatment’ and its Consequences in Responding to Emergent Health Threats,” Journal of Health Law & Policy 8: 38-70 (2005); and

• Javitt, G., Hudson, K., Stanley, E., “Direct-to-Consumer Genetic Tests, Government Oversight, and the First Amendment: What the Government Can (and Can’t) Do to Protect the Public’s Health,” Oklahoma Law Review 57: 251-302 (2004).

Book Chapters include:

• Hogarth, S., Javitt, G., Melzer, D. “The Current Landscape for Direct-to-Consumer Genetic Testing: Ethical, Legal, and Policy Issues,” Annual Review of Genomics and Human Genetics 9: 161-182 (2008);

• Hudson, K., Baruch, S., Javitt, G. “Genetic Testing of Human Embryos: Ethical Challenges and Policy Choices,” in Expanding Horizons in Bioethics (Arthur Galston, Christiana Peppard editors), Springer, Dordrecht (2005); and

• Merrill, R., Javitt, G. “Regulation of Gene Therapy by the U.S. Food and Drug Administration,” in Encyclopedia of Ethical, Legal, and Policy Issues in Biotechnology (Thomas J. Murray and Maxwell J. Mehlman, eds.), John Wiley & Sons (2000).

Reports include:

• Javitt G., Hudson K., “Public Health at Risk: Failures in Oversight of Genetic Testing Laboratories,” Washington, D.C.: Genetics and Public Policy Center, (2006);


• Javitt, G., Suthers, K., Hudson, K., “Cloning: A Policy Analysis,” Washington, DC: Genetics and Public Policy Center (2005); and

• Baruch, S., Javitt, G., Scott, J., Hudson, K. “Reproductive Genetic Testing: Issues and Options for Policymakers,” Washington, DC: Genetics and Public Policy Center (2004).

WILLIAM RM LONG Counsel

London +44.20.7360.2061 +44.20.7626.7937 Fax [email protected]

PRACTICES
• Financial Institutions Regulatory
• Healthcare
• Privacy, Data Security and Information Law

AREAS OF FOCUS
• Consumer Protection and Unfair Trade Practices
• Electronic Commerce
• EU and International Privacy
• FCPA/Anti-Corruption
• Financial Industry and Payment Processing
• Financial Information and Privacy Law
• Financial Institutions Business Transactions
• Financial Institutions Counseling
• Financial Services Legislation
• Global Financial Services
• Healthcare Information and Privacy
• Healthcare Regulatory
• Information Security and Data Breaches
• Internal Investigations
• Internet, Social Media and E-Commerce
• IT Procurement and Outsourcing
• Life Sciences Transactions
• Payment Systems
• Retail Financial Services
• Technology, Media and Privacy Law

ADMISSIONS & CERTIFICATIONS
• England and Wales (Solicitor), 1993

EDUCATION
• Queen Mary College, London (LL.B., 1989)
• Lancaster Gate, London (LSF, 1991)

WILLIAM LONG is counsel in the London office of Sidley Austin LLP. He advises international clients on a wide variety of social media, data protection, privacy, information security, e-commerce and other regulatory matters. Mr. Long has experience with EU and international social media, data protection and privacy projects particularly in the life sciences and financial services sectors, advising on social media regulation, cross-border data transfer, data security and other data protection issues. He is a regular speaker on social media, data protection and e-commerce matters.

Mr. Long is a co-founder of the Social Media Governance Forum, a networking group of companies involved in social media, and was previously in-house counsel to one of the world’s largest international financial services groups as their e-Commerce counsel dealing with e-commerce and data protection matters. He has been a member of a number of working groups in London and Europe looking at the EU regulation of e-Commerce and data protection, and spent a year at the UK’s Financial Law Panel (established by the Bank of England) as assistant to the Chief Executive working on regulatory issues with online financial services. He also writes extensively for a number of journals, including Journal of Medical Research Law & Policy, Data Protection Law & Policy, Journal of Electronic Business Law, Journal of eCommerce Law and Policy and E-Finance & Payments Law & Policy. He is an English Solicitor.


MEMBERSHIPS, PRESENTATIONS & ARTICLES

• Co-founder of the Social Media Governance Forum

• Previous Member of the Centre for European Policy Studies Working Group on eCommerce Regulation

• Article “New International Guidelines on the Transfer of Personal Health Data” – Medical Research Law & Policy

• Article “Data Security breaches: the changing legal landscape” – E-Finance Law & Policy - October 2008

• Article “Data Security and payments: dynamic Phorm of development” – E-Finance Law & Policy - April 2009

• Article on “Pharmacovigilance and Data Protection” – Data Protection Law & Policy – December 2010

• Article on EU Implementation of New Website Cookie Law – Data Protection Law & Policy – August 2011

• Presenter at European Data Protection Summit, London, May 2010

• Chair on healthcare session at 23rd Annual International Privacy Laws & Business Conference at St John’s College, Cambridge, July 2010

• Presenter at Data Protection Compliance Conference, London, October 2010

• Presenter at Data Protection and Financial Services Workshop, London, November 2010

• Presenter at IAPP Europe Data Protection Congress, Paris, November 2010 on data security issues

• Presenter on data protection and social media at the 5th DataGuidance European Data Protection Intensive in London in May 2011

• Presenter on data protection and social media at the 24th Annual International Privacy Laws & Business Conference at St John’s College, Cambridge University in July 2011

DEBORAH A. MARSHALL Partner

Palo Alto 650.565.7004 650.565.7100 Fax [email protected]

PRACTICES
• Emerging Companies and Venture Capital
• M&A and Private Equity
• Technology Transactions

AREAS OF FOCUS
• Digital Media and Entertainment
• Internet, Social Media and E-Commerce
• Life Sciences Transactions
• Medical Devices
• Pharmaceuticals
• Private Equity and Venture Capital Funds

ADMISSIONS & CERTIFICATIONS
• California, 1986

EDUCATION
• New York University School of Law (LL.M., 1985)
• Northeastern University School of Law (J.D., 1982)
• Columbia University (B.A., 1979, cum laude)

DEBORAH A. MARSHALL is a partner with the firm and concentrates her practice on strategic business counseling for emerging growth companies and investors at all stages of development, from start-up entrepreneurs to publicly traded entities and technology-based, multinational corporations.

Ms. Marshall has advised issuers, investors and investment banking firms in the internet, software, electronics, clean technology, media, entertainment, biopharmaceutical, genomics, medical device and diagnostics sectors. She has significant experience in venture capital financing, mergers and acquisitions, public offerings, private equity and strategic partnerships.

Ms. Marshall is a frequent speaker on issues related to venture capital, emerging growth companies, life sciences, public securities and entrepreneurship. She has been a guest lecturer on entrepreneurship at the University of California Berkeley Haas School of Business, as well as a member of the faculty of the Haas Business School’s Global Bio-Executive Program.

AWARDS & HONORS

• Ms. Marshall has been recognized in The Best in America in Corporate, M&A and Securities Law each year since 2007.

• Ms. Marshall’s work as a corporate lawyer is highlighted in the 2007 Corporate and Finance version of The Legal 500 United States edition.

SELECTED PUBLICATIONS

• The Entrepreneur’s Guide to Business Law, 2nd Edition – contributions include Chapter 5 (“Structuring the Ownership”), Chapter 13 (“Venture Capital”) and Chapter 17 (“Going Public”)

SELECTED PRESENTATIONS

• Women in the Law Conference, Northeastern University School of Law (April 2009)

• Columbia University Women’s History Month Speaker Series: Women in Law (March 2009)


• “Doing Well, Doing Good - An Introduction to Socially Responsible Investing” Merrill Lynch’s Women in the Know: Empowering Women Through Knowledge Series (April 2008)

• “Innovation and Growth Through Partnerships: Key Aspects of Collaboration Agreements,” GlobalBio Program, Haas School of Business (December 2006)

• “Duties of Directors in a Changing Landscape,” Practising Law Institute, Venture Capital 2004: Venture Creation, Management & Financing in the New “Post-Bubble” Market

• “M & A Transactions for Biotech Companies,” Practising Law Institute, Biotechnology & Pharmaceutical Law 2004: Patents & Business Strategies (November 2004)

• “Reconsidering the Limited Liability Company as a Vehicle for Emerging Growth Companies,” Practising Law Institute, 36th Annual Institute on Securities Regulation (November 2004)

• “Strategic Financing of Biotech,” University of California, Haas Business School, BioEntrepreneurship Certificate Program. Faculty member (May 2004)

• “Mergers-Acquisitions Case Study,” Practising Law Institute, Handling High Tech M&As In a Cooling Market (2001)

• “Latest Trends with Lockups and Other Underwriting Arrangements,” Practising Law Institute, 32nd Annual Institute on Securities Regulation (2000)

MEMBERSHIPS & AFFILIATIONS

• State Bar of California

• Advisory Board of the Women’s Technology Cluster (non-profit organization focused on entrepreneurship for women in technology), 1999-2006

• Visiting Committee for Northeastern University School of Law, 2001-2004

• Columbia University Campaign Council for Undergraduate Education, 2009 - Chair, Columbia University School of General Studies Annual Fund


DEVEN MCGRAW Director, Health Privacy Project

Center for Democracy & Technology

Deven McGraw is the Director of the Health Privacy Project at CDT. The Project is focused on developing and promoting workable privacy and security protections for electronic personal health information.

Ms. McGraw is active in efforts to advance the adoption and implementation of health information technology and electronic health information exchange to improve health care. She was one of three persons appointed by Kathleen Sebelius, the Secretary of the U.S. Department of Health & Human Services (HHS), to serve on the Health Information Technology (HIT) Policy Committee, a federal advisory committee established in the American Recovery and Reinvestment Act of 2009. She chairs the Committee’s Privacy and Security Workgroup (the “Tiger Team”) and serves as a member of its Meaningful Use and Information Exchange Workgroups. She also served on the Policy Steering Committee of the eHealth Initiative and now serves on its Leadership Council. She is also on the Steering Group of the Markle Foundation’s Connecting for Health multi-stakeholder initiative.

Ms. McGraw has a strong background in health care policy. Prior to joining CDT, Ms. McGraw was the Chief Operating Officer of the National Partnership for Women & Families, providing strategic direction and oversight for all of the organization’s core program areas, including the promotion of initiatives to improve health care quality. Ms. McGraw also was an associate in the public policy group at Patton Boggs, LLP and in the health care group at Ropes & Gray. She also served as Deputy Legal Counsel to the Governor of Massachusetts and taught in the Federal Legislation Clinic at the Georgetown University Law Center.

Ms. McGraw graduated magna cum laude from the University of Maryland. She earned her J.D., magna cum laude, and her LL.M. from Georgetown University Law Center and was Executive Editor of the Georgetown Law Journal. She also has a Master of Public Health from Johns Hopkins Bloomberg School of Hygiene and Public Health.

EDWARD R. MCNICHOLAS Partner

Washington, D.C. 202.736.8010 202.736.8711 Fax [email protected]

PRACTICES
• Privacy, Data Security and Information Law
• Complex Commercial Litigation

AREAS OF FOCUS
• Consumer Protection and Unfair Trade Practices
• Electronic Commerce
• EU and International Privacy
• Financial Information and Privacy Law
• Healthcare Information and Privacy
• Information Security and Data Breaches
• Internal Investigations
• Internet, Social Media and E-Commerce
• National Security
• Technology, Media and Privacy Law
• Trade Secret and Unfair Competition Litigation

ADMISSIONS & CERTIFICATIONS
• U.S. Supreme Court, 2004
• U.S. Courts of Appeals, various
• U.S. District Court, District of Columbia, 1999
• U.S. District Court, District of Maryland, 1996
• District of Columbia, 1998
• Maryland, 1996

EDUCATION
• Harvard Law School (J.D., 1996, cum laude, Harvard Law Review Editor)
• Princeton University (A.B., 1991, summa cum laude, Phi Beta Kappa)

CLERKSHIPS
• U.S. Court of Appeals, 4th Circuit, Paul V. Niemeyer

EDWARD R. MCNICHOLAS is a partner in the Washington, D.C., office of the international law firm Sidley Austin LLP and a global coordinator of its Privacy, Data Security, and Information Law practice. His practice focuses on clients facing complex information technology, constitutional and privacy issues in civil and white-collar criminal matters. Mr. McNicholas concentrates his practice on trial and appellate representations of technologically-sophisticated clients including telecommunications carriers, electronic service providers, financial services companies, pharmaceutical manufacturers and other companies facing complex personal information issues.

Mr. McNicholas has significant experience with a wide range of cutting-edge Internet and information law matters involving privacy and data protection, online brand protection, e-discovery, electronic surveillance, copyright, defamation, information security, cloud computing, trade secrets, social media, locational privacy, e-commerce, and national security. Mr. McNicholas and Sidley’s Privacy and Data Security practice were selected for Chambers USA: America’s Leading Lawyers for Business for 2008-2011 as well as Chambers Global for 2010-11, the 2011 Legal 500, and The International Who's Who of Internet, e-Commerce & Data Protection Lawyers 2011. He has also been recognized in a Computerworld survey of “Best Privacy Advisers” as one of the “Top 25 Privacy Experts,” and Chambers USA 2010-11 also separately recognized Mr. McNicholas in nationwide litigation rankings for e-discovery.

Mr. McNicholas previously served as an Associate Counsel to President Clinton. In that capacity, he advised senior White House staff regarding various Independent Counsel, congressional and grand jury investigations, with a particular focus on issues of Executive Privilege and electronic discovery. He also previously served as a desk officer at the U.S. Office of Government Ethics, where he helped agencies establish effective ethics compliance programs.


LITIGATION REPRESENTATIONS

Mr. McNicholas’ litigation experience includes several matters before the Federal Trade Commission and other regulatory agencies, as well as considerable experience with arbitration proceedings and internal investigations. His major litigation representations include:

• In re: Google Inc. Cookie Placement Consumer Privacy Litigation, MDL No. 2358 (2012) – Representation of Internet advertising company, PointRoll, in litigation regarding cookies and browser settings.

• Turner v. Rogers (U.S. 2011) – Representation of amici Legal Aid Society of D.C. et al. in significant right to counsel appeal.

• MeadWestvaco Corporation v. Rexam PLC (E.D.Va. 2010-11) – Represented party regarding effect of French blocking statute on U.S. discovery requirements.

• Accusearch v. Federal Trade Commission (10th Cir. 2008) – Representation of the Office of the Privacy Commissioner of Canada as amicus curiae in appeal from privacy enforcement action.

• MDL 1791: In re National Security Agency Telecommunications Records Litigation (N.D.Cal. and 9th Cir. 2006-11) – Defense of AT&T against constitutional and statutory claims in multiple purported class actions related to alleged national security programs.

• Menges v. Walgreen Co. v. Blagojevich (Illinois state and federal courts, 2005-09) – Defense of Walgreen Co. in suits related to whether pharmacists must dispense Plan B emergency contraception.

• Crawford v. Marion County Election Board (U.S. 2008): Represented the National Law Center on Homelessness and Poverty and a coalition of other national homelessness groups as amici curiae in this significant challenge to voter identification requirements.

• City of New York v. Fifth Avenue Presbyterian Church (S.D.N.Y., 2d Cir., U.S., 2002-07) – Successfully represented the Fifth Avenue Presbyterian Church in a dispute over its homeless ministry, where Sidley has successfully defended a permanent injunction in favor of our client.

• AT&T Corp. v. 2PrePaid Inc. (M.D. Fla. 2006) - Obtained damages and permanent injunction against unlawful Internet sales of counterfeit AT&T prepaid calling cards.

• Boothe v. Hanson (Texas District Court 2005) - Obtained a blanket injunction against an elusive Internet critic in a case involving extensive use of Internet forensics. See “As Angry Patients Vent Online, Doctors Sue to Silence Them,” Wall Street Journal, Sept. 14, 2005.

• AT&T Corp. v. CyberTelecom, Inc. (S.D. Fla. 2004) - Obtained preliminary and permanent injunctions against Internet distribution of counterfeit AT&T prepaid calling cards in a case involving extensive Internet forensic evidence.

• In re Microsoft Corp. Antitrust Litigation, MDL No. 1332 (D. Md.) - Represented Microsoft in competitor class actions including those brought by Netscape and Burst. These actions were dismissed with prejudice after the parties reached private resolutions.

• Physicians Interactive v. Lathian Systems, Inc. (E.D. Va. 2003) - Obtained preliminary injunction for plaintiffs alleging hacking of computer systems in order to obtain trade secrets. The action was dismissed after the parties reached a private resolution.


COMMUNITY SERVICE

Mr. McNicholas frequently advises organizations that combat homelessness regarding complex constitutional issues at both the trial and appellate levels and before legislative bodies. His work for such organizations contributed substantially to the firm being awarded the 2004 Counsel Pro Bono Award by the National Law Center on Homelessness and Poverty.

Mr. McNicholas now serves as the Vice Chairman on the Board of Directors for the National Law Center on Homelessness and Poverty.

SELECTED ARTICLES AND OTHER PUBLICATIONS

Mr. McNicholas is a frequent commentator on privacy, data security, and information law issues and has written extensively on various information law and civil liberties topics for a variety of publications. He currently serves on the Advisory Board for the BNA Privacy & Security Law Report and one of his articles received a 2010 Burton Award for Legal Achievement. Many of his privacy articles are collected on the www.Sidley.com/InfoLaw site, including:

• “Privacy and Security,” in Business and Commercial Litigation in Federal Courts (3d Ed. 2011) (co-author of chapter on implications of privacy and data security laws for commercial litigation).

• Information Security and Privacy: A Practical Guide for Global Executives, Lawyers and Technologists (2011) (contributor) (ABA Section of Science and Technology Law publication).

• “Regulated Social Media: Practical Advice for Addressing Evolving Technologies in Regulated Industries,” by Edward McNicholas and Sabrina Ross, BNA’s Privacy & Security Law Report (June 14, 2010).

• “An Uneasy Peace: Maine’s Act to Prevent Marketing to Minors and the Continuing Problems of Privacy for Children and Teens,” by Edward McNicholas and Colleen Rutledge, BNA’s Privacy & Security Law Report (Sept. 14, 2009).

• “End of the Notice Paradigm?: FTC’s Proposed Sears Settlement Casts Doubt On the Sufficiency of Disclosures in Privacy Policies and User Agreements,” by Alan Raul, Edward McNicholas, et al., BNA’s Electronic Commerce & Law Report (July 15, 2009).

• “National Security Letters: Practical Advice For Understanding and Handling Exceptional Requests,” by Edward McNicholas, BNA Privacy & Security Law Report (March 30, 2009).

• “Assessing the EU Working Party’s Guidance on Harmonizing U.S. Discovery and EU Data Protection Requirements,” by Alan Raul, Edward McNicholas, et al., BNA Privacy & Security Law Report (March 9, 2009).

• “Competitive Privacy: Towards A New Area of Privacy Litigation?,” by Edward McNicholas and Jennifer Tatel, IAPP Privacy Tracker (July/August 2008).

• “A Path to Resolving European Data Protection Concerns With U.S. Discovery,” by Stanley W. Crosley, Alan Charles Raul, Edward R. McNicholas, et al., Privacy and Security Law (Oct. 2007).


DAVID RALSTON
Senior Director of Business Conduct, Gilead Sciences

David Ralston is Senior Director of Business Conduct at Gilead Sciences where his team advises the company on all aspects of sales and marketing promotional compliance for the company's product portfolio.

David previously served as Section Head of Abbott's Legal, Regulatory and Compliance section where his team advised on fraud and abuse, pricing, privacy and anti-corruption issues for the diversified healthcare business. His first position was with Schering-Plough where his main emphasis was on price reporting and compliance issues.

David has a BA from the University of Texas - Austin, a Masters in Public Health from UT Houston Health Sciences Center and his JD from the Law Center at the University of Houston where he focused his studies in the health law program.

ANNA L. SPENCER
Partner

Washington, D.C. | 202.736.8445 | 202.736.8711 Fax | [email protected]

PRACTICES
• Healthcare
• Privacy, Data Security and Information Law

ADMISSIONS & CERTIFICATIONS
• Alabama, 1996
• District of Columbia, 2000

AREAS OF FOCUS
• Medical Devices
• Healthcare Information and Privacy
• Pharmaceuticals

EDUCATION
• Vanderbilt University Law School (J.D., 1995)
• Sewanee (B.A., 1992, magna cum laude, Phi Beta Kappa)

CLERKSHIPS
• Tennessee Court of Criminal Appeals, Jerry E. Smith

ANNA L. SPENCER is a partner in Sidley Austin’s Washington, D.C. office whose practice focuses primarily on health care. Ms. Spencer works on regulatory and transactional health care matters, including privacy and security of health information, fraud and abuse compliance and investigations, drug pricing, as well as Medicare and Medicaid coverage and reimbursement. She regularly counsels a broad range of clients, including financial institutions, pharmaceutical and medical device manufacturers, health care providers, auditing firms, employers that sponsor group health plans, and entities that qualify as business associates, on healthcare information privacy and security issues. This includes assisting clients with respect to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and amendments made to HIPAA by the Health Information Technology for Economic and Clinical Health Act (“HITECH”). She also advises clients on various state health care privacy laws, including state health information privacy and marketing laws.

Ms. Spencer has significant experience in investigating and responding to data breaches and information security incidents. She has represented clients in connection with data breach reporting obligations under the new HITECH regulations for breaches of protected health information and has defended health care providers in investigations initiated by the Office for Civil Rights, Department of Health and Human Services.

Ms. Spencer has advised numerous clients on privacy and security compliance issues associated with clinical trials, patient assistance programs, point-of-sale messaging, sales and marketing practices, and de-identification of data sets, among others. In connection with these matters, she frequently addresses emerging issues, such as the applicability of genetic information privacy law and HIPAA to tissue samples collected during clinical trials.

On behalf of covered entities and entities that qualify as HIPAA business associates, Ms. Spencer has developed multiple HIPAA privacy and security compliance and training programs. She has negotiated hundreds of Business Associate Agreements on behalf of various clients.


Ms. Spencer has spoken on privacy/security matters on behalf of numerous groups such as BNA and the American Conference Institute. She has authored a variety of articles on privacy/security issues, Medicare coverage, and fraud and abuse.

LIFE SCIENCES DATA PRIVACY DAY

Laura D. Berger
FTC, Division of Privacy and Identity Protection
April 17, 2012

Roadmap

• Background
• FTC Privacy Report
• FTC Health Breach Notification Rule
• Endorsement Guides
• Data Security
• Recent Enforcement Actions

FTC Background

• FTC is an independent law enforcement agency

• Consumer protection and competition mandate

• Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices”

• Commission brings law enforcement actions in federal or administrative court

• Commission also does policy work – public workshops, Congressional testimony, consumer education, and guidance to business

• Privacy has been a key consumer protection priority

Privacy Roundtables

• Three public roundtables to explore privacy in light of new technologies, including social media
• Significant public participation
• 200 participants reflecting a range of perspectives
• Transcripts and comments on the FTC’s website

Roundtable Themes

• Increased collection and use of consumer data
• Lack of understanding and informed consent
• Consumers are interested in privacy
• Benefits of data collection and use
• Decreasing relevance of PII/non-PII distinction

Privacy Report

• Issued Final Report, March 2012.

• Key elements:
  • Privacy by Design
  • Simplified Choice
  • Greater Transparency

Do Not Track

• Easy to Use

• Persistent

• Effective

Health Breach Notification Rule

• Background
  • Part of the American Recovery and Reinvestment Act of 2009
  • Interim final rule
  • Only applies to entities NOT covered by HIPAA

Health Breach Notification Rule

• Who is covered?
  • Vendors of personal health records (PHRs)
    • You are a vendor of personal health records if you offer or maintain a personal health record
  • PHR related entities
    • You are a PHR related entity if you (1) offer products or services through a website of a PHR vendor, (2) access information in a PHR, or (3) send information to a PHR
  • Third-party service providers
    • You are a third-party service provider if you offer services to a PHR vendor or PHR related entity involving the use, maintenance, disclosure, or disposal of health information

Health Breach Notification Rule

• What triggers notification?

• You must provide notice when there has been the unauthorized acquisition of PHR-identifiable health information that is unsecured and in a personal health record

Health Breach Notification Rule

• Under the FTC’s Rule, companies that have suffered a breach must:

  • Notify everyone whose information was breached;
  • In some cases, notify the media; and
  • Notify the FTC

• More information available at: http://business.ftc.gov/privacy-and-security/health-privacy

Endorsement Guides and Social Media

Recently updated Endorsement and Testimonial Guides require disclosure of a connection between a seller and an endorser that might materially affect the weight or credibility of the endorsement

Application of Endorsement Guides to Blogging

• The proposed guidelines require bloggers to disclose not only when they are paid by a company, but also when they receive a free product.
• Blogs that promote products are consumer endorsements.

Four Points that Guide the FTC’s Information Security Enforcement

• Information security is an ongoing process.
• A company’s security procedures must be reasonable and appropriate in light of the circumstances.
• A breach does not necessarily show that a company failed to have reasonable security measures – there is no such thing as perfect security.
• A company’s practices may be unreasonable and subject to FTC enforcement even without a known security breach.

Anatomy of an FTC Investigation

• Finding cases
• Pre-search
• Civil Investigative Demand or access letter
• Analyzing the facts
• Litigation or consent negotiation (or closing letter)
• Compliance and monitoring

FTC PRIVACY AND DATA SECURITY CASES

Questions?

http://business.ftc.gov/privacy-and-security

Laura Berger [email protected]

April 2012

FREQUENTLY ASKED QUESTIONS ON THE PROPOSED EU DATA PROTECTION REGULATION

1. What is the Proposed EU Data Protection Regulation and why is it important?

The EU is in the process of reforming its data protection laws so that they are suitable for the modern digital economy. The current EU Data Protection Directive will be replaced by a new EU Data Protection Regulation (the “Proposed Regulation”). The Proposed Regulation is likely to be adopted in 2014. The aim behind the Proposed Regulation is to provide harmonised data protection laws across the EU and reduce some administrative burdens, such as removing the requirement to register with local Data Protection Authorities. The Proposed Regulation will have a significant impact on life sciences companies which use personal data in many activities including pharmacovigilance, clinical trials and medical research as explained further in these FAQs.

2. Which companies will be subject to the Proposed Regulation?

The Proposed Regulation will apply to all companies in the EU that process personal data (i.e. data that identifies a living individual) and so will include all life sciences companies. The Proposed Regulation will also apply to companies outside the EU that process personal data in connection with the offering of goods or services to data subjects in the EU, or that monitor their behaviour. This will mean that many life sciences companies outside the EU, such as in the US, will be subject to the requirements of the Proposed Regulation.

3. What are the penalties for not complying with the Proposed Regulation?

The Proposed Regulation introduces significant enforcement powers including fines of up to 2% of the annual worldwide turnover of a business for failure to comply with the Proposed Regulation. In addition, Data Protection Authorities will be able to apply fines to a potentially minor data protection breach and where no damage has been suffered by the data subject. Data Protection Authorities will also be able to carry out audits and to ban the processing of personal data. Individuals may bring damages claims for non-compliance while consumer groups and other representative bodies will be able to bring claims on behalf of individuals.

4. What are the main requirements for life sciences companies under the Proposed Regulation?

The Proposed Regulation introduces the concept of “Accountability”, that is, companies have to take responsibility for, and be able to demonstrate, compliance with data protection requirements by implementing appropriate policies and measures. The measures include keeping a detailed record of all forms of data processing and verifying the effectiveness of the measures, such as through internal or external audits.

The Proposed Regulation also requires that data protection impact assessments be conducted where the processing is likely to present specific risks, such as the processing of health data. This may have a significant impact on pharmaceutical companies, particularly as the company has to seek the views of individuals or their representatives on the data processing and must consult with the relevant Data Protection Authority where the impact assessment indicates a high degree of risk. Where the Authority considers that the processing does not comply with the Proposed Regulation, such as where risks are not adequately identified, it can prohibit the data processing.

Importantly, businesses will also be required to appoint a data protection officer with “expert knowledge of data protection law and practices” where they have over 250 employees or where they monitor individuals. Data protection officers must be able to act independently and report directly to the management of the company. This requirement could result in significant additional costs for life sciences companies and some may use external consultants to fulfill this role.

5. Do individuals get new rights under the Proposed Regulation?

Yes, the Proposed Regulation will introduce a new “Right to be Forgotten” which will give individuals the right to request that their personal data be erased. There are some exceptions where it is necessary to retain the data for reasons of public interest and scientific research but many businesses are concerned about the scope and impact of this new right. In addition, there is a new “Right of Data Portability” which gives individuals the right to request that their personal data be transferred to a new provider.

6. What is the impact of the Proposed Regulation on data security?

The Proposed Regulation will require companies to report security breaches to a Data Protection Authority “without undue delay” and “where feasible” within 24 hours and to notify affected individuals if the security breach is likely to adversely affect them. The security breach requirements are likely to mean that companies will need to prepare in advance for possible security breaches by organizing data breach teams and procedures so the company can respond quickly.

7. Are international transfers of personal data permitted under the Proposed Regulation?

The Proposed Regulation continues the current restrictions on the transfer of personal data from the European Economic Area (“EEA”) to countries outside the EEA that are not considered to provide an adequate level of protection, which includes the US. The Proposed Regulation does try to make some of the possible legal mechanisms that can be used to permit such international transfers to be more flexible. For example, Binding Corporate Rules (“BCRs”) (i.e. a global internal data protection policy which is binding on the whole corporate group and approved by a relevant Data Protection Authority) can under the Proposed Regulation be adopted by both a data controller and a data processor whereas currently BCRs can only be adopted by a data controller. However, the continuing restrictions under the Proposed Regulation on the transfer of personal data from the EEA will need to be carefully considered by life sciences companies.

8. How does the Proposed Regulation affect Pharmacovigilance?

The Proposed Regulation specifically allows health data to be processed for “reasons of public interest in the area of public health including to ensure high standards of quality and safety for medicinal products or medical devices.” The reference to “safety” would appear to give a specific legal ground to process personal data for pharmacovigilance and, to the extent it does this, is a welcome clarification. However, pharmacovigilance activities will be impacted by other requirements in the Proposed Regulation, for example: (i) personal data may not be collected beyond the minimum necessary, and so it needs to be determined what is the minimum data required for pharmacovigilance purposes; (ii) full documentation on personal data processed for pharmacovigilance will need to be prepared, as well as data protection policies and other measures that take privacy by design into account; and (iii) data protection impact assessments may be needed for pharmacovigilance activities.

9. What is the impact of the Proposed Regulation on Clinical Trials?

Clinical trial activities, in addition to being subject to the requirements around data protection documentation and impact assessments referred to above, will also be subject to new requirements around obtaining consent for processing of personal data, for example in the patient informed consent form. The Proposed Regulation requires that consent must be given explicitly with the data controller having the legal burden of proving that the data subject has given valid consent. In addition, where the consent is to be given in a written declaration, the requirement to give consent must distinctly appear in the document, and be kept separate from consent to be given in the context of other matters. Also, consent is not valid where there is a significant imbalance between the position of the data subject and the data controller. This may cause uncertainty as there is arguably an inherent imbalance between the position of the individual patient and the pharmaceutical company carrying out the clinical trial.

Many of the requirements in the Proposed Regulation also apply to data processors (e.g. CROs) who will now be equally responsible for data protection compliance. This will require an examination of existing contracts with service providers involved in clinical trials to determine responsibility and liability for data protection obligations.

10. Does the Proposed Regulation cover Medical Research?

Personal data used in medical research will be subject to the requirements of the Proposed Regulation similar to other life sciences activities that use personal data such as pharmacovigilance and clinical trials. The Proposed Regulation does appear to permit health data to be processed for scientific research purposes where used in a key coded form. However, it is currently unclear whether key coded research data processed for an initial research purpose can be processed subsequently for a secondary research purpose which is not compatible with the purposes for which the data was collected for the initial research.

For more information on the application of the Proposed Regulation, please contact William Long, at Sidley Austin, London ([email protected]).


The Proposed EU Data Protection Regulation and Life Sciences
Life Sciences Data Privacy Day - April 17th 2012
William Long ([email protected])

Proposed EU Data Protection Regulation

• Proposed EU Data Protection Regulation released on Wednesday 25 January 2012

• Regulation will replace the existing EU Data Protection Directive

• Regulation expected to be adopted in 2014 following consultation with Council of Ministers and European Parliament

• Regulation will have a significant impact on life sciences companies

Summary of EU Legislative Process

• Timeline until 2014
  – Jan Philipp Albrecht MEP, Rapporteur (drafts person) with Axel Voss MEP acting as shadow Rapporteur
  – 3 Parliamentary Committees: LIBE (Civil Liberties, Justice and Home Affairs Committee), INCO (Internal Market and Consumer Affairs Committee) and ECON (Economic and Monetary Affairs Committee)
  – Q4 2012: EP Committee vote and Council “General Approach”
  – First half of 2013: “Trialogue” negotiations
  – Q4 2013: Political Agreement
  – 2014: EP Plenary adoption of the Regulation in its final form
• Delegated and Implementing Acts
  – Once the Regulation is adopted, important details will need further adoption in the form of delegated acts or implementing acts

Proposed EU Data Protection Regulation

• Application to Non-European businesses – the Regulation will apply to non-EU based businesses that offer goods and services to individuals residing in the EU or monitor the data subjects’ behaviour
• Greater Enforcement – fines of up to 2% of the annual worldwide turnover of a business for failing to comply with the proposed Regulation requirements
• Class Actions – consumer organisations may bring class actions on behalf of individuals for non-compliance, even without their consent
• Consent – explicit consent of individuals must be obtained before their data can be processed, although this may be withdrawn at any time. There cannot be a significant imbalance between the position of the data subject and the data controller
• Transparency – controller must provide transparent and clear information on how data will be used
• Transfer of Personal Data from the EU – can only be made to countries outside the EU that have an adequate level of protection. Solutions include, among others, BCRs, Model Contracts and Safe Harbor. The question of the ability to transfer personal data internationally for compliance purposes to other entities or regulators is still of concern for life sciences companies

Proposed EU Data Protection Regulation

• Privacy by Default/Design – measures must be in place to ensure that:
  o only the data necessary for each specific purpose is processed
  o data is not retained beyond the minimum necessary
  o data is not made accessible to an indefinite number of individuals

• Right to be forgotten and right to data portability – obligation to delete users’ personal data it has made public and “to take all reasonable steps” to inform third parties that individuals’ personal data processed needs deleting and right to transfer personal data to another provider

• Data Protection Notifications – no longer a requirement for data controllers to notify Data Protection Authorities of their data processing activities. But a new obligation to keep detailed documentation on all processing operations will increase compliance costs

• Data Protection Officers – requirement to appoint a data protection officer when a business has more than 250 employees or if its activities require monitoring of data subjects. A group may appoint a single data protection officer

Proposed EU Data Protection Regulation

• Data Protection Impact Assessments and prior consultation of DPA – requirement to conduct impact assessments where processing is likely to present specific risks (such as health data) and in such a case to seek the views of data subjects and consult with relevant supervisory authorities – this could be relevant to many activities of life sciences companies including clinical trials and other studies

• Pharmacovigilance – under the proposed Regulation health data may be processed under certain grounds including for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety for medicinal products or medical devices (Article 81)

• Medical Research – under the proposed Regulation personal data may be processed for historical, statistical or scientific research purposes if these purposes cannot be fulfilled by processing data which does not permit identification and the data enabling the attribution of information to an identifiable data subject is kept separately from the other information (Article 83)

Questions/Comments


Sidley Austin LLP, a Delaware limited liability partnership which operates at the firm’s offices other than Chicago, London, Hong Kong, Singapore and Sydney, is affiliated with other partnerships, including Sidley Austin LLP, an Illinois limited liability partnership (Chicago); Sidley Austin LLP, a separate Delaware limited liability partnership (London); Sidley Austin LLP, a separate Delaware limited liability partnership (Singapore); Sidley Austin, a New York general partnership (Hong Kong); Sidley Austin, a Delaware general partnership of registered foreign lawyers restricted to practicing foreign law (Sydney); and Sidley Austin Nishikawa Foreign Law Joint Enterprise (Tokyo). The affiliated partnerships are referred to herein collectively as Sidley Austin, Sidley, or the firm. For purposes of compliance with New York State Bar rules, Sidley Austin LLP’s headquarters are 787 Seventh Avenue, New York, NY 10019, 212.839.5300 and One South Dearborn, Chicago, IL 60603, 312.853.7000. Doc. 5466368

Privacy and Security – Enablers to Adoption of Health IT

Deven McGraw
Director, Health Privacy Project
November 10, 2011

Health Privacy Project at CDT

• Health IT and electronic health information exchange are engines of health reform with tremendous potential to improve health, reduce costs and empower patients.
• Some progress has been made on resolving the privacy and security issues raised by e-health – but gaps remain and implementation challenges loom.
• Project’s aim: Develop (papers) and promote (advocacy) workable privacy and security policy solutions for personal health information.

People want Health IT - but also have significant privacy concerns

• Survey data shows the public wants electronic access to their personal health information.

• But a majority – 67% – also have significant concerns about the privacy of their medical records (California Healthcare Foundation 2005; more recent focus groups and surveys confirm).

• New London/Fair Warning recent on-line survey:
  • 27.1% stated they would withhold information from their care provider based on privacy concerns.
  • 27.6% said they would postpone seeking care for a sensitive medical condition due to privacy concerns.
  • >1 out of 2 persons said they would seek care outside of their community due to privacy concerns, and 35% said they would drive more than 50 miles to seek care.
  http://www.fairwarningaudit.com/documents/2011-WHITEPAPER-US-PATIENT-SURVEY.pdf

Consequences of Failing to Act

• Protecting privacy is important
  • Prevents harm
  • Good health care depends on accurate and reliable information
  • Without privacy protections, people will engage in “privacy-protective behaviors” to avoid having their information used inappropriately.
    • 1 in 6 adults withhold information from providers due to privacy concerns. (Harris Interactive 2007)
    • Persons in poor health, and racial and ethnic minorities, report even higher levels of concern and are more likely to engage in privacy-protective behaviors. (CHF 2005)

Health IT Can Protect Privacy – But Also Magnifies Risks

• Technology can enhance protections for health data (for ex., encryption; role-based access; identity proofing & authentication; audit trails)
• But moving and storing health information in electronic form – in the absence of strong privacy and security safeguards – magnifies the risks
  • Thefts of laptops, inadvertent posting of data on the Internet, reports of internal “snooping”
  • Increased media attention to data captured on the Internet
  • Cumulative effect of these reports deepens consumer distrust

A Comprehensive Approach is Needed

• Privacy and security protections are not the obstacle – enhanced privacy and security can be an enabler to health IT.
• The essence of what we mean by “workable” protections
• A comprehensive privacy and security framework is needed to facilitate health IT and health information exchange.
  • Fair information practices – strong data stewardship model; consent plays important role but is not linchpin
  • Sound network design
  • Accountability/Oversight

Fair Information Practices – Markle Common Framework

• Openness and transparency
• Purpose specification and minimization
• Collection limitation
• Use limitation
• Individual participation and control
• Data integrity and quality
• Security safeguards and controls
• Accountability and Oversight
• Remedies

Role for Individual Consent

• Public debates about privacy protection until recently have focused almost exclusively on whether patients should be asked to authorize all uses of their information.
• Individual control is an important component of fair information practices – but it is just one component.
• Tends to provide weak privacy protection in practice (authorizations are either generally worded for brevity or too long)

“Next Generation” of Health Privacy

• Build on HIPAA for traditional health care entities – no need to rip and replace (HITECH took the first step here)
• Establish protections for health information that migrates outside of the HIPAA bubble
• Address concerns raised by new HIT infrastructure (such as HIEs)
• Essentially, hold all entities who handle health data accountable for complying with baseline protections

Agenda for the future

• Successful implementation of new HITECH privacy provisions
• Address issues raised by the use of HIEs or data exchange “intermediaries”
  • Are business associate rules sufficient?
• Protections for health data that is outside the HIPAA bubble
  • Will new consumer privacy efforts (FTC & White House reports, HHS upcoming report on PHRs) pay off for health information?
• Secondary data uses – for ex., comparative effectiveness research
  • Distributed data networks vs. centralization

Agenda for the future (cont.)

• Policies for de-identified data – focus on robust methodologies, prohibit re-identification
  • Also – encouraging use of “less identifiable” data for routine purposes; possible interpretation of minimum necessary standard?
• Better enforcement & active policy “stewardship” by regulators
  • Issuance of guidance, clarifications, FAQs
  • Safe Harbors?
  • Regulation of business associates

De-Identification Policy Challenges

• “De-identified data” = data that meets HIPAA standard for de-identification (and is therefore not PHI)
• Ensuring very low risk of re-identification – particularly through safe harbor standard – is getting more difficult due to increased availability of data
• Statistical method for de-identification is meant to be flexible over time – but robustness depends on quality of statistical analysis
• Safe harbor (removal of 18 specific data elements) will lose its potency over time

De-Identification Policy Challenges (2)

• Data risk is contextual:
  • What other data does the data recipient have access to
  • What is the recipient’s motivation to re-identify or use inappropriately
• HIPAA approach – particularly the safe harbor method – assumes a static environment and concludes that data can be deemed to raise a very low risk without consideration of this context

Less Identifiable = Less Risk

• There are limits to whether true de-identification can be achieved – but this does not mean all data present equal risk
• De-identifying or removing identifiers from data, or shielding identity through use of technology, provides additional protections for confidentiality and maximizes data use

Need More Use of “Anonymized” Data & More Data Anonymization Options . HIPAA permits use of fully identifiable data where “less identifiable” data would suffice

– Health care operations, for example (quality assurance, credentialing, business analytics)
• De-identified data is often not useful for research, public health, and quality purposes because too much data is removed
• Limited data set (LDS) preserves more data – but still rigid and may not be f l f i t t

CDT Recommendations on De-identification

• Review de-identification safe harbor standard on regular basis to bolster its efficacy

• Expand safe harbors?
• Process for vetting statistical de-identification
• Strengthen accountability for re-identification of de-identified data
• Consider whether health data should ever be made publicly available (vs. solely through data use agreement)

CDT Recommendations on De-identification (2)

• Designate de-identification “Centers of Excellence”
• Consider increasing public transparency re: uses of de-identified data
• Require recipients of de-identified data to adopt security protections

Questions?

Deven McGraw 202-637-9800 x115 [email protected] www.cdt.org/healthprivacy

Legal Best Practices for Social Media at Pharmaceutical Communications

Edward McNicholas

Social Media is Different

• Re-defined privacy boundaries for individuals
– Both a private and a public space (home/office)
– Digital natives and generational challenges
• New definitions of “community”
– Transparent peer influence
– Trusted relationships despite not meeting in person
• Unprecedented virtual footprint
– Interconnected, interacting spheres of life
– Timelines and lingering content
• Distributed control

Continuing Technological Transformations

• Online behavioral tracking and targeting in a rapidly evolving “partner” eco-system
• Gamification of non-recreational content
• Virtual worlds
• Location-aware devices
• Augmented reality devices and mirror worlds
• Micro-transactions, “Freemium” pricing innovations
• Smart mobile payment systems
• User-generated, distributed creation of content

Pharma Companies Use Social Media

Social Media Challenges

• Internal Challenges
– Careless employees (talking trade secrets)
– Whistle-blower employees (exposing issues)
– Disloyal employees (posting confidential information)
• External Challenges
– Customers
• Claiming injuries
• Seeking off-label information
– Civil Society Activists / Journalists
– Hackers
– Regulators

Is Regulation Catching Up?

“Social media is landscape-shifting. It converts the traditional two-party, adviser-to-client communication into an interactive, multi-party dialogue among advisers, clients, and prospects, within an open architecture accessible to third-party observers. It also converts a static medium, such as a website, where viewers passively receive content, into a medium where users actively create content.”

National Examination Risk Alert (January 4, 2012) SEC Office of Compliance Inspections and Examinations

Is Regulation Catching Up?

“Because consumers increasingly use the Internet to search for information about medical conditions and treatments, firms may receive public requests for off label information about their products through, for example, product websites, discussion boards, chat rooms, or other public electronic forums that they maintain and over which they have full control. Firms may also encounter requests for off-label information on third-party sites (i.e., websites and other venues that are either entirely independent of a firm’s control and influence or not fully controlled by a firm).”

FDA Guidance for Industry: Responding to Unsolicited Requests for Off-Label Information About Prescription Drugs and Medical Devices (December 2011)

Ad Age: “FDA Social-Media ‘Guidelines’ Befuddle Big Pharma”

US Social Media is Generally Unregulated

• Communications Decency Act Immunity, 47 U.S.C. § 230(c): “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”
• Rules are different elsewhere. See, e.g., Sweden's Data Inspection Board (DIB)
• US Immunity not without limits:
– FTC v. Accusearch Inc., 570 F.3d 1187 (10th Cir. 2009)
– Fair Housing Council v. Roommates.com, LLC, 521 F.3d 1157 (9th Cir. 2008)
– Doe v. SexSearch.com, 551 F.3d 412 (6th Cir. 2008) – affirmed dismissal for failure to state a claim, but did not adopt a reading of Section 230 that “potentially abrogat[ed] all state- or common-law causes of action brought against interactive Internet services.”

Financial Services Regulatory Analogs

• FINRA Guidance: Regulatory Notices 11-39, 10-06

– Retain records of communications on sites
– Establish policies and procedures
– Supervise electronic communications with procedures
– Prohibit employees from using social media outside of firm supervision
– Screen content from third-parties on social media sites
– Bar employees who present significant compliance risks
• National Association of Insurance Commissioners ("NAIC") Social Media Working Group Whitepaper

Financial Services Regulatory Analogs

• SEC OCIE Guidance: Risk-based protections:
• Usage guidelines, in light of site functionality
• Content standards
• Pre-approval requirements for social media content
• Monitoring, training, certification, and oversight resources
• Personal / professional site guidance
– Allowing any interaction? Depending on the circumstances, use of a “like” button could constitute a prohibited client “testimonial.”
– “Recordkeeping obligation does not differentiate between various media”
– Problem of “multiple overlapping procedures that apply to advertisements, client communications or electronic communications generally, which may or may not specifically include social media use.”

FTC Testimonial Issues

• Providing payment or other consideration for posts
– Free products are consideration
• Key is disclosure of connections
– Must disclose connections between advertisers and endorsers that might materially affect the weight or credibility of the endorsement
• Creating transparent policies
– Policies should address disclosure
– Require reviewers receiving any consideration to disclose
• FTC issues are in addition to FDA concerns

Guides Concerning the Use of Endorsements and Testimonials in Advertising, 16 CFR Part 255.

FDA Regulatory Issues

• FDA’s Principal Position: Internet communications are subject to same statutory and regulatory provisions as traditional advertising and promotional labeling formats
• April 2009, the FDA issued 14 letters to major drug manufacturers citing sponsored links in violation of the Federal Food, Drug, and Cosmetic Act (“FDCA”)
– letters mandated that companies’ search advertisements (the short text ads that run beside search engine results pages) had to be rewritten to include risk information about each drug or removed

FDA’s Public Hearing – Nov. 2009

• General concept of Internet promotion: “positive or negative”
• Topics identified by FDA:
– For what online communications are manufacturers accountable?
– How can manufacturers fulfill regulatory requirements in their Internet/social media promotion?
– What parameters should apply to the posting of corrective information on Web sites controlled by third parties?
– When is use of links appropriate?
• “We are specifically interested in data and research on the use of social media tools in promotion, including data from companies on their own experiences, the extent to which health care professionals and consumers are using and are influenced by various social media tools, and the impact of Internet and social media promotion on the public health.”

FDA Guidance: Responding to Unsolicited Requests for Off-Label Information

• Firm may respond to public unsolicited requests for off-label information only when the request pertains specifically to its own named product (and is not solely about a competitor’s product).
• Public response to public unsolicited requests for off-label information about firm’s own named product should only:
– Provide specific contact information,
– Convey that the use is unapproved or uncleared, and
– Not include any off-label information.
• Responding representatives must clearly disclose affiliation.
• Nothing promotional in nature or tone is allowed.

Open Regulatory Issues for Online Fora

• Will sponsor be held responsible for:
– Inadequate risk information or lack of fair balance
– Off-label discussion in which they do not participate
– Adverse event information
– Criticism of competitor’s product
• Will passive or active social media be allowed
– If passive, is selective moderation, censorship, or comment possible?
– If active, moderate discussion, possibly through pre-approval of posts
» Editorial policies regarding off-label promotion
» Posted terms of use and disclaimers
» Required balance of positive and negative comments

Social Media and EU Data Privacy

• Data privacy is a major concern with social media
• Under EU Data Protection Directive, a pharma company will likely be a data controller of personal data collected through social media applications
• Where sensitive personal data is processed, consent is likely required, but UGC may include data for a third party
• The proposed EU Data Protection Regulation sets out fines of up to 2% of annual worldwide turnover and class actions
• The proposed EU Data Protection Regulation also has a new right to be forgotten and a right of data portability (i.e. to transfer data to a new provider)

Social Media and EU Pharma Advertising

• Article 88(1) of Directive 2001/83 prohibits advertising to the general public of prescription-only medicines

• Current guidance on medicinal product advertising generally does not address social media applications

• In UK, PMCPA has published on April 1, 2011 Q&A guidance document on Digital Communications

• In Sweden, pharma trade association (LIF) has published interpretative document on social media and ethical rules

Recipe For Employee Social Media Policy

• Reason for the policy—Impact on company and its reputation
• Company will speak for itself
– Others may not represent or appear to represent the company
– If mentioning the company, should state not speaking for it
• Prohibitions on supervisors and managers
– Prohibit initiation of social networking relations with employees/applicants
• Respect privacy and dignity of colleagues
• Protect trade secrets and protectable confidential business information
• Prohibit violation of harassment and discrimination policies
– Reference applicable policies

• Provide notice that, to the extent allowed by law, employees will be disciplined for violating the company's Social Media Policy

Best Practices for Risk Mitigation in Firm Social Media Projects

Dynamic, privacy by design review processes
- The functions, promise and challenge of social media are evolving too quickly for a one-time social media compliance project
- Processes to continually assess and respond to changes in technologies, uses, and regulatory guidance are essential
- Social media plans must be vetted by relevant stakeholders
- Appoint social media project owners and digital spokespersons
- Develop social media adverse event monitoring plan
- Develop social media approved response elements
- “Virtualized interactivity”

Best Practices for Risk Mitigation

Terms of use and privacy settings can help
- Provisions to protect from misuse and limit liability
- Help protect take down rights and procedures
- Customized micro-privacy policies
Review third party use of terms and conditions
- Prohibitions on the use of social media
- Ownership of data and IP
Disclaimers
- Clear and unambiguous
- Distinguish links to sites not under company control
- Specify audience and country specific limits

Best Practices for Risk Mitigation

Separate country web pages
- Establish one international domain name and then have a screen that directs users to content focused on a particular country
Restricted access areas, such as HCP communities
- Registration requirements
- Password control
- Watch IP and defamation issues

Best Practice and Risk Mitigation

Policies and Employee training
- Keep policies broad and flexible
- Build monitoring into internal audit performance evaluation processes
- Ensure appropriate employee training particularly for those involved with content monitoring
Develop policies to cover aspects of specific channels e.g.
- Facebook
- Twitter
- Wikipedia
- YouTube

Top 10 Checklist

• Actively manage legal risk on social media sites
• Design processes to require early consultation with the legal and compliance teams before engaging in social media
• Ensure that a social media project owner is in place
• Ensure that systems and controls are in place to monitor content on external social media sites for misleading statements, off-label discussions, adverse events, and other inappropriate content
• Continually monitor and engage with regulatory developments
• Adequately train and resource employees
• Assess third party terms and conditions thoroughly
• Draft appropriate terms and conditions of use, privacy policies and take down procedures
• Consider the use of multiple “sites” or restricting access to sites for different audiences
• Remain aware of jurisdictional challenges

Any Questions ?

Ed McNicholas

[email protected] (202) 736-8010

www.Sidley.com/InfoLaw

This presentation has been prepared by Sidley Austin LLP as of April 15, 2012, for educational and informational purposes only. It does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking personalized advice from professional advisers.


Sidley Austin LLP, a Delaware limited liability partnership which operates at the firm’s offices other than Chicago, New York, Los Angeles, San Francisco, Palo Alto, Dallas, London, Hong Kong, Houston, Singapore and Sydney, is affiliated with other partnerships, including Sidley Austin LLP, an Illinois limited liability partnership (Chicago); Sidley Austin (NY) LLP, a Delaware limited liability partnership (New York); Sidley Austin (CA) LLP, a Delaware limited liability partnership (Los Angeles, San Francisco, Palo Alto); Sidley Austin (TX) LLP, a Delaware limited liability partnership (Dallas, Houston); Sidley Austin LLP, a separate Delaware limited liability partnership (London); Sidley Austin LLP, a separate Delaware limited liability partnership (Singapore); Sidley Austin, a New York general partnership (Hong Kong); Sidley Austin, a Delaware general partnership of registered foreign lawyers restricted to practicing foreign law (Sydney); and Sidley Austin Nishikawa Foreign Law Joint Enterprise (Tokyo). The affiliated partnerships are referred to herein collectively as Sidley Austin, Sidley, or the firm. For purposes of compliance with New York State Bar rules, Sidley Austin LLP’s headquarters are 787 Seventh Avenue, New York, NY 10019, 212.839.5300 and One South Dearborn, Chicago, IL 60603, 312.853.7000.

INFORMATION GOVERNANCE ASSESSMENTS

Companies need to understand the rapidly evolving world of information law and to be able to assess whether they are exercising appropriate governance over personal data and other information assets. Sidley provides a range of privacy information governance assessments to establish and assist corporate data protection programs.

Data Protection Diligence

Privacy diligence involves having Sidley attorneys evaluate a snapshot of a privacy / information governance program within a company or in a potential corporate acquisition. We guide clients in preparing a virtual data room and present a prioritized assessment of major privacy issues. This diligence can also be helpful for those who need to develop a rapid, privileged understanding of their compliance status and can be used to support self-verification for the US-EU Safe Harbor for data transfers.

Information Governance Gap Analysis

An Information Governance Gap Analysis is designed to offer detailed, strategic guidance regarding the controls over information within an organization. It avoids the cost and delay of compiling a complex “data map,” and instead focuses on producing a privileged, legal risk-based report identifying and recommending solutions for gaps within an existing data protection program.

Information Governance Program Assessments

A full information governance program assessment investigates the collection, use and movement of personal data within an organization and develops a detailed report analyzing how personal data is acquired, used, shared, and stored within an organization. These assessments can be very useful in understanding how well an existing privacy program is actually working and in demonstrating to regulators that privacy commitments are taken seriously and have been honored or that past breaches have been remedied.

Privacy Impact Assessments for Specific Products or Services

Personal data issues in particularly complex or sensitive new products or marketing campaigns often merit focused attention. A project privacy impact assessment helps a business team understand and assess personal data flows, develop privacy-enhancing protections, and ensure legal compliance. Privacy impact assessments can help integrate “privacy by design” throughout a company’s products and services by modeling best practices.

For more information, please go to www.Sidley.com/InfoLaw or contact the attorney at Sidley with whom you normally communicate or Edward McNicholas, a global coordinator of Sidley’s Privacy, Data Security, and Information Law group, (202) 738-8010, [email protected].


HIPAA, HITECH, and Key State Law Considerations for Life Sciences Companies

Anna L. Spencer – [email protected] 202-736-8445

Overview

• Setting the Stage – Big Picture
• HIPAA Fundamentals: Applicability and Requirements
• Key Considerations for Life Science Companies – PAPs, Marketing, Clinical Research and More
• De-Identification
• State Law Considerations

Privacy of Health Information

• Meaningful Use/Electronic Health Records (EHRs)
• Health Information Exchanges (HIEs)
• Office of National Coordinator (ONC)
– Mobile Computing Devices

HIPAA’s Administrative Simplification: The Basics

• Health Insurance Portability and Accountability Act (HIPAA) - large statute covering many areas
• Three sets of regulations under Administrative Simplification
– Electronic Data Interchange
– Privacy
– Security
• Apply to Covered Entities and, as a result of HITECH, their Business Associates
• Governs the use and disclosure of Protected Health Information (PHI)

HITECH

• Health Information Technology for Economic and Clinical Health Act (HITECH)
• Part of the stimulus legislation signed into law in February 2009
• Ambitious goals for EHRs and a national HIT infrastructure
• Expanded the reach of HIPAA, created federal breach reporting requirements and increased penalties for violations
• Status of the Omnibus Rule

Heightened Enforcement and Penalties Under HITECH

• Requires that the HHS Secretary formally investigate any complaint of a HIPAA violation if a preliminary investigation indicates a possible violation due to “willful neglect”
• Empowers state attorneys general to bring civil actions in federal court on behalf of their citizens when the attorney general has reason to believe that an interest of one or more residents has been threatened or adversely affected by a person who violates HIPAA
• Increases penalties for noncompliance:
– Criminal penalties will apply against a person (including an employee or other individual) where PHI is maintained by a Covered Entity and the individual obtained or disclosed the information without authorization in violation of HIPAA
– Creates a tiered approach to civil monetary penalties for violations of HIPAA and HITECH (maximum penalty increased from $25k to $1.5 million)

Heightened Enforcement and Penalties Under HITECH (cont’d)

• Incentives for individuals to file complaints with the HHS Secretary and state attorneys general regarding alleged violations
– GAO Report recommending methodology for individual to receive percentage of CMPs (18 months after enactment)
– Establishment of methodology (3 years after enactment)
• Incentives for agency to investigate and prosecute violations
– CMPs and monetary settlements reinvested in OCR
• Requirement that Secretary periodically audit Covered Entities and Business Associates
• Breach reporting rule

Recent Enforcement Activity

• Recent Settlements
– BC/BS of TN (March 2012) – $1.5M and CAP
– UCLA Health System (July 2011) – $865k and CAP
– Cignet (Feb. 2011) – $4.7M and CAP
• AG HITECH Litigation
– CT and VT actions against HealthNet for a massive data breach
– MN action against Accretive

HIPAA and HITECH Application to Pharmaceutical and Medical Device Manufacturers, Generally

• Manufacturers typically are not Covered Entities, so HIPAA does not directly apply
– Exception: Direct consumer sales are a covered entity activity
– But Note: Under HITECH, certain privacy and security standards will apply directly to manufacturers that operate as Business Associates
• Even so, there may still be HIPAA exposure for disclosures in violation of HIPAA
• Primary significance of HIPAA for manufacturers where there is no direct application is how it affects the manufacturer’s customers and whether PHI may be permissibly disclosed by the customer to the manufacturer

Exceptions to the Authorization Requirement

• In general, individual authorization is required to use or disclose PHI unless an exception applies
• Treatment, Payment and Health Care Operations (TPO)
• Disclosures for Facility Directories and to Persons Assisting in an Individual’s Care or Payment for Care – Individual Agreement
• Public Policy Exceptions (next two slides)

Public Policy Uses/Disclosures

• Uses and disclosures for public health activities - prevent/control disease, injury or disability (e.g., CDC, FDA, OSHA, child abuse agencies)
– Disclosures to a person subject to the jurisdiction of the FDA with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety, or effectiveness of such FDA-regulated product or activity
• Including to collect or report adverse events, product defects or problems, or biological product deviations; to track FDA-regulated products; to enable product recalls, repairs, etc.; to conduct post-marketing surveillance

Public Policy Uses/Disclosures

• Uses and disclosures for research purposes - if a Covered Entity receives documentation that waiver of individual authorization requirements have been approved by an IRB or an equivalent body referred to as a Privacy Board
– Use/Disclosure involves no more than minimal risks to privacy of individual
• Adequate plan to protect identifiers from improper use/disclosure
• Plan to destroy identifiers at earliest opportunity consistent with research unless there is a health/research justification for retention or retention required by law
• Adequate assurances that PHI will not be re-used or re-disclosed except as required by law, for authorized oversight of research or other research purposes
– Research could not practicably be conducted without PHI
– Research could not practicably be conducted without waiver
• Uses and disclosures of PHI (1) about decedents for research purposes and (2) for reviews preparatory to research without obtaining authorization if certain conditions are met

Special Rules for Marketing Activities

• Marketing - to make a communication about a product or service that encourages the recipients of the communication to purchase or use the product or service
• Prior Exclusions: A Covered Entity is not engaged in “marketing” when it communicates to individuals about:
– Health-related products or services provided by, or included in a plan of benefits of, the Covered Entity making the communication;
– The individual’s treatment;
– Case management or care coordination for the individual; or
– Directions or recommendations for alternative treatments, therapies, health care providers, or settings of care to the individual
• HITECH modifications

Marketing Restrictions Under HITECH

• Some of the most complex and technical provisions in HITECH
• Communication will not be considered a “health care operation” (and therefore authorization will be required) if the Covered Entity receives remuneration for the communication, unless:
– The communication describes only a drug or biologic currently being prescribed for the recipient of the communication and the payment received by the Covered Entity is a “reasonable amount” as defined by the HHS Secretary
• Exception for treatment communications
– “Treatment” under the HITECH Proposed Rule

Restrictions on Disclosure and Sale of EHRs or PHI Under HITECH

• Generally prohibits receipt of direct or indirect remuneration by Covered Entities or Business Associates in exchange for PHI without an individual’s authorization
• Exceptions for:
– Public health activities
– Research (price restricted to costs of preparing and transmitting data)
– Treatment of the individual
– Sale, transfer, or merger of one Covered Entity with another
– Providing remuneration to a Business Associate under a Business Associate Agreement for services rendered by the entity
– Providing an individual with access to his or her PHI
– Any other exception promulgated by the Secretary
• Effective 6 months after regulations promulgated

Manufacturer Activities Potentially Subject to HIPAA Restrictions

• Patient Assistance Programs (PAPs)
– Potential HIPAA implications: Manufacturer is likely not a Covered Entity, but the physician is
• Will physician be required to obtain patient’s authorization for release of PHI to the manufacturer?
• Does provision of PHI to facilitate enrollment in a PAP fall under the HIPAA treatment exception?
• Reimbursement assistance
– Potential HIPAA implications: Manufacturer is likely not a Covered Entity, but the physician is
• Will physician be required to obtain patient’s authorization for release of PHI to the manufacturer?
• Is a Business Associate Agreement needed?

Manufacturer Activities Potentially Subject to HIPAA Restrictions

• Financial support of refill reminders sent by pharmacies
– Potential HIPAA implications: Patient authorization is not required under HIPAA pre-HITECH
– Impact of HITECH marketing provisions?
• Potential applicability of two exceptions
• Financial support of provider communications about alternative treatments
– Potential HIPAA implications: Patient authorization is not required under HIPAA pre-HITECH
– Impact of HITECH marketing provisions?
• Potential applicability of one exception


Research: Options for Permissible Uses and Disclosures

Waiver of authorization requirement by an IRB or Privacy Board

OR Limited to information to develop research protocol

OR Limited to information about decedents

OR “Limited data set” pursuant to Data Use Agreement

OR Authorization

De-Identification

• De-identified Data – Two Methods:
• Delete an enumerated list of data elements, such as:
– (1) Name, (2) Address, (3) Birth Date or Age, (4) Telephone Number, (5) Medical Record Number, (6) Biometric Identifier, (7) Health Plan Number, (8) Occupation, (9) Photos, and (10) Employer
• Health information may be treated as de-identified even if all identifiers are not removed, but only if a person with appropriate statistical and scientific expertise determines that the risk of identification is very small
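Added example (not from the presentation): the first method, element removal, applied to a constructed patient record. It drops the identifier fields the slide enumerates and, going beyond the slide's list, applies the HIPAA safe harbor rules for dates and ages (year only; ages 90 and over reported as one category); the field names are an assumed record schema, and the closing scan is a sanity check, not the expert statistical determination the second method requires.

```python
"""Safe harbor de-identification applied to a constructed patient record.

Added example, not from the presentation. The record schema (field names
and values) is constructed for illustration. Suppressed fields follow the
slide's enumerated list; the date and age handling goes beyond the slide
and follows the HIPAA safe harbor rules: keep only the year of any date
tied to the individual, and report ages of 90 or over as a single "90+"
category with no birth year. The residual scan is a sanity check only.
"""
import re
from datetime import date
from typing import Any

# Fields dropped outright (the identifier categories the slide enumerates).
SUPPRESSED_FIELDS = {
    "name", "address", "telephone", "medical_record_number",
    "biometric_identifier", "health_plan_number", "occupation",
    "photo", "employer",
}
AGE_CAP = 90  # ages at or above this collapse into one category
REFERENCE_DATE = date(2012, 4, 17)  # fixed "as of" date so output is reproducible

# Patterns that may leak identifiers through free-text fields.
PHONE_RE = re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b")
DATE_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")

# Constructed sample record (every value is fictitious).
SAMPLE_RECORD: dict[str, Any] = {
    "name": "Jane Q. Sample",
    "address": "12 Example St, Palo Alto, CA 94301",
    "birth_date": "1951-04-17",
    "telephone": "650-555-0100",
    "medical_record_number": "MRN-000123",
    "health_plan_number": "HP-998877",
    "occupation": "Teacher",
    "employer": "Example School District",
    "photo": "jane.jpg",
    "diagnosis_code": "E11.9",
    "visit_date": "2012-03-02",
    "notes": "Patient called from 650-555-0100 on 2012-03-02 to reschedule.",
}


def generalize_birth_date(value: str, as_of: date) -> dict[str, Any]:
    """Replace a birth date with year and age, aggregating ages 90 and over."""
    born = date.fromisoformat(value)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    if age >= AGE_CAP:
        # A birth year alone would reveal an age over 89, so it is dropped too.
        return {"birth_year": None, "age": f"{AGE_CAP}+"}
    return {"birth_year": born.year, "age": age}


def scrub_text(text: str) -> str:
    """Mask phone numbers and full dates that appear inside free text."""
    return DATE_RE.sub("[DATE]", PHONE_RE.sub("[PHONE]", text))


def deidentify(record: dict[str, Any], as_of: date) -> dict[str, Any]:
    """Return a safe-harbor-style copy of ``record``; the input is not modified."""
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in SUPPRESSED_FIELDS:
            continue  # identifier category removed entirely
        if key == "birth_date":
            out.update(generalize_birth_date(value, as_of))
        elif key.endswith("_date"):
            # Other dates tied to the individual keep only the year.
            out[key[: -len("_date")] + "_year"] = date.fromisoformat(value).year
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


def residual_identifiers(record: dict[str, Any]) -> list[str]:
    """List fields that still look like identifiers; empty means the scan passed."""
    findings = []
    for key, value in record.items():
        if key in SUPPRESSED_FIELDS or key.endswith("_date"):
            findings.append(f"field {key!r} still present")
        if isinstance(value, str) and (PHONE_RE.search(value) or DATE_RE.search(value)):
            findings.append(f"field {key!r} contains a phone number or full date")
    return findings


if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD, as_of=REFERENCE_DATE)
    for k, v in cleaned.items():
        print(f"{k}: {v}")
    print("residual identifiers:", residual_identifiers(cleaned) or "none")
```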

De-Identification: Additional Considerations

• Contractual restrictions
– Business Associate Agreement restrictions
• A Business Associate may use and disclose PHI as permitted by its Business Associate Agreement
– http://www.hhs.gov/ocr/privacy/hipaa/faq/health_information_technology/544.html
• Guidance provides that Business Associates may de-identify PHI for their own purposes IF the BAA authorizes the Business Associate to do so
– Authorizations may be relevant as well
• HIPAA requires a statement about the potential loss of protection and secondary disclosures
• Nevertheless, some may be drafted in a way that restrict secondary uses or disclosures

De-Identification: Evolving Standards

• De-identification is not without risk
– Risk of re-identification
– Potential legal challenge
• 2010 Complaint to FTC alleging online pharmaceutical marketing violates consumer privacy
– Potential application of state law
• HITECH requires the Secretary of HHS to issue new guidance
– Some are pushing to make the standard stricter

State Law Preemption

• HIPAA privacy and security requirements preempt contrary state laws
– Exception: If the state law relates to the privacy of health information and is more stringent, the state law is not preempted
– In other words, Federal law sets the floor
• Distinguish between general state privacy laws that protect medical information and those that apply to particularly sensitive medical data
– Most of the former apply only to providers and plans and, therefore, do not reach manufacturers
• However, some general state privacy laws that protect the confidentiality of medical information apply to manufacturers (e.g., Texas, California)
– Most of the latter apply to any recipient, including manufacturers

Anna L. Spencer [email protected] 202-736-8445

This presentation has been prepared by Sidley Austin LLP as of April 17, 2012, for educational and informational purposes only. It does not constitute legal advice.



Life Sciences Data Privacy Day - April 17, 2012

Managing Data Protection in International Clinical Trials & Observational Studies

Judith E. Beach, Ph.D., Esq., Senior Vice President & Senior Associate General Counsel; Global Chief Privacy Officer

Key International Privacy Laws

– United States:
• “HIPAA 1” and “HIPAA 2” (HITECH Act) (applies to Protected Health Information held by a Covered Entity such as a clinical investigator)
• Security Breach Notification laws – Omnibus rule due in ~ 90 days
• Federal Trade Commission (FTC) Act, Section 5 on Unfair or Deceptive Trade Practices
– Europe:
• European Union Directive on Protection of Personal Data 95/46/EC
– Canada:
• 2001 Personal Information Protection and Electronic Documents Act (PIPEDA)
– Australia:
• Privacy Amendment (Private Sector) Act 2000
– Japan:
• Personal Information Protection Act (PIPA) 2003

European Data Protection Laws

– Limit how we may use / process personal information about individuals, regardless of where processing takes place

– “Processing” can take many forms, including: • collecting, obtaining, recording, holding, sharing, combining, and even destroying personal information . . . anything you do with personal data.

– Personal Data lawfully processed must be adequately protected with organizational and technical measures

Transferring Clinical Trial Data Outside EU/EEA

EU laws restrict export of personal data UNLESS:
• Lawfully collected in the country of origin (e.g., with consent) and
• With adequate level of protection provided by recipient

Adequate Level of Protection:
• Certified to the US-EU Safe Harbor
• Transfer to a «white-listed» country
• Other transfers may require a specific, detailed set of contractual obligations – EU Model Contracts / Data Transfer Agreements
• Binding Corporate Rules
• De-identified / Key-Coded / Dummy / Pseudonymized Study Subject Data

Certification to U.S.-EU Safe Harbor

– Certification to the US-EU Safe Harbor with annual recertification
• Transfers of personal data out of Europe to “harborites” in the US, which are deemed by EU / EEA to provide an adequate level of protection: http://export.gov/safeharbor/

– Binding Corporate Rules (BCRs) – if the proposed EU Data Protection Regulation becomes the rule in all member states and the proposed “one-stop shop” DPA is retained, then BCRs should be considered by companies for transferring data out of Europe to all over the world.


U.S.- EU Safe Harbor Privacy Principles

– Notice – Choice – Data Integrity – Transfers to Agents – Access and Correction – Security – Enforcement – Dispute Resolution

Data Protection: Privacy by Design - Technical and Organizational Measures

• Access Controls / authorization procedures
• Encryption of laptops and portable media
• Robust / mandatory privacy training
• Robust data protection language in contracts (including Model Contracts - Data Transfer Agreements)
• De-identification and Aggregation
• Encoding and stripping identifiers wherever possible
• Periodic privacy compliance reviews (internal and vendors)
• Regional and Country Specific Privacy Programs
• Proactive Vendor Management

Managing Privacy Risks of Third-Party Vendors

Security Breach:
• 39% of U.S. data breaches in 2010 involved third-party organizations such as outsourcers and contractors (From: Ponemon Institute, 2010 Annual Study: U.S. Cost of a Data Breach, March 2011)

Protect personal data systems:
• Vetting vendors and including privacy certifications in vendor contracts
• Require vendor privacy assessment questionnaires and / or compliance audits
• Include a Vendor Privacy Certification Standard in vendor contracts

Monitor:
• Actively monitoring vendors throughout the relationship
• Include the right in vendor contracts to conduct reviews
• Require reporting of vendor privacy incidents

Potential Consequences of a Security Breach

• Disciplinary action against employees by Human Resources, up to and including dismissal
• Lawsuits, consent decrees and fines/penalties (also criminal)
• Poor public relations / harm to reputation
• Harm or distress to the individual whose privacy may have been violated
• Breach of confidentiality provisions in customer contracts
• Loss of consumer or customer confidence
• Costly security breach notifications to individuals, authorities & media plus legal fees
• Potential for charges brought against individual employees

Informed Consent in Clinical Research

The Informed Consent Form (ICF) should inform prospective research participants of how their data will be used if they participate in the study, including:
• The nature of the data to be processed about them
• The purposes for which their data will be processed
• To whom their data will or may be disclosed
• How their data will be kept secure (e.g., key-coding, encryption)
• How to exercise their rights as data subject to access, correct and (in some cases) obtain deletion or destruction of their data
• Effect of withdrawal of consent on the use / disclosure of their data

Informed Consent in Clinical Trials

Compliance required with data protection laws of countries where data is collected AND where the data will be processed.
• Global ICF templates developed by sponsors / CROs include data protection language that is generally acceptable around the world.
• Adaptation of global templates to meet country-specific data protection requirements.

Informed Consent in Clinical Trials

Examples of necessary modifications to a global ICF template:
• Specific statements of compliance with local data protection laws / regulations are required in some countries (e.g., Italy, France)
• Data Protection Authorities & Ethics Committees in certain countries object to the use of participants’ initials in their coded study identification number (e.g., Germany)
• Requirements on the collection, storage & future use of genetic samples vary from country to country

Problems Arising With Respect to Opt-In Consent for Observational / Retrospective Studies

Growing body of evidence:
• Opt-in Consent may result in selection bias
• Opt-in Consent may result in un-representative, incorrect, or misleading findings

In one study, analyses confined to the hospital records of women who consented to the postal questionnaire survey showed a spurious finding concerning the provision of radiotherapy for women from underprivileged areas and uncertainty concerning the general provision of care due to small sample size.

In another study of consent bias on medical records, it was found that requiring written authorization for research use of the medical records resulted in substantial biases in etiologic and outcome studies, the direction and magnitude of which may vary according to the purpose of the research.

Accordingly, research studies based on medical records, for the purpose of reviewing the coverage and equity of health care should, with appropriate safeguards, be recognized as a class of study for which individual patient consent is not required or even encouraged.


References on Selection Bias / Misleading Results

– Macleod U and Watt CMW. The impact of consent on observational research: a comparison of outcomes from consenters and non consenters to an observational study. BMC Medical Research Methodology 2008, 8:15. doi:10.1186/1471-2288-8-15.
– Jacobsen SJ, Xia Z, Campion ME, Darby CH, Plevak MF, Seltman KD, Melton JL: Potential effect of authorization bias on medical records research. Mayo Clin Proc 1999, 74:330-338.
– Woolf SH, Rothemich SF, Johnson RE, Marsland DW: Selection bias from requiring patients to give consent to examine data for health services research. Arch Fam Med 2000, 9:1111-1118.
– Harris T, Cook DG, Victor C, Beighton C, DeWilde S, Carey S: Linking questionnaires to primary care records: factors affecting consent in older people. J Epidemiol Community Health 2005, 59:336-338.
– Dunn KM, Jordan K, Lacey RJ, Shapley M, Jinks C: Patterns of consent in epidemiologic research: evidence for over 25,000 responders. American Journal of Epidemiology 2004, 159:1087-1094.
– Al-Shahi R, Vousden C, Warlow C: Bias from requiring explicit consent from all participants on observational research: prospective, population study. BMJ doi:10.1136/bmj.38624.397569.68 (13 October 2005).

Pseudonymization / Dummy / Key-Coding Data in Clinical Trials, Wherever Possible

DPAs & Ethics Committees: Determination on Case-by-Case Basis, Strictly Interpreted, & Rarely Challenged

Reasonably Balancing Risks to Patients’ Safety & Data Integrity?

– Two unique identifiers:
• To check that patients are not enrolling in the same study at different sites or different studies at same site
– Privacy Risk Very Low:
• No reported incidents of improper re-identification of a study subject
– Dummy Data:
• Increases error rates & risk to patients’ safety
– Labs and ECGs?:
• Lab & ECG results read & reported in specific age ranges require other identifiers
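The key-coding workflow sketched on this slide and on the "Technical and Organizational Measures" slide (strip direct identifiers, hold the code key apart from the data recipient, report results by age range, detect a subject enrolled at two sites), as an added example that is not part of the presentation. Every name, identifier, the age bands and the key are constructed for the example; the HMAC-based code derivation and the separate key table are the example's own design choices, not a method the speaker describes.

```python
"""Key-coding (pseudonymizing) clinical trial subject records before export.

Added example, not from the presentation. Sample data, identifiers and the
key are constructed; age bands are an assumption for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date

# Lab/ECG results are exported with an age band instead of a date of birth.
AGE_BANDS = ((18, 29), (30, 44), (45, 64), (65, 120))

# Fields that must never leave the investigator site in the export.
DIRECT_IDENTIFIERS = {"full_name", "initials", "national_id", "date_of_birth"}


@dataclass(frozen=True)
class SourceRecord:
    """Identifiable record as held at the investigator site (constructed)."""
    site: str
    full_name: str
    initials: str
    national_id: str
    date_of_birth: date
    visit_date: date
    qtc_ms: int  # ECG QTc interval, the study result being exported


def age_band(dob: date, on: date) -> str:
    """Age on a given date, reported only as a band such as '30-44'."""
    age = on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))
    for lo, hi in AGE_BANDS:
        if lo <= age <= hi:
            return f"{lo}-{hi}"
    raise ValueError(f"age {age} is outside the study's age bands")


def pseudonym(key: bytes, national_id: str, dob: date) -> str:
    """Subject code derived from two stable identifiers with a study-wide key.

    The key is held by the key holder (sponsor or trusted third party), never
    by the data recipient, so the recipient cannot reverse the code. No
    initials are embedded, so the code itself reveals nothing about the subject.
    """
    msg = f"{national_id}|{dob.isoformat()}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return "SUBJ-" + digest[:12].upper()


def key_code(rec: SourceRecord, key: bytes):
    """Split one record into (export record, key-table entry).

    The export record goes to the recipient; the key-table entry stays with
    the investigator so re-identification remains possible for safety follow-up.
    """
    code = pseudonym(key, rec.national_id, rec.date_of_birth)
    export = {
        "site": rec.site,
        "subject_code": code,
        "age_band": age_band(rec.date_of_birth, rec.visit_date),
        "visit_date": rec.visit_date.isoformat(),
        "qtc_ms": rec.qtc_ms,
    }
    key_entry = {"subject_code": code, "site": rec.site,
                 "full_name": rec.full_name, "national_id": rec.national_id}
    return export, key_entry


def leaks_identifiers(export: dict) -> bool:
    """Release check: True if any direct identifier survived into the export."""
    return bool(DIRECT_IDENTIFIERS & export.keys())


def duplicate_enrollments(exports) -> dict:
    """Codes seen at more than one site. Because every site codes with the
    same study key, the same person yields the same code everywhere, so the
    check runs on exported data without seeing any identity."""
    sites = {}
    for e in exports:
        sites.setdefault(e["subject_code"], set()).add(e["site"])
    return {code: sorted(s) for code, s in sites.items() if len(s) > 1}


def sample_records():
    """Constructed records: the first subject appears at two sites."""
    return [
        SourceRecord("DE-01", "Anna Muster", "AM", "DE-000-111",
                     date(1970, 5, 10), date(2012, 4, 17), 410),
        SourceRecord("FR-02", "Anna Muster", "AM", "DE-000-111",
                     date(1970, 5, 10), date(2012, 4, 20), 415),
        SourceRecord("FR-02", "Jean Dupont", "JD", "FR-222-333",
                     date(1945, 1, 2), date(2012, 4, 18), 440),
    ]


def run_example(key: bytes) -> dict:
    """Key-code the sample records and run both release checks."""
    coded = [key_code(r, key) for r in sample_records()]
    exports = [e for e, _ in coded]
    key_table = [k for _, k in coded]
    assert not any(leaks_identifiers(e) for e in exports)
    return {"exports": exports, "key_table": key_table,
            "duplicates": duplicate_enrollments(exports)}


if __name__ == "__main__":
    result = run_example(b"constructed-study-key")
    for e in result["exports"]:
        print(e)
    print("enrolled at more than one site:", result["duplicates"])
```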


FEBRUARY 29, 2012

PRIVACY, DATA SECURITY AND INFORMATION LAW UPDATE White House Issues First Ever Administration-Level Data Privacy Framework

On February 23, 2012, the Obama Administration released an important policy initiative embodied in a white paper setting forth a comprehensive privacy framework—the first such framework ever introduced by any administration. The white paper, titled Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (the “White Paper”), is the culmination of extensive policy development by the U.S. Commerce Department and the Federal Trade Commission. The White Paper also represents a significant U.S. response to the European Union’s proposed data protection regulation to replace the EU Data Protection Directive (95/46/EC). The White Paper has reasserted the U.S. position that the U.S. framework for data protection is substantively strong and worthy of “mutual recognition” by the EU, but it may also crystallize a clash between the EU conception of privacy as a fundamental human right and the U.S. conception of privacy as a value to be balanced against competing values (e.g., innovation, communication and economic growth). Perhaps the most important dimension of the White Paper is who, how and where it was issued: by announcing the White Paper in the White House with a statement by the President, it is intended to represent a presidential initiative; this could significantly elevate the stature of privacy and data protection issues in the overall hierarchy of federal policy. Overall, the framework adopts a balanced approach to the contentious debate about privacy as a fundamental human right versus privacy as a hindrance to innovation. First, the White Paper expressly affirms the administration’s stated commitment to the Internet as an open, decentralized user-driven platform for communication, innovation and economic growth. 
It is important that the Paper acknowledges the clear benefits to consumers of promoting and preserving openness, flexibility and innovation in connection with collecting and using data. Second, while proposing relatively modest changes to U.S. privacy law, it essentially confirms that the existing model of U.S. privacy law is working reasonably well both to protect privacy and to promote innovation. And third, it recognizes that the substantive values underlying the U.S. approach to privacy as expressed in the framework itself are substantially equivalent to those expressed by the EU Data Protection Directive and the Asia-Pacific Economic Cooperation Privacy Framework. The White Paper sets forth four “key elements” to protecting privacy. These elements include: (1) the first ever “Consumer Privacy Bill of Rights”; (2) development of “appropriate, legally enforceable codes of conduct” through the cooperation of private and public stakeholders; (3) Federal Trade Commission (“FTC”) enforcement of the Consumer Privacy Bill of Rights; and (4) “mutual recognition” and “enforcement cooperation” aimed at “global interoperability.” Among the more notable principles advanced in the White Paper are standards obligating companies to limit the overall amount of data they collect about consumers in a more “focused” manner, and to restrict the data they collect and use in light of the “context” of their relationship with consumers. At the same time, the White Paper emphasizes that consumers also bear significant responsibility for managing the privacy of their own data. Perhaps most significantly, the framework proposes to make industry privacy and security practice more consistent and useful to consumers through development of industry-wide codes of conduct and nationally standardized approaches to privacy disclosures and choices. Indeed, the White Paper overall expresses strong support for a unified, national approach to privacy and data security through federal standards and preemption of state laws. In particular, it argues that the patchwork of state data breach laws creates burdens without commensurate benefits, and that expansion of FTC enforcement authority would enhance standardization by strengthening the hand of a central federal regulator. While the White Paper emphasizes the importance of national uniformity, it does not purport to replace or challenge the role or propriety of the sector-specific federal laws that currently comprise U.S. privacy and data security law. Indeed, the White Paper is a clarion confirmation that the existing U.S. privacy framework is working well, and that case-by-case enforcement effectively protects consumers’ privacy.

This Sidley update has been prepared by Sidley Austin LLP for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from professional advisers. Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300 and One South Dearborn, Chicago, IL 60603, 312.853.7000. Prior results do not guarantee a similar outcome.

White Paper Advocates Adoption of Consumer Privacy Bill of Rights

The Consumer Privacy Bill of Rights purports to create a federal “baseline of clear protections for consumers and greater certainty for companies.” It represents an effort to unify existing U.S. privacy law, which is viewed by some observers—especially in the EU—as an uneven amalgam of sector-specific laws at both the federal and state levels. The White Paper asserts that, while the current U.S. framework is flexible and effective in certain regards, gaps in federal privacy protection exist in several sectors of the economy. The White House argues that the framework advocated in the White Paper will be consistent with President Obama’s regulatory review/cost-benefit Executive Order No. 13563, and thus provide greater certainty, promote innovation, and minimize compliance costs for businesses while giving consumers more tools for understanding and controlling how their personal data “flows in the digital economy.” Unfortunately, however, the White Paper does not explain how or why the policies it advocates would satisfy existing cost-benefit review standards. Nonetheless, by addressing standardization at a federal level, the White Paper’s endorsement of the Consumer Privacy Bill of Rights may move international perceptions of U.S. privacy law closer to the model of a comprehensive, omnibus approach to data privacy and protection seen in the EU and in other nations, including Argentina, Australia, Canada, Israel and New Zealand. The Consumer Privacy Bill of Rights is based on Fair Information Practice Principles (“FIPPs”), a longstanding framework embedded in the federal Privacy Act of 1974 addressing privacy with respect to government agencies. The FIPPs approach is echoed in a number of state laws. As described in the White Paper, the FIPPs embrace a “flexible” approach to evaluating the competing interests that underlie privacy in order to encourage innovation.
As set forth in the Consumer Privacy Bill of Rights, these principles are:

• Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.
• Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.
• Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
• Security: Consumers have a right to secure and responsible handling of personal data.
• Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
• Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
• Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

Consumer Privacy Bill of Rights Implementation

Significantly, the Administration believes that the Consumer Privacy Bill of Rights can have an immediate and lasting impact on the regulatory landscape even if Congress does not pass legislation adopting it. The Administration intends for this framework to “serve as a template for privacy protections” in the U.S. Indeed, the Administration announced that it “will implement this framework without delay,” by charging the Department of Commerce to work with federal agencies “to convene stakeholders, including our international partners, to develop enforceable codes of conduct that build on the Consumer Privacy Bill of Rights.” This call to immediate action is perceived as an alternative to congressional action that is stymied by indecision over other privacy legislation, including a host of data breach notification and cybersecurity bills. The Administration is plainly looking to influence both consumers and companies to adopt the Consumer Bill of Rights as the prevailing set of common expectations that can be enforced by the FTC, state Attorneys General and plaintiffs’ lawyers through existing legal authorities.

Stakeholder Participation Will Guide Code of Conduct Development

The White Paper outlines the Administration’s goal of initiating a multi-stakeholder process to produce enforceable codes of conduct implementing the Consumer Privacy Bill of Rights. The Administration announced in the White Paper its goal of involving stakeholders, including consumer groups and privacy advocates, in open and transparent forums directed by the National Telecommunications and Information Administration, the agency within the Department of Commerce charged with advising the President on telecommunications and information policy. The purpose of these forums would be to arrive at a consensus on legally enforceable codes of conduct for each market or business context, so that consumers can be assured of a consistent approach to privacy among similar companies. The White House took care to note that private sector participation would be voluntary and companies would not be required to adopt a given code of conduct. While private sector participation would be voluntary, these codes of conduct will have far-reaching legal significance, as they create a new standard of “reasonable” privacy and security; deviation from the code could entail liability under existing law, negligence actions or trigger an FTC enforcement action. Ultimately, however, the codes of conduct are intended to give U.S. companies a role in developing clear standards and safe harbors regarding their compliance with U.S. privacy law.

Consumer Privacy Bill of Rights Enforcement Delegated to the FTC

Under the Administration’s framework, the FTC would have potentially far-reaching rulemaking authority under the Administrative Procedure Act (“APA”) as well as enforcement powers over privacy issues. While the White Paper asserts that it intends to expand the FTC’s enforcement authority, it simply endorses the FTC’s recent de facto assumption of considerable privacy regulatory authority in high-profile enforcement actions against Google, Facebook, Twitter and other prominent companies, and clarifies the range of the agency’s authority. In proposing APA rulemaking authority for the FTC, the White Paper does not mention that this independent agency is not currently obligated to follow the cost-benefit principles set forth in Executive Order 13563 and in other Executive Orders governing regulatory review, although it has committed to do so voluntarily. As evidenced in recent congressional activity on data breach legislation, Congress will not easily agree to endow the FTC with new rulemaking authority. The White House cites FTC enforcement as a critically important tool in ensuring that companies are accountable for adhering to their privacy commitments and that responsible companies are not disadvantaged by competitors who may adopt less stringent privacy policies or practices. In the White Paper, the Obama Administration encourages Congress to provide the FTC and state Attorneys General with specific authority to enforce the Consumer Privacy Bill of Rights should it be adopted into law. It is unclear how this mandate would impact current FTC privacy enforcement trends under the FTC’s current Section 5 authority; the White House notes that the FTC and State Attorneys General have authority to enforce private-sector standards that are adopted by industry pursuant to its pre-existing legal authority. In addition, the White Paper recommends permitting the FTC to grant a “safe harbor” from enforcement of the Consumer Privacy Bill of Rights to companies that adopt and follow a code of conduct that has been renewed and approved by the FTC. Companies that decline to adopt one of the codes of conduct or fail to seek FTC review of a self-created code would be subject to the general obligations imposed by the Consumer Privacy Bill of Rights. It is possible that the FTC would permit companies to use the award of “safe harbor” status as a point of competitive distinction in the digital marketplace.

Global Interoperability as an Administration Goal

In the White Paper, the Administration recognizes that Internet commerce has been tremendously helpful for American companies, and states that its goal is improving international interoperability to provide consistent rules for personal data in the user-driven and decentralized online environment. The White Paper cites mutual recognition and enforcement cooperation, with a focus on effective enforcement and well-defined accountability mechanisms, as the two principles that underlie the administration’s approach to interoperability. The White Paper advocates for law enforcement cooperation to ensure that countries are able to protect their citizens’ rights when personal data crosses national boundaries. At the same time, it calls for the federal government to clarify global data protections and ensure flexibility that leads to commercial innovation. Its clear message is that the Executive branch must—and will—engage more with international counterparts on key data privacy issues.

Dogs That Didn’t Bark

The White Paper is notable not only for its proposals, but also for its resounding silence on several high-profile privacy issues. For example, the White Paper does not mention the need for or the importance of protecting against dignitary or intangible harm resulting from privacy abuses, nor does it address “big data” issues, such as data mining and analytics, even though such practices have recently garnered considerable scrutiny in the U.S. (by members of Congress and the FTC) and abroad. While the framework would bolster FTC authority, the White Paper does not purport to present any Executive agency as a centralized privacy policy maker akin to Data Protection Authorities in the EU and elsewhere. And, interestingly, the White Paper makes no express attempt to claim EU-level “adequacy” for the U.S. data protection system.

The White Paper Follows a Year of Administration Data Privacy Activity

The new White Paper does not come as a surprise. The Obama Administration has been working steadily towards this moment for more than a year. In October 2010, the administration launched an inter-agency committee to address issues relating to privacy and Internet policy.1 This was followed in December 2010, by the release of significant reports addressing the topic of consumer privacy prepared by the FTC2 and the Department of Commerce Internet Policy Task Force.3 In March 2011, the Obama Administration called for a “privacy bill of rights” and in November 2011, the administration announced that it will move forward in proposing privacy legislation. In December 2011, the administration released recommendations that included creating a privacy policy office in the Commerce Department and establishing clear guidelines for what kind of information can be collected about users and how companies can use the data. The new White Paper builds on these prior efforts. The Obama Administration has stated that it will work with federal agencies to convene stakeholders, including consumer groups, privacy advocates, and industry stakeholders, to develop enforceable codes of conduct building upon the Consumer Privacy Bill of Rights. The FTC is expected to release its own privacy report early this year.

1 White House Office of Sci. & Tech. Policy, White House Council Launches Interagency Subcommittee on Privacy & Internet Policy (Oct. 24, 2010), http://www.whitehouse.gov/blog/2010/10/24/white-house-council-launches-interagency-subcommittee-privacy-internet-policy.
2 Fed. Trade Comm’n, Preliminary FTC Staff Report, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers (Dec. 2010).

If you have any questions regarding this update, please contact the Sidley lawyer with whom you usually work.

The Privacy, Data Security & Information Law Practice of Sidley Austin LLP

We offer clients an inter-disciplinary, international group of lawyers focusing on the complex national and international issues of data protection and cyber law. The group includes regulatory compliance lawyers, litigators, financial institution practitioners, healthcare lawyers, EU specialists, IT licensing and marketing counsel, intellectual property, and white collar lawyers. Sidley provides services in the following areas:
• Privacy and Internet Litigation and Regulatory Advice
• Data Breach, Incident Response, and Cybersecurity Advice
• Global Data Protection and Information Security
• Information Governance Assessments and Compliance Programs
• International Data Transfer Solutions, Outsourcing and Cross-Border Issues
• Cyberlaw, E-Commerce, Social Media, Cloud Computing and Internet Issues
• EU, China and Japan Compliance Counseling
• Gramm-Leach-Bliley and Financial Privacy
• HIPAA and Healthcare Privacy
• Communications Law and Data Protection
• Workplace Privacy and Employee Monitoring
• Unfair Competition, Advertising and Consumer Protection
• Website Policies, Online Trademarks and Domain Name Protection
• Records Retention, Electronic Discovery, Government Access and National Security

To receive future copies of this and other Sidley updates via email, please sign up at www.sidley.com/subscribe



3 U.S. Dep’t of Commerce Internet Policy Task Force, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework (Dec. 2010).

APRIL 3, 2012

PRIVACY, DATA SECURITY & INFORMATION LAW UPDATE

FTC Releases Final Report on Consumer Privacy: Calls for Enhanced Practices and Further Congressional Action

On March 26, 2012, the Federal Trade Commission (“FTC” or “Commission”) released its long-awaited report on consumer privacy, “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers” (the “Report”).1 The Report presents the Commission’s conclusions drawn from its review of consumer privacy practices and regulations, including hundreds of comments from industry, consumer groups, and other stakeholders, following the FTC’s call for a new privacy “framework” in a December 2010 preliminary staff report (the “preliminary report”).2 This report was issued as a Commission document, rather than a staff draft, over the dissent of Commissioner J. Thomas Rosch. The key concepts advanced by the FTC include the following: privacy by design, meaningful consumer choice, and industry transparency. The Commission suggests that the framework provided within the Report should serve as a baseline model for business-consumer privacy expectations. The Report states that the FTC will not proceed to enforce standards unless they already are part of existing law but clarification is lacking as to what that will mean in practice. By elaborating a baseline set of privacy expectations, the Report indicates that the FTC will continue its diminishment of the value of consumer-facing privacy policies. The Report also suggests that the Commission will increase its scrutiny of “unfair” privacy trade practices. Significantly, the Report offers no cost-benefit analysis to justify its new standards and does not acknowledge the importance of preserving innovation on the Internet as clearly as the FTC staff's preliminary report.3 The new Commission document appears to be considerably more regulatory in tone and intent than the preliminary staff report and the White House approach, although the Commission expresses the belief that its framework is “consistent” with the policies outlined in the Obama Administration’s Consumer Privacy Bill of Rights. 
The White House paper, titled “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy” (“Administration White Paper”), was released on February 23, 2012.4 The FTC intends the Report to help establish best industry practices and assist Congress in developing privacy legislation. The FTC also expects its Report to complement the Department of Commerce’s “parallel privacy initiative.”5 Notably, the FTC explains in the Report that it does not anticipate using the privacy framework elaborated within the Report as a predicate for future law enforcement actions under the FTC Act. In the Report, the Commission urges companies to implement best practices—including making privacy the “default setting” for commercial data practices and providing consumers with control over the collection and use of their personal data—to protect consumers’ personal information, enhance trust, and stimulate commerce. The FTC suggests that “privacy by design,” “simplified choice for businesses and consumers,” and “greater transparency” should be the basic tenets of companies’ privacy practices. The FTC plans to promote the implementation of the privacy framework through focusing on five major aspects of the framework. The FTC plans to work with the Digital Advertising Alliance and World Wide Web Consortium to advance international standards for Do Not Track, and with industry and the Department of Commerce to develop sector-specific codes of conduct as suggested in the Administration White Paper. The FTC asks the data broker industry to consider the creation of a centralized website to provide consumers with information about the industry and about how to access or exercise choice relating to their data.

1 FTC, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (Mar. 26, 2012), hereinafter “Report,” available at http://www.ftc.gov/os/2012/03/120326privacyreport.pdf.
2 FTC, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers (Dec. 1, 2010) (hereinafter “Report”), available at http://www.ftc.gov/os/2010/12/101201privacyreport.pdf. See Sidley Update: FTC Report Heralds Intensified Privacy Regulation (Dec. 16, 2010), available at http://www.sidley.com/sidleyupdates/Detail.aspx?news=4637.
3 For an overview of the privacy framework as it was proposed in the preliminary report, see Sidley Update: FTC Report Heralds Intensified Privacy Regulation (December 16, 2010), available at http://www.sidley.com/sidleyupdates/Detail.aspx?news=4637.
Finally, the FTC plans to host two public workshops in 2012: one workshop, on May 30, will focus on the development of improved privacy protections in the context of mobile services, including the adoption of short and effective privacy disclosures for use on mobile devices; the second workshop, scheduled for the second half of the year, will explore issues relating to how “large platform providers,” such as Internet Service Providers, operating systems, browsers, and social media, may comprehensively track consumers’ online activities.

The Report differs in several respects from the framework outlined in the preliminary report. First, the FTC will not apply the privacy framework to companies collecting only non-sensitive data from fewer than 5,000 consumers per year, so long as the companies do not share the consumer data with third parties. Second, the Commission revised its approach to how companies should provide privacy choices to consumers: the Report advocates a “context of the interaction” standard, under which companies would not be required to provide consumers with choice prior to collection of the consumers’ data for practices that are “consistent with the context of the transaction,” “consistent with the company’s relationship with the consumer,” or as required or authorized under law. In essence, this approach would favor first-party Internet advertisers and undercut third-party Internet advertisers and advertising networks and exchanges. Third, the Commission recommends that Congress consider enacting legislation to bring transparency to, and control over, information brokers’ practices, in addition to general, baseline privacy legislation. Fourth, and finally, the Report singles out the use of deep packet inspection for advertising/tracking purposes as a practice that is of special concern to the FTC. In particular, the FTC suggests that “large platform providers,” including internet service providers, browsers, and operating systems, might be subject to additional Commission scrutiny because of their ability to “comprehensively track” consumers.

4 See Sidley Update: White House Issues First Ever Administration-Level Data Privacy Framework (Feb. 29, 2012), available at http://www.sidley.com/SidleyUpdates/Detail.aspx?news=5110.

5 The FTC notes in the Report that Commission and Department of Commerce staff have “communicated regularly” with respect to developing a “consistent approach to privacy protection.” Report at 3. The FTC also notes that the new framework reflects similar “international interest” in developing more inter-operable systems.

The FTC Privacy Framework

The FTC intends the final privacy framework to explain best practices for companies working with consumer data and to assist Congress as it considers privacy legislation. Although the framework excludes many small businesses, it expressly applies to “all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device, unless the entity collects only non-sensitive data from fewer than 5,000 consumers per year and does not share the data with third parties.” The FTC also took pains to ensure that the framework is seen as a complement to existing guidance under the Health Insurance Portability and Accountability Act (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Gramm-Leach-Bliley Act (“GLBA”), one that will provide a baseline for companies not subject to sectoral regulation. The Commission asserts in the Report that, despite FTC involvement in its development and enforcement, the proposed framework will be “self-regulatory.”

Privacy By Design. The framework reiterates the FTC’s earlier call for adoption of “privacy by design,” explaining that companies should promote consumer privacy throughout their organizations and at every stage of product/service development. Practically, this means that companies should incorporate substantive privacy protection into their business practices, including through adoption of robust data security measures, reasonable limits on the collection of data, sound retention and disposal policies, and mechanisms for ensuring data accuracy. The FTC views these measures as being “consistent” with the policies outlined in the Obama Administration’s Consumer Privacy Bill of Rights, although “privacy by design” was notably absent from the Administration White Paper.
According to the FTC, these procedures and policies should be maintained throughout the life cycle of a company’s products/services, and might include the implementation of accountability mechanisms and of regular privacy risk assessments, although the Report provides nothing more than generalized guidance about the desired type and level of such mechanisms and assessments.6

Choice. The FTC also calls for simplified consumer choice as part of the privacy framework. In order to lessen the burden of this requirement, the agency made clear that certain commonly accepted or obvious practices do not require consumer choice: companies will not need to provide choice before collecting or using consumer data for practices that are obvious from the context of the transaction or from the company’s relationship with the consumer, or as required or authorized under law. This approach reflects a potential expansion of the practices not requiring choice under the preliminary report’s framework. Where consumer choice is required, the FTC stresses that companies should offer the choice at the time and in the context in which consumers are actually making choices about their data, as opposed to through more traditional privacy policies posted on advertiser websites. The FTC suggests that, generally, companies should obtain express consumer consent before using consumer data in ways that are materially different from the prospective uses cited when the data were collected, or when collecting sensitive data for certain purposes.

Transparency. The final aspect of the FTC framework focuses on the Commission’s aim to increase transparency in companies’ data practices. The FTC calls on companies to provide: “clearer, shorter, and more standardized” privacy policies that will allow consumers to better comprehend and compare privacy practices; “reasonable access” for consumers to data maintained about them, proportionate to the sensitivity of the data and the nature of its use; and expanded efforts to educate consumers.

6 The Report cites, as examples of how procedural safeguards might work in practice, the Commission’s recent settlement orders with Google and Facebook. The orders mandate privacy programs that must, at a minimum, contain procedures or controls addressing (1) the designation of personnel responsible for management of the privacy program; (2) risk assessments addressing employee training and management, and product design and development; (3) implementation of controls to address identified risks; (4) appropriate oversight of service providers; and (5) continual revision and adjustment in light of regular testing and monitoring. See In the Matter of Google, Inc., FTC Docket No. C-4336 (Oct. 13, 2011) (consent order), available at http://www.ftc.gov/os/caselist/index.shtm.

Discussion of What Constitutes “Harm”

In the Report, the Commission reiterates its perspective that privacy-related harms go beyond economic or physical harm or unwarranted intrusions. Instead, the Report urges, the privacy framework should recognize a “more expansive” range of harms, including those that might arise from unanticipated uses of consumer data. The FTC explains that, while imposing new privacy protections may be costly, it will ultimately help consumers and benefit businesses by encouraging and building consumer trust in the market, and that businesses are already marketing privacy as a competitive business advantage.

Expanded Scope of Consumer Data

The Report notes concerns about the “decreasing relevance of the personally identifiable information (‘PII’) label,” referencing studies demonstrating consumer discomfort or objections to being tracked, regardless of the involvement or use of PII. The Report states that it was “appropriate” for the Commission to more comprehensively examine various types of data to determine whether they have privacy implications. As a result of its review since the preliminary report, the Commission’s framework incorporates a more wide-ranging scope of data, including any data that, while not yet linked to a particular consumer, computer, or device, may reasonably become so. The Commission encourages companies to de-identify data and recognizes in the Report that contractual restrictions on re-identification are generally adequate safeguards, even though it theoretically might be mathematically or practically possible to re-identify data. Accordingly, the Commission clarifies in the Report its “reasonable linkability standard.” Under this standard, in order to establish that data are not “reasonably linkable” to a particular consumer or device, a company must: (1) take reasonable measures to ensure de-identification of data; (2) publicly commit to maintain and use the data in a de-identified fashion; and (3) contractually prohibit downstream entities with which the company shares the data from attempting to re-identify the data.

“Take it or Leave it” Choice

The Report addresses instances where consumer use of a particular service or product is contingent upon acceptance of the company’s data practices, which the Commission refers to as a “take-it-or-leave-it” privacy choice. The Commission notes that this approach is problematic from a privacy perspective, particularly in markets where consumers have limited choices, and might not offer consumers what the Commission would consider to be a “meaningful choice.” It is not clear whether the FTC believes meaningful choice requires a “cost-less” choice, as some European regulators have advocated, or merely a more robust disclosure of the costs associated with a choice. Instead, the FTC suggests that these “one-sided transactions” may place consumers’ privacy interests at risk, and that “take-it-or-leave-it” choice is only acceptable for “less important products and services in markets with sufficient alternatives” and where the terms of the exchange are transparent and fairly disclosed.

Do Not Track

The Report reiterates the Commission’s desire for a workable Do Not Track mechanism, and applauds industry efforts to improve consumer control over behavioral tracking. In encouraging industry development of the Do Not Track mechanism, the FTC reiterates that the mechanism should include five key principles: (1) the mechanism should be universally implemented to cover all parties that would track consumers; (2) the mechanism should be easy for consumers to find, understand, and use; (3) the choices should be persistent and not subject to easy or accidental override; (4) the system should be comprehensive, effective, and enforceable; and (5) the mechanism should opt consumers out of all collection of behavioral data for all purposes other than those consistent with the context of the interaction.

Deep Packet Inspection

The Report singles out the use of deep packet inspection (“DPI”) for advertising/tracking purposes as being of particular concern to the FTC. The Report notes a “general consensus” among commentators that DPI deployed for marketing purposes is distinct from other forms of marketing practices employed by companies which have first-party relationships with consumers, and thus at a minimum should require consumer choice. The Report does not address, however, the effects of this approach in skewing the market for Internet advertising toward Internet sites and away from Internet providers. Despite the fact that Internet providers tend to have a closer relationship with consumers than the websites they visit, the FTC folds this analysis in with the framework’s general consideration of companies with first-party relationships tracking consumers across other websites, noting that DPI, like social plug-ins, cookies, and web beacons, should require consumer choice when it is deployed across other parties’ websites. The FTC rejected the argument that a major cross-platform provider like Google can develop as comprehensive a picture of users’ data as DPI would allow.

Affiliates and Cross-Channel Marketing

The Report maintains the Commission’s view that affiliates are third parties, necessitating consumer choice before data transfer, unless the affiliate relationship is clear to consumers, e.g., through common branding. In instances where the relationship is not clear, the Commission suggests that consumer notification and consent would be necessary. The Commission agrees with commentators, however, that cross-channel or cross-platform marketing, wherein a company establishes a relationship through one medium and contacts a consumer through another, falls within the first-party marketing concept and would not require obtaining additional choice or consent.

Data Enhancement

The FTC addresses in the Report how companies should view data enhancement, where companies append third-party-sourced data to data obtained directly from consumers. The Commission notes that requiring the first-party company to offer consumers choice over data enhancement would “impose costs and logistical problems that could preclude the range of benefits that data enhancement facilitates.” Instead, as the framework already suggests, companies seeking to share data relating to customers with third parties should offer consumer choice. Thus, the third party sharing the data used to enhance the first party’s data would be responsible under the framework for offering consumer choice.

Consumer Choice for First-Party Marketing

The Report explains the Commission’s view that affirmative express consent is an appropriate safeguard for instances in which a company uses sensitive data for first-party or third-party marketing, and that special consideration must be given to protecting sensitive data. As a result, even companies that collected sensitive data through a first-party relationship should offer consumer choice before using any sensitive data for marketing. In instances where a company’s business model is predicated on targeting consumers based on sensitive data (e.g., data relating to financial affairs, health, or children), the FTC suggests that the company seek affirmative express consent prior to collecting data from those consumers.

Data Brokers

The Commission defines data brokers as companies that “collect information, including personal information about consumers, from a wide variety of sources for the purpose of reselling such information to their customers for various purposes, including verifying an individual’s identity, differentiating records, marketing products, and preventing financial fraud.” The Report explains that the FTC has sought additional Congressional legislation addressing data brokers since 2009, and again requests that Congress develop legislation further regulating data brokers’ practices to increase transparency in the industry and to enhance consumer access to and control over data held by data brokers. At the same time, the Report suggests that the data broker industry should explore the idea of establishing a centralized website for data brokers to (a) identify themselves to consumers and (b) provide consumers with information about data collection, consumer access rights, and consumer choice.

Industry Efforts, Implementation, and Enforcement

Notably, the Commission recognizes that industry has made progress since the preliminary report, including its response to the preliminary report’s call for “Do Not Track,” and urges industry to accelerate the pace of self-regulation. The FTC also explicitly states that the Report’s framework is not intended to serve as a “template for law enforcement actions or regulations under laws currently enforced by the FTC” in instances where the framework appears to go beyond existing legal requirements. The Commission also notes that it will view adherence to its proposed sector-specific codes of conduct “favorably in connection with its law enforcement work.” Nonetheless, the Report reflects a shift in the Commission’s interpretation of the FTC Act in the privacy and data protection context: whereas FTC privacy enforcement has traditionally been predicated on rooting out “deceptive” trade practices, the Report and recent cases suggest that the Commission is increasingly concerned about “unfair” trade practices as they relate to privacy.

Commissioner Rosch’s Dissent

Commissioner J. Thomas Rosch dissented from the issuance of the Report. While noting that he agrees in several respects with the Report’s findings, and applauding the Report’s recommendations for congressional legislation, Rosch voiced concerns relating to several parts of the Report, including its use of language that hints at the prospect of future law enforcement. Rosch questioned the constitutionality of banning “take-it-or-leave-it choice” and noted that the Report adopted language most friendly to “consumer organizations and large enterprises” when labeling behavioral tracking as “unfair” and considering “reputational harm” as deserving of Commission redress. In particular, Rosch questioned the Report’s “apparent mandate” that ISPs use opt-in choice before deploying deep packet inspection, while not requiring the same of other large platform providers, suggesting instead that, for all large platform providers, affirmative express consent should be required only in instances where the provider actually seeks to use data to create detailed and comprehensive customer profiles.

If you have any questions regarding this update, please contact Andrew J. Strenio, Jr. (+1.202.736.8614, [email protected]), Edward R. McNicholas (+1.202.736.8010, [email protected]), Alan Charles Raul (+1.202.736.8477, [email protected]), Jonathan P. Adams (+1.202.736.8049, [email protected]), or the Sidley lawyer with whom you usually work.

The Privacy, Data Security & Information Law Practice of Sidley Austin LLP

We offer clients an inter-disciplinary, international group of lawyers focusing on the complex national and international issues of data protection and cyber law. The group includes regulatory compliance lawyers, litigators, financial institution practitioners, healthcare lawyers, EU specialists, IT licensing and marketing counsel, intellectual property, and white collar lawyers. Sidley provides services in the following areas:

• Privacy and Internet Litigation and Regulatory Advice
• Data Breach, Incident Response, and Cybersecurity Advice
• Global Data Protection and Information Security
• Information Governance Assessments and Compliance Programs
• International Data Transfer Solutions, Outsourcing and Cross-Border Issues
• Cyberlaw, E-Commerce, Social Media, Cloud Computing and Internet Issues
• EU, China and Japan Compliance Counseling
• Gramm-Leach-Bliley and Financial Privacy
• HIPAA and Healthcare Privacy
• Communications Law and Data Protection
• Workplace Privacy and Employee Monitoring
• Unfair Competition, Advertising and Consumer Protection
• Website Policies, Online Trademarks and Domain Name Protection
• Records Retention, Electronic Discovery, Government Access and National Security

To receive future copies of this and other Sidley updates via email, please sign up at www.sidley.com/subscribe

BEIJING BRUSSELS CHICAGO DALLAS FRANKFURT GENEVA HONG KONG HOUSTON LONDON LOS ANGELES NEW YORK PALO ALTO SAN FRANCISCO SHANGHAI SINGAPORE SYDNEY TOKYO WASHINGTON, D.C. www.sidley.com

Sidley Austin LLP, a Delaware limited liability partnership which operates at the firm’s offices other than Chicago, New York, Los Angeles, San Francisco, Palo Alto, Dallas, London, Hong Kong, Houston, Singapore and Sydney, is affiliated with other partnerships, including Sidley Austin LLP, an Illinois limited liability partnership (Chicago); Sidley Austin (NY) LLP, a Delaware limited liability partnership (New York); Sidley Austin (CA) LLP, a Delaware limited liability partnership (Los Angeles, San Francisco, Palo Alto); Sidley Austin (TX) LLP, a Delaware limited liability partnership (Dallas, Houston); Sidley Austin LLP, a separate Delaware limited liability partnership (London); Sidley Austin LLP, a separate Delaware limited liability partnership (Singapore); Sidley Austin, a New York general partnership (Hong Kong); Sidley Austin, a Delaware general partnership of registered foreign lawyers restricted to practicing foreign law (Sydney); and Sidley Austin Nishikawa Foreign Law Joint Enterprise (Tokyo). The affiliated partnerships are referred to herein collectively as Sidley Austin, Sidley, or the firm.

MULTI-JURISDICTIONAL GUIDE 2012 LIFE SCIENCES

Data protection and life sciences: impact of the proposed EU regulation

www.practicallaw.com/8-518-3359 William Long, Anna Pavlou and Jessica Walch Sidley Austin LLP

Rapid technological developments and globalisation have brought new challenges for the protection of personal data. In response to these challenges, in January 2011 the European Commission (Commission) published a proposal for a new regulation to protect individuals with regard to the processing and transfer of personal data (Proposal for a Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (proposed regulation)) to replace the current Directive 95/46/EC on data protection (Data Protection Directive).

The ability to collect, analyse and transfer personal data, including sensitive personal data used in clinical trials, adverse event reporting and medical research, is critical to the life sciences industry and to progress and safety in medical science. Therefore, regulations controlling how these activities should be performed must be carefully examined and appropriately applied.

If adopted in its current form, the proposed regulation will have a fundamental impact on the life sciences industry. It introduces a more aggressive enforcement approach with fines up to 2% of a company’s annual worldwide turnover. Supervisory authorities can impose a temporary or definitive ban on processing personal data, enter premises and suspend data flows to a recipient located in a non-EU member state or to an international organisation. Further, any organisation aiming to protect the data protection rights of individuals, such as consumer organisations, can submit a complaint to national data protection authorities and bring actions on behalf of individuals for non-compliance with the proposed regulation.

The life sciences industry is well advised to assess the practical impact of the proposed regulation on its activities and be actively involved in discussions on the proposed regulation as it moves through the EU legislative process, to ensure the final form takes into account the particularities of the industry.

Against this backdrop, this article sets out the background to the proposed regulation, and examines the impact of the proposed changes on the following areas of the life sciences sector:

• Clinical trials, including:
  • data controllers and data processors; and
  • international transfers of clinical data.
• Pharmacovigilance.
• Health data and consent.
• Medical research.

BACKGROUND

In 2009, the Commission launched a review of current EU data protection law to consider whether it was still effective. Following the public consultation, a number of issues were identified, including the need to:

• Clarify the application of data protection principles to new technologies.
• Increase legal certainty and lessen the administrative burdens on businesses through harmonisation of data protection rules.
• Review and streamline the requirements applying to international data transfers.
• Strengthen the role of data protection authorities to ensure better enforcement.
• Adopt a coherent data protection legal framework applying to all sectors and providing for consistent and effective data protection.

The Commission published the proposed regulation on 25 January 2011. It will now go through the European legislative process and is set to be adopted in 2014. The proposed regulation will be enforceable in all member states two years after it has been adopted.

CLINICAL TRIALS

Establishing, managing and operating clinical trials present a number of challenges for life sciences companies from a data protection perspective.

Clinical trials involve numerous parties, each with different roles and responsibilities, including sponsors, investigators, clinical research organisations (CROs), clinical research associates, laboratories, imagers, statisticians and medical coders. It is not always clear when each of these entities is considered a data controller, and therefore subject to existing data protection requirements under the Data Protection Directive, or a data processor, which currently does not directly have regulatory obligations under the Data Protection Directive.

Additionally, the collection and processing of a patient ID number and patient identifiers, such as initials and date of birth, can alternatively be considered:

• Anonymous data in some member states.
• Personal data in other member states.
• A form of disassociated data partly subject to data protection rules.

© This article was first published in the Life Sciences multi-jurisdictional guide 2012 and is reproduced with the permission of the publisher, Practical Law Company.

Finally, clinical trials can involve transfers of both patient and investigator personal data from the EU to sponsors and other service providers, such as CROs, located outside the EU. These transfers are subject to the restrictions on cross-border transfers under the current Data Protection Directive.

Data controllers and data processors

Under the Data Protection Directive, the qualification of entities involved in a clinical trial as data controllers or data processors is critical as only data controllers are directly subject to regulatory requirements.

The sponsor of a clinical trial (the pharmaceutical company) and the trial centre act, in most cases, as joint data controllers. The sponsor draws up the clinical trial protocol, provides guidance to the centres and verifies compliance by the centres with the protocol. The trial centre carries out the trial in complete autonomy according to the sponsor’s guidelines, provides patients with information notices and obtains their consent. In contrast, CROs are generally considered to be data processors. Therefore, separate data protection responsibilities are vested in the individual actors (Opinion of the Article 29 Working Party (Opinion 1/2010)).

Proposed changes. The proposed regulation keeps the current distinction between data controllers and data processors. However, it imposes a number of additional requirements on both. For example, both data controllers and data processors must maintain detailed documentation of the processing operations, including details of the purposes, types of personal data, recipients, international transfers and time limits for retention of personal data (Article 28).

Similarly, both data controllers and data processors are required to implement appropriate security measures and, where they have over 250 employees, to appoint a data protection officer for a term of at least two years.

Further, companies will no longer be required to register with national data protection authorities. This is currently common practice in many member states. As a result, it will not be necessary for sponsors of clinical trials to register the clinical trial for data processing purposes with the data protection authority in the member state where the trial is being performed.

However, the proposed regulation does require that where processing operations “present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes”, the controller or the processor, acting on the controller’s behalf, must carry out a data protection impact assessment of the envisaged processing operation (Article 33). The type of information potentially constituting a specific risk is broad and includes:

• Information on sex life, health, race and ethnic origin.
• The provision of healthcare, epidemiological research or surveys of mental or infectious diseases.
• Personal data in large scale filing systems on children, genetic data or biometric data.

Before processing personal data, the controller or processor must consult the data protection authority about the data protection impact assessment. If the data protection authority thinks that the intended processing does not comply with the proposed regulation, and in particular where risks are insufficiently identified or mitigated, it can prohibit the processing and make proposals to deal with any breach of data protection rules. Such processing activities will be made public on a register after consultation with the data protection authority (Article 34).

The proposed regulation also requires the data controller to seek the views of data subjects or their representatives on the intended processing of their health data (Article 33(4)). It is unclear how realistic this requirement will be in practice. For example, must a sponsor seek the views of all the clinical trial subjects? What is clear is that carrying out data protection impact assessments, consulting with national data protection authorities and seeking the views of data subjects will significantly impact the day-to-day activities of pharmaceutical companies involved in or sponsoring clinical trials.

International transfers of clinical data

Clinical trials can involve the transfer of patient and investigator personal data from the EU to the sponsor and a large number of service providers located outside the EU. Such service providers can include the CRO and its affiliates located outside the EU, as well as laboratories, imagers, medical dictionary coders and statisticians.

The proposed regulation maintains the restriction under the Data Protection Directive regarding the transfer of personal data to non-EU member states that do not provide an equivalent level of protection, for example, the US. The proposed regulation retains existing data transfer solutions, such as EU standard data protection clauses (also referred to as model contracts) and use of Binding Corporate Rules (BCRs), which consist of a set of data protection rules adopted by an international corporate group in compliance with EU data protection requirements. Currently only data controllers in the EU can enter into model contracts as data exporters or adopt BCRs. An important change introduced by the proposed regulation is that data processors in the EU can also use these data transfer solutions, which could be an important development, for example, for CROs and other service providers involved with clinical trials.

Interestingly, the proposed regulation also provides that specific sectors (such as the healthcare or life sciences sectors) in a given country could be deemed to provide adequate data protection. This could perhaps pave the way for recognising the US as having adequate data protection laws such as The Health Insurance Portability and Accountability Act of 1996 (HIPAA).

A clinical trial sponsor established outside the EU could still be subject to all requirements laid down in the proposed regulation if it processes personal data of data subjects residing in the EU and the processing activities relate to “offering of goods or services to such data subjects or the monitoring of their behavior” (Article 34(5)). In this case the sponsor must also appoint a representative to act on behalf of the controller. Based on the current wording of the proposal, pharmaceutical companies running clinical trials in the EU may be considered as offering goods or services in the EU. If so, non-EU based sponsors of EU based clinical trials will be subject to the new requirements under the proposed regulation, including the appointment of an EU representative.

FOR MORE INFORMATION about this publication, please visit www.practicallaw.com/lifesciences-mjg; about Practical Law Company, please visit www.practicallaw.com/about/practicallaw

LIFE SCIENCES MULTI-JURISDICTIONAL GUIDE 2012

Analysis

Key coded data. An important question for the life sciences industry is whether key coded data, such as a patient identification number, is personal data covered by EU data protection requirements. Member states currently have different opinions on this issue. For example, in Belgium and Sweden, key coded data (pseudonymised data) are considered personal data if a third party (such as a physician) has a key that can be used to re-identify the data subject or patient. In this respect, the proposed regulation makes it clear that personal data relating to health should include a number or symbol assigned to an individual to uniquely identify the individual for health purposes. Also included as personal data relating to health are the following categories:

• All data pertaining to the health status of a data subject.
• Information about the registration of the individual for the provision of health services.
• Information about payments or eligibility for healthcare with respect to the individual.
• Information derived from testing or examination including biological samples.
• Identification of a healthcare provider or any information on disease, disability, medical history and clinical treatment.

Anonymous data. Under the proposed regulation, the principles of data protection do not apply to data rendered anonymous in such a way that the data subject is no longer identifiable. This leaves open the question of whether an individual can be identified from a combination of different pieces of information even where a patient identification number is not used. For example, in the context of Individual Case Safety Reports (ICSRs), it may be possible to identify a given patient by putting the different pieces of information together, for example, hospital, date of birth and initials.

The proposed regulation introduces a specific legal basis for processing personal health data. Health data may be processed for (Article 81):

• Preventative or occupational medicine, medical diagnosis, or treatment or the management of healthcare services, where those data are processed by a healthcare professional subject to the obligation of professional secrecy.
• Reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety for medicinal products or medical devices.
• Other reasons of public interest in areas such as social protection.

This provision helps establish the legal basis to process personal data for pharmacovigilance purposes, as it makes reference to processing personal data for ensuring safety. This seems to cover pharmacovigilance activities because the specific purpose of reporting adverse events is to ensure high standards of quality and safety for medicinal products. The life sciences industry should, nevertheless, consider the pros and cons of having a specific reference to pharmacovigilance activities.

PHARMACOVIGILANCE

Processing personal data to report adverse events presents particular issues for life sciences companies. Under the new Pharmacovigilance Directive (Directive 2010/84/EU amending, as regards pharmacovigilance, Directive 2001/83/EC on the Community code relating to medicinal products for human use) and the new Pharmacovigilance Regulation (Regulation (EU) 1235/2010 amending, as regards pharmacovigilance of medicinal products for human use, Regulation (EC) 726/2004 on the authorisation and supervision of medicinal products and establishing a European Medicines Agency) (new pharmacovigilance legislation), pharmaceutical companies have strict obligations to report adverse events. In particular, all suspected serious adverse reactions that occur in the EU and in other countries and that are reported to the marketing authorisation holder must be submitted to the EudraVigilance database, managed by the European Medicines Agency, within 15 days (Article 107, Code for Human Medicines Directive). In addition, all non-serious suspected adverse reactions that occur in the EU must be submitted electronically to the same database within 90 days.

Under existing guidance, marketing authorisation holders must ensure that individual case reports contain the following minimum information (Guidelines on Pharmacovigilance for Medicinal Products for Human Use, Volume 9A of The Rules Governing Medicinal Products in the European Union (Volume 9A)):

• An identifiable patient. The patient can be identified by initials, patient number, date of birth, age or age group or sex.
• An identifiable healthcare professional reporter. The reporter can be identified by name or initials, address or qualification (for example, physician, dentist, pharmacist or nurse). Contact details for a healthcare professional must be available for the reporter to be considered identifiable.
• At least one suspected active substance or medicinal product.
• At least one suspected adverse event report.

Volume 9A specifies that the patient’s information must be as complete as possible. However, the marketing authorisation holder or the local delegate must also ensure that the information concerning the reporting healthcare professional and the patient are collected and recorded according to the applicable EU and national data protection rules.

Data protection and the new pharmacovigilance legislation

Balancing pharmacovigilance reporting and data protection requirements has not been an easy task for the EU life sciences industry. The new pharmacovigilance legislation does not provide much guidance in this respect. In general terms, the new pharmacovigilance legislation provides that it will “apply without prejudice to the Data Protection Directive” and that “it should be possible to process personal data within the EudraVigilance system while respecting Union legislation [on] Data Protection” (Recital 23 of Regulation No. 1235/2010 and Recital 33 of Directive 2010/84/EU).

The interaction between the new pharmacovigilance legislation and data protection rules was considered by the European Data Protection Supervisor (EDPS), who issued two opinions on this matter in 2009 (see Opinion of the EDPS, 2009/C 229/04, OJ C 229, 23.09.2009 and Opinion of the EDPS, 7.09.2009 (Case 2008-402)).

HEALTH DATA AND CONSENT

In clinical trials conducted in the EU, data subjects must provide informed consent before undertaking the trial (Directive 2001/20/EC on the conduct of clinical trials).

Informed consent must be given in writing. If the trial subject is not able to write, consent, given orally and in the presence of at least one witness, is accepted in exceptional cases, as set out in national legislation. The trial subject (or his legal representative if the subject is unable to give consent) must be informed of the objectives, risks and inconveniences of the trial, the conditions under which it is to be conducted, as well as his right to withdraw from the trial at any time.

Consent remains an important justification for processing personal data, including sensitive health data, under the proposed regulation (Article 9). The proposed regulation stipulates the conditions for consent and places the burden of proof on the data controller (Article 7). Where consent is provided in a written statement concerning a different matter, the requirement to give consent must be clearly distinguished from the other matter.

Under the proposed regulation, consent does not provide a legal basis for the processing where there is a “significant imbalance between the position of the data subject and the data controller”. Significant imbalance is not defined. Could such an imbalance exist between trial subjects (patients) and pharmaceutical companies conducting clinical trials? If so, does this mean that informed consent given in the context of a clinical trial is no longer valid? The intention behind this provision is unclear and should be further clarified given the impact it could have on the life sciences industry.

Data subjects also have the right to withdraw their consent and request the erasure of their personal data (Articles 7 and 17, proposed regulation) (see below, Medical research). The life sciences industry must assess the practical consequences these requests could have on their daily operations. Is it possible to continue using the information without processing the personal data?

MEDICAL RESEARCH

Medical research is a key activity of the life sciences industry and yet there is uncertainty about the ability to carry out scientific research under the Data Protection Directive. In particular, it is uncertain whether personal data can be processed for secondary research without having to obtain further consent from the patient. It also appears to be unnecessary and impractical to apply the full data protection requirements to key coded research data where the recipient has no access to the key and therefore cannot identify the individual.

The proposed regulation permits the processing of personal data for historical, statistical or scientific research purposes if these purposes cannot be fulfilled by processing data which does not permit identification of the data subject, and data enabling the attribution of information to an identifiable data subject is kept separately from the other information, if possible (Article 83). This would appear to be providing a legal ground to carry out scientific research on key coded data.

Additionally, bodies conducting scientific research can publish or otherwise publicly disclose personal data if:

• The data subject has given consent.
• The publication of the personal data is necessary to present research findings or to facilitate research insofar as the interests or the fundamental rights or freedoms of the data subject do not override these interests.
• The data subject has made the data public.

The practical consequences of the above exemptions are not entirely clear. For example, would placing sensitive health data on a social media platform qualify as being made public? Could the same be argued for a password protected patient forum? Would the situation change if the forum was sponsored by a pharmaceutical company?

Also relevant to medical research, and many other life sciences activities, are the new rights data subjects will have under the proposed regulation in respect of data portability (the right to transfer personal data to another provider) and the right to be forgotten (to have their data erased). Under the proposed regulation, controllers will be required to take all reasonable steps to inform third parties that any links to the copy or replication of personal data must be deleted, on request from the data subject.

Analysis

While the proposed regulation provides an exemption from the obligation to erase personal data for historical, statistical and scientific research purposes, in practice it may not always be clear when this exemption applies. Clearly, any ability for individuals to erase their personal data could have a significant impact on the validity of scientific findings in clinical trials, epidemiological studies and medical research. Such a right also appears contradictory to the acknowledgement in the proposed regulation that withdrawal of consent will not affect the lawfulness of data processing based on the consent previously given by an individual.

It is clear that the proposed regulation will significantly impact the life sciences industry and will require a new approach to data processing and data protection. It is important for the life sciences industry to consider its active involvement in the discussions on the proposed regulation as the draft text progresses through the EU legislative process. Achieving the correct balance between the data protection rights of individuals while at the same time not impeding medical science and research, which is for the benefit of all of society, is not easy but it is critical in the modern digital economy.

CONTRIBUTOR DETAILS

ANNA PAVLOU
Sidley Austin LLP
T +32 2 504 6419
F +32 2 504 6401
E [email protected]
W www.sidley.com

Qualified. Athens, Greece
Areas of practice. Food, drug and medical device compliance and enforcement.
Recent transactions
• Advising clients and trade associations on regulatory and policy aspects of the marketing of health products, food and feed, cosmetics and other consumer goods, as well as on pharmacovigilance, clinical trials, marketing authorisations, advertising and promotional issues.
• Monitoring EU legislative processes in the field of pharmaceutical, food and consumer law.

WILLIAM LONG
Sidley Austin LLP
T +44 20 7360 2061
F +44 20 7626 7937
E [email protected]
W www.sidley.com

Qualified. England and Wales
Areas of practice. Privacy, data security and information law; financial institutions regulatory; healthcare law.
Recent transactions
• Advising international life sciences clients on a wide variety of social media, data protection, privacy, information security, e-commerce and other regulatory matters.
• EU and international social media, data protection and privacy projects, particularly in the life sciences and financial services sectors; advising on social media and other EU and international data protection issues.
• Co-founder of the Social Media Governance Forum.
• Member of DataGuidance’s Panel of data protection lawyers for the pharmaceutical and financial services industries.

JESSICA WALCH
Sidley Austin LLP
T +32 2 504 6480
F +32 2 504 6401
E [email protected]
W www.sidley.com

Qualified. New York and Paris, registered with the Brussels Bar on the E-list
Areas of practice. Privacy, data security and information law; anti-trust/competition and technology transactions.
Recent transactions
• Advising in the high tech sector, including for media, IT, telecommunications and pharmaceutical companies, with a particular focus on issues relating to intellectual property protection, security and regulation, cross-border data transfers, data compliance programmes, and advising on anti-trust issues in a wide range of commercial activities.
• Various aspects of EU and competition law, including EU litigation, merger control, multi-jurisdictional merger filings, cartel investigations and abuse of dominance cases.