
How GDPR Affects HealthTech Companies


Many pharmaceutical, medical device and HealthTech companies find privacy laws such as GDPR problematic. Clinical research organizations (CROs) often advise their clients to avoid Europe altogether so as not to become subject to GDPR. Is GDPR going to change how you conduct business? Join Darshan Kulkarni as he discusses the nuances of this privacy law and how it differs from the requirements in the United States.

Darshan: Today's talk is going to be about GDPR and how that applies to pharma companies, to health tech companies. If you are an owner of a pharma company, how does it apply to you? If you are a general counsel for a pharma company, how does it apply to you?

Narrator: This is the DarshanTalks Podcast, regulatory guy, irregular podcast with host Darshan Kulkarni. You can find the show on Twitter @darshantalks or the show's website at

Darshan: So, GDPR, it's sort of, you've probably heard about it because we all got a bunch of different emails from Google and from Yahoo and from whatever else you use because a lot of those companies make their money by keeping information. GDPR is the mutually agreed General Data Protection Regulation. Came into effect on May 25th, 2018, and the idea was they would modernize laws that protect personal information of individuals. The goal was to harmonize data protection laws across Europe and give greater protection and rights to individuals.

Darshan: That's all well and good, and that's great. Actually, I'm a huge advocate of privacy, but there are problems. The problem is that they haven't clarified what this means, or the penalties have started coming in. If the penalties are already coming in and you don't know what it means, that seems unfair. Let's talk a little bit more about what GDPR is and how that applies to you.

Darshan: So, the goal of GDPR again was to protect consumer data and how it actually impacts businesses. The question is, are U.S. companies exempt from GDPR because of what's called the Data Shield or not necessarily because there are some rights around transferability of information? The consumer does also get the right to transfer personal data from one company to the other. So, that becomes a new right under GDPR. The consumer also gets the right to access their information so that they know what you know, and you have a certain amount of time as a business to produce that information.

Darshan: If you are a consumer, you get the right to correct the information that the company has. So, you can just, as a company, be like, "I'm going to ignore you." One of the most famous things that came out of GDPR was the "right to be forgotten." The right to be forgotten was the idea that at a certain amount of time, it goes from becoming information about me, which would be in the cloud, is detrimental to me, and I have the right to be forgotten by these systems.

Darshan: Then, there's the right to consent. Essentially, you, as a company, need to get my consent to be able to obtain, process my information. Part of it may all ... This is a huge undertaking, and you may need a data privacy officer to make all of this happen. So, one of the big overarching questions is, do patients own their own data under GDPR? No. The question is actually sidestepped. Patients may be able to control their data. There's no answer about whether they own their data, but meaningfully, what do you get different? The answer might be you might be able to get paid in exchange for that type of control. We aren't there yet, but CCPA is making some steps in that direction.

Darshan: So, why should I care? Does GDPR matter as a pharma company CEO? The final framework suggests that penalties could be up to $20 million, up to 4% of the total global turnover of the preceding year, whichever one is higher. So, if you are a large company, those penalties could be hugely problematic. So, yes, you should probably care about GDPR.

Darshan: So, the next question is, "Well, I'm a U.S. company. How is this that different from HIPAA?" First of all, wrong country. GDPR primarily applies to Europe. Number two, GDPR does this whole controller versus processor thing. In clinical trials, some sites get to be co-controllers, but they have to then claim the right to the data, which can become problematic. So, there's no equivalent of that. In the U.S., the closest you'd get is a covered entity and a business associate, but it's not quite the same thing. That's where HIPAA sort of draws the distinction.

Darshan: Unlike HIPAA, GDPR is not focused on just healthcare. The fines are generally significantly more like you mentioned. In the case of HIPAA versus GDPR, the penalties have generally gone towards companies who can afford it. In the case of GDPR, you also have seen penalties against schools. On the other hand, you've seen them against consultants and all the way up to huge tech companies. So, GDPR is being evenly applied which, for better or for worse, can be hugely problematic.

Darshan: How is GDPR different from CCPA? So, you can listen to my podcast on CCPA, but CCPA is a California law that's sort of what people are calling GDPR light. There are dozens upon dozens of differences between GDPR and CCPA. However, I'm going to talk about just three. GDPR applies to people, not even restricted to just EU residents. CCPA only applies to California residents. GDPR applies to controllers, including nonprofit organizations. For CCPA, you have to meet certain conditions. One of which is you have to be a for-profit company.

Darshan: Number two, you have to collect consumer personal information, or on behalf of which such information is collected, you have to determine the means and purposes of the processing, and you must be doing business in California, and then you have to meet one of these three thresholds actually. One is annual gross revenue in excess of $25 million alone or in combination, and you buy, receive for the business commercial purposes up to 50,000 or more consumers, households or devices and/or you derive 50% or more of your annual revenues from selling consumer personal information, i.e., primarily geared towards advertising agencies or companies that do huge amounts of advertising. GDPR has a specific obligation on processors while CCPA applies to any entity that controls or is controlled by the business.

Darshan: So, is this all great, right, because if you're a pharma company or you're a health tech company, you're not in the business of selling. You're in the business of sort of selling drugs. You're not sort of an advertising agency. That may or may not be wrong. There are certain exceptions in CCPA that make exceptions for HIPAA, but you as a pharma company, you as a health tech company may or may not be subject to those exceptions.

Darshan: So, is there a crossover between GDPR and HIPAA? Yes. If you are already controlling sensitive data, you have methods for detecting unauthorized changes to that PHI, and you encrypt the PHI at rest and in transit, you're already doing a lot of things that GDPR requires. So, does GDPR have a lot of crossover with CCPA? CCPA only covers ... Well, they both cover natural persons, not legal persons and controller-covered business have similar meanings. It's not identical, but they have similar meanings.

Darshan: So, what does all of this mean for pharma or for healthcare? In clinical trials, the sponsor is the controller for research and the site is the controller for care, but this becomes circumstance-specific. If the site is a co-sponsor or if there's a clinical trial unit on the site, you could theoretically be in a situation of joint controllership, which has its own issues. The PIs are often employees in many states or in many countries. Since the PIs are not party to the agreement, they are the people to whom notice is provided. So, this becomes problematic sometimes.

Darshan: If you are a pharma company, companies will say that you may want to push back to a site wanting to be a controller since that comes with additional responsibility, and does that site really want to take on those responsibilities? Some sites may say yes. In France, the site is the processor. In Germany, the site is often a joint controller, but it could be said to be a separate controller. In the Netherlands, you could be a separate controller as well. So, obviously, each country is treating GDPR differently. So, you need to be aware of what that country's methodology is.

Darshan: There are obviously implications if you're recruiting for clinical trials but even more implications if you are actually marketing your products. So, what complexities does this cause in clinical trials? What's interesting is that some patients can consent to participate in clinical trials, but the EDPB, which is the European Data Protection Board, says that patients aren't capable of consenting to collection of clinical data. So, this seems incongruent. This seems paternalistic, and that's going to be problematic.

Darshan: There's a whole other piece when you come to Brexit because the UK has implemented a new Data Protection Act, which largely includes all the provisions of GDPR. You've got the Information Commissioner's Office who will enforce it in the UK. In the UK, you can create a separate privacy consent, which is not included in the informed consent, and that can have its own implications as well. You need to have controls in place, and you need to have interpretations, et cetera, et cetera, et cetera. In the UK, you actually have Elizabeth Denham's office. She's the UK Information Commissioner, and she's in charge of data protection enforcement.

Darshan: So, if you are GDPR compliant, you still have to consider how you're going to handle the UK. You still have to consider how you're going to handle the U.S. So, GDPR helps get you along the way, but it's not all the way there. Interestingly enough, there are some questions about how coded data will be handled by GDPR, so stay tuned. We'll find out more as time continues, but I hope you enjoyed this talk. Feel free to reach out if you have any questions. Again, you can find me @darshantalks on Twitter. You could reach out to me on my email if you wanted at [email protected] I look forward to hearing from you. Take care.

