T-30: The Evolution of Privacy Protections in the US and EU
Independent GxP Consultant
Phoenix Select Regulatory Consulting, LLC United States
This report examines the evolution of laws and regulations in the EU and USA, with specific focus on changes since the 1980s, differences in the definitions of protected personal data/information, new laws/regulations, and how the global pharmaceutical industry can ensure compliance with changes.
A review of proposed and implemented laws/regulations was completed with a focus on 1980-2018 to clarify the impacts of the internet and electronic records. A review of government guidance and current laws/regulations was also conducted to determine the methods which should be employed to ensure compliance with regulations.
The US and EU define personal information and data differently, with the EU category of “personal data” being much broader than the US categories of “personally identifiable information” (PII) or “protected health information” (PHI). Although it is commonly known that secondary or quasi-identifiers should be considered to be PII or PHI, they are not clearly defined within US legal frameworks and are often used as identifiers in clinical research studies with little to no requirement for additional protections to be put in place. In contrast, these elements are clearly identified as personal data by the EU, thus requiring robust safeguards under the new GDPR. Because US laws have been and continue to be developed primarily to protect persons from governmental overreach, while the EU focus is on the prevention of corporate overreach, the GDPR has also impacted the global pharmaceutical industry to a much greater degree than any recent laws or regulations enacted in the US. The history of data breaches, the sharing of information via the internet, the failure to adequately identify and protect quasi-identifiable information, and the sharing of consumer information between corporations and amongst global associates all played a role in spurring the EU to develop the GDPR. Although the GDPR is being implemented only in the EU, it has implications for all global operations and essentially necessitates that US-based entities conducting research domestically or abroad adhere to much stricter data collection, processing, and sharing requirements; maintain stronger electronic data protections; and report data breaches much sooner than current or historic US laws require.
Given the focus of the EU, the GDPR was developed to ensure that corporations do not collect, process, share, or store information which is not strictly needed to perform necessary functions, or to which the individual has not consented. The rights of the person have also been safeguarded more robustly in the EU, as the individual has been given the “right to be forgotten” and can request that data not be shared or processed. Moreover, the EU government now has to be notified of data breaches within very short time frames, and strict requirements are in place for the sharing of data internationally. In stark contrast, the US, which limits corporate collection and sharing of information to a much lesser degree, was unable to forward a bill as far back as 1995 which would have implemented some requirements similar to the GDPR. The impact of the GDPR, however, has been much broader than it may have appeared at first blush, as it protects all EU citizens regardless of residency, does not require that EU citizens identify themselves as such to an entity to be entitled to GDPR protections, and applies to all firms with a stable presence in the EU even if they are not a legally registered entity there. The outcome of this Regulation, then, has been that all pharmaceutical firms with global clinical sites or CROs/vendors must meet much stricter requirements, ranging from ensuring that study subjects are adequately informed, to ensuring that data is appropriately safeguarded and that the necessary contract language is in place with all entities. They must also assess all previous studies and those ongoing at the time of GDPR implementation, as there was no “grandfathering” for these studies. The final outcome of the GDPR, then, has been that it has ultimately forced many US firms to comply with EU regulation of corporate-individual interactions, in spite of the US history of not concerning itself much with this arena.