Big Changes Coming in EU Privacy Law
The European Union is about to make major changes in its privacy law that will have a significant impact on U.S. companies that do even modest amounts of business in Europe. On January 25, 2012, the European Commission (the EU’s executive branch) released a long-awaited Draft Regulation on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data.
While it will likely be a year or more before a final regulation takes effect, and there will almost certainly be amendments along the way, American companies – including those involved in the field of personalized medicine, where personal data is paramount by definition – should start paying attention now, since they may have to change the way that they do business in Europe.
We will provide a more detailed analysis of the Draft Regulation at a later date. In the meantime, here are some of the key issues we are examining:
- It is significant that the Commission is acting by Regulation rather than Directive (as was the case with the current privacy law, enacted by Directive in 1995). A regulation applies directly and uniformly throughout the EU, whereas a directive sets objectives that each member state must transpose into its own national law, which gives individual nations latitude in how they implement it.
- The EU is taking a very aggressive approach to jurisdiction, or its authority to regulate—and impose penalties on—U.S. and other foreign companies that do business in Europe. The Draft Regulation would cover all data processing activities (very broadly defined) by non-EU companies that involve offering goods or services to EU data subjects or monitoring their behavior.
- Data subjects (also broadly defined) will have significantly more rights than under current EU law. For example, the company will have the burden of proving that every subject has given consent for the processing of their data for specified purposes. Consent is defined as “any freely given specific, informed and explicit [emphasis added] indication of will,” and can be withdrawn at any time. The subject will also have a controversial “right to be forgotten and to erasure.” This means that when the subject withdraws consent or “the data are no longer necessary” for the purposes for which they were collected, the company must render the data inaccessible, including on the Internet.
- Along with data pertaining to race or ethnic origin, political opinions, religion or beliefs and trade-union membership, the Draft Regulation identifies “genetic data” as a category of personal data designated for special protection. (The Draft Regulation defines “genetic data” broadly to include “all data, of whatever type, concerning the characteristics of an individual that are inherited or acquired during early prenatal development,” thus presumptively sweeping in all genetic information as well as family medical histories and other related health information.) Special protections include a data protection impact assessment and prior authorization of data processing operations; processing activities that do not sufficiently identify or mitigate risks to individuals may be prohibited.
These are just a few of the more important features of the 96-page, 91-Article Regulation.
Elsewhere, the Draft Regulation would create other new rights and responsibilities and reaffirm and/or strengthen many provisions of existing law, including the current restrictions on transferring data outside of the EU. Ironically, the Draft Regulation itself notes the “practical challenges to enforcing data protection legislation” across borders and the “risk of different levels of protection…creat[ing] restrictions on cross-border flows of personal data” between jurisdictions. While the Draft Regulation may ease some of these concerns within the EU, global companies seeking to move personal data in and out of the EU face a different calculus.
The draft must now be reviewed by several Directorates-General of the EU Commission before being submitted for review and approval by the Parliament and Council. But while full implementation will take some time—more than a year in most estimates—the proposed changes are so dramatic and far-reaching that U.S. companies doing business in Europe will require at least that much lead time to plan their compliance.
The EU Commission is on the right track here. This is good medicine for the global personalized medicine industry.
Entities in the US and abroad would do well to deploy patient engagement software based on real-time consent. In particular, any entity working with personal genetic data should anticipate being audited to prove authorized use – particularly if such information was monetized.
Countries with functional health care systems that allow individuals to self-organize around their genetic and other personal data via real-time consent will end up the global leaders in personalized medicine.
Alice
So, what will be the difference from the US, considering HIPAA?
As e-companies are not under HIPAA (they are not part of the health care system), some say they can use private data more easily; they would not even need consent!
If this is true (it would surprise me), I don’t really understand how, and why:
“Countries with functional health care systems, that allow individuals to self-organize around their genetic and other personal data via real time consent, will end up the global leaders in personalized medicine”?
The “leader,” most probably, will be the one able to use the data, isn’t it? That implies keeping in contact with people so you can reach them afterward for further investigation. That does not mean consent is the only way, even if it probably authorizes you to contact them afterward.