In-depth interview with BioFIT 2016 Steering Committee member, Cécile Théard-Jallu, Partner Attorney with De Gaulle Fleurance & Associés
1. You are a legal expert specialising in R&D and consortiums, technology transfer agreements, licensing deals and digital health. What regulations would you like to change or introduce to improve industry/academia collaborations and advance innovation in life sciences?
Well, many modifications would be welcome, too numerous to be listed here. However, if I had to give examples, experts primarily say that we need to clarify and simplify tax and social regulations. Despite their promising innovative projects, whether of a technological or service nature, businesses suffer from an entanglement of inconsistent regulations. These have continued to pile up over the years in a variety of countries, especially in France and have resulted in increasing their administrative burden. Projects and new companies issuing from industry/academia collaborations do not escape from this reality. One of the main weaknesses affecting these projects is the lack of sufficient financing. Introducing legal tools that would support financing more efficiently should be sought.
This said, some efforts are being made, including the recent reform on French contract law, which significantly updated French Civil Code rules dating back to 1804. This will result in giving a legal nature to field practices sustained by business actors. This reform (Ordinance no. 2016-131 of February 10th 2016) will become enforceable on October 1st 2016 and therefore needs to be digested by stakeholders urgently if this has not already been done. However, some questions remain unanswered by the reform. Once again, courts will have a role to play in clarifying a number of situations in order for contracting parties to be on the safe side.
2. You’ve been working on the new EU General Data Protection Regulation. With your extensive knowledge of the subject, what changes implemented by this regulation should actors in life sciences pay attention to?
Generally speaking, the General Data Protection Regulation (EU 2016/679 – April 27th 2016), known as the “GDPR”, upholds and reinforces data protection rules that currently exist under the 1995 95/46/EC Directive. It also introduces a series of new principles aimed at protecting data subjects’ rights more efficiently and increasing data controllers’ and data processors’ obligations. This covers all types of activities leading to the processing of personal data, including data in the life sciences sector. The following rules fall into the general principles mentioned above:
a. Data privacy by design: Implementing appropriate technical and organisational measures, including security safeguards, meant to ensure compliance with EU data privacy rules, as of the date of determination of the means for data processing and the date of the processing itself.
b. Accountability: Becoming compliant and being in a position to demonstrate it. In a number of situations, data controllers must now conduct an impact assessment (by seeking the advice of the competent data protection officer, where designated). This applies for instance before processing sensitive data, such as data regarding health, where data processing is performed on a large scale.
c. The criteria for collecting data subjects’ consents have been reinforced, especially for sensitive categories of personal data such as health data.
d. Right of the data subject to be informed of a data breach.
e. Right of the data subject to data portability: The data subject is given the right, under certain circumstances, to receive his or her personal data, that he/she provided to a controller, in a structured, commonly used and machine-readable format, with the right to transmit this data to another controller without hindrance from the first controller.
f. Right of the data subject to be forgotten: this is clarified by the GDPR with specific cases of application including if consent was first required for the processing. This right may be challenging to enforce with respect to data now circulating on social media, for instance, web sites dedicated to patients or healthcare professionals, or when the data is collected for the purpose of a clinical trial.
g. Under certain circumstances, the obligation for data controllers and data processors to recruit a data protection officer, where (i) the processing is carried out by a public authority (except courts); or if (ii) the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or if (iii) its core activities consist of processing sensitive data on a large scale. Controllers or processors shall otherwise not be bound to appoint a DPO unless required to do so by their national law.
More severe sanctions, including higher fines, will now possibly be taken against companies that breach these rules.
The GDPR shall enter into force in May 2018, which gives businesses a little more than a year and a half to make the necessary investments and become compliant.
3. Does the GDPR contain rules that are specific to the life sciences sector?
Yes. In addition to the general rules laid down by the GDPR or those relating to other activities, the GDPR has a specific approach to life sciences-related data processing activities. Indeed, in the framework of EU law, health data is considered to be particularly sensitive and therefore deserves special protection when processed by businesses. The processing itself is prohibited in principle, unless it falls within a number of limited exceptions. Wellness or lifestyle data in itself falls within the wider scope of common personal data and its processing is not forbidden in itself, unless this violates other EU data privacy law rules (breach of security, transfer of the data to a non-authorized third-party country, etc.).
Due to the wide range of personal data that may be considered as health data, this category has represented one of the most complex areas of sensitive data and one where there is a great deal of diversity and legal uncertainty among EU Member States. In the new GDPR, health data now benefits from its own definition, which will contribute to paving the way to a clearer landscape: “Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status” (art. 4 (15) of the GDPR). However, it is still not totally precise and needs to be experimented with through projects in the field and case law.
This definition is quite broad as confirmed by Recital 35 of the GDPR. For instance, health data can include:
- Revealing information about the past, present or future health status of a person, including when collected in the course of the registration for, or the provision of, health care services;
- Data deriving from the testing or examination of a body part or bodily substance, including from genetic data and biological samples (hence the possible connection with a connected device operating with an on-line app);
- Any information about a disease, disability, disease risk, medical history, clinical treatment or physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.
To determine whether one is dealing with health data or not, it is not relevant whether the device through which it is processed is or is not in itself a medical device (as legally defined by EU law). Similarly, the fact that the data concerning health is stored on the device or is transferred to an external store has no impact on its health data nature.
It is useful to note that through the GDPR, genetic data is also now considered part of the sensitive data category, while not classified as health data in itself.
4. Following this regulation, will there be consequences in the way collaborations and technology-transfer are conducted in life sciences?
Yes. As mentioned above, under EU law, health data is considered as sensitive because it deals with a particularly intimate piece of information about the data subject. As such, it can only be processed in very specific and limited circumstances that are expressly defined by EU law, more particularly Article 9.2 of the GDPR which lists exceptions, including:
- Preventive or occupational medicine, the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services; sensitive personal data may be processed for these purposes when it is processed by or under the responsibility of a professional who is subject to the obligation of professional secrecy under Union or Member State laws;
- Moreover, the processing of this sensitive data may be permitted if it is necessary for reasons of public interest in the area of public health or social protection or for scientific research purposes. From the standpoint of pharmaceutical laboratories and their partners, this legal basis will certainly be the most useful tool to accompany their personal data processing projects. Indeed, they often process and control health data in the course of their research and development activities. We can note that the “public interest” justification is generally the one used to conduct health personal data processing validly in the course of pharmacovigilance activities.
Until the GDPR becomes directly enforceable in Member State national laws in May 2018, the 95/46/EC EU Directive will continue to apply, allowing each Member State to define the specific data privacy rules to implement in the domain of health data (consistent with the general principles laid down by the Directive). Therefore, there is a lack of consistency among the various EU Member State related legislations as mentioned above.
We had hoped that through the GDPR, we would gain some harmonization in this domain (as, being a Regulation as opposed to a Directive, its provisions will be directly enforceable in Member States’ laws without the need for any national implementing texts). However, the GDPR itself creates a specific regime for health data, by providing that “Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or health data” (Article 9.2 Paragraph 4 of the GDPR). In addition, Article 89 of the GDPR allows the European Union or EU Member States to provide for derogations with respect to the processing of personal data for scientific research purposes, as long as these derogations comply with certain conditions and safeguards for the rights and freedoms of data subjects.
Again, this may be a source of inconsistency between individual EU Member State laws despite the intention of global harmonization behind the GDPR. This will oblige businesses to check the content of, and comply with, the laws of each of the Member States in which they want to conduct their project and process data.
5. You have been a member of the BioFIT Steering Committee for two editions now and attended BioFIT in Strasbourg last year. What did you gain from these experiences?
Meeting actors from the life sciences sector and listening to them talk about their projects is always fruitful for a legal advisor as it helps to further understand these projects and more generally, sectorial tendencies in a concrete way. BioFIT offers a very good opportunity for this type of exchange. It also allowed me to meet and exchange views with other lawyers specialised in life sciences from other EU countries. All of this is intellectually enriching and subsequently, this assists a lawyer in appraising the stakes behind his/her missions more efficiently.
6. And finally, the traditional question: Could you describe BioFIT in three words?
Innovation Accelerator Partnerships!