One of the European Parliament’s 20 committees, the Civil Liberties Committee (“LIBE”), voted on October, 21, 2013 on a proposed EU General Data Protection Regulation. The regulation includes an increased level of fines and new regulatory requirements (in case of certain international data transfers and disclosure requests for personal data by foreign courts or authorities). Companies should monitor these issues closely in the next couple of months. Most likely, after the plenary vote on November 18-21, the Parliament will push for rapid negotiations with the Council (which represents the governments of the individual member countries) and the Commission to obtain a decision on the final text of the proposed regulation before the Parliamentary elections and end of the current Commission mandate in May 2014. In Europe, the three institutions are involved in the law-making process. In principle, the Commission proposes new laws, and the Parliament and Council adopt them. The Commission and the member countries then implement them, and the Commission also ensures that the laws are properly applied and implemented.
What’s in store for health data specifically?
The EU Parliament proposes a compromise text on the EU Commission proposal for general data protection, including health data. The general principles of the proposed regulation would apply to health information, with health data being a category of sensitive personal data subject to extra controls. There are however specific provisions for processing of health data at articles 81 and 83.
Paraphrasing Article 81, when processing health data, companies must safeguard the patient’s interests and fundamental rights, to the extent that these are necessary and proportionate, and of which the effects shall be foreseeable by the data subject.
The principle of data minimization also applies, meaning that a data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose. A data controller is someone who has a certain degree of control over the data processing activity. Data controllers can be either individuals or legal entities such as companies or government authorities. Examples of cases where the data controller is an individual include general practitioners, pharmacists, politicians and sole traders, where these individuals keep personal information about their patients, clients, constituents etc. Data controllers should retain the data only for as long as is necessary to fulfill that purpose. In other words, data controllers should collect only the personal data they really need, and should keep it only for as long as they need it.
The data minimization principle is not new. It derives from Article 6.1(b) and (c) of Directive 95/46/EC and Article 4.1(b) and (c) of Regulation EC (No) 45/2001, which provide that personal data must be “collected for specified, explicit and legitimate purposes” and must be “adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed.”
In proposed Article 83 the Parliament imposes strict requirements for data processing in health research. These proposed requirements have led to an outcry from industry stakeholders because they believe the proposal would unduly limit the positive uses of health data in research, as you can see here in the joint statement of the Healthcare Coalition on Data Protection.
Software Developers AND Medical Device Manufacturers Should Design with Privacy in Mind
Privacy by Design is not a new concept. Privacy by Design means that privacy and data protection are embedded throughout the entire life cycle of technologies, from the early design stage to their deployment, use and ultimate disposal. What is new, however, is its scope. The Parliament proposes to expand general compliance obligations and “privacy-by-design”/“privacy-by-default” requirements in particular, to software and hardware manufacturers — regardless of whether they process personal data. So, software that captures health data must be compliant by default with the design requirements. The design requirements are not clearly defined, and companies should do their due diligence beforehand. Erik Vollebregt, an expert on EU medical devices regulations, has seen many companies dealing with these issues, and wrote a practical report explaining the pitfalls and strategies to help you comply with these design requirements. You may access that report here.
Further, producers and data processors (which will affect many cloud providers) must also “implement appropriate technical and organizational measures and procedures to ensure that their services and products allow controllers by default to meet the requirements of this regulation, in particular [privacy-by-design and privacy-by-default]” (emphasis added).
Companies might think that locating the cloud in countries outside the EU with more permissive laws would save them from the EU maze. It is unlikely that such strategies would make sense since the European Commission is already encouraging companies to locate their clouds in the EU.
So why are Europeans so gung ho about data protection?
First, unless you were stranded on an island with zero Internet access, you probably have read about whistleblower Edward Snowden’s allegations about US spying. Because of the Snowden revelations, the European Union has reacted and is reinforcing its privacy fortress.
For example, on October 23, 2013 the EU Parliament recommended the EU suspend its Terrorist Finance Tracking Program (TFTP) agreement with the US in response to the NSA’s alleged tapping of EU citizens’ bank data held by the Belgian company SWIFT. The EU-US TFTP agreement on the processing and transfer of bank messaging data to track terrorists’ financial flows became effective in August 2010. The US authorities’ access to these financial data is strictly limited by the TFTP deal. If proven, the NSA’s activities would constitute a clear breach of the EU-US agreement.
Second, data protection is explicitly protected as a constitutional right in Europe. Under the Lisbon Treaty of 2009, the protection of personal data is recognized as a fundamental right. While the US has a constitutional right to privacy, the concept has grown organically from a Supreme Court case (Griswold v. Connecticut), and privacy protections have not been developed as comprehensively as they have in the EU.
Third, as recently as World War II and its aftermath, many countries in Europe lived through the catastrophic consequences of what can happen when collected personal is shared with and by authorities without restriction.
Whether influenced by history, constitutional rights, or rapid technological advances, the EU will reinforce its data protection and privacy rules. Companies will need to invest in risk management. Government may seek disclosure for security purposes, but then in the EU companies would need to disclose those requests for personal data by foreign authorities.