data protection

I believe that data has the power to transform patient care. But do the legal and regulatory landscapes in Europe and around the world pose some sort of obstacle to digital health innovation in the medical technology sector? This is a hot topic right now as patients – indeed, all citizens – become increasingly aware of data security issues. Privacy and data protection have caught a tailwind in the United States in light of several large data breaches and the revelation of the mismanagement of citizens’ personal information. This has manifested in the passage of the CCPA in California, as well as the proposal of multiple other state- and federal-level privacy bills. Conversely, a data protection regulatory framework has been in place in the EU for decades (the Data Protection Directive came into effect in 1995). However, with the passage of time and the incredible technological leaps we have seen over the past decade, the old framework was poised for a facelift. That came in the form of the GDPR. In my opinion, there is no question that the use of data has the potential and ability to provide better healthcare options to patients, ranging from monitoring to diagnosis, to patient counseling and treatment management. However, I think that rather than viewing the GDPR and other regulatory instruments as barriers to entry or insurmountable hurdles, companies should instead shift their perspective. Perhaps data protection rules present an opportunity to rethink approaches and to find the correct balance: safeguarding individuals’ health data without creating significant practical and logistical hurdles. I addressed this issue at AdvaMed’s third annual Digital MedTech Conference in May. The event was a chance to discuss differences and similarities between regulatory approaches, and to put to bed some “fake news” surrounding digital health and data protection in...
On May 25, 2018, the GDPR became effective across the EU, simultaneously resulting in a 'consistent and homogenous application' of data protection rules across the Union (per Recital 10 of the Regulation). For data protection professionals at medical technology companies, the clarity brought by the GDPR has meant that resources can be redirected towards ensuring substantive privacy and security protections and away from more formalistic legal questions.... Okay, I'm just kidding. No, seriously, let's review what actually happened. After several decades of explaining to patients wishing to enrol in clinical investigations of experimental medical technology that by choosing to enrol, they are consenting to the collection of personal data about them for purposes of the research, data protection authorities decided that the GDPR doesn't allow this. Instead, they said, medical researchers should be relying on legal bases other than consent, like 'legitimate interests', for the processing of personal data in clinical investigations. Except, that is, in those member states where consent is still required for such data processing. In those member states, of course, you should still rely on consent. Clear enough?! Oh, and by the way, said the data protection authorities, we recognise that Recital 33 of the GDPR suggests that it is permissible for research subjects to broadly give their consent to 'certain areas of [future] scientific research', but even though the legislators wrote that, we don't think that's what they really meant. So, don't rely on that. Why? Because we said so. Actually, I found the guidance provided by data protection authorities on this question of the legal basis for further processing of personal data for 'secondary' research purposes helpful. They pointed out that Article 5(1)(b) of the GDPR declares such further processing to 'not be considered to be incompatible with the initial purposes', provided the...