On April 26, 2023, the European Commission proposed the long-awaited reform of the EU’s pharmaceutical regulations. This blog post discusses the data protection aspects of the proposals, which relate to the data processing activities of the European Medicines Agency (“EMA”).
Legal basis – The proposal grants the EMA a broad right to use health data for its public health tasks, such as the evaluation and monitoring of medical products. As a result, the EMA will likely have access to more data than the marketing authorization applicants. Indeed, the proposal explicitly provides that the EMA may consider information it gathers independently from the marketing authorization applicant.
Scientific research – Under the Commission’s proposal, the EMA will be entitled to perform “regulatory science activities” on the health data it receives. Regulatory science means, among other things, scientific activities with regard to diseases and so-called “horizontal questions” intended to fill gaps that cannot be addressed through the data already in possession of the EMA. The effect of this proposal will be to provide a “Union law” under Article 10(2)(j) of Regulation 2018/1725 (the equivalent of the GDPR for EU institutions), which will allow the EMA to process health data without consent for scientific research.
The EMA’s regulatory science activities will be subject to a number of conditions, including:
- The processing must be justified and strictly required for the intended research.
- Appropriate safeguards, such as pseudonymization, must be in place.
- The general scope of the scientific research activities must be set out by the EMA Management Board, in consultation with the Commission and the European Data Protection Supervisor (“EDPS”).
- To the extent the EMA uses the data for the training, testing and validation of algorithms, it must keep documentation allowing for the verification of those algorithms’ accuracy. The documentation must be made available upon request to “interested parties”, including EU Member States.
- If the data used by the EMA originates from a Member State, Union body, third country or an international organization (but apparently not a private body), the EMA must make sure it is authorized by these bodies to use the data for its research.
Security – Although it does not impose specific security measures, the proposal indicates that the EMA has an obligation to keep its data secure and to implement cybersecurity best practices.
In comparison to earlier leaked versions of the proposal, the final proposal contains less substantive content addressing data protection issues. For example, provisions addressing the international transfer of personal data by the EMA to its peers in third countries (e.g., the FDA) have been scrapped, which risks prolonging regulatory uncertainty in this area. A previously proposed provision on the EMA’s access to the health data in the proposed European Health Data Space (“EHDS”) has also been dropped, probably because it was thought to be redundant.
This blog is based on the wording of the EU’s proposal published on April 26, 2023. This wording could significantly change during the legislative process. Our Dublin, Brussels, Frankfurt and London teams will continue to monitor this legislation. We will be hosting a webinar to discuss the impact on 9 May.