On April 26, 2023, the European Commission proposed the long awaited reform of the EU’s pharmaceutical regulations (see here to view our previous blogs on the subject).  This blog post discusses the data protection aspects of the proposals, which relate to the data processing activities of the European Medicines Agency (“EMA”). 

Legal basis – The proposal grants the EMA a broad right to use health data for its public health tasks, such as the evaluation and monitoring of medical products.  As a result the EMA will likely have access to more data than the marketing authorization applicants.  Indeed, the proposal explicitly provides that the EMA may consider information it gathers independently from the marketing authorization applicant.

Scientific research – Under the Commission’s proposal, the EMA will be entitled to perform “regulatory science activities” on the health data it receives.  Regulatory science means, among others, scientific activities with regard to diseases and so-called “horizontal questions” intended to fill gaps that cannot be addressed through the data already in possession of the EMA.  The effect of this proposal will be to provide a “Union law” under Article 10(2)(j) of Regulation 2018/1725 (the equivalent of the GDPR for EU institutions), which will allow the EMA to process health data without consent for scientific research.

The EMA’s regulatory science activities will be subject to a number of conditions, including:

  • The processing must be justified and strictly required for the intended research.
  • Appropriate safeguards, such as pseudonymization, must be in place. 
  • The general scope of the scientific research activities must be set out by the EMA Management Board, in consultation with the Commission and the European Data Protection Supervisor (“EDPS”). 
  • To the extent the EMA uses the data for the training, testing and validation of algorithms, it must keep documentation allowing for the verification of those algorithms’ accuracy.  The documentation must be made available upon request to “interested parties”, including EU Member States.
  • If the data used by the EMA originates from a Member State, Union body, third country or an international organization (but apparently not a private body), the EMA must make sure it is authorized by these bodies to use the data for its research.

Security – Although it does not impose specific security measures, the proposal indicates that the EMA has an obligation to keep its data secure and to implement cybersecurity best practices.

In comparison to earlier leaked versions of the proposal, the final proposal contains less substantive content addressing data protection issues.  For example, provisions addressing the international transfer of personal data by the EMA to its peers in third countries (e.g., the FDA) have been scrapped, which risks prolonging regulatory uncertainty in this area.  A previous proposed provision on the EMA’s access to the health data in the proposed European Health Data Space (“EHDS”) has also been dropped, probably because it was thought to be redundant.  To learn more about the EHDS, please see here. This blog is based on the wording of the EU’s proposal published on April 26, 2023.  This wording could significantly change during the legislative process.  Our Dublin, Brussels, Frankfurt and London teams will continue to monitor this legislation.  We will be hosting a webinar to discuss the impact on 9 May.  To sign up for the webinar please click here.

Photo of Grant Castle Grant Castle

Grant Castle is a partner in London and Dublin practicing in the areas of EU, UK and Irish life sciences regulatory law. He supports innovative pharmaceutical, biotech, medical device and diagnostics manufacturers on regulatory, compliance, legislative, policy, market access and public law litigation…

Grant Castle is a partner in London and Dublin practicing in the areas of EU, UK and Irish life sciences regulatory law. He supports innovative pharmaceutical, biotech, medical device and diagnostics manufacturers on regulatory, compliance, legislative, policy, market access and public law litigation matters in the EU, UK, and Irish Courts.

He is one of the Co-chairs of Covington’s Life Sciences Industry Group and is Head of Covington’s European Life Sciences Regulatory Practice.

Grant regularly advises on:

  • EU and UK regulatory pathways to market for pharmaceuticals and medical devices, including in vitro diagnostics and on associated product life cycle management;
  • Pharmaceutical GxPs, including those governing pharmacovigilance, manufacturing, the supply chain and both clinical and non-clinical research;
  • Medical device CE and UKCA marking, quality systems, device vigilance and rules governing clinical investigations and performance evaluations of medical devices and in vitro diagnostics;
  • Advertising and promotion of both pharmaceuticals and medical devices; and
  • Pricing, reimbursement and market access for both pharmaceuticals and medical devices.

Grant also handles procedural matters before EU, UK and Irish regulators and UK and Irish market access bodies, where necessary bringing judicial reviews for his life sciences clients before the EU, UK and Irish Courts.

Chambers UK has ranked Grant in Band 1 for Life Sciences Regulatory for the last 18 years. He is recognized by Chambers UK, Life Sciences as “excellent,” “a knowledgeable lawyer with a strong presence in the industry,” who provides “absolutely first-rate regulatory advice,” according to sources, who also describe him as “one of the key players in that area,” whilst Chambers Global sources report that “he worked in the sector for many years, and has a thorough understanding of how the industry ticks.” He is praised by clients for his “absolutely first-rate” European regulatory practice. Legal 500 UK notes that he is “highly competent in understanding legal and technical biological issues.”

Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.