The French Association of Medical Professionals in the Life Sciences Industry AMMIS (ammis.assoconnect.com) held an evening conference in Lyon, France on 29 June 2023.

The topic was 'Structuration and Innovative Use of Shared Health Data', with a special focus on RWE projects using AI for Predictive Diagnosis in Oncology. The event was hosted by the Cancer Research Institute Léon Bérard, part of Unicancer, the French Government Cancer Body for Research and Care, and the conference was followed by a cocktail dinner.

55 members of AMMIS attended the event: 40 on site, and 15 remotely via Zoom webinar. The event was recorded and the replay is available on AMMIS' website.

Bertrand Le Bourgeois, President of PharMarketing and of AMMIS, presented the activities of AMMIS and introduced the conference.

Then the speakers presented AI projects from the ground with real patient data, and demonstrated benefits, and convinced the audience of the clear benefits of using AI to improve research and healthcare. Personal Data Protection was of course part of the discussion as these projects involved processing millions of healthcare data points from patients.

Speakers were:

• Hugo Crochet, CIO, Centre Léon Bérard
• Dr Pierre-Etienne HEUDEL, MD, Medical Oncologist and Medical Subject Expert for IT Systems, Centre Léon Bérard
• Dr Loïc VERLINGUE, MD, Medical doctor at the Phase 1 unit, co-manager of the Data Unit, Centre Léon Bérard

Moderators:

• Dr David Pérol, MD, Director, Clinical Research Department, Centre Léon Bérard and Administrator, AMMIS
• Dr Mathieu Robain, MD, Scientific Director, Data Department, Unicancer and Administrator, AMMIS

All members of AMMIS can download the presentations and the video recording on ammis.assoconnect.com. We remind that annual subscription to AMMIS is 70 euros per person and gives access to all activities for free. AMMIS is a not-for-profit association with 200+ members created in 2018. AMMIS is the only Medical Affairs association referenced by the LEEM, the French trade association of pharma companies.

On 27 June 2023, the Council of Europe published new Model Contractual Clauses for the Transfer of Personal Data.

The Committee of Convention 108 (T-PD), during its 44th plenary meeting held in Strasbourg, France from 14 to 16 June 2023, adopted the first module of the Model Contractual Clauses for transborder data flows of personal data developed on the basis of Convention 108+, for data flows from data controller to data controller, which are now also publicly available. 

These much-awaited clauses have the potential to bridge similar transfer tools (such as the ones existing in the EU Member States, in Latin America, for Asean countries, and national ones, etc.) and to contribute to the convergence towards appropriate data protection standards globally.

The clauses are recommended to be used as adopted and are therefore ready for pre-approval by competent national authorities to be transposed in the nationally and regionally available set of transfer instruments, mechanisms for data controllers. To be fully exhaustive, they are to be complemented with two more modules soon to be adopted by the T-PD.

Our opinion at PharMarketing is that:

• For transfer of personal data from a country in EU/EEA/UK to a non adequate country, we recommend to use the SCCs
• For transfer of personal data between 2 data controllers from a country NOT in EU/EEA/UK, and if the country of origin didn’t already provide SCCs, the Clauses of the CoE can be used if the country has transposed it nationally.
• For transfer of personal data where either the data importer or the data importer is a data processor, from a country NOT in EU/EEA/UK, then specific advice needs to be obtained from the local authorities.

Read press release of the Council of Europe here : https://www.coe.int/en/web/dat...

Download the new Model Contractual Clauses here : https://rm.coe.int/t-pd-2022-1...

On 10 July 2023, the EU Commission approved a new EU-US Data Privacy Framework ('DPF').

Starting 11 July 2023, personal data can flow freely between EU/EEA and the US, as long as the US recipient organisation registers for the DPF on the website of the US Department of Commerce here. As for previous Privacy Shield, such organisations will need to have an annual audit be conducted by an independent organisation.

Before initiating the transfer of personal data t the US, the Data Exporter should first check that the recipient organisation is in the list of certified organisations here.

Alternatively, if the US recipient organisation is not registered with the DPF, the transfer of personal data can still take place using the Standard Contractual Clauses or other security mechanisms or waivers described in articles 46 and 49 of the GDPR.

According to the EU Commission, the new adequacy decision will allow “safe and trusted EU-US data flows.”

The recipient organisation in the US (the ‘data importer’) will have to self-declare itself as compliant with this new framework, as it was the case with the Privacy Shield 3 years ago.

What has changed in the DPF compared to the Privacy Shield?

US President Biden signed an Executive Order last year establishing a two-step redress mechanism to allow Europeans to enforce their rights before a Data Protection Review Court (DPRC). The new Data Protection Review Court will have the power to order deletion of data if it is found to be collected in violation of the new safeguards.

The US has also undertaken some efforts to limit access to EU data by US intelligence services to what is necessary and proportionate in an effort to allay the concerns raised by the CJEU in the Schrems II case.

These new features apply not only to data transfer to US organisations registered with the DPF, but also to data transfers to US organisations NOT certified with the DPF.

In other words, data transferred using the Standard Contractual Clauses will also be protected by these 2 new features.

Data subjects from EU/EEA will be able to file for redress through the Data Protection Review Court while obtaining enhanced U.S. privacy protections. Europeans will be able to lodge complaints free of charge, before their local data protection authority, without having to demonstrate that their data has been accessed by U.S. intelligence agencies.

Opinion of the European Data Protection Board (EDPB)

On 19 July 2023, the EDPB issued a press release with an information note for individuals and entities transferring data to the U.S. The EDPB said that there will be a first review of the DPF in 2024.

Max Schrems, the Austrian lawyer who got the Privacy Shield repealed in 2020, said he will contest this new Framework in 2024, read here.

The International Association of Privacy Professionals (IAPP), of which PharMarketing is a member, drafted a very simple and useful diagram summarizing what US organisations should do depending of their status:

• They are already registered with the Privacy Shield and want to 'upgrade' to the DPF: action must be taken before 13 October 2023.
• They did not register with Privacy Shield before and decide to go with the DPF now,
• They did not register with Privacy Shield before and decide not to go with the DPF now

This diagram explains also what exporters can do depending on whether they are based in EU/EEA, in the UK or in Switzerland

So What? Our recommendation at PharMarketing

If you are a US based organisation, or the US affiliate of an international organisation, we recommend that you evaluate carefullythe efforts versus the benefits of self- registering with the new DPF.

The efforts are significative, as:

• The first time you self-certify, you will basically have to implement data protection security measures very similar to those of the GDPR
• then you need to recertify each year, and to have every year an independent organisation perform an audit of your compliance with the DPF

If you are a small or mid-size US sponsor, we recommend that you don't register with the DPF but instead implement a Data Transfer Agreement with the EU Standard Contractual Clauses with each partner in Europe with whom you exchange personal data.

If you are a US service provider with clients or sub-contractors in Europe, even if your size is very small, it is certainly a good marketing argument to self-register with the DPF, as it will demonstrate to your partners in Europe that you provide a personal data protection equivalent to the GDPR.

Further reading:

• Data Privacy Framework website: https://www.dataprivacyframewo...
• EU Commission Press release: https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en
• EU Commission questions and answers.
  
• EDPB opinion EDPB informs stakeholders about the implications of the DPF and adopts a statement on the first review of the Japan adequacy decision | European Data Protection Board (europa.eu)
• Information note from the EDPB Information note on data transfers under the GDPR to the United States after the adoption of the adequacy decision on 10 July 2023 | European Data Protection Board (europa.eu)

Still have questions on international data transfers? Contact us at contact@pharmarketing.net, we deal every day with data transfers for our clients.

The European Medicines Agency’s (EMA) Big Data Steering Group (BDSG) and the Heads of Medicines Agencies (HMA) published in July 2023 a draft reflection paper published on the use of Artificial Intelligence (AI) in the medicinal product lifecycle.

They ask for comments before 31 December 2023 and they will review first comments submitted at a stakeholders' meeting on 20-21 November 2023.

EMA and HMA say they view the use of artificial intelligence/machine learning (AI/ML) to develop and market drugs in a total product lifecycle and risk-based context. The reflection paper provides insights on when AI/ML technology may be used to develop products and how such technologies can be used in the postmarket setting.

Download the AI/ML draft reflection paper.

You have questions on AI/ML and compliance with ICH and/or data privacy? Contact us at contact@pharmarketing.net

PharMarketing signed 3 new clients this summer:

• The first is a clinical-stage oncology biotech based in Switzerland. Sandrine Rosso will act as their Data Protection Officer.
• The second is a US biotech using Artificial Intelligence and Machine Learning to develop new treatments for rare diseases. Bertrand Le Bourgeois will train them on Data Privacy.
• The third is a US biotech targeting NASH and starting a clinical study in Europe, America and Asia: Catalina Danila, PharmD will act as their external Data Protection Officer, Caroline Josse will be their EU Data Protection Representative and Dave Edwards will be their UK Data Protection Representative.

In addition, we signed 2 new contracts with existing clients:

• A Swiss oncology biotech asked us to act as their external DPO for their clinical studies: Caroline Josse will take this role.
• An Irish pharma company asked us to act as their external UK DPR: Dave Edwards will take this role.

As you can see, PharMarketing is developing quickly, therefore we are looking for full time employees or freelance consultants: If you have experience in clinical research and in quality, and if you are based in the EU//EA or in the UK, contact us at contact@pharmarketing.com

Since the adequacy decision was issued by the EU commission on 23 January 2019, Japan updated some of their local data privacy rules, which now allow for a better convergence between the Japan Data Protection Act and the EU GDPR:



• The right to object to a processing has been improved
• The obligation for an organisation to notify the Japanese data protection authority and the individuals has been strengthened
• The Japan Data Protection Act no longer excludes personal data that are “set to be deleted” within six months

Read the press release of the EDPB dated 18 July 2023 here.

Read the Report dated 3 April 2023 from the Commission to the European Parliament and the Council on the first review of the functioning of the adequacy decision for Japan, COM(2023) 275 final here.