Recent developments in international privacy laws have complicated the conduct of clinical trials outside of the United States. Since the privacy law of the European Union – the General Data Protection Regulation or “GDPR” – went into effect on May 25, 2018, many non-EU countries have enacted similar laws to allow for the unhindered flow of personal data from the EU to those countries. This has caused a ripple effect of GDPR-like laws worldwide, with unique versions making international business more difficult than ever before, and that difficulty is particularly felt in the conduct of medical research and clinical trials across national and regional borders. This article examines various aspects of the privacy laws of Brazil, the EU, Nigeria, Japan, Singapore, South Africa and South Korea relevant to the conduct of medical research.
One of the first questions asked when determining whether to conduct medical research is: which country’s privacy laws will apply to the project? To make that determination, it is necessary to look at the data covered by the law of the country at issue, the law’s territorial scope and whether the data received will be considered “de-identified” or “anonymized” per the country’s standard, thus making the privacy laws inapplicable. If the privacy laws do apply, many standard technical and organizational practices are common in order to achieve compliance with international laws. A key issue, however, is whether a local representative or data protection officer must be designated for a particular country, which can entail additional time and expense. The following are data points for countries in which we have most frequently recently encountered questions.
Brazil
Name of the law and commonly-used acronym: General Personal Data Protection Law (Brazil) 13709/2018 (“LGPD”)
Effective Date: August 16, 2020 (Penalties begin August 1, 2021)[1]
Types of data covered: Information regarding an identified or identifiable natural person[2]
Territorial Scope: LGPD applies to any processing operation carried out by a natural person or a legal entity of either public or private law, irrespective of the means, the country in which its headquarters is located or where the data are located, provided that:
- the processing operation is carried out in Brazil;
- the processing activity is aimed at the offering or provision of goods or services, or at the processing of data of individuals located in Brazil; or
- the personal data relates to data subjects who were in Brazil at the time of collection.[3]
Requirements to establish a local representative and/or Data Protection Officer: DPO appointment is required for controllers, not explicitly required for processors.[4]
Anonymization standard: Data is “anonymized” if a data subject cannot be identified, considering the use of reasonable and available technical means at the time of the processing.[5]
European Union
Name of the law and commonly-used acronym: General Data Protection Regulation (EU) 2016/679 (“GDPR”)
Effective Date: May 25, 2018[6]
Types of data covered: Any information relating to an identified or identifiable natural person (“data subject”); an “identifiable natural person” is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.[7]
Territorial Scope: Territorial scope has two prongs:
- Processing of personal data in the context of the activities of an establishment of a controller or a processer in the EU, regardless of whether the processing takes place in the EU; and
- Processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to:
- the offering of goods or services to such data subjects in the EU (regardless of whether payment is required); or
- the monitoring of the behavior which takes place in the EU.[8]
Requirements to establish a local representative and/or Data Protection Officer: A local representative is required to accept complaints from data subjects if the controller or processor is not in the EU.[9] A data protection officer is only required if: (1) the processing is carried out by a public authority or body, (2) the core activities of the controller or processor involves the regular and systematic monitoring of data subjects on a large scale, or (3) the core activities of the controller or processor involves processing on a large scale of special categories of data and personal data relating to criminal convictions.[10]
Anonymization standard: Personal data is rendered “anonymous” if the data subject is no longer identifiable from any information that exists, even information not in the hands of the entity holding the data. Traditional coded data is considered “pseudonymized,” but not “anonymized,” and is still subject to GDPR if the key to re-associate the data with an identifier exists anywhere, even if it is not accessible to the entity holding the coded data.[11]
Japan
Name of the law and commonly-used acronym: Act on the Protection of Personal Information (“APPI”)
Effective Date: May 30, 2017[12]
Types of data covered: Information relating to a living individual which falls under any or each of the following items:
- Those containing a name, date of birth or other descriptions (meaning any and all matters (excluding an individual identification code) stated, recorded or otherwise expressed using voice, movement or other methods in a document, drawing or electromagnetic record) whereby a specific individual can be identified (including those which can be readily collated with other information and thereby identify a specific individual).
- Those containing an individual identification code.[13]
Territorial Scope: The APPI does not expressly address its territorial scope.
Requirements to establish a local representative and/or Data Protection Officer: Not explicitly required.
Anonymization standard: “Anonymously processed information” is information relating to an individual that can be produced from processing personal information in the manner prescribed by the statute so as neither to be able to identify a specific individual nor to be able to restore the personal information.[14]
Nigeria
Name of the law and commonly-used acronym: Nigeria Data Protection Regulation 2019 (“NDPR”) as further detailed by the Implementation Framework, November 2020
Effective Date: July 2019[15]
Types of data covered: Any information relating to an identified or identifiable natural person (“Data Subject”); an “identifiable natural person” is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifiers such as MAC address, IP address, IMEI number, IMSI number, SIM, Personal Identifiable Information (PII) and others.[16]
Territorial Scope: NDPR applies to:
- all transactions intended for the processing of Personal Data, to the processing of Personal Data notwithstanding the means by which the data processing is being conducted or intended to be conducted in respect of natural persons in Nigeria; and
- natural persons residing in Nigeria or residing outside Nigeria who are citizens of Nigeria.[17]
Requirements to establish a local representative and/or Data Protection Officer: Data controllers must designate a Data Protection Officer per the NDPR, although the implementing regulations seem to indicate only some data controllers would be required to designate one.[18] While there is no requirement to designate a local representative, in some instances it may be required that the Data Protection Officer be located in Nigeria.[19]
Anonymization standard: Personal data is anonymous if it is not identified in the hands of the party holding it. Thus, coded data would be considered anonymized in the hands of an entity which does not possess the means to re-associate the data with an identifiable individual.[20]
Singapore
Name of the law and commonly-used acronym: Singapore Personal Data Protection Act of 2012
(“PDPA”)
Effective Date: Latest amended version effective February 1, 2021[21]
Types of data covered: Data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organization has or is likely to have access[22]
Territorial Scope: PDPA applies to all organizations, foreign or domestic, that collect, use or disclose personal data in Singapore. Organizations that collect personal data overseas and host or process the data in Singapore will also be subject to the relevant obligations under the PDPA.
Requirements to establish a local representative and/or Data Protection Officer: Organizations subject to PDPA must designate a DPO.[23]
Anonymization standard: Coded data is considered anonymized if the holder does not have access to re-associate the data with an identifier.[24]
South Africa
Name of the law and commonly-used acronym: South African Protection of Personal Information Act (“POPIA”)
Effective Date: July 1, 2020[25]
Types of data covered: Information relating to an identifiable, living, natural person or identifiable juristic persons (i.e. legal entities)[26]
Territorial Scope: Where the responsible party is:
- domiciled in South Africa; or
- not domiciled in South Africa, but makes use of automated or non-automated means in South Africa (such as a controller outside of South Africa using a processor in South Africa to collect data about South Africans), unless those means are used only to forward personal information through South Africa.[27]
Requirements to establish a local representative and/or Data Protection Officer: “Responsible Parties” (the POPIA version of a controller) must designate an “Information Officer” (the POPIA version of a data protection officer) who must be located in South Africa. [28]
Anonymization standard: “De-identify,” in relation to personal information of a data subject, means to delete any information that:
- identifies the data subject;
- can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
- can be linked by a reasonably foreseeable method to other information that identifies the data subject.[29]
POPIA does not apply only if information is de-identified in a manner that it cannot be re-identified.[30]
South Korea
Name of the law and commonly-used acronym: Personal Information Protection Act (“PIPA”)
Effective Date: August 5, 2020[31]
Types of data covered: Any of the following information relating to a living individual:
- Information that identifies a particular individual by his or her full name, resident registration number, image, etc.;
- Information which, even if by itself does not identify a particular individual, may be easily combined with other information to identify a particular individual. In such cases, whether or not there is ease of combination shall be determined by reasonably considering the time, cost, technology, etc. used to identify the individual such as likelihood that the other information can be procured;
- Information under items (a) or (b) above that is pseudonymized in the manner described by the statute and thereby becomes incapable of identifying a particular individual without the use or combination of information for restoration to the original state (hereinafter referred to as “pseudonymized information”).[32]
Territorial Scope: Territorial scope is not directly addressed in PIPA.
Requirements to establish a local representative and/or Data Protection Officer: Each “personal information controller” must designate a privacy officer.[33]
Anonymization standard: PIPA encourages “pseudonymization” and pseudonymized data may be processed for scientific research without the consent of the data subject; however, pseudonymized data is still considered personal data and is still subject to the law. There is no expressed standard of anonymization that would remove personal information from the protection of the law entirely.[34]
Conclusion
This article provides just a taste of some of the newer international data protection laws and their key provisions applicable to international medical research. Gone are the days when companies could easily rely simply on subject consents or de-identifying data to HIPAA standards in order to address all privacy concerns. Many of these privacy laws apply directly to clinical trial sponsors outside of their jurisdictions. Compliance with the rush of new data protection laws across the world is complex and makes the conduct of medical research in international sites significantly more complicated. Clinical trial sponsors and academic medical centers performing international research should perform a thorough review of the privacy laws for each country in which they intend to enroll research subjects in order to avoid potential violations and stiff penalties.
[1] Angelique Carson, In rapid-fire reversal, Brazil effectuates privacy law immediately, iapp: The Privacy Advisor (Aug. 27, 2020), https://iapp.org/news/a/in-rapid-fire-reversal-brazil-effectuates-privacy-law-immediately/.
[2] General Personal Data Protection Law [LGPD],2018, No. 13,790 art. 5 (Braz.).
[3] Id. at art. 3.
[4] Id. at art. 5, 41.
[5] Id. at art. 5.
[6] Commission Regulation (EU) 2016/679, art. 99, 2016 O.J. (L 119) 1, 78.
[7] Id. at art. 4, 2016 O.J. (L 119) 1, 3-6.
[8]. Id. at art. 3, 2016 O.J. (L 119) 1, 3.
[9] Id. at art. 27, 2016 O.J. (L 119) 1, 24.
[10] Id. at art. 37, 2016 O.J. (L 119) 1, 33-34.
[11] Directive 95/46/EC, Recital 26; see also Directive 95/46/EC, art. 29; The Working Party, Opinion 05/2014 on Anonymisation Techniques WP 216, (Apr. 10, 2014), ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf.
[12] Act on the Protection of Personal Information (“APPI”), Act No. 65 of 2015, Preamble (Japan).
[13] Id. at art. 2(1).
[14] Id. at art. 2(9).
[15] Nigeria Data Protection Regulation (“NDPR”), art. 4.1 (2019).
[16] Id. at art. 1.3(xix) and 2.1
[17] Id. at art.1.2
[18] Id.at art. 4.1(2) and 3.4.
[19] Id. at art. 4.1(2),
[20] Id. at art. 1.3(xix) and 2.1
[21] Personal Data Protection Act (“PDPA”) No. 26 (2012) (Sing.).
[22] Id. at § 2.
[23] Id. at § 11.
[24] Id. at § 2.
[25] Protection of Personal Information Act (“POPIA”) of 2013 (S. Afr.), https://popia.co.za/.
[26] Id. at § 1.
[27] Id. at § 3(1)(b).
[28] Id. at § 56.
[29] Id. at § 1.
[30] Id. § 6(1)(b).
[31] Personal Information Protection Act (“PIPA”) No. 16930 Preamble (2020) (S. Kor.).
[32] Id. at art. 2(1).
[33] Id. at art. 31.
[34] Id. at art. 2(1) and 28-2.
Finis