After three years of deliberation, the European Council has agreed on its approach to data protection reform, allowing the council to initiate a trilogue with the European Parliament and Commission.

Background

The current rules governing data protection in the EU were adopted in 1995 under Directive 95/46/EC. However, there have been massive changes in how data is generated and used in the 20 years since the directive was adopted. In 1995, few Europeans had Internet access, now Internet access is commonplace and more data is being generated than ever before.

In 2012, the European Commission launched an effort to reform the laws governing data protection in the EU to provide better protection to citizens while making it easier for companies to access and share information. The commission's proposed reforms include a proposal for a regulation and directive on data protection.

Two years later, the European Parliament voted in support of the commission's proposed data protection reforms, saying the reforms will "make life easier for business and strengthen the protection of [EU] citizens. With Parliament support, the commission's proposal moved to the European Council for discussion.

Council Adopts Approach

Now, more than a year since the European Parliament gave its support to the commission's proposed data protection reforms, the European Council has agreed on a compromise text for the new data protection legislation. The three branches are now able to enter into trilogue negotiations to determine the final text of the rules.

Despite the lengthy delay at the European Council, Luxembourg's justice minister Felix Braz says the council is intent on finalizing the reform package by the end of 2015. Both the European Parliament and council seem eager to move forward, and have already scheduled the first trilogue negotiation for 24 June 2015.

Regulatory Impact

While the proposed reforms are broad and cover personal data in a multitude of areas, many provisions of the reforms will be particularly relevant to healthcare product companies and healthcare practitioners.

In particular, the proposed regulation introduces the concept of pseudonymization as a means of reducing "the risks for the data subjects concerned and help controllers and processors meet their data protection obligations." While general data protection principles still apply to pseudonymized data, certain precautions can be taken to ensure subjects cannot be identified, such as keeping the information required to identify subjects separate from pseudonymised data, only allowing authorized persons access to identifying information and ensuring "the individual(s) performing the pseudonymisation are not referenced in the meta-data."

In the council's proposed text, specific exemptions are made for additional processing of data, outside the initial purpose(s) for which the data was collected, for scientific research. Additionally, companies will not need to gain further consent from data subjects when data is processed for subsequent scientific research purposes.

Industry Reaction

Following the European Council's adoption of its general approach to data protection reform, the European Federation of Pharmaceutical Industries and Associations (EFPIA) released a statement welcoming the council's approach, calling the proposed text a "balanced view on [an] important and complex subject."

The new regulation is expected to save €2.3 billion for European companies through simplified oversight and the removal of some burdensome administrative requirements.

Statements by the European Council, Parliament and Commission, EFPIA Press Release