Timo Minssen, Claudia Seitz, Mateo Aboy, Marcelo Corrales Compagnucci

European Pharmaceutical Law Review, Volume 4 (2020), Issue 1, Page 34 - 50

Cloud-based technologies, big data, statistical signal processing algorithms, and Artificial Intelligence (AI) technologies are expected to play an increasingly important role in the medical field. Big data and AI-technologies rely on the cloud for data storage as well as for computational power and thus need effective and robust legal frameworks for international data transfer. Because of inconsistent data protection regulations, this is not always simple to achieve as it can be illustrated in the United States (US)-European Union (EU) context. Due to the lack of general data protection law at the federal level, the US currently does not have a general ‘adequacy decision’ from the European Commission to enable EU-US cross-border data transfers without the need for additional data protection safeguards under the General Data Protection Regulation. As a fallback, a ‘limited adequacy’ decision was adopted in 2016 on the so-called ‘EU-US Privacy Shield Framework’. This framework protects the fundamental rights of natural persons in the EU and allows the free transfer of personal data to companies that are certified under the EU-US Privacy Shield. However, the EU-US Privacy Shield has been recently contested at the Court of Justice of the European Union (CJEU). This paper analyses the EU-US Privacy Shield Framework, the associated legal challenges, and how these might affect organisations deploying or implementing cloud-based medical technologies relying on cross-border data transfers from EU data subjects.

Marcelo Corrales Compagnucci, Timo Minssen, Claudia Seitz, Mateo Aboy

European Pharmaceutical Law Review, Volume 4 (2020), Issue 3, Page 153 - 160

This paper analyzes the impact and associated legal challenges of cross-border data transfers in the pharmaceutical sector after the recent Court of Justice of the European Union (CJEU) decision in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Schrems II). In Schrems II, the CJEU invalidated Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield Framework. That said, the Court also found that the European Commission Decision 2010/87 on standard contractual clauses (SCCs) for the transfer of personal data to processors established in third countries is still valid. The ruling has resulted in significant uncertainty and liability risks for organizations that depend on EU-US cross-border transfers of personal data, including pharmaceutical companies (data controllers) engaged in global clinical trials and their technology providers for endpoint collection and data transfer (processors). In light of these challenges, this paper discusses the need for a legally sound regulatory environment for data transfer. To mitigate risks and uncertainties, we stress the need for updated GDPR-compliant SCCs and SCCs guidelines and argue, inter alia, for the adoption of data protection frameworks which incorporate SCCs with a robust information security management system (ISMS) and a privacy information management system (PIMS) to ensure an appropriate level of data protection, as well as for sector specific transfer mechanisms including health data adequacy decisions and the need for GDPR certification and codes of conduct for cross-border transfers of clinical trial data.

Marcelo Corrales Compagnucci, Janos Meszaros, Timo Minssen, Arasaratnam Arasilango, Talal Ous, Muttukrishnan Rajarajan

European Pharmaceutical Law Review, Volume 3 (2019), Issue 4, Page 144 - 155

The pharmaceutical and healthcare sector is a prime target for cybercriminals around the world. These cyber-attacks represent significant challenges in the context of data protection and data security. The General Data Protection Regulation (GDPR) imposes strict rules regarding the processing and analysis of personal data. In conventional approaches, data analysts request data from various sources. Then, they anonymise or pseudonymise the data using various tools and techniques. These methods often use powerful algorithms to ensure a high level of security. However, these methods tend to either reduce the quality of data for further analysis or they expose the data while decrypting it for analysis. Homomorphic Encryption (HE) has recently been touted as the ‘Holy Grail’ of cryptography since it allows the analysis of big data sets without ever needing to decrypt and thus compromising the confidentiality of the data. This provides a whole new layer of protection and at the same time allows the processing of data for secondary use and scientific research. While HE is not a new technology, it is still in the early stages of development. In this piece, we will introduce a new automated tool for searching and analysing encrypted data using HE techniques, which is being developed within the scope of the EnergyShield project.

Timo Minssen, Claudia Seitz

European Pharmaceutical Law Review, Volume 3 (2019), Issue 4, Page 139 - 141

Behrang Kianzad, Timo Minssen

European Pharmaceutical Law Review, Volume 2 (2018), Issue 3, Page 133 - 148

Excessive pharmaceutical pricing represents one of the most contentious issues in legal and political discourse and has recently gained renewed attention by courts, competition authorities and political forces on both sides of the Atlantic. Balancing the public demand for affordable and accessible health-care with the need for sufficient incentives and a sustainable innovation system in the field of medicines also attracts a great deal of media and scholarly attention. Facing what seems to be a revival of competition law enforcement in this highly sensitive and complex environment it is of vital importance to keep up to date with the most recent developments. It is further crucial that the necessary debates are taking place within a well-informed and transparent environment that takes into account multiple factors, interests, responsibilities and concerns. This entails inter alia to consider various types of diseases (rare, neglected or blockbuster) treatment outcomes (cure or long dependency), as well as the economic complexities of successful innovation systems and higher societal goals such as sustainability, solidarity and fairness . Only then, will it be possible to devise well-balanced policies that allow relevant stakeholders to align their policies in order to achieve what society expects from the pharmaceutical innovation system: life-saving new therapies that are safe, efficient and accessible. This article depicts and discusses some of the latest cases and the underlying legal-economic and policy considerations.

Timo Minssen, Sven J.R. Bostyn

European Pharmaceutical Law Review, Volume 2 (2018), Issue 3, Page 169 - 173