BEIJING BRUSSELS CHICAGO DALLAS FRANKFURT GENEVA HONG KONG HOUSTON LONDON LOS ANGELES NEW YORK PALO ALTO SAN FRANCISCO SHANGHAI SINGAPORE SYDNEY TOKYO WASHINGTON, D.C.

LIFE SCIENCES DATA PRIVACY DAY

PALO ALTO

April 17, 2012


SIDLEY AUSTIN LLP

LIFE SCIENCES DATA PRIVACY DAY

TABLE OF CONTENTS

TAB 1 – AGENDA

TAB 2 – SPEAKER BIOGRAPHIES

TAB 3 – FTC REGULATION AND DEVELOPMENTS – IMPACT ON THE LIFE SCIENCES INDUSTRY (LAURA BERGER, FTC)

TAB 4 – 1. FAQS - EU DATA PROTECTION REGULATION; 2. THE PROPOSED EU DATA PROTECTION REGULATION AND LIFE SCIENCES (WILLIAM LONG, SIDLEY AUSTIN)

TAB 5 – PRIVACY AND SECURITY – ENABLERS TO ADOPTION OF HEALTH IT (DEVEN MCGRAW, CENTER FOR DEMOCRACY & TECHNOLOGY)

TAB 6 – 1. LEGAL BEST PRACTICES FOR SOCIAL MEDIA AT PHARMACEUTICAL COMMUNICATIONS; 2. INFORMATION GOVERNANCE ASSESSMENTS (EDWARD MCNICHOLAS, SIDLEY AUSTIN)

TAB 7 – HIPAA, HITECH, AND KEY STATE LAW CONSIDERATIONS FOR LIFE SCIENCES COMPANIES (ANNA SPENCER, SIDLEY AUSTIN)

TAB 8 – MANAGING DATA PROTECTION IN INTERNATIONAL CLINICAL TRIALS & OBSERVATIONAL STUDIES (JUDITH BEACH, QUINTILES)

TAB 9 – RESEARCH USE OF BIOSPECIMENS: PROPOSED CHANGES TO FEDERAL REQUIREMENTS (GAIL JAVITT, SIDLEY AUSTIN)

TAB 10 – RECENT SIDLEY AUSTIN PRIVACY UPDATES: 1. WHITE HOUSE ISSUES FIRST EVER ADMINISTRATION-LEVEL DATA PRIVACY FRAMEWORK; 2. FTC RELEASES FINAL REPORT ON CONSUMER PRIVACY

TAB 11 – DATA PROTECTION AND LIFE SCIENCES: IMPACT OF THE PROPOSED EU REGULATION


Sidley in Silicon Valley

Life Sciences Data Privacy Day – April 17, 2012

8:30 am – 9:00 am

Arrival and Registration

9:00 am – 9:05 am

Welcome and Opening Remarks

Deborah Marshall, Global Coordinator, Emerging Companies and Venture Capital Practice, Sidley Austin LLP

9:05 am – 9:55 am

FTC Regulation and Developments – Impact on the Life Sciences Industry

• Recent FTC enforcement actions

• Current approach to regulation

Laura Berger, Senior Attorney, Division of Privacy & Identity Protection, FTC

10:00 am – 10:40 am

Reform of the EU’s Data Protection Directive – Impact on the Life Sciences Industry

• Detailing the proposed EU Data Protection Regulation

• Update on review of EU Data Protection Directive

• Application of EU data protection laws to life sciences

• Adopting the accountability principle

• Implementing privacy by design

William Long, EU Privacy, Data Security and Information Law Practice, Sidley Austin LLP

10:40 am – 10:55 am

Coffee Break

10:55 am – 11:35 am

Health Information Technology (HIT) Developments and Consumer Perspectives

• Electronic medical records/meaningful use

• Initiatives to expand regulation

• Theories of liability

• Issues with use of de-identification

Deven McGraw, Director, Health Privacy Project, Center for Democracy & Technology and Co-Chair, Privacy & Security Tiger Team, the Office of the National Coordinator for HIT, HHS

11:40 am – 12:20 pm

Dealing with Social Media

• Data privacy issues with social media

• Liability for user generated content (UGC)

• Pharma regulatory requirements with social media

Edward McNicholas, Global Coordinator, Privacy, Data Security and Information Law Practice (Privacy Investigations, Assessments, and Litigation), Sidley Austin LLP


12:20 pm – 1:10 pm

Lunch Break

1:10 pm – 1:20 pm

Remarks from Gail Maderis, President of BayBio

1:20 pm – 2:10 pm

Update on US Health Privacy Developments

• Requirements under HITECH

• Enforcement actions by state AGs under HITECH

• Aggressive new state legislation (e.g., CA and Texas)

• Issues with use of de-identified data

Anna Spencer, Global Coordinator, Privacy, Data Security and Information Law Practice (Medical Privacy and e-Health Records), Sidley Austin LLP

2:15 pm – 2:55 pm

Managing International Clinical Trials and Observational Studies and Data Privacy

• Application of international data protection laws

• Creating and managing informed consents

• Using data for research purposes

• Data sharing and use of service providers

• Data transfer solutions

Judith E. Beach, Ph.D., Esq., Senior VP, Senior Associate General Counsel for Regulatory & Government Affairs and Global Chief Privacy Officer, Quintiles

2:55 pm – 3:10 pm

Coffee Break

3:10 pm – 4:00 pm

Industry Panel Discussion

Moderator: David Ralston, Senior Director Business Conduct, Gilead Sciences

Damon Burrows, Vice President, Associate General Counsel, Allergan, Inc.

Ashley Gould, Chief Legal Officer, Vice President of Corporate Development, 23andMe, Inc.

4:00 pm – 4:45 pm

Breakout Sessions

4:50 pm – 5:00 pm

Concluding Remarks

5:00 pm – 6:00 pm

Cocktail Reception


DR. JUDITH E. BEACH Senior Vice President, Senior Associate General Counsel for Regulatory and Government Affairs, and the Global Chief Privacy Officer

Quintiles

Dr. Judith E. Beach is the Senior Vice President, Senior Associate General Counsel for Regulatory and Government Affairs, and the Global Chief Privacy Officer with Quintiles, a fully integrated biotechnology and pharmaceutical services provider offering clinical, commercial, consulting and capital solutions. Based in North Carolina, Quintiles has over 23,000 employees in offices in 60 countries. Dr. Beach’s responsibilities include providing legal counsel to Quintiles’ employees and customers on all aspects of food and drug law. She chairs the Company’s Council on Research Ethics (CORE), which provides guidance to the company’s research personnel on ethical issues related to all stages of drug development. Judy was recently appointed to the Editorial Advisory Review Board of the Food and Drug Law Journal.

As Quintiles’ global Chief Privacy Officer and Chair of the Council on Data Protection, Quintiles’ global internal privacy board, Judy coordinates the monitoring of the company's policies and procedures for protection of personal data. She serves on the company’s Privacy Incident Response Team (PIRT), which investigates and manages any privacy/security incidents. In addition, Judith founded and chairs the Carolina Privacy Officials Network (CPON), which is an informal group of privacy officials with North Carolina companies from a broad spectrum of industries. CPON, which is sponsored by Quintiles, serves as a forum for benchmarking and the development of industry standards and best practices and as a vehicle to contribute to public policy on data protection matters on a national and global scale.

Dr. Beach graduated cum laude from Georgetown University Law Center. She was an attorney with two Washington, D.C., law firms: Akin, Gump, Strauss, Hauer & Feld and Hyman, Phelps & McNamara, P.C., where she specialized in civil litigation and food, drug, and medical device law, respectively. She is admitted to the State Bars of Virginia, Maryland, District of Columbia and North Carolina and is admitted to practice before the United States Supreme Court. Prior to law school, Judith received her B.S. degree summa cum laude from Clemson University and her Ph.D. in Physiology and Pharmacology from Duke University. She was a Fellow in Reproductive Endocrinology at the University of California San Francisco, and then a clinical investigator at Walter Reed in Washington, D.C.


LAURA D. BERGER Senior Attorney, Division of Privacy and Identity Protection

Federal Trade Commission

Laura D. Berger is a senior attorney in the Division of Privacy and Identity Protection at the Federal Trade Commission. She enforces federal laws protecting consumers’ privacy. Her recent law enforcement work has focused on privacy in online social media and in other online contexts. She received a B.A. in English from Tulane University and a J.D. from the University of Michigan Law School.


DAMON O. BURROWS Vice President, Associate General Counsel

Allergan, Inc.

Damon Burrows is Vice President, Associate General Counsel for Allergan, Inc. He began at Allergan in October 2008 and is currently responsible for providing counsel on all regulatory, global manufacturing, clinical trials, promotion/marketing, and safety matters. Mr. Burrows also sits on the Policy Committee for the company and supports Allergan’s advocacy efforts at the state and federal levels.

Allergan is a $4.8 billion company focusing on eye care, neurosciences, medical dermatology, and urologics. The company is headquartered in Irvine, CA with a presence in over 100 countries worldwide. Prior to joining Allergan, Mr. Burrows worked in private practice for six years counseling healthcare companies, pharmaceutical companies, and medical device companies as an associate with Jenkens & Gilchrist and Of Counsel for Baker Donelson. Both offices were in Washington, DC. Mr. Burrows then served as Senior Counsel for five years at Hoffmann-La Roche, a $45 billion pharmaceutical and medical device company headquartered in Basel, Switzerland. Mr. Burrows received his Juris Doctor degree from the Catholic University of America in Washington, DC and is a member of the State Bar of California and the bar of the District of Columbia. Mr. Burrows resides in southern California with his wife and one-year-old daughter.


ASHLEY GOULD Vice President Corporate Development and Chief Legal Officer

23andMe

As Vice President Corporate Development and Chief Legal Officer, Ashley leads 23andMe's legal and governmental affairs and oversees regulatory affairs, human resources and public relations. Prior to joining 23andMe in April 2007, Ashley was vice president, Legal Affairs at CoTherix, Inc., a public biopharmaceutical company acquired by Actelion Ltd. in January 2007. Previously, Ashley was associated with the law firms of Wilson Sonsini Goodrich & Rosati PC and O'Melveny & Myers LLP. Ashley received her JD from the University of San Francisco School of Law and her BS in Political Economy of Natural Resources from the University of California, Berkeley.


SIDLEY AUSTIN LLP

MATERIALS ONLY

GAIL H. JAVITT Counsel

Washington, D.C.

Tel 202.736.8980

Fax 202.736.8711

[email protected]

PRACTICES

• Food, Drug and Medical Device Compliance and Enforcement

• Food, Drug and Medical Device Regulatory

AREAS OF FOCUS

• Clinical Trials

• Compliance Counseling - FDA

• Food and Drug Regulation

• Medical Devices

• Pharmaceuticals

ADMISSIONS & CERTIFICATIONS

• District of Columbia, 1996

• Maryland, 2010

EDUCATION

• Harvard Law School (J.D., 1993, cum laude)

• Johns Hopkins Bloomberg School of Public Health (M.P.H., 2000)

• Columbia University (B.A., 1990, magna cum laude)

CLERKSHIPS

• U.S. District Court, C.D. of California, Gary L. Taylor

GAIL H. JAVITT is Counsel in Sidley’s Food and Drug Regulatory practice. She joins Sidley from her post as the Law and Policy Director at the Genetics and Public Policy Center, at Johns Hopkins University. At the Center she was responsible for developing policy options to guide the development and use of reproductive technologies and led an initiative to improve oversight of genetic testing quality.

Ms. Javitt currently serves as a Research Scholar in the Berman Institute of Bioethics at Johns Hopkins University. She has also served as adjunct professor of law at the Georgetown University Law Center, and at the Johns Hopkins School of Public Health, and has taught courses including Genetics and Law and Food and Drug Law. She was a Greenwall Fellow in Bioethics and Health Policy at Johns Hopkins and Georgetown Universities. Prior to her academic career, she was an associate at a Washington, D.C. law firm where she specialized in FDA regulatory issues. She served as law clerk to the Honorable Gary L. Taylor, U.S. District Court, Central District of California. She has written extensively on a variety of issues at the intersection of law, science, and policy including direct-to-consumer marketing of genetic testing and FDA regulation of biotechnology.

She holds the Juris Doctor (J.D.), cum laude, from Harvard Law School, a Masters of Public Health (M.P.H.) from the Johns Hopkins University and a B.A., magna cum laude, Phi Beta Kappa, from Columbia College.

PUBLICATIONS

• Javitt G., Carner K., “Must FDA Engage in Rulemaking to Regulate Laboratory-developed Tests?,” FDLI’s Food and Drug Policy Forum (2011)

Articles include:

• Javitt G., Katsanis S. H., Scott, J., Hudson, K. “Developing the Blueprint for a Genetic Testing Registry,” Public Health Genomics (epub ahead of print July 2009);

• Javitt G., Hudson K., “DNA Snoops,” Los Angeles Times, Jan. 27 (Op-Ed) (2009);

• Javitt G., “Sometimes I Feel Like a Motherless Child: Maryland’s High Court Confronts New Reproductive Realities,” Maryland Bar Journal XLI: 40-45 (2008);

• Kaufman, D.J., Katsanis, S.H., Javitt, G.H., Murphy, J.A., Scott, J.A., Hudson, K.L. “Carrier Screening for Cystic Fibrosis in US Genetic Testing Laboratories: A Survey of Laboratory Directors,” Clinical Genetics 74: 367-373 (2008);

• Katsanis, S.H., Javitt, G., Hudson, K., “A Case Study of Personalized Medicine,” Science 320: 53-54 (2008);

• Hogarth, S., Javitt, G., Melzer, D. “The Current Landscape for Direct-to-Consumer Genetic Testing: Ethical, Legal, and Policy Issues,” Annual Review of Genomics and Human Genetics 9: 161-182 (2008);

• Javitt, G., Berkowitz D., Gostin, L. “Assessing Mandatory HPV Vaccination: Who Should Call the Shots?,” Journal of Law, Medicine, and Ethics 36: 384-395 (2007);

• Javitt, G. “In Search of a Coherent Framework: Options for FDA Oversight of Genetic Tests,” Food and Drug Law Journal 62: 617-652 (2007);

• Hudson, K., Javitt, G., Burke, W., Byers P. “ASHG Statement on Direct-to-Consumer Genetic Testing in the United States,” The American Journal of Human Genetics 81: 635–637 (2007);

• Javitt, G., Hudson, K. “The Right Prescription for Personalized Genetic Medicine,” Personalized Medicine 4(2): 115-118 (2007);

• Javitt, G., “Old Legacies and New Paradigms: Confusing ‘Research’ and ‘Treatment’ and its Consequences in Responding to Emergent Health Threats,” Journal of Health Law & Policy 8: 38-70 (2005); and

• Javitt, G., Hudson, K., Stanley, E., “Direct-to-Consumer Genetic Tests, Government Oversight, and the First Amendment: What the Government Can (and Can’t) Do to Protect the Public’s Health,” Oklahoma Law Review 57: 251-302 (2004).

Book Chapters include:

• Hudson, K., Baruch, S., Javitt, G. “Genetic Testing of Human Embryos: Ethical Challenges and Policy Choices,” in Expanding Horizons in Bioethics (Arthur Galston, Christiana Peppard editors), Springer, Dordrecht (2005); and

• Merrill, R., Javitt, G. “Regulation of Gene Therapy by the U.S. Food and Drug Administration,” in Encyclopedia of Ethical, Legal, and Policy Issues in Biotechnology (Thomas J. Murray and Maxwell J. Mehlman, eds.), John Wiley & Sons (2000).

Reports include:

• Javitt G., Hudson K., “Public Health at Risk: Failures in Oversight of Genetic Testing Laboratories,” Washington, D.C.: Genetics and Public Policy Center (2006);

• Javitt, G., Suthers, K., Hudson, K., “Cloning: A Policy Analysis,” Washington, DC: Genetics and Public Policy Center (2005); and

• Baruch, S., Javitt, G., Scott, J., Hudson, K. “Reproductive Genetic Testing: Issues and Options for Policymakers,” Washington, DC: Genetics and Public Policy Center (2004).


SIDLEY AUSTIN LLP

WILLIAM RM LONG Counsel

London

Tel +44.20.7360.2061

Fax +44.20.7626.7937

[email protected]

PRACTICES

• Financial Institutions Regulatory

• Healthcare

• Privacy, Data Security and Information Law

AREAS OF FOCUS

• Consumer Protection and Unfair Trade Practices

• Electronic Commerce

• EU and International Privacy

• FCPA/Anti-Corruption

• Financial Industry and Payment Processing

• Financial Information and Privacy Law

• Financial Institutions Business Transactions

• Financial Institutions Counseling

• Financial Services Legislation

• Global Financial Services

• Healthcare Information and Privacy

• Healthcare Regulatory

• Information Security and Data Breaches

• Internal Investigations

• Internet, Social Media and E-Commerce

• IT Procurement and Outsourcing

• Life Sciences Transactions

• Payment Systems

• Retail Financial Services

• Technology, Media and Privacy Law

ADMISSIONS & CERTIFICATIONS

• England and Wales (Solicitor), 1993

EDUCATION

• Queen Mary College, London (LL.B., 1989)

• Lancaster Gate, London (LSF, 1991)

WILLIAM LONG is counsel in the London office of Sidley Austin LLP. He advises international clients on a wide variety of social media, data protection, privacy, information security, e-commerce and other regulatory matters. Mr. Long has experience with EU and international social media, data protection and privacy projects particularly in the life sciences and financial services sectors, advising on social media regulation, cross-border data transfer, data security and other data protection issues. He is a regular speaker on social media, data protection and e-commerce matters.

Mr. Long is a co-founder of the Social Media Governance Forum, a networking group of companies involved in social media, and was previously in-house counsel to one of the world’s largest international financial services groups as their e-Commerce counsel dealing with e-commerce and data protection matters. He has been a member of a number of working groups in London and Europe looking at the EU regulation of e-Commerce and data protection and spent a year at the UK’s Financial Law Panel (established by the Bank of England), as assistant to the Chief Executive working on regulatory issues with online financial services. He also writes extensively for a number of journals including Journal of Medical Research Law & Policy, Data Protection Law & Policy, Journal of Electronic Business Law, Journal of eCommerce Law and Policy and E-Finance & Payments Law & Policy.

English Solicitor.


MEMBERSHIPS, PRESENTATIONS & ARTICLES

• Co-founder of the Social Media Governance Forum

• Previous Member of the Centre for European Policy Studies Working Group on eCommerce Regulation

• Article “New International Guidelines on the Transfer of Personal Health Data” – Medical Research Law & Policy

• Article “Data Security breaches: the changing legal landscape” – E-Finance Law & Policy - October 2008

• Article “Data Security and payments: dynamic Phorm of development” – E-Finance Law & Policy - April 2009

• Article on “Pharmacovigilance and Data Protection” – Data Protection Law & Policy – December 2010

• Article on EU Implementation of New Website Cookie Law – Data Protection Law & Policy – August 2011

• Presenter at European Data Protection Summit, London, May 2010

• Chair of the healthcare session at the 23rd Annual International Privacy Laws & Business Conference at St John’s College, Cambridge, July 2010

• Presenter at Data Protection Compliance Conference, London, October 2010

• Presenter at Data Protection and Financial Services Workshop, London, November 2010

• Presenter at IAPP Europe Data Protection Congress, Paris, November 2010 on data security issues

• Presenter on data protection and social media at the 5th DataGuidance European Data Protection Intensive in London in May 2011

• Presenter on data protection and social media at the 24th Annual International Privacy Laws & Business Conference at St John’s College, Cambridge University in July 2011


SIDLEY AUSTIN LLP

DEBORAH A. MARSHALL Partner

Palo Alto

Tel 650.565.7004

Fax 650.565.7100

[email protected]

PRACTICES

• Emerging Companies and Venture Capital

• M&A and Private Equity

• Technology Transactions

AREAS OF FOCUS

• Digital Media and Entertainment

• Internet, Social Media and E-Commerce

• Life Sciences Transactions

• Medical Devices

• Pharmaceuticals

• Private Equity and Venture Capital Funds

ADMISSIONS & CERTIFICATIONS

• California, 1986

EDUCATION

• New York University School of Law (LL.M., 1985)

• Northeastern University School of Law (J.D., 1982)

• Columbia University (B.A., 1979, cum laude)

DEBORAH A. MARSHALL is a partner with the firm and concentrates her practice on strategic business counseling for emerging growth companies and investors at all stages of development, from start-up entrepreneurs to publicly traded entities and technology-based, multinational corporations.

Ms. Marshall has advised issuers, investors and investment banking firms in the internet, software, electronics, clean technology, media, entertainment, biopharmaceutical, genomics, medical device and diagnostics sectors. She has significant experience in venture capital financing, mergers and acquisitions, public offerings, private equity and strategic partnerships.

Ms. Marshall is a frequent speaker on issues related to venture capital, emerging growth companies, life sciences, public securities and entrepreneurship. She has been a guest lecturer on entrepreneurship at the University of California Berkeley Haas School of Business, as well as a member of the faculty of the Haas Business School’s Global Bio-Executive Program.

AWARDS & HONORS

• Ms. Marshall has been recognized in The Best Lawyers in America in Corporate, M&A and Securities Law each year since 2007.

• Ms. Marshall’s work as a corporate lawyer is highlighted in the 2007 Corporate and Finance version of The Legal 500 United States edition.

SELECTED PUBLICATIONS

• The Entrepreneur’s Guide to Business Law, 2nd Edition – contributions include Chapter 5 (“Structuring the Ownership”), Chapter 13 (“Venture Capital”) and Chapter 17 (“Going Public”)

SELECTED PRESENTATIONS

• Women in the Law Conference, Northeastern University School of Law (April 2009)

• Columbia University Women’s History Month Speaker Series: Women in Law (March 2009)


• “Doing Well, Doing Good - An Introduction to Socially Responsible Investing” Merrill Lynch’s Women in the Know: Empowering Women Through Knowledge Series (April 2008)

• “Innovation and Growth Through Partnerships: Key Aspects of Collaboration Agreements,” GlobalBio Program, Haas School of Business (December 2006)

• “Duties of Directors in a Changing Landscape,” Practising Law Institute, Venture Capital 2004: Venture Creation, Management & Financing in the New “Post-Bubble” Market

• “M & A Transactions for Biotech Companies,” Practising Law Institute, Biotechnology & Pharmaceutical Law 2004: Patents & Business Strategies (November 2004)

• “Reconsidering the Limited Liability Company as a Vehicle for Emerging Growth Companies,” Practising Law Institute, 36th Annual Institute on Securities Regulation (November 2004)

• “Strategic Financing of Biotech,” University of California, Haas Business School, BioEntrepreneurship Certificate Program. Faculty member (May 2004)

• “Mergers-Acquisitions Case Study,” Practising Law Institute, Handling High Tech M&As In a Cooling Market (2001)

• “Latest Trends with Lockups and Other Underwriting Arrangements,” Practising Law Institute, 32nd Annual Institute on Securities Regulation (2000)

MEMBERSHIPS & AFFILIATIONS

• State Bar of California

• Advisory Board of the Women’s Technology Cluster (non-profit organization focused on entrepreneurship for women in technology), 1999-2006

• Visiting Committee for Northeastern University School of Law, 2001-2004

• Columbia University Campaign Council for Undergraduate Education, 2009 - Chair, Columbia University School of General Studies Annual Fund


DEVEN MCGRAW Director, Health Privacy Project

Center for Democracy & Technology

Deven McGraw is the Director of the Health Privacy Project at CDT. The Project is focused on developing and promoting workable privacy and security protections for electronic personal health information.

Ms. McGraw is active in efforts to advance the adoption and implementation of health information technology and electronic health information exchange to improve health care. She was one of three persons appointed by Kathleen Sebelius, the Secretary of the U.S. Department of Health & Human Services (HHS), to serve on the Health Information Technology (HIT) Policy Committee, a federal advisory committee established in the American Recovery and Reinvestment Act of 2009. She chairs the Committee’s Privacy and Security Workgroup (the “Tiger Team”) and serves as a member of its Meaningful Use and Information Exchange Workgroups. She also served on the Policy Steering Committee of the eHealth Initiative and now serves on its Leadership Council. She is also on the Steering Group of the Markle Foundation’s Connecting for Health multi-stakeholder initiative.

Ms. McGraw has a strong background in health care policy. Prior to joining CDT, Ms. McGraw was the Chief Operating Officer of the National Partnership for Women & Families, providing strategic direction and oversight for all of the organization’s core program areas, including the promotion of initiatives to improve health care quality. Ms. McGraw also was an associate in the public policy group at Patton Boggs, LLP and in the health care group at Ropes & Gray. She also served as Deputy Legal Counsel to the Governor of Massachusetts and taught in the Federal Legislation Clinic at the Georgetown University Law Center.

Ms. McGraw graduated magna cum laude from the University of Maryland. She earned her J.D., magna cum laude, and her LL.M. from Georgetown University Law Center and was Executive Editor of the Georgetown Law Journal. She also has a Master of Public Health from Johns Hopkins Bloomberg School of Hygiene and Public Health.


SIDLEY AUSTIN LLP

EDWARD R. MCNICHOLAS Partner

Washington, D.C.

Tel 202.736.8010

Fax 202.736.8711

[email protected]

PRACTICES

• Privacy, Data Security and Information Law

• Complex Commercial Litigation

AREAS OF FOCUS

• Consumer Protection and Unfair Trade Practices

• Electronic Commerce

• EU and International Privacy

• Financial Information and Privacy Law

• Healthcare Information and Privacy

• Information Security and Data Breaches

• Internal Investigations

• Internet, Social Media and E-Commerce

• National Security

• Technology, Media and Privacy Law

• Trade Secret and Unfair Competition Litigation

ADMISSIONS & CERTIFICATIONS

• U.S. Supreme Court, 2004

• U.S. Courts of Appeals, various

• U.S. District Court, District of Columbia, 1999

• U.S. District Court, District of Maryland, 1996

• District of Columbia, 1998

• Maryland, 1996

EDUCATION

• Harvard Law School (J.D., 1996, cum laude, Harvard Law Review Editor)

• Princeton University (A.B., 1991, summa cum laude, Phi Beta Kappa)

CLERKSHIPS

• U.S. Court of Appeals, 4th Circuit, Paul V. Niemeyer

EDWARD R. MCNICHOLAS is a partner in the Washington, D.C., office of the international law firm Sidley Austin LLP and a global coordinator of its Privacy, Data Security, and Information Law practice. His practice focuses on clients facing complex information technology, constitutional and privacy issues in civil and white-collar criminal matters. Mr. McNicholas concentrates his practice on trial and appellate representations of technologically-sophisticated clients including telecommunications carriers, electronic service providers, financial services companies, pharmaceutical manufacturers and other companies facing complex personal information issues.

Mr. McNicholas has significant experience with a wide range of cutting-edge Internet and information law matters involving privacy and data protection, online brand protection, e-discovery, electronic surveillance, copyright, defamation, information security, cloud computing, trade secrets, social media, locational privacy, e-commerce, and national security. Mr. McNicholas and Sidley’s Privacy and Data Security practice were selected for Chambers USA: America’s Leading Lawyers for Business for 2008-2011 as well as Chambers Global for 2010-11, the 2011 Legal 500, and The International Who's Who of Internet, e-Commerce & Data Protection Lawyers 2011. He has also been recognized in a Computerworld survey of “Best Privacy Advisers” as one of the “Top 25 Privacy Experts,” and Chambers USA 2010-11 also separately recognized Mr. McNicholas in nationwide litigation rankings for e-discovery.

Mr. McNicholas previously served as an Associate Counsel to President Clinton. In that capacity, he advised senior White House staff regarding various Independent Counsel, congressional and grand jury investigations, with a particular focus on issues of Executive Privilege and electronic discovery. He also previously served as a desk officer at the U.S. Office of Government Ethics, where he helped agencies establish effective ethics compliance programs.


LITIGATION REPRESENTATIONS

Mr. McNicholas’ litigation experience includes several matters before the Federal Trade Commission and other regulatory agencies, as well as considerable experience with arbitration proceedings and internal investigations. His major litigation representations include:

• In re: Google Inc. Cookie Placement Consumer Privacy Litigation, MDL No. 2358 (2012) – Representation of Internet advertising company, PointRoll, in litigation regarding cookies and browser settings.

• Turner v. Rogers (U.S. 2011) – Representation of amici Legal Aid Society of D.C. et al. in significant right to counsel appeal.

• MeadWestvaco Corporation v. Rexam PLC (E.D.Va. 2010-11) – Represented party regarding effect of French blocking statute on U.S. discovery requirements.

• Accusearch v. Federal Trade Commission (10th Cir. 2008) – Representation of the Office of the Privacy Commissioner of Canada as amicus curiae in appeal from privacy enforcement action.

• MDL 1791: In re National Security Agency Telecommunications Records Litigation (N.D. Cal. and 9th Cir. 2006-11) – Defense of AT&T against constitutional and statutory claims in multiple purported class actions related to alleged national security programs.

• Menges v. Walgreen Co. v. Blagojevich (Illinois state and federal courts, 2005-09) – Defense of Walgreens in suits related to whether pharmacists must dispense Plan B emergency contraception.

• Crawford v. Marion County Election Board (U.S. 2008) – Represented the National Law Center on Homelessness and Poverty and a coalition of other national homelessness groups as amici curiae in this significant challenge to voter identification requirements.

• City of New York v. Fifth Avenue Presbyterian Church (S.D.N.Y., 2d Cir., U.S., 2002-07) – Successfully represented the Fifth Avenue Presbyterian Church in a dispute over its homeless ministry, where Sidley has successfully defended a permanent injunction in favor of our client.

• AT&T Corp. v. 2PrePaid Inc. (M.D. Fla. 2006) - Obtained damages and permanent injunction against unlawful Internet sales of counterfeit AT&T prepaid calling cards.

• Boothe v. Hanson (Texas District Court 2005) - Obtained a blanket injunction against an elusive Internet critic in a case involving extensive use of Internet forensics. See “As Angry Patients Vent Online, Doctors Sue to Silence Them,” Wall Street Journal, Sept. 14, 2005.

• AT&T Corp. v. CyberTelecom, Inc. (S.D. Fla. 2004) - Obtained preliminary and permanent injunctions against Internet distribution of counterfeit AT&T prepaid calling cards in a case involving extensive Internet forensic evidence.

• In re Microsoft Corp. Antitrust Litigation, MDL No. 1332 (D. Md.) - Represented Microsoft in competitor class actions including those brought by Netscape and Burst. These actions were dismissed with prejudice after the parties reached private resolutions.

• Physicians Interactive v. Lathian Systems, Inc. (E.D. Va. 2003) - Obtained preliminary injunction for plaintiffs alleging hacking of computer systems in order to obtain trade secrets. The action was dismissed after the parties reached a private resolution.


COMMUNITY SERVICE

Mr. McNicholas frequently advises organizations that combat homelessness regarding complex constitutional issues at both the trial and appellate levels and before legislative bodies. His work for such organizations contributed substantially to the firm being awarded the 2004 Counsel Pro Bono Award by the National Law Center on Homelessness and Poverty.

Mr. McNicholas now serves as the Vice Chairman on the Board of Directors for the National Law Center on Homelessness and Poverty.

SELECTED ARTICLES AND OTHER PUBLICATIONS

Mr. McNicholas is a frequent commentator on privacy, data security, and information law issues and has written extensively on various information law and civil liberties topics for a variety of publications. He currently serves on the Advisory Board for the BNA Privacy & Security Law Report and one of his articles received a 2010 Burton Award for Legal Achievement. Many of his privacy articles are collected on the www.Sidley.com/InfoLaw site, including:

• “Privacy and Security,” in Business and Commercial Litigation in Federal Courts (3d Ed. 2011) (co-author of chapter on implications of privacy and data security laws for commercial litigation).

• Information Security and Privacy: A Practical Guide for Global Executives, Lawyers and Technologists (2011) (contributor) (ABA Section of Science and Technology Law publication).

• “Regulated Social Media: Practical Advice for Addressing Evolving Technologies in Regulated Industries,” by Edward McNicholas and Sabrina Ross, BNA’s Privacy & Security Law Report (June 14, 2010).

• “An Uneasy Peace: Maine’s Act to Prevent Marketing to Minors and the Continuing Problems of Privacy for Children and Teens,” by Edward McNicholas and Colleen Rutledge, BNA’s Privacy & Security Law Report (Sept. 14, 2009).

• “End of the Notice Paradigm?: FTC’s Proposed Sears Settlement Casts Doubt On the Sufficiency of Disclosures in Privacy Policies and User Agreements,” by Alan Raul, Edward McNicholas, et al., BNA’s Electronic Commerce & Law Report (July 15, 2009).

• “National Security Letters: Practical Advice For Understanding and Handling Exceptional Requests,” by Edward McNicholas, BNA Privacy & Security Law Report (March 30, 2009).

• “Assessing the EU Working Party’s Guidance on Harmonizing U.S. Discovery and EU Data Protection Requirements,” by Alan Raul, Edward McNicholas, et al., BNA Privacy & Security Law Report (March 9, 2009).

• “Competitive Privacy: Towards A New Area of Privacy Litigation?,” by Edward McNicholas and Jennifer Tatel, IAPP Privacy Tracker (July/August 2008).

• “A Path to Resolving European Data Protection Concerns With U.S. Discovery,” by Stanley W. Crosley, Alan Charles Raul, Edward R. McNicholas, et al., Privacy and Security Law (Oct. 2007).


DAVID RALSTON
Senior Director of Business Conduct, Gilead Sciences

David Ralston is Senior Director of Business Conduct at Gilead Sciences where his team advises the company on all aspects of sales and marketing promotional compliance for the company's product portfolio.

David previously served as Section Head of Abbott's Legal, Regulatory and Compliance section where his team advised on fraud and abuse, pricing, privacy and anti-corruption issues for the diversified healthcare business. His first position was with Schering-Plough where his main emphasis was on price reporting and compliance issues.

David has a BA from the University of Texas - Austin, a Masters in Public Health from UT Houston Health Sciences Center and his JD from the Law Center at the University of Houston where he focused his studies in the health law program.


ANNA L. SPENCER Partner

Washington, D.C.
202.736.8445
202.736.8711 Fax
[email protected]

PRACTICES
• Healthcare
• Privacy, Data Security and Information Law

AREAS OF FOCUS
• Medical Devices
• Healthcare Information and Privacy
• Pharmaceuticals

ADMISSIONS & CERTIFICATIONS
• Alabama, 1996
• District of Columbia, 2000

EDUCATION
• Vanderbilt University Law School (J.D., 1995)
• Sewanee (B.A., 1992, magna cum laude, Phi Beta Kappa)

CLERKSHIPS
• Tennessee Court of Criminal Appeals, Jerry E. Smith

ANNA L. SPENCER is a partner in Sidley Austin’s Washington, D.C. office whose practice focuses primarily on health care. Ms. Spencer works on regulatory and transactional health care matters, including privacy and security of health information, fraud and abuse compliance and investigations, drug pricing, as well as Medicare and Medicaid coverage and reimbursement. She regularly counsels a broad range of clients, including financial institutions, pharmaceutical and medical device manufacturers, health care providers, auditing firms, employers that sponsor group health plans, and entities that qualify as business associates, on healthcare information privacy and security issues. This includes assisting clients with respect to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and amendments made to HIPAA by the Health Information Technology for Economic and Clinical Health Act (“HITECH”). She also advises clients on various state health care privacy laws, including state health information privacy and marketing laws.

Ms. Spencer has significant experience in investigating and responding to data breaches and information security incidents. She has represented clients in connection with data breach reporting obligations under the new HITECH regulations for breaches of protected health information and defended health care providers in investigations initiated by the Office of Civil Rights, Department of Health and Human Services.

Ms. Spencer has advised numerous clients on privacy and security compliance issues associated with clinical trials, patient assistance programs, point-of-sale messaging, sales and marketing practices, and de-identification of data sets, among others. In connection with these matters, she frequently addresses emerging issues, such as the applicability of genetic information privacy law and HIPAA to tissue samples collected during clinical trials.

On behalf of covered entities and entities that qualify as HIPAA business associates, Ms. Spencer has developed multiple HIPAA privacy and security compliance and training programs. She has negotiated hundreds of Business Associate Agreements on behalf of various clients.


Ms. Spencer has spoken on privacy/security matters on behalf of numerous groups such as BNA and the American Conference Institute. She has authored a variety of articles on privacy/security issues, Medicare coverage, and fraud and abuse.


LIFE SCIENCES DATA PRIVACY DAY

Laura D. Berger
FTC, Division of Privacy and Identity Protection
April 17, 2012


Roadmap

• Background

• FTC Privacy Report

• FTC Health Breach Notification Rule

• Endorsement Guides

• Data Security

• Recent Enforcement Actions


FTC Background

• FTC is an independent law enforcement agency

• Consumer protection and competition mandate

• Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices”

• Commission brings law enforcement actions in federal or administrative court

• Commission also does policy work – public workshops, Congressional testimony, consumer education, and guidance to business

• Privacy has been a key consumer protection priority


Privacy Roundtables

• Three public roundtables to explore privacy in light of new technologies, including social media

• Significant public participation

• 200 participants reflecting range of perspectives

• Transcripts and comments on FTC’s website


Roundtable Themes

• Increased collection and use of consumer data

• Lack of understanding and informed consent

• Consumers are interested in privacy

• Benefits of data collection and use

• Decreasing relevance of PII/non-PII distinction


Privacy Report

• Issued Final Report, March 2012.

• Key elements:

– Privacy by Design

– Simplified Choice

– Greater Transparency


Do Not Track

• Easy to Use

• Persistent

• Effective


Health Breach Notification Rule

• Background

– Part of the American Recovery and Reinvestment Act of 2009

– Interim final rule

– Only applies to entities NOT covered by HIPAA


Health Breach Notification Rule

• Who is covered?

– Vendors of personal health records (PHRs): you are a vendor of personal health records if you offer or maintain a personal health record

– PHR related entities: you are a PHR related entity if you (1) offer products or services through a website of a PHR vendor, (2) access information in a PHR, or (3) send information to a PHR

– Third-party service providers: you are a third-party service provider if you offer services to a PHR vendor or PHR related entity involving the use, maintenance, disclosure, or disposal of health information


Health Breach Notification Rule

• What triggers notification?

• You must provide notice when there has been the unauthorized acquisition of PHR-identifiable health information that is unsecured and in a personal health record


Health Breach Notification Rule

• Under the FTC’s Rule, companies that have suffered a breach must:

– Notify everyone whose information was breached;

– In some cases, notify the media; and

– Notify the FTC

• More information available at: http://business.ftc.gov/privacy-and-security/health-privacy


Endorsement Guides and Social Media

Recently updated Endorsement and Testimonial Guides require disclosure of a connection between a seller and an endorser that might materially affect the weight or credibility of the endorsement


Application of Endorsement Guides to Blogging

• The proposed guidelines require bloggers to disclose not only when they are paid by a company, but also when they receive a free product.

• Blogs that promote products are consumer endorsements.


Four Points that Guide the FTC’s Information Security Enforcement

• Information security is an ongoing process.

• A company’s security procedures must be reasonable and appropriate in light of the circumstances.

• A breach does not necessarily show that a company failed to have reasonable security measures – there is no such thing as perfect security.

• A company’s practices may be unreasonable and subject to FTC enforcement even without a known security breach.


Anatomy of a FTC Investigation

• Finding cases

• Pre-search

• Civil Investigative Demand or access letter

• Analyzing the facts

• Litigation or consent negotiation (or closing letter)

• Compliance and monitoring


Questions?

http://business.ftc.gov/privacy-and-security

Laura Berger [email protected]


April 2012

FREQUENTLY ASKED QUESTIONS ON THE PROPOSED EU DATA PROTECTION REGULATION

1. What is the Proposed EU Data Protection Regulation and why is it important?

The EU is in the process of reforming its data protection laws so that they are suitable for the modern digital economy. The current EU Data Protection Directive will be replaced by a new EU Data Protection Regulation (the “Proposed Regulation”). The Proposed Regulation is likely to be adopted in 2014. The aim behind the Proposed Regulation is to provide harmonised data protection laws across the EU and reduce some administrative burdens, such as removing the requirement to register with local Data Protection Authorities. The Proposed Regulation will have a significant impact on life sciences companies which use personal data in many activities including pharmacovigilance, clinical trials and medical research as explained further in these FAQs.

2. Which companies will be subject to the Proposed Regulation?

The Proposed Regulation will apply to all companies in the EU that process personal data (i.e. data that identifies a living individual) and so will include all life sciences companies. The Proposed Regulation will also apply to companies outside the EU that process personal data in connection with the offering of goods or services to data subjects in the EU, or that monitor their behaviour. This will mean that many life sciences companies outside the EU, such as in the US, will be subject to the requirements of the Proposed Regulation.

3. What are the penalties for not complying with the Proposed Regulation?

The Proposed Regulation introduces significant enforcement powers including fines of up to 2% of the annual worldwide turnover of a business for failure to comply with the Proposed Regulation. In addition, Data Protection Authorities will be able to apply fines to a potentially minor data protection breach and where no damage has been suffered by the data subject. Data Protection Authorities will also be able to carry out audits and to ban the processing of personal data. Individuals may bring damages claims for non-compliance while consumer groups and other representative bodies will be able to bring claims on behalf of individuals.

4. What are the main requirements for life sciences companies under the Proposed Regulation?

The Proposed Regulation introduces the concept of “Accountability”: companies have to take responsibility for, and be able to demonstrate, compliance with data protection requirements by implementing appropriate policies and measures. The measures include keeping a detailed record of all forms of data processing and verifying the effectiveness of the measures, such as through internal or external audits.

The Proposed Regulation also requires that data protection impact assessments be conducted where the processing is likely to present specific risks, such as the processing of health data. This may have a significant impact on pharmaceutical companies, particularly as the company has to seek the views of individuals or their representatives on the data processing and must consult with the relevant Data Protection Authority where the impact assessment indicates a high degree of risk. Where the Authority considers that the processing does not comply with the Proposed Regulation, such as where risks are not adequately identified, it can prohibit the data processing.

Importantly, businesses will also be required to appoint a data protection officer with “expert knowledge of data protection law and practices” where they have over 250 employees or where they monitor individuals. Data protection officers must be able to act independently and report directly to the management of the company. This requirement could result in significant additional costs for life sciences companies and some may use external consultants to fulfill this role.

5. Do individuals get new rights under the Proposed Regulation?

Yes, the Proposed Regulation will introduce a new “Right to be Forgotten” which will give individuals the right to request that their personal data be erased. There are some exceptions where it is necessary to retain the data for reasons of public interest and scientific research but many businesses are concerned about the scope and impact of this new right. In addition, there is a new “Right of Data Portability” which gives individuals the right to request that their personal data be transferred to a new provider.

6. What is the impact of the Proposed Regulation on data security?

The Proposed Regulation will require companies to report security breaches to a Data Protection Authority “without undue delay” and “where feasible” within 24 hours and to notify affected individuals if the security breach is likely to adversely affect them. The security breach requirements are likely to mean that companies will need to prepare in advance for possible security breaches by organizing data breach teams and procedures so the company can respond quickly.

7. Are international transfers of personal data permitted under the Proposed Regulation?

The Proposed Regulation continues the current restrictions on the transfer of personal data from the European Economic Area (“EEA”) to countries outside the EEA that are not considered to provide an adequate level of protection, which includes the US. The Proposed Regulation does try to make some of the possible legal mechanisms that can be used to permit such international transfers to be more flexible. For example, Binding Corporate Rules (“BCRs”) (i.e. a global internal data protection policy which is binding on the whole corporate group and approved by a relevant Data Protection Authority) can under the Proposed Regulation be adopted by both a data controller and a data processor whereas currently BCRs can only be adopted by a data controller. However, the continuing restrictions under the Proposed Regulation on the transfer of personal data from the EEA will need to be carefully considered by life sciences companies.

8. How does the Proposed Regulation affect Pharmacovigilance?

The Proposed Regulation specifically allows health data to be processed for “reasons of public interest in the area of public health including to ensure high standards of quality and safety for medicinal products or medical devices.” The reference to “safety” would appear to give a specific legal ground to process personal data for pharmacovigilance and, to the extent it does this, is a welcome clarification. However, pharmacovigilance activities will be impacted by other requirements in the Proposed Regulation, for example: (i) personal data may not be collected beyond the minimum necessary, and so it needs to be determined what is the minimum data required for pharmacovigilance purposes; (ii) full documentation on personal data processed for pharmacovigilance will need to be prepared, as well as data protection policies and other measures that take privacy by design into account; and (iii) data protection impact assessments may be needed for pharmacovigilance activities.

9. What is the impact of the Proposed Regulation on Clinical Trials?

Clinical trial activities, in addition to being subject to the requirements around data protection documentation and impact assessments referred to above, will also be subject to new requirements around obtaining consent for processing of personal data, for example in the patient informed consent form. The Proposed Regulation requires that consent must be given explicitly with the data controller having the legal burden of proving that the data subject has given valid consent. In addition, where the consent is to be given in a written declaration, the requirement to give consent must distinctly appear in the document, and be kept separate from consent to be given in the context of other matters. Also, consent is not valid where there is a significant imbalance between the position of the data subject and the data controller. This may cause uncertainty as there is arguably an inherent imbalance between the position of the individual patient and the pharmaceutical company carrying out the clinical trial.

Many of the requirements in the Proposed Regulation also apply to data processors (e.g. CROs) who will now be equally responsible for data protection compliance. This will require an examination of existing contracts with service providers involved in clinical trials to determine responsibility and liability for data protection obligations.

10. Does the Proposed Regulation cover Medical Research?

Personal data used in medical research will be subject to the requirements of the Proposed Regulation similar to other life sciences activities that use personal data such as pharmacovigilance and clinical trials. The Proposed Regulation does appear to permit health data to be processed for scientific research purposes where used in a key coded form. However, it is currently unclear whether key coded research data processed for an initial research purpose can be processed subsequently for a secondary research purpose which is not compatible with the purposes for which the data was collected for the initial research.

For more information on the application of the Proposed Regulation, please contact William Long, at Sidley Austin, London ([email protected]).


The Proposed EU Data Protection Regulation and Life Sciences

Life Sciences Data Privacy Day - April 17th 2012

William Long ([email protected])


Proposed EU Data Protection Regulation

• Proposed EU Data Protection Regulation released on Wednesday 25 January 2012

• Regulation will replace the existing EU Data Protection Directive

• Regulation expected to be adopted in 2014 following consultation with Council of Ministers and European Parliament

• Regulation will have a significant impact on life sciences companies


Summary of EU Legislative Process

• Timeline until 2014

– Jan Philipp Albrecht MEP, Rapporteur (drafts person) with Axel Voss MEP acting as shadow Rapporteur

– 3 Parliamentary Committees LIBE (Civil Liberties, Justice and Home Affairs Committee), INCO (Internal Market and Consumer Affairs Committee) and ECON (Economic and Monetary Affairs Committee)

– Q4 2012: EP Committee vote and Council “General Approach”

– First half of 2013: “Trialogue” negotiations

– Q4 2013: Political Agreement

– 2014: EP Plenary adoption of the Regulation in its final form

• Delegated and Implementing Acts

– Once the Regulation is adopted, important details will need further adoption in the form of delegated acts or implementing acts


Proposed EU Data Protection Regulation

• Application to Non-European businesses – the Regulation will apply to non-EU based businesses that offer goods and services to individuals residing in the EU or monitor the data subjects’ behaviour

• Greater Enforcement – fines of up to 2% of the annual worldwide turnover of a business for failing to comply with the proposed Regulation requirements

• Class Actions – consumer organisations may bring class actions on behalf of individuals for non-compliance, even without their consent

• Consent – explicit consent of individuals must be obtained before their data can be processed, although this may be withdrawn at any time. There cannot be a significant imbalance between the position of the data subject and the data controller

• Transparency – controller must provide transparent and clear information on how data will be used

• Transfer of Personal Data from the EU – can only be made to countries outside the EU that have an adequate level of protection. Solutions include among others BCRs, Model Contracts and Safe Harbor

The question of the ability to transfer personal data internationally for compliance purposes to other entities or regulators is still of concern for life sciences companies


Proposed EU Data Protection Regulation

• Privacy by Default/Design – measures must be in place to ensure that data is:

o processed only where necessary for each specific purpose

o not retained beyond the minimum necessary

o not made accessible to an indefinite number of individuals

• Right to be forgotten and right to data portability – obligation to delete users’ personal data the controller has made public and “to take all reasonable steps” to inform third parties that the individuals’ personal data being processed needs deleting, and right to transfer personal data to another provider

• Data Protection Notifications – no longer a requirement for data controllers to notify Data Protection Authorities of their data processing activities

But new obligation to keep a detailed documentation on all the processing operations will increase compliance costs

• Data Protection Officers – requirement to appoint a data protection officer where a business has more than 250 employees or its activities require monitoring of data subjects. A group may appoint a single data protection officer


Proposed EU Data Protection Regulation

• Data Protection Impact Assessments and prior consultation of DPA – requirement to conduct impact assessments where processing is likely to present specific risks (such as health data) and in such a case to seek the views of data subjects and consult with relevant supervisory authorities – this could be relevant to many activities of life sciences companies including clinical trials and other studies

• Pharmacovigilance – under the proposed Regulation health data may be processed under certain grounds including for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety for medicinal products or medical devices (Article 81)

• Medical Research – under the proposed Regulation personal data may be processed for historical, statistical or scientific research purposes if these purposes cannot be fulfilled by processing data which does not permit identification and the data enabling the attribution of information to an identifiable data subject is kept separately from the other information (Article 83)


Sidley Austin LLP, a Delaware limited liability partnership which operates at the firm’s offices other than Chicago, London, Hong Kong, Singapore and Sydney, is affiliated with other partnerships, including Sidley Austin LLP, an Illinois limited liability partnership (Chicago); Sidley Austin LLP, a separate Delaware limited liability partnership (London); Sidley Austin LLP, a separate Delaware limited liability partnership (Singapore); Sidley Austin, a New York general partnership (Hong Kong); Sidley Austin, a Delaware general partnership of registered foreign lawyers restricted to practicing foreign law (Sydney); and Sidley Austin Nishikawa Foreign Law Joint Enterprise (Tokyo). The affiliated partnerships are referred to herein collectively as Sidley Austin, Sidley, or the firm.

For purposes of compliance with New York State Bar rules, Sidley Austin LLP’s headquarters are 787 Seventh Avenue, New York, NY 10019, 212.839.5300 and One South Dearborn, Chicago, IL 60603, 312.853.7000. Doc. 5466368

Questions/Comments


Privacy and Security – Enablers to Adoption of Health IT

Deven McGraw, Director, Health Privacy Project

November 10, 2011


Health Privacy Project at CDT

Health IT and electronic health information exchange are engines of health reform with tremendous potential to improve health, reduce costs and empower patients.

Some progress has been made on resolving the privacy and security issues raised by e-health – but gaps remain and implementation challenges loom.

Project’s aim: Develop (papers) and promote (advocacy) workable privacy and security policy solutions for personal health information.


People want Health IT - but also have significant privacy concerns

Survey data shows the public wants electronic access to their personal health information.

But a majority - 67% - also have significant concerns about the privacy of their medical records (California Healthcare Foundation 2005; more recent focus groups and surveys confirm).

New London/Fair Warning recent on-line survey:

27.1% stated they would withhold information from their care provider based on privacy concerns.

27.6% said they would postpone seeking care for a sensitive medical condition due to privacy concerns.

>1 out of 2 persons said they would seek care outside of their community due to privacy concerns, and 35% said they would drive more than 50 miles to seek care.

http://www.fairwarningaudit.com/documents/2011-WHITEPAPER-US-PATIENT-SURVEY.pdf


Consequences of Failing to Act

Protecting privacy is important

Prevents harm

Good health care depends on accurate and reliable information

Without privacy protections, people will engage in “privacy-protective behaviors” to avoid having their information used inappropriately.

1 in 6 adults withhold information from providers due to privacy concerns. (Harris Interactive 2007)

Persons in poor health, and racial and ethnic minorities, report even higher levels of concern and are more likely to engage in privacy-protective behaviors. (CHF 2005)


Health IT Can Protect Privacy – But Also Magnifies Risks

Technology can enhance protections for health data (for ex., encryption; role-based access; identity proofing & authentication; audit trails)

But moving and storing health information in electronic form – in the absence of strong privacy and security safeguards – magnifies the risks

Thefts of laptops, inadvertent posting of data on the Internet, reports of internal “snooping”

Increased media attention to data captured on the Internet

Cumulative effect of these reports deepens consumer distrust


A Comprehensive Approach is Needed

Privacy and security protections are not the obstacle - enhanced privacy and security can be an enabler to health IT.

The essence of what we mean by “workable” protections

A comprehensive privacy and security framework is needed to facilitate health IT and health information exchange.

Fair information practices – strong data stewardship model; consent plays important role but is not linchpin

Sound network design

Accountability/Oversight

Fair Information Practices – Markle Common Framework

Openness and transparency

Purpose specification and minimization

Collection limitation

Use limitation

Individual participation and control

Data integrity and quality

Security safeguards and controls

Accountability and Oversight

Remedies


Role for Individual Consent

Public debates about privacy protection until recently have focused almost exclusively on whether patients should be asked to authorize all uses of their information.

Individual control is an important component of fair information practices - but it is just one component.

Tends to provide weak privacy protection in practice (authorizations are either generally worded for brevity or too long)


“Next Generation” of Health Privacy

Build on HIPAA for traditional health care entities – no need to rip and replace (HITECH took the first step here)

Establish protections for health information that migrates outside of the HIPAA bubble

Address concerns raised by new HIT infrastructure (such as HIEs)

Essentially, hold all entities who handle health data accountable for complying with baseline protections


Agenda for the future

Successful implementation of new HITECH privacy provisions

Address issues raised by the use of HIEs or data exchange “intermediaries”

Are business associate rules sufficient?

Protections for health data that is outside the HIPAA bubble

Will new consumer privacy efforts (FTC & White House reports, HHS upcoming report on PHRs) pay off for health information?

Secondary data uses – for ex., comparative effectiveness research

Distributed data networks vs. centralization


Agenda for the future (cont.)

Policies for de-identified data – focus on robust methodologies, prohibit re-identification

Also – encouraging use of “less identifiable” data for routine purposes; possible interpretation of minimum necessary standard?

Better enforcement & active policy “stewardship” by regulators

Issuance of guidance, clarifications, FAQs

Safe Harbors?

Regulation of business associates


De-Identification Policy Challenges

"De-identified data" = data that meets the HIPAA standard for de-identification (and is therefore not PHI)

Ensuring very low risk of re-identification – particularly through safe harbor standard - is getting more difficult due to increased availability of data

Statistical method for de-identification is meant to be flexible over time – but robustness depends on quality of statistical analysis

Safe harbor (removal of 18 specific data elements) will lose its potency over time


De-Identification Policy Challenges (2)

Data risk is contextual:

What other data does the data recipient have access to

What is the recipient’s motivation to re-identify or use inappropriately

HIPAA approach – particularly the safe harbor method – assumes a static environment and concludes that data can be deemed to raise a very low risk without consideration of this context
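To make the point about contextual risk concrete, here is an added example (not CDT's or the firm's code) on constructed records: a subset of the safe-harbor rules is applied, then the k-anonymity of the remaining quasi-identifiers is measured, first on the safe-harbor output and then after coarsening them further. A class of size 1 is a record that anyone holding an auxiliary dataset with the same attributes could single out, which is why a fixed removal list gives no guarantee while the statistical method can adjust to the data.

```python
"""Residual re-identification risk after HIPAA safe-harbor-style de-identification.

Added example, not from the CDT slides. All records below are constructed.
Only a subset of the 18 safe-harbor elements is handled (direct identifiers,
dates, ZIP codes, ages over 89); the safe-harbor population test for
three-digit ZIP codes is assumed to pass and is not implemented.
"""
from collections import Counter

# Constructed patient records (not real people).
RAW_RECORDS = [
    {"name": "Alice Rivera", "mrn": "MRN-0001", "dob": "1984-03-12", "zip": "94301", "sex": "F", "age": 28, "dx": "asthma"},
    {"name": "Bob Chen", "mrn": "MRN-0002", "dob": "1984-11-02", "zip": "94303", "sex": "M", "age": 27, "dx": "migraine"},
    {"name": "Carol Diaz", "mrn": "MRN-0003", "dob": "1951-07-30", "zip": "94301", "sex": "F", "age": 60, "dx": "diabetes"},
    {"name": "Dan Evans", "mrn": "MRN-0004", "dob": "1951-01-15", "zip": "94305", "sex": "M", "age": 61, "dx": "hypertension"},
    {"name": "Eve Foster", "mrn": "MRN-0005", "dob": "1984-06-21", "zip": "94304", "sex": "F", "age": 27, "dx": "asthma"},
    {"name": "Frank Gupta", "mrn": "MRN-0006", "dob": "1920-02-08", "zip": "60603", "sex": "M", "age": 92, "dx": "arthritis"},
    {"name": "Grace Hall", "mrn": "MRN-0007", "dob": "1951-09-09", "zip": "94302", "sex": "F", "age": 60, "dx": "diabetes"},
    {"name": "Hank Ito", "mrn": "MRN-0008", "dob": "1919-12-25", "zip": "60601", "sex": "M", "age": 92, "dx": "glaucoma"},
    {"name": "Ivan Jones", "mrn": "MRN-0009", "dob": "1955-04-04", "zip": "94306", "sex": "M", "age": 56, "dx": "asthma"},
    {"name": "Jack Kim", "mrn": "MRN-0010", "dob": "1988-05-05", "zip": "60602", "sex": "M", "age": 23, "dx": "migraine"},
]

DIRECT_IDENTIFIERS = ("name", "mrn")
SAFE_HARBOR_QIDS = ("birth_year", "zip3", "sex")   # quasi-identifiers that survive safe harbor
GENERALIZED_QIDS = ("birth_decade", "sex")         # quasi-identifiers after further coarsening


def safe_harbor_scrub(record: dict) -> dict:
    """Apply the safe-harbor rules this example covers and return a new record."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    over_89 = record["age"] > 89
    # Ages over 89 are aggregated into a single "90+" category; the year of
    # birth would reveal such an age, so it is suppressed for that group too.
    out["age"] = "90+" if over_89 else record["age"]
    out["birth_year"] = None if over_89 else int(record["dob"][:4])
    out["zip3"] = record["zip"][:3]          # only the three-digit ZIP prefix survives
    del out["dob"], out["zip"]
    return out


def equivalence_classes(records, quasi_ids) -> Counter:
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids) -> int:
    """Size of the smallest equivalence class. k == 1 means at least one record is
    singled out by its quasi-identifiers alone, i.e. it is linkable by any recipient
    who also holds a dataset carrying those attributes (the slides' contextual risk)."""
    return min(equivalence_classes(records, quasi_ids).values())


def unique_fraction(records, quasi_ids) -> float:
    """Fraction of records that are alone in their equivalence class."""
    classes = equivalence_classes(records, quasi_ids)
    singles = sum(1 for r in records if classes[tuple(r[q] for q in quasi_ids)] == 1)
    return singles / len(records)


def generalize(records) -> list:
    """Coarsen further, in the spirit of the statistical method: birth year becomes
    a decade and geography is dropped entirely. Less identifiable, but less useful."""
    out = []
    for r in records:
        g = {k: v for k, v in r.items() if k not in ("birth_year", "zip3")}
        g["birth_decade"] = None if r["birth_year"] is None else f"{r['birth_year'] // 10 * 10}s"
        out.append(g)
    return out


def risk_report(records=RAW_RECORDS) -> dict:
    """Compare residual risk after safe harbor with risk after further generalization."""
    scrubbed = [safe_harbor_scrub(r) for r in records]
    coarse = generalize(scrubbed)
    return {
        "safe_harbor_k": k_anonymity(scrubbed, SAFE_HARBOR_QIDS),
        "safe_harbor_unique": unique_fraction(scrubbed, SAFE_HARBOR_QIDS),
        "generalized_k": k_anonymity(coarse, GENERALIZED_QIDS),
        "generalized_unique": unique_fraction(coarse, GENERALIZED_QIDS),
    }


if __name__ == "__main__":
    for key, value in risk_report().items():
        print(f"{key}: {value}")
```

On the constructed records, safe harbor alone leaves four of ten patients unique on (birth year, ZIP3, sex), so k = 1; coarsening to (birth decade, sex) raises k to 2 at the cost of the geography and year columns.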


Less Identifiable = Less Risk

There are limits to whether true de-identification can be achieved – but this does not mean all data present equal risk

De-identifying or removing identifiers from data, or shielding identity through use of technology, provides additional protections for confidentiality and maximizes data use


Need More Use of “Anonymized” Data & More Data Anonymization Options

HIPAA permits use of fully identifiable data where “less identifiable” data would suffice

Health care operations, for example (quality assurance, credentialing, business analytics)

De-identified data is often not useful for research, public health, and quality purposes because too much data is removed

Limited data set (LDS) preserves more data – but still rigid and may not be


CDT Recommendations on De-identification

Review de-identification safe harbor standard on regular basis to bolster its efficacy

Expand safe harbors?

Process for vetting statistical de-identification

Strengthen accountability for re-identification of de-identified data

Consider whether health data should ever be made publicly available (vs. solely through data use agreement)

CDT Recommendations on De-identification (2)

Designate de-identification "Centers of Excellence"

Consider increasing public transparency re: uses of de-identified data

Require recipients of de-identified data to adopt security protections


Questions?

Deven McGraw

202-637-9800 x115

[email protected]

www.cdt.org/healthprivacy


Legal Best Practices for Social Media at Pharmaceutical Communications

Edward McNicholas


Social Media is Different

• Re-defined privacy boundaries for individuals

– Both a private and a public space (home/office)

– Digital natives and generational challenges

• New definitions of "community"

– Transparent peer influence

– Trusted relationships despite not meeting in person

• Unprecedented virtual footprint

– Interconnected, interacting spheres of life

– Timelines and lingering content

• Distributed control


Continuing Technological Transformations

• Online behavioral tracking and targeting in a rapidly evolving "partner" eco-system

• Gamification of non-recreational content

• Virtual worlds

• Location-aware devices

• Augmented reality devices and mirror worlds

• Micro-transactions, “Freemium” pricing innovations

• Smart mobile payment systems

• User-generated, distributed creation of content


Pharma Companies Use Social Media


Social Media Challenges

• Internal Challenges

– Careless employees (talking trade secrets)

– Whistle-blower employees (exposing issues)

– Disloyal employees (posting confidential information)

• External Challenges

– Customers

• Claiming injuries

• Seeking off-label information

– Civil Society Activists / Journalists

– Hackers

– Regulators


Is Regulation Catching Up?

“Social media is landscape-shifting. It converts the traditional two-party, adviser-to-client communication into an interactive, multi-party dialogue among advisers, clients, and prospects, within an open architecture accessible to third-party observers. It also converts a static medium, such as a website, where viewers passively receive content, into a medium where users actively create content.”

National Examination Risk Alert (January 4, 2012)

SEC Office of Compliance Inspections and Examinations


Is Regulation Catching Up?

“Because consumers increasingly use the Internet to search for information about medical conditions and treatments, firms may receive public requests for off label information about their products through, for example, product websites, discussion boards, chat rooms, or other public electronic forums that they maintain and over which they have full control. Firms may also encounter requests for off-label information on third-party sites (i.e., websites and other venues that are either entirely independent of a firm’s control and influence or not fully controlled by a firm).”

FDA Guidance for Industry: Responding to Unsolicited Requests for Off-Label Information About Prescription Drugs and Medical Devices (December 2011)

Ad Age: “FDA Social-Media ‘Guidelines’ Befuddle Big Pharma”


US Social Media is Generally Unregulated

• Communications Decency Act Immunity, 47 U.S.C. § 230(c)

“No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”

• Rules are different elsewhere. See, e.g., Sweden's Data Inspection Board (DIB)

• US Immunity not without limits:

– FTC v. Accusearch Inc., 570 F.3d 1187 (10th Cir. 2009)

– Fair Housing Council v. Roommates.com, LLC, 521 F.3d 1157 (9th Cir. 2008)

– Doe v. SexSearch.com, 551 F.3d 412 (6th Cir. 2008) – affirmed dismissal for failure to state a claim, but did not adopt a reading of Section 230 that “potentially abrogat[ed] all state- or common-law causes of action brought against interactive Internet services.”


Financial Services Regulatory Analogs

• FINRA Guidance: Regulatory Notices 11-39, 10-06

– Retain records of communications on sites

– Establish policies and procedures

– Supervise electronic communications with procedures

– Prohibit employees from using social media outside of firm supervision

– Screen content from third-parties on social media sites

– Bar employees who present significant compliance risks

• National Association of Insurance Commissioners ("NAIC") Social Media Working Group Whitepaper


Financial Services Regulatory Analogs

• SEC OCIE Guidance: Risk-based protections:

– Usage guidelines, in light of site functionality

– Content standards

– Pre-approval requirements for social media content

– Monitoring, training, certification, and oversight resources

– Personal / professional site guidance

– Allowing any interaction? Depending on the circumstances, use of a “like” button could constitute a prohibited client “testimonial.”

– “Recordkeeping obligation does not differentiate between various media”

– Problem of “multiple overlapping procedures that apply to advertisements, client communications or electronic communications generally, which may or may not specifically include social media use.”


FTC Testimonial Issues

• Providing payment or other consideration for posts

– Free products are consideration

• Key is disclosure of connections

– Must disclose connections between advertisers and endorsers that might materially affect the weight or credibility of the endorsement

• Creating transparent policies

– Policies should address disclosure

– Require reviewers receiving any consideration to disclose

• FTC issues are in addition to FDA concerns

Guides Concerning the Use of Endorsements and Testimonials in Advertising, 16 CFR Part 255.


FDA Regulatory Issues

• FDA’s Principal Position: Internet communications are subject to same statutory and regulatory provisions as traditional advertising and promotional labeling formats

• In April 2009 the FDA issued 14 letters to major drug manufacturers citing sponsored links in violation of the Federal Food, Drug, and Cosmetic Act ("FDCA") – the letters mandated that companies' search advertisements (the short text ads that run beside search engine results pages) had to be rewritten to include risk information about each drug or removed


FDA’s Public Hearing – Nov. 2009

• General concept of Internet promotion: "positive or negative"

• Topics identified by FDA:

– For what online communications are manufacturers accountable?

– How can manufacturers fulfill regulatory requirements in their Internet/social media promotion?

– What parameters should apply to the posting of corrective information on Web sites controlled by third parties?

– When is use of links appropriate?

• "We are specifically interested in data and research on the use of social media tools in promotion, including data from companies on their own experiences, the extent to which health care professionals and consumers are using and are influenced by various social media tools, and the impact of Internet and social media promotion on the public health."


FDA Guidance: Responding to Unsolicited Requests for Off-Label Information

• Firm may respond to public unsolicited requests for off-label information only when the request pertains specifically to its own named product (and is not solely about a competitor’s product).

• Public response to public unsolicited requests for off-label information about firm’s own named product should only:

– Provide specific contact information,

– Convey that the use is unapproved or uncleared, and

– Not include any off-label information.

• Responding representatives must clearly disclose affiliation.

• Nothing promotional in nature or tone is allowed.


Open Regulatory Issues for Online Fora

• Will sponsor be held responsible for:

– Inadequate risk information or lack of fair balance

– Off-label discussion in which they do not participate

– Adverse event information

– Criticism of competitor’s product

• Will passive or active social media be allowed

– If passive, is selective moderation, censorship, or comment possible?

– If active, moderate discussion, possibly through pre-approval of posts

» Editorial policies regarding off-label promotion

» Posted terms of use and disclaimers

» Required balance of positive and negative comments


Social Media and EU Data Privacy

• Data privacy is a major concern with social media

• Under EU Data Protection Directive, a pharma company will likely be a data controller of personal data collected through social media applications

• Where sensitive personal data is processed, consent is likely required, but UGC may include data for a third party

• The proposed EU Data Protection Regulation sets out fines of up to 2% of annual worldwide turnover and class actions

• The proposed EU Data Protection Regulation also has a new right to be forgotten and a right of data portability (i.e. to transfer data to a new provider)


Social Media and EU Pharma Advertising

• Article 88(1) of Directive 2001/83 prohibits advertising to the general public of prescription-only medicines

• Current guidance on medicinal product advertising generally does not address social media applications

• In the UK, the PMCPA published a Q&A guidance document on Digital Communications on April 1, 2011

• In Sweden, the pharma trade association (LIF) has published an interpretative document on social media and ethical rules


Recipe For Employee Social Media Policy

• Reason for the policy—Impact on company and its reputation

• Company will speak for itself

– Others may not represent or appear to represent the company

– If mentioning the company, should state not speaking for it

• Prohibitions on supervisors and managers

– Prohibit initiation of social networking relations with employees/applicants

• Respect privacy and dignity of colleagues

• Protect trade secrets and protectable confidential business information

• Prohibit violation of harassment and discrimination policies

– Reference applicable policies

• Provide notice that, to the extent allowed by law, employees will be disciplined for violating the company's Social Media Policy


Best Practices for Risk Mitigation in Firm Social Media Projects

Dynamic, privacy by design review processes

- The functions, promise and challenge of social media are evolving too quickly for a one-time social media compliance project

- Processes to continually assess and respond to changes in technologies, uses, and regulatory guidance are essential

- Social media plans must be vetted by relevant stakeholders

- Appoint social media project owners and digital spokespersons

- Develop social media adverse event monitoring plan

- Develop social media approved response elements

- “Virtualized interactivity”


Best Practices for Risk Mitigation

Terms of use and privacy settings can help

- Provisions to protect from misuse and limit liability

- Help protect take down rights and procedures

- Customized micro-privacy policies

Review third party use of terms and conditions

- Prohibitions on the use of social media

- Ownership of data and IP

Disclaimers

- Clear and unambiguous

- Distinguish links to sites not under company control

- Specify audience and country specific limits


Best Practices for Risk Mitigation

Separate country web pages

- Establish one international domain name and then have a screen that directs users to content focused on a particular country

Restricted access areas, such as HCP communities

- Registration requirements

- Password control

- Watch IP and defamation issues

Best Practices for Risk Mitigation

Policies and employee training

- Keep policies broad and flexible

- Build monitoring into internal audit performance evaluation processes

- Ensure appropriate employee training particularly for those involved with content monitoring

Develop policies to cover aspects of specific channels e.g.

- Facebook

- Twitter

- Wikipedia

- YouTube

Top 10 Checklist

Actively manage legal risk on social media sites

Design processes that require early consultation with the legal and compliance teams before engaging in social media

Ensure a designated social media project owner is in place

Ensure that systems and controls are in place to monitor content on external social media sites for misleading statements, off-label discussions, adverse events, and other inappropriate content

Continually monitor and engage with regulatory developments

Adequately train and resource employees

Assess third party terms and conditions thoroughly

Draft appropriate terms and conditions of use, privacy policies and take down procedures

Consider the use of multiple “sites” or restricting access to sites for different audiences

Remain aware of jurisdictional challenges


Any Questions?

Ed McNicholas

[email protected] (202) 736-8010

www.Sidley.com/InfoLaw

This presentation has been prepared by Sidley Austin LLP as of April 15, 2012, for educational and informational purposes only. It does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking personalized advice from professional advisers.

SIDLEY AUSTIN LLP

INFORMATION GOVERNANCE ASSESSMENTS

Companies need to understand the rapidly evolving world of information law and to be able to assess whether they are exercising appropriate governance over personal data and other information assets. Sidley provides a range of privacy information governance assessments to establish and assist corporate data protection programs.

Data Protection Diligence

Privacy diligence involves having Sidley attorneys evaluate a snapshot of a privacy / information governance program within a company or in a potential corporate acquisition. We guide clients in preparing a virtual data room and present a prioritized assessment of major privacy issues. This diligence can also be helpful for those who need to develop a rapid, privileged understanding of their compliance status and can be used to support self-verification for the US-EU Safe Harbor for data transfers.

Information Governance Gap Analysis

An Information Governance Gap Analysis is designed to offer detailed, strategic guidance regarding the controls over information within an organization. It avoids the cost and delay of compiling a complex “data map,” and instead focuses on producing a privileged, legal risk-based report identifying and recommending solutions for gaps within an existing data protection program.

Information Governance Program Assessments

A full information governance program assessment investigates the collection, use and movement of personal data within an organization and develops a detailed report analyzing how personal data is acquired, used, shared, and stored within an organization. These assessments can be very useful in understanding how well an existing privacy program is actually working and in demonstrating to regulators that privacy commitments are taken seriously and have been honored or that past breaches have been remedied.

Privacy Impact Assessments for Specific Products or Services

Personal data issues in particularly complex or sensitive new products or marketing campaigns often merit focused attention. A project privacy impact assessment helps a business team understand and assess personal data flows, develop privacy-enhancing protections, and ensure legal compliance. Privacy impact assessments can help integrate “privacy by design” throughout a company’s products and services by modeling best practices.

For more information, please go to www.Sidley.com/InfoLaw or contact the attorney at Sidley with whom you normally communicate or Edward McNicholas, a global coordinator of Sidley’s Privacy, Data Security, and Information Law group, (202) 738-8010, [email protected].

HIPAA, HITECH, and Key State Law Considerations for Life Sciences Companies

Anna L. Spencer – [email protected] 202-736-8445

Overview

• Setting the Stage – Big Picture

• HIPAA Fundamentals: Applicability and Requirements

• Key Considerations for Life Science Companies – PAPs, Marketing, Clinical Research and More

• De-Identification

• State Law Considerations

Privacy of Health Information

• Meaningful Use/Electronic Health Records (EHRs)

• Health Information Exchanges (HIEs)

• Office of National Coordinator (ONC) – Mobile Computing Devices

HIPAA’s Administrative Simplification: The Basics

• Health Insurance Portability and Accountability Act (HIPAA) - large statute covering many areas

• Three sets of regulations under Administrative Simplification

– Electronic Data Interchange

– Privacy

– Security

• Apply to Covered Entities and, as a result of HITECH, their Business Associates

• Governs the use and disclosure of Protected Health Information (PHI)

HITECH

• Health Information Technology for Economic and Clinical Health Act (HITECH)

• Part of the stimulus legislation signed into law in February 2009

• Ambitious goals for EHRs and a national HIT infrastructure

• Expanded the reach of HIPAA, created federal breach reporting requirements and increased penalties for violations

• Status of the Omnibus Rule

Heightened Enforcement and Penalties Under HITECH

• Requires that the HHS Secretary formally investigate any complaint of a HIPAA violation if a preliminary investigation indicates a possible violation due to “willful neglect”

• Empowers state attorneys general to bring civil actions in federal court on behalf of their citizens when the attorney general has reason to believe that an interest of one or more residents has been threatened or adversely affected by a person who violates HIPAA

• Increases penalties for noncompliance:

– Criminal penalties will apply against a person (including an employee or other individual) where PHI is maintained by a Covered Entity and the individual obtained or disclosed the information without authorization in violation of HIPAA

– Creates a tiered approach to civil monetary penalties for violations of HIPAA and HITECH (maximum penalty increased from $25k to $1.5 million)

Heightened Enforcement and Penalties Under HITECH (cont’d)

• Incentives for individuals to file complaints with the HHS Secretary and state attorneys general regarding alleged violations

– GAO Report recommending a methodology for individuals to receive a percentage of CMPs (18 months after enactment)

– Establishment of methodology (3 years after enactment)

• Incentives for agency to investigate and prosecute violations

– CMPs and monetary settlements reinvested in OCR

• Requirement that Secretary periodically audit Covered Entities and Business Associates

• Breach reporting rule

Recent Enforcement Activity

• Recent Settlements

– BC/BS of TN (March 2012) – $1.5M and CAP

– UCLA Health System (July 2011) – $865k and CAP

– Cignet (Feb. 2011) – $4.7M and CAP

• AG HITECH Litigation

– CT and VT actions against HealthNet for a massive data breach

– MN action against Accretive

HIPAA and HITECH Application to Pharmaceutical and Medical Device Manufacturers, Generally

• Manufacturers typically are not Covered Entities, so HIPAA does not directly apply

– Exception: Direct consumer sales are a covered entity activity

– But Note: Under HITECH, certain privacy and security standards will apply directly to manufacturers that operate as Business Associates

• Even so, there may still be HIPAA exposure for disclosures in violation of HIPAA

• Primary significance of HIPAA for manufacturers where there is no direct application is how it affects the manufacturer’s customers and whether PHI may be permissibly disclosed by the customer to the manufacturer

Exceptions to the Authorization Requirement

• In general, individual authorization is required to use or disclose PHI unless an exception applies

• Treatment, Payment and Health Care Operations (TPO)

• Disclosures for Facility Directories and to Persons Assisting in an Individual’s Care or Payment for Care

– Individual Agreement

• Public Policy Exceptions (next two slides)

Public Policy Uses/Disclosures

• Uses and disclosures for public health activities - prevent/control disease, injury or disability (e.g., CDC, FDA, OSHA, child abuse agencies)

– Disclosures to a person subject to the jurisdiction of the FDA with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety, or effectiveness of such FDA-regulated product or activity

• Including to collect or report adverse events, product defects or problems, or biological product deviations; to track FDA-regulated products; to enable product recalls, repairs, etc.; to conduct post-marketing surveillance

Public Policy Uses/Disclosures

• Uses and disclosures for research purposes - if a Covered Entity receives documentation that a waiver of the individual authorization requirements has been approved by an IRB or an equivalent body referred to as a Privacy Board

– Use/Disclosure involves no more than minimal risks to privacy of individual

• Adequate plan to protect identifiers from improper use/disclosure

• Plan to destroy identifiers at earliest opportunity consistent with research unless there is a health/research justification for retention or retention required by law

• Adequate assurances that PHI will not be re-used or re-disclosed except as required by law, for authorized oversight of research or other research purposes

– Research could not practicably be conducted without PHI

– Research could not practicably be conducted without waiver

• Uses and disclosures of PHI (1) about decedents for research purposes and (2) for reviews preparatory to research without obtaining authorization if certain conditions are met

Special Rules for Marketing Activities

• Marketing - to make a communication about a product or service that encourages the recipients of the communication to purchase or use the product or service

• Prior Exclusions: A Covered Entity is not engaged in “marketing” when it communicates to individuals about:

– Health-related products or services provided by, or included in a plan of benefits of, the Covered Entity making the communication;

– The individual’s treatment;

– Case management or care coordination for the individual; or

– Directions or recommendations for alternative treatments, therapies, health care providers, or settings of care to the individual

• HITECH modifications

Marketing Restrictions Under HITECH

• Some of the most complex and technical provisions in HITECH

• Communication will not be considered a “health care operation” (and therefore authorization will be required) if the Covered Entity receives remuneration for the communication, unless:

– The communication describes only a drug or biologic currently being prescribed for the recipient of the communication and the payment received by the Covered Entity is a “reasonable amount” as defined by the HHS Secretary

• Exception for treatment communications

– “Treatment” under the HITECH Proposed Rule

Restrictions on Disclosure and Sale of EHRs or PHI Under HITECH

• Generally prohibits receipt of direct or indirect remuneration by Covered Entities or Business Associates in exchange for PHI without an individual’s authorization

• Exceptions for:

– Public health activities

– Research (price restricted to costs of preparing and transmitting data)

– Treatment of the individual

– Sale, transfer, or merger of one Covered Entity with another

– Providing remuneration to a Business Associate under a Business Associate Agreement for services rendered by the entity

– Providing an individual with access to his or her PHI

– Any other exception promulgated by the Secretary

• Effective 6 months after regulations promulgated

Manufacturer Activities Potentially Subject to HIPAA Restrictions

• Patient Assistance Programs (PAPs)

– Potential HIPAA implications: Manufacturer is likely not a Covered Entity, but the physician is

• Will physician be required to obtain patient’s authorization for release of PHI to the manufacturer?

• Does provision of PHI to facilitate enrollment in a PAP fall under the HIPAA treatment exception?

• Reimbursement assistance

– Potential HIPAA implications: Manufacturer is likely not a Covered Entity, but the physician is

• Will physician be required to obtain patient’s authorization for release of PHI to the manufacturer?

• Is a Business Associate Agreement needed?

Manufacturer Activities Potentially Subject to HIPAA Restrictions

• Financial support of refill reminders sent by pharmacies

– Potential HIPAA implications: Patient authorization is not required under HIPAA pre-HITECH

– Impact of HITECH marketing provisions?

• Potential applicability of two exceptions

• Financial support of provider communications about alternative treatments

– Potential HIPAA implications: Patient authorization is not required under HIPAA pre-HITECH

– Impact of HITECH marketing provisions?

• Potential applicability of one exception

Research: Options for Permissible Uses and Disclosures

Waiver of authorization requirement by an IRB or Privacy Board

OR

Limited to information to develop research protocol OR

Limited to information about decedents

OR

“Limited data set” pursuant to Data Use Agreement

OR

Authorization

De-Identification

• De-identified Data – Two Methods:

• Delete an enumerated list of data elements, such as:

– (1) Name, (2) Address, (3) Birth Date or Age, (4) Telephone Number, (5) Medical Record Number, (6) Biometric Identifier, (7) Health Plan Number, (8) Occupation, (9) Photos, and (10) Employer

• Health information may be treated as de-identified even if all identifiers are not removed, but only if a person with appropriate statistical and scientific expertise determines that the risk of identification is very small

De-Identification: Additional Considerations

• Contractual restrictions

– Business Associate Agreement restrictions

• A Business Associate may use and disclose PHI as permitted by its Business Associate Agreement

– http://www.hhs.gov/ocr/privacy/hipaa/faq/health_information_technology/544.html

• Guidance provides that Business Associates may de-identify PHI for their own purposes IF the BAA authorizes the Business Associate to do so

– Authorizations may be relevant as well

• HIPAA requires a statement about the potential loss of protection and secondary disclosures

• Nevertheless, some may be drafted in a way that restricts secondary uses or disclosures

De-Identification: Evolving Standards

• De-identification is not without risk

– Risk of re-identification

– Potential legal challenge

• 2010 Complaint to FTC alleging online pharmaceutical marketing violates consumer privacy

– Potential application of state law

• HITECH requires the Secretary of HHS to issue new guidance

– Some are pushing to make the standard stricter

State Law Preemption

• HIPAA privacy and security requirements preempt contrary state laws

– Exception: If the state law relates to the privacy of health information and is more stringent, the state law is not preempted

– In other words, Federal law sets the floor

• Distinguish between general state privacy laws that protect medical information and those that apply to particularly sensitive medical data

– Most of the former apply only to providers and plans and, therefore, do not reach manufacturers

• However, some general state privacy laws that protect the confidentiality of medical information apply to manufacturers (e.g., Texas, California)

– Most of the latter apply to any recipient, including manufacturers

Anna L. Spencer

[email protected] 202-736-8445

This presentation has been prepared by Sidley Austin LLP as of April 17, 2012, for educational and informational purposes only. It does not constitute legal advice.

Life Sciences Data Privacy Day - April 17, 2012

Managing Data Protection in International Clinical Trials & Observational Studies

Judith E. Beach, Ph.D., Esq.

Senior Vice President & Senior Associate General Counsel; Global Chief Privacy Officer

Key International Privacy Laws

– United States:

• “HIPAA 1” and “HIPAA 2” (HITECH Act) (applies to Protected Health Information held by a Covered Entity such as a clinical investigator)

• Security Breach Notification laws – Omnibus rule due in ~ 90 days

• Federal Trade Commission (FTC) Act, Section 5 on Unfair or Deceptive Trade Practices

– Europe:

• European Union Directive on Protection of Personal Data 95/46/EC

– Canada:

• 2001 Personal Information Protection and Electronic Documents Act (PIPEDA)

– Australia:

• Privacy Amendment (Private Sector) Act 2000

– Japan:

• Personal Information Protection Act (PIPA) 2003

European Data Protection Laws

– Limit how we may use / process personal information about individuals, regardless of where processing takes place

– “Processing” can take many forms, including:

• collecting, obtaining, recording, holding, sharing, combining, and even destroying personal information . . . anything you do with personal data.

– Personal Data lawfully processed must be adequately protected with organizational and technical measures

Transferring Clinical Trial Data Outside EU/EEA

EU laws restrict export of personal data UNLESS

• Lawfully collected in the country of origin (e.g., with consent) and

• With adequate level of protection provided by recipient

Adequate Level of Protection

• Certified to the US-EU Safe Harbor

• Transfer to a «white-listed» country

• Other transfers may require a specific, detailed set of contractual obligations – EU Model Contracts / Data Transfer Agreements

• Binding Corporate Rules

• De-identified / Key-Coded / Dummy / Pseudonymized Study Subject Data

Certification to U.S. - EU Safe Harbor

– Certification to the US-EU Safe Harbor with annual recertification

• Transfers of personal data out of Europe to “harborites” in the US, which are deemed by EU / EEA to provide an adequate level of protection: http://export.gov/safeharbor/

We Self-Certify Compliance With:

– Binding Corporate Rules (BCRs) – if the proposed EU Data Protection Regulation becomes the rule in all member states and the proposed “one-stop shop” DPA is retained, then BCRs should be considered by companies for transferring data out of Europe to all over the world.

U.S.- EU Safe Harbor Privacy Principles

– Notice

– Choice

– Data Integrity

– Transfers to Agents

– Access and Correction

– Security

– Enforcement

– Dispute Resolution

Data Protection: Privacy by Design - Technical and Organizational Measures

Access Controls / authorization procedures

Robust / mandatory privacy training

Encryption of laptops and portable media

Encoding and stripping identifiers

De-identification and Aggregation wherever possible

Robust data protection language in contracts (including Model Contracts - Data Transfer Agreements)

Proactive Vendor Management

Periodic privacy compliance reviews (internal and vendors)

Regional and Country Specific Privacy Programs

Managing Privacy Risks of Third-Party Vendors

Security Breach

• 39% of U.S. data breaches in 2010 involved third-party organizations such as outsourcers and contractors

• From: Ponemon Institute. 2010 Annual Study: U.S. Cost of a Data Breach, March 2011

Protect personal data

• Vetting vendors and including privacy certifications in vendor contracts

• Require vendor privacy assessment questionnaires and / or systems compliance audits

• Include a Vendor Privacy Certification Standard in vendor contracts

Monitor

• Actively monitoring vendors throughout the relationship

• Include the right in vendor contracts to conduct reviews

• Require reporting of vendor privacy incidents

Potential Consequences of a Security Breach

Lawsuits, consent decrees and fines/penalties (also criminal)

Disciplinary action against employees by Human Resources, up to and including dismissal

Poor public relations / harm to reputation

Harm or distress to the individual whose privacy may have been violated

Loss of consumer or customer confidence

Breach of confidentiality provisions in customer contracts

Potential for charges brought against individual employees

Costly security breach notifications to individuals, authorities & media plus legal fees

Informed Consent in Clinical Research

Informed Consent Form

ICF should inform prospective research participants of how their data will be used if they participate in the study, including:

The nature of the data to be processed about them

The purposes for which their data will be processed

To whom their data will or may be disclosed

How their data will be kept secure (e.g., key-coding, encryption)

How to exercise their rights as data subject to access, correct and (in some cases) obtain deletion or destruction of their data

Effect of withdrawal of consent on the use / disclosure of their data

Informed Consent in Clinical Trials

Compliance required with data protection laws of countries where data is collected AND where the data will be processed

Global ICF templates developed by sponsors / CROs include data protection language that is generally acceptable around the world.

Adaptation of global templates to meet country-specific data protection requirements.

Informed Consent in Clinical Trials

Examples of necessary modifications to a global ICF template:

Specific statements of compliance with local data protection laws / regulations are required in some countries (e.g., Italy, France)

Data Protection Authorities & Ethics Committees in certain countries object to the use of participants’ initials in their coded study identification number (e.g., Germany)

Requirements on the collection, storage & future use of genetic samples vary from country to country

Problems Arising With Respect to Opt-In Consent for Observational / Retrospective Studies:

– Growing body of evidence:

• Opt-in Consent may result in selection bias

• Opt-in Consent may result in unrepresentative, incorrect, or misleading findings

In one study, analyses confined to the hospital records of women who consented to the postal questionnaire survey showed a spurious finding concerning the provision of radiotherapy for women from underprivileged areas and uncertainty concerning the general provision of care due to small sample size.

In another study of consent bias on medical records, it was found that requiring written authorization for research use of the medical records resulted in substantial biases in etiologic and outcome studies, the direction and magnitude of which may vary according to the purpose of the research.

Accordingly, research studies based on medical records, for the purpose of reviewing the coverage and equity of health care should, with appropriate safeguards, be recognized as a class of study for which individual patient consent is not required or even encouraged.

References on Selection Bias / Misleading Results

– Macleod U, Watt CMW: The impact of consent on observational research: a comparison of outcomes from consenters and non consenters to an observational study. BMC Medical Research Methodology 2008, 8:15 doi:10.1186/1471-2288-8-15.

– Jacobsen SJ, Xia Z, Campion ME, Darby CH, Plevak MF, Seltman KD, Melton LJ: Potential effect of authorization bias on medical records research. Mayo Clin Proc 1999, 74:330-338.

– Woolf SH, Rothemich SF, Johnson RE, Marsland DW: Selection bias from requiring patients to give consent to examine data for health services research. Arch Fam Med 2000, 9:1111-1118.

– Harris T, Cook DG, Victor C, Beighton C, DeWilde S, Carey S: Linking questionnaires to primary care records: factors affecting consent in older people. J Epidemiol Community Health 2005, 59:336-338.

– Dunn KM, Jordan K, Lacey RJ, Shapley M, Jinks C: Patterns of consent in epidemiologic research: evidence for over 25,000 responders. American Journal of Epidemiology 2004, 159:1087-1094.

– Al-Shahi R, Vousden C, Warlow C: Bias from requiring explicit consent from all participants on observational research: prospective, population study. BMJ doi:10.1136/bmj.38624.397569.68 (13 October 2005).


Pseudonymization / Dummy / Key-Coding Data in Clinical Trials, Wherever Possible


DPAs & Ethics Committees: Determination on Case-by-Case Basis, Strictly Interpreted, & Rarely Challenged

Two unique identifiers

• To check that patients are not enrolling in the same study at different sites or different studies at same site

Dummy Data

• Increases error rates & risk to patients’ safety

Privacy Risk Very Low

• No reported incidents of improper re-identification of a study subject

Labs and ECGs?

• Lab & ECG results read & reported in specific age ranges & require other identifiers

Reasonably Balancing Risks to Patients’ Safety & Data Integrity?


This Sidley update has been prepared by Sidley Austin LLP for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from professional advisers.

Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300 and One South Dearborn, Chicago, IL 60603, 312.853.7000.

Prior results do not guarantee a similar outcome.

FEBRUARY 29, 2012

PRIVACY, DATA SECURITY AND INFORMATION LAW UPDATE

White House Issues First Ever Administration-Level Data Privacy Framework

On February 23, 2012, the Obama Administration released an important policy initiative embodied in a white paper setting forth a comprehensive privacy framework—the first such framework ever introduced by any administration. The white paper, titled Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (the “White Paper”), is the culmination of extensive policy development by the U.S. Commerce Department and the Federal Trade Commission. The White Paper also represents a significant U.S. response to the European Union’s proposed data protection regulation to replace the EU Data Protection Directive (95/46/EC). The White Paper has reasserted the U.S. position that the U.S. framework for data protection is substantively strong and worthy of “mutual recognition” by the EU, but it may also crystallize a clash between the EU conception of privacy as a fundamental human right and the U.S. conception of privacy as a value to be balanced against competing values (e.g., innovation, communication and economic growth). Perhaps the most important dimension of the White Paper is who, how and where it was issued: by announcing the White Paper in the White House with a statement by the President, it is intended to represent a presidential initiative; this could significantly elevate the stature of privacy and data protection issues in the overall hierarchy of federal policy.

Overall, the framework adopts a balanced approach to the contentious debate about privacy as a fundamental human right versus privacy as a hindrance to innovation. First, the White Paper expressly affirms the administration’s stated commitment to the Internet as an open, decentralized user-driven platform for communication, innovation and economic growth. It is important that the Paper acknowledges the clear benefits to consumers of promoting and preserving openness, flexibility and innovation in connection with collecting and using data. Second, while proposing relatively modest changes to U.S. privacy law, it essentially confirms that the existing model of U.S. privacy law is working reasonably well both to protect privacy and to promote innovation. And third, it recognizes that the substantive values underlying the U.S. approach to privacy as expressed in the framework itself are substantially equivalent to those expressed by the EU Data Protection Directive and the Asia-Pacific Economic Cooperation Privacy Framework.

The White Paper sets forth four “key elements” to protecting privacy. These elements include: (1) the first ever “Consumer Privacy Bill of Rights”; (2) development of “appropriate, legally enforceable codes of conduct” through the cooperation of private and public stakeholders; (3) Federal Trade Commission (“FTC”) enforcement of the Consumer Privacy Bill of Rights; and (4) “mutual recognition” and “enforcement cooperation” aimed at “global interoperability.” Among the more notable principles advanced in the White Paper are standards obligating companies to limit the overall amount of data they collect about consumers in a more “focused” manner, and to restrict the data they collect and use in light of the “context” of their relationship with consumers. At the same time, the White Paper emphasizes that consumers also bear significant responsibility for managing the privacy of their own data.

Perhaps most significantly, the framework proposes to make industry privacy and security practice more consistent and useful to consumers through development of industry-wide codes of conduct and nationally standardized approaches to privacy disclosures and choices. Indeed, the White Paper overall expresses strong support for a unified, national approach to privacy and data security through federal standards and preemption of state laws. In particular, it argues that the patchwork of state data breach laws creates burdens without commensurate benefits, and that expansion of FTC enforcement authority would enhance standardization by strengthening the hand of a central federal regulator.

While the White Paper emphasizes the importance of national uniformity, it does not purport to replace or challenge the role or propriety of the sector-specific federal laws that currently comprise U.S. privacy and data security law. Indeed, the White Paper is a clarion confirmation that the existing U.S. privacy framework is working well, and that case-by-case enforcement effectively protects consumers’ privacy.

White Paper Advocates Adoption of Consumer Privacy Bill of Rights

The Consumer Privacy Bill of Rights purports to create a federal “baseline of clear protections for consumers and greater certainty for companies.” It represents an effort to unify existing U.S. privacy law, which is viewed by some observers—especially in the EU—as an uneven amalgam of sector-specific laws at both the federal and state levels. The White Paper asserts that, while the current U.S. framework is flexible and effective in certain regards, gaps in federal privacy protection exist in several sectors of the economy. The White House argues that the framework advocated in the White Paper will be consistent with President Obama’s regulatory review/cost-benefit Executive Order No. 13563, and thus provide greater certainty, promote innovation, and minimize compliance costs for businesses while giving consumers more tools for understanding and controlling how their personal data “flows in the digital economy.” Unfortunately, however, the White Paper does not explain how or why the policies it advocates would satisfy existing cost-benefit review standards. Nonetheless, by addressing standardization at a federal level, the White Paper’s endorsement of the Consumer Privacy Bill of Rights may move international perceptions of U.S. privacy law closer to the model of a comprehensive, omnibus approach to data privacy and protection seen in the EU and in other nations, including Argentina, Australia, Canada, Israel and New Zealand.

The Consumer Privacy Bill of Rights is based on Fair Information Practice Principles (“FIPPs”), a longstanding framework embedded in the federal Privacy Act of 1974 addressing privacy with respect to government agencies. The FIPPs approach is echoed in a number of state laws. As described in the white paper, the FIPPs embrace a “flexible” approach to evaluating the competing interests that underlie privacy in order to encourage innovation. As set forth in the Consumer Privacy Bill of Rights, these principles are:

• Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.

• Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.

• Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.

• Security: Consumers have a right to secure and responsible handling of personal data.

• Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.


• Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.

• Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

Consumer Privacy Bill of Rights Implementation

Significantly, the Administration believes that the Consumer Privacy Bill of Rights can have an immediate and lasting impact on the regulatory landscape even if Congress does not pass legislation adopting it. The Administration intends for this framework to “serve as a template for privacy protections” in the U.S. Indeed, the Administration announced that it “will implement this framework without delay,” by charging the Department of Commerce to work with federal agencies “to convene stakeholders, including our international partners, to develop enforceable codes of conduct that build on the Consumer Privacy Bill of Rights.” This call to immediate action is perceived as an alternative to congressional action that is stymied by indecision over other privacy legislation, including a host of data breach notification and cybersecurity bills. The Administration is plainly looking to influence both consumers and companies to adopt the Consumer Bill of Rights as the prevailing set of common expectations that can be enforced by the FTC, state Attorneys General and plaintiffs’ lawyers through existing legal authorities.

Stakeholder Participation Will Guide Code of Conduct Development

The White Paper outlines the Administration’s goal of initiating a multi-stakeholder process to produce enforceable codes of conduct implementing the Consumer Privacy Bill of Rights. The Administration announced in the White Paper its goal of involving stakeholders, including consumer groups and privacy advocates, in open and transparent forums directed by the National Telecommunications and Information Administration, the agency within the Department of Commerce charged with advising the President on telecommunications and information policy.

The purpose of these forums would be to arrive at a consensus on legally enforceable codes of conduct for each market or business context, so that consumers can be assured of a consistent approach to privacy among similar companies. The White House took care to note that private sector participation would be voluntary and companies would not be required to adopt a given code of conduct. While private sector participation would be voluntary, these codes of conduct will have far-reaching legal significance, as they create a new standard of “reasonable” privacy and security; deviation from the code could entail liability under existing law, negligence actions or trigger an FTC enforcement action. Ultimately, however, the codes of conduct are intended to give U.S. companies a role in developing clear standards and safe harbors regarding their compliance with U.S. privacy law.

Consumer Privacy Bill of Rights Enforcement Delegated to the FTC

Under the Administration’s framework, the FTC would have potentially far-reaching rulemaking authority under the Administrative Procedure Act (“APA”) as well as enforcement powers over privacy issues. While the White Paper asserts that it intends to expand the FTC’s enforcement authority, it simply endorses the FTC’s recent de facto assumption of considerable privacy regulatory authority in high-profile enforcement actions against Google, Facebook, Twitter and other prominent companies, and clarifies the range of the agency’s authority. In proposing APA rulemaking authority for the FTC, the White Paper does not mention that this independent agency is not currently obligated to follow the cost-benefit principles set forth in Executive Order 13563 and in other Executive Orders governing regulatory review, although it has committed to do so voluntarily. As evidenced in recent congressional activity on data breach legislation, Congress will not easily agree to endow the FTC with new rulemaking authority.

The White House cites FTC enforcement as a critically important tool in ensuring that companies are accountable for adhering to their privacy commitments and that responsible companies are not disadvantaged by competitors who may adopt less stringent privacy policies or practices. In the White Paper, the Obama Administration encourages Congress to provide the FTC and state Attorneys General with specific authority to enforce the Consumer Privacy Bill of Rights should it be adopted into law. It is unclear how this mandate would impact current FTC privacy enforcement trends under the FTC’s current Section 5 authority; the White House notes that the FTC and state Attorneys General have authority to enforce private-sector standards that are adopted by industry pursuant to its pre-existing legal authority.

In addition, the White Paper recommends permitting the FTC to grant a “safe harbor” from enforcement of the Consumer Privacy Bill of Rights to companies that adopt and follow a code of conduct that has been reviewed and approved by the FTC. Companies that decline to adopt one of the codes of conduct or fail to seek FTC review of a self-created code would be subject to the general obligations imposed by the Consumer Privacy Bill of Rights. It is possible that the FTC would permit companies to use the award of “safe harbor” status as a point of competitive distinction in the digital marketplace.

Global Interoperability as an Administration Goal

In the White Paper, the Administration recognizes that Internet commerce has been tremendously helpful for American companies, and states that its goal is improving international interoperability to provide consistent rules for personal data in the user-driven and decentralized online environment. The White Paper cites mutual recognition and enforcement cooperation, with a focus on effective enforcement and well-defined accountability mechanisms, as the two principles that underlie the administration’s approach to interoperability. The White Paper advocates for law enforcement cooperation to ensure that countries are able to protect their citizens’ rights when personal data crosses national boundaries. At the same time, it calls for the federal government to clarify global data protections and ensure flexibility that leads to commercial innovation. Its clear message is that the Executive branch must—and will—engage more with international counterparts on key data privacy issues.

Dogs That Didn’t Bark

The White Paper is notable not only for its proposals, but also for its resounding silence on several high-profile privacy issues. For example, the White Paper does not mention the need for or the importance of protecting against dignitary or intangible harm resulting from privacy abuses, nor does it address “big data” issues, such as data mining and analytics, even though such practices have recently garnered considerable scrutiny in the U.S. (by members of Congress and the FTC) and abroad. While the framework would bolster FTC authority, the White Paper does not purport to present any Executive agency as a centralized privacy policy maker akin to Data Protection Authorities in the EU and elsewhere. And, interestingly, the White Paper makes no express attempt to claim EU-level “adequacy” for the U.S. data protection system.

The White Paper Follows a Year of Administration Data Privacy Activity

The new White Paper does not come as a surprise. The Obama Administration has been working steadily towards this moment for more than a year. In October 2010, the administration launched an inter-agency committee to address issues relating to privacy and Internet policy.1 This was followed in December 2010, by the release of significant reports addressing the topic of consumer privacy prepared by the FTC2 and the Department of Commerce Internet Policy Task Force.3

In March 2011, the Obama Administration called for a “privacy bill of rights” and in November 2011, the administration announced that it will move forward in proposing privacy legislation. In December 2011, the administration released recommendations that included creating a privacy policy office in the Commerce Department and establishing clear guidelines for what kind of information can be collected about users and how companies can use the data. The new White Paper builds on these prior efforts. The Obama Administration has stated that it will work with federal agencies to convene stakeholders, including consumer groups, privacy advocates, and industry stakeholders, to develop enforceable codes of conduct building upon the Consumer Privacy Bill of Rights. The FTC is expected to release its own privacy report early this year.

If you have any questions regarding this update, please contact the Sidley lawyer with whom you usually work.

1 White House Office of Sci. & Tech. Policy, White House Council Launches Interagency Subcommittee on Privacy & Internet Policy (Oct. 24, 2010), http://www.whitehouse.gov/blog/2010/10/24/white-house-council-launches-interagency-subcommittee-privacy-internet-policy.

2 Fed. Trade Comm’n, Preliminary FTC Staff Report, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers (Dec. 2010).

The Privacy, Data Security & Information Law Practice of Sidley Austin LLP

We offer clients an inter-disciplinary, international group of lawyers focusing on the complex national and international issues of data protection and cyber law. The group includes regulatory compliance lawyers, litigators, financial institution practitioners, healthcare lawyers, EU specialists, IT licensing and marketing counsel, intellectual property, and white collar lawyers. Sidley provides services in the following areas:

• Privacy and Internet Litigation and Regulatory Advice

• Data Breach, Incident Response, and Cybersecurity Advice

• Global Data Protection and Information Security

• Information Governance Assessments and Compliance Programs

• International Data Transfer Solutions, Outsourcing and Cross-Border Issues

• Cyberlaw, E-Commerce, Social Media, Cloud Computing and Internet Issues

• EU, China and Japan Compliance Counseling

• Gramm-Leach-Bliley and Financial Privacy

• HIPAA and Healthcare Privacy

• Communications Law and Data Protection

• Workplace Privacy and Employee Monitoring

• Unfair Competition, Advertising and Consumer Protection

• Website Policies

• Online Trademarks and Domain Name Protection

• Records Retention, Electronic Discovery, Government Access and National Security


3 U.S. Dep’t of Commerce Internet Policy Task Force, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework (Dec. 2010).


APRIL 3, 2012

PRIVACY, DATA SECURITY & INFORMATION LAW UPDATE

FTC Releases Final Report on Consumer Privacy: Calls for Enhanced Practices and Further Congressional Action

On March 26, 2012, the Federal Trade Commission (“FTC” or “Commission”) released its long-awaited report on consumer privacy, “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers” (the “Report”).1 The Report presents the Commission’s conclusions drawn from its review of consumer privacy practices and regulations, including hundreds of comments from industry, consumer groups, and other stakeholders, following the FTC’s call for a new privacy “framework” in a December 2010 preliminary staff report (the “preliminary report”).2 This report was issued as a Commission document, rather than a staff draft, over the dissent of Commissioner J. Thomas Rosch. The key concepts advanced by the FTC include the following: privacy by design, meaningful consumer choice, and industry transparency. The Commission suggests that the framework provided within the Report should serve as a baseline model for business-consumer privacy expectations.

The Report states that the FTC will not proceed to enforce standards unless they already are part of existing law but clarification is lacking as to what that will mean in practice. By elaborating a baseline set of privacy expectations, the Report indicates that the FTC will continue its diminishment of the value of consumer-facing privacy policies. The Report also suggests that the Commission will increase its scrutiny of “unfair” privacy trade practices. Significantly, the Report offers no cost-benefit analysis to justify its new standards and does not acknowledge the importance of preserving innovation on the Internet as clearly as the FTC staff's preliminary report.3

The new Commission document appears to be considerably more regulatory in tone and intent than the preliminary staff report and the White House approach, although the Commission expresses the belief that its framework is “consistent” with the policies outlined in the Obama Administration’s Consumer Privacy Bill of Rights. The White House paper, titled “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy” (“Administration White Paper”), was released on February 23, 2012.4

1 FTC, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (Mar. 26, 2012), hereinafter “Report,” available at http://www.ftc.gov/os/2012/03/120326privacyreport.pdf.

2 FTC, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers (Dec. 1, 2010) (hereinafter “Report”), available at http://www.ftc.gov/os/2010/12/101201privacyreport.pdf. See Sidley Update: FTC Report Heralds Intensified Privacy Regulation (Dec. 16, 2010), available at http://www.sidley.com/sidleyupdates/Detail.aspx?news=4637.

3 For an overview of the privacy framework as it was proposed in the preliminary report, see Sidley Update: FTC Report Heralds Intensified Privacy Regulation (December 16, 2010), available at http://www.sidley.com/sidleyupdates/Detail.aspx?news=4637.

The FTC intends the Report to help establish best industry practices and assist Congress in developing privacy legislation. The FTC also expects its Report to complement the Department of Commerce’s “parallel privacy initiative.”5 Notably, the FTC explains in the Report that it does not anticipate using the privacy framework elaborated within the Report as a predicate for future law enforcement actions under the FTC Act.

In the Report, the Commission urges companies to implement best practices—including making privacy the “default setting” for commercial data practices and providing consumers with control over the collection and use of their personal data—to protect consumers’ personal information, enhance trust, and stimulate commerce. The FTC suggests that “privacy by design,” “simplified choice for businesses and consumers,” and “greater transparency” should be the basic tenets of companies’ privacy practices.

The FTC plans to promote the implementation of the privacy framework by focusing on five major aspects of the framework. The FTC plans to work with the Digital Advertising Alliance and World Wide Web Consortium to advance international standards for Do Not Track, and with industry and the Department of Commerce to develop sector-specific codes of conduct as suggested in the Administration White Paper. The FTC asks the data broker industry to consider the creation of a centralized website to provide consumers with information about the industry and about how to access or exercise choice relating to their data. Finally, the FTC plans to host two public workshops in 2012: one workshop, on May 30, will focus on the development of improved privacy protections in the context of mobile services, including the adoption of short and effective privacy disclosures for use on mobile devices; the second workshop, scheduled for the second half of the year, will explore issues relating to how “large platform providers,” such as Internet Service Providers, operating systems, browsers, and social media, may comprehensively track consumers’ online activities.

The Report differs in several respects from the framework outlined in the preliminary report. First, the FTC will not apply the privacy framework to companies collecting only non-sensitive data from fewer than 5,000 consumers per year, so long as the companies do not share the consumer data with third parties. Second, the Commission revised its approach to how companies should provide privacy choices to consumers: the Report advocates a “context of the interaction” standard, under which companies would not be required to provide consumers with choice prior to collection of the consumers’ data for practices that are “consistent with the context of the transaction,” “consistent with the company’s relationship with the consumer,” or as required or authorized under law. In essence, this approach would favor first-party Internet advertisers and undercut third-party Internet advertisers and advertising networks and exchanges. Third, the Commission recommends that Congress consider enacting legislation to bring transparency for and control over information brokers’ practices, in addition to general, baseline privacy legislation. Fourth, and finally, the Report singles out the use of deep packet inspection for advertising/tracking purposes as a practice that is of special concern to the FTC. In particular, the FTC suggests that “large platform providers,” including internet service providers, browsers, and operating systems, might be subject to additional Commission scrutiny because of their ability to “comprehensively track” consumers.

The FTC Privacy Framework

The FTC intends the final privacy framework to explain best practices for companies working with consumer data and to assist Congress as it considers privacy legislation. Although the framework excludes many small businesses, it expressly applies to “all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device, unless the entity collects only non-sensitive data from fewer than 5,000 consumers per year and does not share the data with third parties.” The FTC also took pains to ensure that the framework is seen as a complement to guidance existing under the Health Insurance Portability and Accountability Act (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Gramm-Leach-Bliley Act (“GLBA”) that will provide a baseline for companies not subject to sectoral regulation. The Commission asserts in the Report that, despite FTC involvement in its development and enforcement, the proposed framework will be “self-regulatory.”

4 See Sidley Update: White House Issues First Ever Administration-Level Data Privacy Framework (Feb. 29, 2012), available at http://www.sidley.com/SidleyUpdates/Detail.aspx?news=5110.

5 The FTC notes in the Report that Commission and Department of Commerce staff have “communicated regularly” with respect to developing a “consistent approach to privacy protection.” Report at 3. The FTC also notes that the new framework reflects similar “international interest” in developing more inter-operable systems.

Privacy By Design. The framework reiterates the FTC’s earlier call for adoption of “privacy by design,” explaining that companies should promote consumer privacy throughout their organizations and at every stage of product/service development. Practically, this means that companies should incorporate substantive privacy protection into their business practices, including through adoption of robust data security measures, reasonable limits on the collection of data, sound retention and disposal policies, and mechanisms for ensuring data accuracy. The FTC views these measures as being “consistent” with the policies outlined in the Obama Administration’s Consumer Privacy Bill of Rights, although “privacy by design” was notably absent from the White House White Paper. According to the FTC, these procedures and policies should be maintained through the life cycle of a company’s products/services, and might include the implementation of accountability mechanisms and of regular privacy risk assessments, although it does not provide anything more than generalized guidance about the desired type and level of such mechanisms and assessments.6

Choice. The FTC also calls for simplified consumer choice as part of the privacy framework. In order to lessen the burden of this requirement, the agency made clear that certain commonly accepted or obvious practices do not require consumer choice: companies will not need to provide choice before collecting or using consumer data for practices that are obvious from the context of the transaction or from the company’s relationship with the consumer, or that are required or authorized under law. This approach reflects a potential expansion of the practices not requiring choice under the preliminary report’s framework.

Where consumer choice is required, the FTC stresses that companies should offer the choice at the time and in the context in which consumers are actually making choices about their data, rather than through more traditional privacy policies posted on advertiser websites. The FTC suggests that, generally, companies should obtain express consumer consent before using consumer data in ways that are materially different from the prospective uses cited when the data were collected, or when collecting sensitive data for certain purposes.

Transparency. The final aspect of the FTC framework focuses on the Commission’s aim to increase transparency in companies’ data practices. The FTC calls on companies to provide: “clearer, shorter, and more standardized” privacy policies that will allow consumers to better comprehend and compare privacy practices; “reasonable access” to consumers for data maintained about them, proportionate to the sensitivity of the data and the nature of its use; and expanded efforts to educate consumers.

Discussion of What Constitutes “Harm”

In the Report, the Commission reiterates its perspective that privacy-related harms go beyond economic or physical harm or unwarranted intrusions. Instead, the Report urges, the privacy framework should recognize a “more expansive” range of harms, including those that might arise from unanticipated uses of consumer data. The FTC explains that, while imposing new privacy protections may be costly, it will ultimately help consumers and benefit businesses by encouraging and building consumer trust in the market, and that businesses are already marketing privacy as a competitive business advantage.

6 The Report cites, as examples of how procedural safeguards might work in practice, the Commission’s recent settlement orders with Google and Facebook. The orders mandate privacy programs that must, at a minimum, contain procedures or controls addressing (1) the designation of personnel responsible for management of the privacy program; (2) risk assessments addressing employee training and management, and product design and development; (3) implementation of controls to address identified risks; (4) appropriate oversight of service providers; and (5) continual revision and adjustment in light of regular testing and monitoring. See In the Matter of Google, Inc., FTC Docket No. C-4336 (Oct. 13, 2011) (consent order), available at http://www.ftc.gov/os/caselist/index.shtm.

Expanded Scope of Consumer Data

The Report notes concerns about the “decreasing relevance of the personally identifiable information (‘PII’) label,” referencing studies demonstrating consumer discomfort or objections to being tracked, regardless of the involvement or use of PII. The Report states that it was “appropriate” for the Commission to more comprehensively examine various types of data to determine whether they have privacy implications. As a result of its review since the preliminary report, the Commission’s framework incorporates a more wide-ranging scope of data, including any data that, while not yet linked to a particular consumer, computer, or device, may reasonably become so.

The Commission encourages companies to de-identify data and recognizes in the Report that contractual restrictions on re-identification are generally adequate safeguards, even though it theoretically might be mathematically or practically possible to re-identify data. Accordingly, the Commission clarifies in the Report its “reasonable linkability standard.” Under this standard, in order to establish that data are not “reasonably linkable” to a particular consumer or device, a company must: (1) take reasonable measures to ensure de-identification of data; (2) publicly commit to maintain and use the data in a de-identified fashion; and (3) contractually prohibit downstream entities with which the company shares the data from attempting to re-identify the data.

“Take it or Leave it” Choice

The Report addresses instances where consumer use of a particular service or product is contingent upon acceptance of the company’s data practices, which the Commission refers to as a “take-it-or-leave-it” privacy choice. The Commission notes that this approach is problematic from a privacy perspective, particularly in markets where consumers have limited choices, and might not offer consumers what the Commission would consider to be a “meaningful choice.” It is not clear whether the FTC believes meaningful choice requires a “cost-less” choice, as some European regulators have advocated, or merely a more robust disclosure of the costs associated with the choice. Instead, the FTC suggests that these “one-sided transactions” may place consumers’ privacy interests at risk, and that “take-it-or-leave-it” choice is only acceptable for “less important products and services in markets with sufficient alternatives” and where the terms of the exchange are transparent and fairly disclosed.

Do Not Track

The Report reiterates the Commission’s desire for a workable Do Not Track mechanism, and applauds industry efforts to improve consumer control over behavioral tracking. In encouraging industry development of the Do Not Track mechanism, the FTC reiterates that the mechanism should include five key principles: (1) the mechanism should be universally implemented to cover all parties that would track consumers; (2) the mechanism should be easy for consumers to find, understand, and use; (3) the choices should be persistent and not subject to easy or accidental override; (4) the system should be comprehensive, effective, and enforceable; and (5) the mechanism should opt consumers out of all collection of behavioral data for all purposes other than those consistent with the context of the interaction.

Deep Packet Inspection

The Report singles out the use of deep packet inspection (“DPI”) for advertising/tracking purposes as being of particular concern to the FTC. The Report notes a “general consensus” among commentators that DPI deployed for marketing purposes is distinct from other forms of marketing practices employed by companies which have first-party relationships with consumers, and thus at a minimum should require consumer choice. The Report does not address, however, the effects of this approach in skewing the market for Internet advertising toward Internet sites and away from Internet providers. Despite the fact that Internet providers tend to have a closer relationship with consumers than the websites they visit, the FTC folds this analysis in with the framework’s general consideration of companies with first-party relationships tracking consumers across other websites, noting that DPI, like social plug-ins, cookies, and web beacons, should require consumer choice when it is deployed across other parties’ websites. The FTC rejected the argument that a major cross-platform provider like Google can develop as comprehensive a picture of users’ data as DPI would allow.

Affiliates and Cross-Channel Marketing

The Report maintains the Commission’s view that affiliates are third parties, necessitating consumer choice before data transfer, unless the affiliate relationship is clear to consumers, e.g., through common branding. In instances where the relationship is not clear, the Commission suggests that consumer notification and consent would be necessary. The Commission agrees with commentators, however, that cross-channel or cross-platform marketing, wherein a company establishes a relationship through one medium and contacts a consumer through another, falls within the first-party marketing concept and would not require obtaining additional choice or consent.

Data Enhancement

The FTC addresses in the Report how companies should view data enhancement, where companies append third-party-sourced data to data obtained directly from consumers. The Commission notes that requiring the first-party company to offer consumers choice over data enhancement would “impose costs and logistical problems that could preclude the range of benefits that data enhancement facilitates.” Instead, as the framework already suggests, companies seeking to share data relating to customers with third parties should offer consumer choice. Thus, the third party sharing the data used to enhance the first party’s data would be responsible under the framework for offering consumer choice.

Consumer Choice for First-Party Marketing

The Report explains the Commission’s view that affirmative express consent is an appropriate safeguard for instances in which a company uses sensitive data for first-party or third-party marketing, and that special consideration must be given to protecting sensitive data. As a result, even companies that collected sensitive data through a first-party relationship should offer consumer choice before using any sensitive data for marketing. In instances where a company’s business model is predicated on targeting consumers based on sensitive data (e.g., data relating to financial affairs, health, or children), the FTC suggests that the company seek affirmative express consent prior to collecting data from those consumers.

Data Brokers

The Commission defines data brokers as companies that “collect information, including personal information about consumers, from a wide variety of sources for the purpose of reselling such information to their customers for various purposes, including verifying an individual’s identity, differentiating records, marketing products, and preventing financial fraud.” The Report explains that the FTC has sought additional Congressional legislation addressing data brokers since 2009, and again requests that Congress develop legislation further regulating data brokers’ practices to increase transparency in the industry and to enhance consumer access and control over data held by data brokers.

At the same time, the Report suggests that the data broker industry should explore the idea of establishing a centralized website for data brokers to (a) identify themselves to consumers and (b) provide consumers with information about data collection, consumer access rights, and consumer choice.

Industry Efforts, Implementation, and Enforcement

Notably, the Commission recognizes that industry has made progress since the preliminary report, including its response to the preliminary report’s call for “Do Not Track,” and urges industry to accelerate the pace of self-regulation. The FTC also explicitly states that the Report’s framework is not intended to serve as a “template for law enforcement actions or regulations under laws currently enforced by the FTC” in instances where the framework appears to go beyond existing legal requirements. The Commission also notes that it will view adherence to its proposed sector-specific codes of conduct “favorably in connection with its law enforcement work.” Nonetheless, the Report reflects a shift in the Commission’s interpretation of the FTC Act in the privacy and data protection context: whereas FTC privacy enforcement has traditionally been predicated on rooting out “deceptive” trade practices, the Report and recent cases suggest that the Commission is increasingly concerned about “unfair” trade practices as they relate to privacy.

Commissioner Rosch’s Dissent

Commissioner J. Thomas Rosch dissented from the issuance of the Report. While noting that he agrees in several respects with the Report’s findings, and applauding the Report’s recommendations for congressional legislation, Rosch voiced concerns relating to several parts of the Report, including its use of language that hints at the prospect of future law enforcement. Rosch questioned the constitutionality of banning “take-it-or-leave-it choice” and noted that the Report adopted language most friendly to “consumer organizations and large enterprises” when labeling behavioral tracking as “unfair” and considering “reputational harm” as deserving of Commission redress. In particular, Rosch questioned the Report’s “apparent mandate” that ISPs use opt-in choice before deploying deep packet inspection, while not requiring the same of other large platform providers, suggesting instead that, for all large platform providers, affirmative express consent should be required only in instances where the provider actually seeks to use data to create detailed and comprehensive customer profiles.

If you have any questions regarding this update, please contact Andrew J. Strenio, Jr. (+1.202.736.8614, [email protected]), Edward R. McNicholas (+1.202.736.8010, [email protected]), Alan Charles Raul (+1.202.736.8477, [email protected]), Jonathan P. Adams (+1.202.736.8049, [email protected]), or the Sidley lawyer with whom you usually work.

The Privacy, Data Security & Information Law Practice of Sidley Austin LLP

We offer clients an inter-disciplinary, international group of lawyers focusing on the complex national and international issues of data protection and cyber law. The group includes regulatory compliance lawyers, litigators, financial institution practitioners, healthcare lawyers, EU specialists, IT licensing and marketing counsel, intellectual property, and white collar lawyers. Sidley provides services in the following areas:

Privacy and Internet Litigation and Regulatory Advice

Data Breach, Incident Response, and Cybersecurity Advice

Global Data Protection and Information Security

Information Governance Assessments and Compliance Programs

International Data Transfer Solutions, Outsourcing and Cross-Border Issues

Cyberlaw, E-Commerce, Social Media, Cloud Computing and Internet Issues

EU, China and Japan Compliance Counseling

Gramm-Leach-Bliley and Financial Privacy


HIPAA and Healthcare Privacy

Communications Law and Data Protection

Workplace Privacy and Employee Monitoring

Unfair Competition, Advertising and Consumer Protection

Website Policies Online Trademarks and Domain Name Protection

Records Retention, Electronic Discovery, Government Access and National Security

To receive future copies of this and other Sidley updates via email, please sign up at www.sidley.com/subscribe


www.sidley.com

Sidley Austin LLP, a Delaware limited liability partnership which operates at the firm’s offices other than Chicago, New York, Los Angeles, San Francisco, Palo Alto, Dallas, London, Hong Kong, Houston, Singapore and Sydney, is affiliated with other partnerships, including Sidley Austin LLP, an Illinois limited liability partnership (Chicago); Sidley Austin (NY) LLP, a Delaware limited liability partnership (New York); Sidley Austin (CA) LLP, a Delaware limited liability partnership (Los Angeles, San Francisco, Palo Alto); Sidley Austin (TX) LLP, a Delaware limited liability partnership (Dallas, Houston); Sidley Austin LLP, a separate Delaware limited liability partnership (London); Sidley Austin LLP, a separate Delaware limited liability partnership (Singapore); Sidley Austin, a New York general partnership (Hong Kong); Sidley Austin, a Delaware general partnership of registered foreign lawyers restricted to practicing foreign law (Sydney); and Sidley Austin Nishikawa Foreign Law Joint Enterprise (Tokyo). The affiliated partnerships are referred to herein collectively as Sidley Austin, Sidley, or the firm.


© This article was first published in the Life Sciences multi-jurisdictional guide 2012 and is reproduced with the permission of the publisher, Practical Law Company.

Analysis

MULTI-JURISDICTIONAL GUIDE 2012

LIFE SCIENCES

Data protection and life sciences: impact of the proposed EU regulation

William Long, Anna Pavlou and Jessica Walch Sidley Austin LLP

www.practicallaw.com/8-518-3359

Rapid technological developments and globalisation have brought new challenges for the protection of personal data. In response to these challenges, in January 2011 the European Commission (Commission) published a proposal for a new regulation to protect individuals with regard to the processing and transfer of personal data (Proposal for a Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (proposed regulation)) to replace the current Directive 95/46/EC on data protection (Data Protection Directive).

The ability to collect, analyse and transfer personal data, including sensitive personal data used in clinical trials, adverse event reporting and medical research, is critical to the life sciences industry and to progress and safety in medical science. Therefore, regulations controlling how these activities should be performed must be carefully examined and appropriately applied.

If adopted in its current form, the proposed regulation will have a fundamental impact on the life sciences industry. It introduces a more aggressive enforcement approach with fines up to 2% of a company’s annual worldwide turnover. Supervisory authorities can impose a temporary or definitive ban on processing personal data, enter premises and suspend data flows to a recipient located in a non-EU member state or to an international organisation. Further, any organisation aiming to protect the data protection rights of individuals, such as consumer organisations, can submit a complaint to national data protection authorities and bring actions on behalf of individuals for non-compliance with the proposed regulation.

The life sciences industry is well advised to assess the practical impact of the proposed regulation on its activities and be actively involved in discussions on the proposed regulation as it moves through the EU legislative process, to ensure the final form takes into account the particularities of the industry.

Against this backdrop, this article sets out the background to the proposed regulation, and examines the impact of the proposed changes on the following areas of the life sciences sector:

• Clinical trials, including:

  • data controllers and data processors; and

  • international transfers of clinical data.

• Pharmacovigilance.

• Health data and consent.

• Medical research.

BACKGROUND

In 2009, the Commission launched a review of current EU data protection law to consider whether it was still effective. Following the public consultation, a number of issues were identified, including the need to:

• Clarify the application of data protection principles to new technologies.

• Increase legal certainty and lessen the administrative burdens on businesses through harmonisation of data protection rules.

• Review and streamline the requirements applying to international data transfers.

• Strengthen the role of data protection authorities to ensure better enforcement.

• Adopt a coherent data protection legal framework applying to all sectors and providing for consistent and effective data protection.

The Commission published the proposed regulation on 25 January 2011. It will now go through the European legislative process and is set to be adopted in 2014. The proposed regulation will be enforceable in all member states two years after it has been adopted.

CLINICAL TRIALS

Establishing, managing and operating clinical trials present a number of challenges for life sciences companies from a data protection perspective.

Clinical trials involve numerous parties each with different roles and responsibilities, including sponsors, investigators, clinical research organisations (CROs), clinical research associates, laboratories, imagers, statisticians and medical coders. It is not always clear when each of these entities is considered a data controller, and therefore subject to existing data protection requirements under the Data Protection Directive, or a data processor, which currently does not directly have regulatory obligations under the Data Protection Directive.

Additionally, the collection and processing of a patient ID number and patient identifiers, such as initials and date of birth, can alternatively be considered:

• Anonymous data in some member states.

• Personal data in other member states.

• A form of disassociated data partly subject to data protection rules.

FOR MORE INFORMATION about this publication, please visit www.practicallaw.com/lifesciences-mjg; about Practical Law Company, please visit www.practicallaw.com/about/practicallaw

Finally, clinical trials can involve transfers of both patient and investigator personal data from the EU to sponsors and other service providers, such as CROs, located outside the EU. These transfers are subject to the restrictions on cross-border transfers under the current Data Protection Directive.

Data controllers and data processors

Under the Data Protection Directive, the qualification of entities involved in a clinical trial as data controllers or data processors is critical as only data controllers are directly subject to regulatory requirements.

The sponsor of a clinical trial (the pharmaceutical company) and the trial centre act, in most cases, as joint data controllers. The sponsor draws up the clinical trial protocol, provides guidance to the centres and verifies compliance by the centres with the protocol. The trial centre carries out the trial in complete autonomy according to the sponsor’s guidelines, provides patients with information notices and obtains their consent. In contrast, CROs are generally considered to be data processors. Therefore, separate data protection responsibilities are vested in the individual actors (Opinion of the Article 29 Working Party (Opinion 1/2010)).

Proposed changes. The proposed regulation keeps the current distinction between data controllers and data processors. However, it imposes a number of additional requirements on both. For example, both data controllers and data processors must maintain detailed documentation of the processing operations, including details of the purposes, types of personal data, recipients, international transfers and time limits for retention of personal data (Article 28).

Similarly, both data controllers and data processors are required to implement appropriate security measures and, where they have over 250 employees, to appoint a data protection officer for a term of at least two years.

Further, companies will no longer be required to register with national data protection authorities. This is currently common practice in many member states. As a result, it will not be necessary for sponsors of clinical trials to register the clinical trial for data processing purposes with the data protection authority in the member state where the trial is being performed.

However, the proposed regulation does require that where processing operations “present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes”, the controller or the processor, acting on the controller’s behalf, must carry out a data protection impact assessment of the envisaged processing operation (Article 33). The type of information potentially constituting a specific risk is broad and includes:

• Information on sex life, health, race and ethnic origin.

• The provision of healthcare, epidemiological research or surveys of mental or infectious diseases.

• Personal data in large scale filing systems on children, genetic data or biometric data.

Before processing personal data, the controller or processor must consult the data protection authority about the data protection impact assessment. If the data protection authority thinks that the intended processing does not comply with the proposed regulation, and in particular where risks are insufficiently identified or mitigated, it can prohibit the processing and make proposals to deal with any breach of data protection rules. Such processing activities will be made public on a register after consultation with the data protection authority (Article 34).

The proposed regulation also requires the data controller to seek the views of data subjects or their representatives on the intended processing of their health data (Article 33(4)). It is unclear how realistic this requirement will be in practice. For example, must a sponsor seek the views of all the clinical trial subjects? What is clear is that carrying out data protection impact assessments, consulting with national data protection authorities and seeking the views of data subjects will significantly impact day-to-day activities of pharmaceutical companies involved in or sponsoring clinical trials.

International transfers of clinical data

Clinical trials can involve the transfer of patient and investigator personal data from the EU to the sponsor and a large number of service providers located outside the EU. Such service providers can include the CRO and its affiliates located outside the EU, as well as laboratories, imagers, medical dictionary coders and statisticians.

The proposed regulation maintains the restriction under the Data Protection Directive regarding the transfer of personal data to non-EU member states that do not provide an equivalent level of protection, for example, the US. The proposed regulation retains existing data transfer solutions, such as EU standard data protection clauses (also referred to as model contracts) and use of Binding Corporate Rules (BCRs), which consist of a set of data protection rules adopted by an international corporate group in compliance with EU data protection requirements. Currently only data controllers in the EU can enter into model contracts as data exporters or adopt BCRs. An important change introduced by the proposed regulation is that data processors in the EU can also use these data transfer solutions, which could be an important development, for example, for CROs and other service providers involved with clinical trials.

Interestingly, the proposed regulation also provides that specific sectors (such as the healthcare or life sciences sectors) in a given country could be deemed to provide adequate data protection. This could perhaps pave the way for recognising the US as having adequate data protection laws such as The Health Insurance Portability and Accountability Act of 1996 (HIPAA).

A clinical trial sponsor established outside the EU could still be subject to all requirements laid down in the proposed regulation if it processes personal data of data subjects residing in the EU if the processing activities relate to “offering of goods or services to such data subjects or the monitoring of their behavior” (Article 34(5)). In this case the sponsor must also appoint a representative to act on behalf of the controller. Based on the current wording of the proposal, pharmaceutical companies running clinical trials in the EU may be considered as offering goods or services in the EU. If so, non-EU based sponsors of EU based clinical trials will be subject to the new requirements under the proposed regulation, including the appointment of an EU representative.


PHARMACOVIGILANCE

Processing personal data to report adverse events presents particular data protection issues for life sciences companies. Under the new Pharmacovigilance Directive (Directive 2010/84/EU amending, as regards pharmacovigilance, Directive 2001/83/EC on the Community code relating to medicinal products for human use) (Code for Human Medicines Directive) and Regulation (Regulation (EU) 1235/2010 amending, as regards pharmacovigilance of medicinal products for human use, Regulation (EC) 726/2004 on the authorisation and supervision of medicinal products and establishing a European Medicines Agency) (new pharmacovigilance legislation), pharmaceutical companies have strict obligations to report adverse events. In particular, all serious suspected adverse reactions in the EU and other countries that are reported to the marketing authorisation holder must be submitted to the EudraVigilance database, managed by the European Medicines Agency, within 15 days (Article 107, Code for Human Medicines Directive). In addition, all non-serious suspected adverse reactions that occur in the EU must be submitted electronically to the same database within 90 days.

Under existing guidance, marketing authorisation holders must ensure that individual case reports contain the following minimum information (Guidelines on Pharmacovigilance for Medicinal Products for Human Use, Volume 9A of The Rules Governing Medicinal Products in the European Union (Volume 9A)):

� An identifiable healthcare professional reporter. The reporter can be identified by name or initials, address or qualification (for example, physician, dentist, pharmacist or nurse). Contact details for a healthcare professional must be available for the reporter to be considered identifiable.

� An identifiable patient. The patient can be identified by ini-tials, patient number, date of birth, age or age group or sex.

� At least one suspected active substance or medicinal product.

� At least one suspected adverse event report.

Volume 9A specifies that the patient’s information must be as complete as possible. However, the marketing authorisation holder or local delegate must also ensure that the information concerning the reporting healthcare professional and the patient are collected and recorded according to the applicable EU and national data protection rules.

Data protection and the new pharmacovigilance legislation

The interaction between the new pharmacovigilance legislation and data protection rules was considered by the European Data Protection Supervisor (EDPS) who issued two opinions on this matter in 2009. (See Opinion of the EDPS, 2009/C 229/04, OJ C 229, 23.09.2009 and Opinion of the EDPS, 7.09.2009 (Case 2008-402).)

Balancing pharmacovigilance reporting and EU data protection requirements has not been an easy task for the life sciences industry. The new pharmacovigilance legislation does not provide much guidance in this respect. In general terms, the new pharmacovigilance legislation provides that it will "apply without prejudice to the Data Protection Directive" and that "it should be possible to process personal data within the EudraVigilance system while respecting Union legislation [on] Data Protection" (Recital 33 of Directive 2010/84/EU and Recital 23 of Regulation No. 1235/2010).

The proposed regulation introduces a specific legal basis for processing personal health data. Health data may be processed for (Article 81):

• Preventative or occupational medicine, medical diagnosis, the provision of care or treatment or the management of healthcare services, and where those data are processed by a healthcare professional subject to the obligation of professional secrecy.

• Reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety for medicinal products or medical devices.

• Other reasons of public interest in areas such as social protection.

This provision helps establish the legal basis to process personal data for pharmacovigilance purposes, as it makes specific reference to processing personal data for ensuring safety. This seems to cover pharmacovigilance activities because the purpose of reporting adverse events is to ensure high standards of quality and safety for medicinal products. The life sciences industry should, nevertheless, consider the pros and cons of having a specific reference to pharmacovigilance activities.

Key coded data. An important question for the life sciences industry is whether key coded data, such as a patient identification number, is personal data covered by EU data protection requirements.

Member states currently have different opinions on this issue. For example, in Belgium and Sweden, key coded data (pseudonymised data) are considered personal data if a third party (such as a physician) has a key that can be used to re-identify the data subject or patient.

In this respect, the proposed regulation makes it clear that personal data relating to health should include a number or symbol assigned to an individual to uniquely identify the individual for health purposes. Also included as personal data relating to health are the following categories:

• All data pertaining to the health status of a data subject.

• Information about the registration of the individual for the provision of health services.

• Information about payments or eligibility for healthcare with respect to the individual.

• Information derived from testing or examination including biological samples.

• Identification of a healthcare provider or any information on disease, disability, medical history and clinical treatment.

Anonymous data. Under the proposed regulation, the principles of data protection do not apply to data rendered anonymous in such a way that the data subject is no longer identifiable. This leaves open the question of whether an individual can be identified from a combination of different pieces of information even where a patient identification number is not used. For example, in the context of Individual Case Safety Reports (ICSRs), it may be possible to identify a given patient by putting the different pieces of information together, for example, hospital, birth date and initials.
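The two points above (key coded data, and "anonymous" data that is still identifiable by combination) are easy to get wrong in practice, so here is an added worked example. It is not part of the guide and not code from any regulator or company; the ICSR records, field names, hospital names and the site key are constructed for illustration. It shows (a) key coding of the patient number with a keyed pseudonym, so that only the party holding the key can re-identify, and (b) a k-anonymity check demonstrating that simply dropping the patient number leaves every record unique on hospital, date of birth and initials, and what generalising those fields does to that.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample ICSRs for illustration only; none of these are real reports.
# Field names are assumptions chosen to mirror the Volume 9A minimum data set
# (identifiable patient, suspected substance, suspected adverse event).
ICSRS = [
    {"patient_no": "P-0001", "hospital": "Hospital A", "dob": "1961-03-04", "initials": "JD", "substance": "substance-X", "event": "rash"},
    {"patient_no": "P-0002", "hospital": "Hospital A", "dob": "1961-07-19", "initials": "AB", "substance": "substance-X", "event": "nausea"},
    {"patient_no": "P-0003", "hospital": "Hospital A", "dob": "1961-11-02", "initials": "KL", "substance": "substance-Y", "event": "headache"},
    {"patient_no": "P-0004", "hospital": "Hospital B", "dob": "1975-05-23", "initials": "MN", "substance": "substance-X", "event": "rash"},
    {"patient_no": "P-0005", "hospital": "Hospital B", "dob": "1975-09-30", "initials": "RS", "substance": "substance-Y", "event": "dizziness"},
    {"patient_no": "P-0006", "hospital": "Hospital B", "dob": "1975-01-15", "initials": "TT", "substance": "substance-X", "event": "nausea"},
]

# Hypothetical key held only by the investigator site (the "key" in key coding).
SITE_KEY = b"constructed-example-key-held-by-site-only"

# Fields that are not direct identifiers but can single a patient out in combination.
QUASI_IDENTIFIERS = ("hospital", "dob", "initials")


def key_code(record, key):
    """Key coding: replace the patient number with a keyed pseudonym.

    HMAC-SHA256 is used rather than a plain hash because patient numbers have
    little entropy; an unkeyed hash could be reversed by enumerating candidates.
    The recipient of the coded record never receives the key."""
    pseudonym = hmac.new(key, record["patient_no"].encode(), hashlib.sha256).hexdigest()[:16]
    coded = {k: v for k, v in record.items() if k != "patient_no"}
    coded["pseudonym"] = pseudonym
    return coded


def re_identify(coded, key, candidate_patient_numbers):
    """Only a party holding the key (and the site's patient list) can invert the code."""
    table = {
        hmac.new(key, p.encode(), hashlib.sha256).hexdigest()[:16]: p
        for p in candidate_patient_numbers
    }
    return table.get(coded["pseudonym"])


def strip_direct_identifiers(records):
    """What a naive 'anonymisation' does: drop the patient number and nothing else."""
    return [{k: v for k, v in r.items() if k != "patient_no"} for r in records]


def equivalence_classes(records, quasi_identifiers):
    """Group records by their quasi-identifier values and count each group."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers):
    """k = size of the smallest group sharing the same quasi-identifier values.
    k == 1 means at least one record is unique on those fields."""
    return min(equivalence_classes(records, quasi_identifiers).values())


def singletons(records, quasi_identifiers):
    """Records that are unique on the quasi-identifiers, i.e. re-identifiable by linkage."""
    classes = equivalence_classes(records, quasi_identifiers)
    return [r for r in records if classes[tuple(r[q] for q in quasi_identifiers)] == 1]


def generalise(record):
    """Coarsen the quasi-identifiers: keep birth year only and drop initials."""
    g = dict(record)
    g["dob"] = record["dob"][:4]
    del g["initials"]
    return g


if __name__ == "__main__":
    stripped = strip_direct_identifiers(ICSRS)
    print("k without patient number:", k_anonymity(stripped, QUASI_IDENTIFIERS))
    print("unique records:", len(singletons(stripped, QUASI_IDENTIFIERS)))
    coarse = [generalise(r) for r in stripped]
    print("k after generalisation:", k_anonymity(coarse, ("hospital", "dob")))
    coded = key_code(ICSRS[0], SITE_KEY)
    print("recipient sees:", coded["pseudonym"])
    print("site re-identifies:", re_identify(coded, SITE_KEY, [r["patient_no"] for r in ICSRS]))
```

On the constructed data, removing the patient number gives k = 1 with all six records unique on hospital, date of birth and initials, which is exactly the linkage concern raised for ICSRs; keeping only hospital and birth year raises k to 3. The key coded record, by contrast, carries a pseudonym that the recipient cannot invert without the site key, which is the separation of the re-identification key from the working data that the proposed regulation describes.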


HEALTH DATA AND CONSENT

In clinical trials conducted in the EU, data subjects must provide informed consent before undertaking the trial (Directive 2001/20/EC on the conduct of clinical trials).

Informed consent must be given in writing. If the trial subject is not able to write, consent given orally and in the presence of at least one witness is accepted in exceptional cases, as set out in national legislation. The trial subject (or his legal representative if the subject is unable to give consent) must be informed of the objectives, risks and inconveniences of the trial, the conditions under which it is to be conducted, as well as his right to withdraw from the trial at any time.

Consent remains an important justification for processing personal data, including sensitive health data, under the proposed regulation (Article 9). The proposed regulation stipulates the conditions for consent and places the burden of proof on the data controller (Article 7). Where consent is provided in a written statement concerning a different matter, the requirement to give consent must be clearly distinguished from the other matter.

Under the proposed regulation, consent does not provide a legal basis for the processing where there is a "significant imbalance between the position of the data subject and the data controller". Significant imbalance is not defined. Could such an imbalance exist between trial subjects (patients) and pharmaceutical companies conducting clinical trials? If so, does this mean that informed consent given in the context of a clinical trial is no longer valid? The intention behind this provision is unclear and should be further clarified given the impact it could have on the life sciences industry.

Data subjects also have the right to withdraw their consent and request the erasure of their personal data (Articles 7 and 17, proposed regulation) (see below, Medical research). The life sciences industry must assess the practical consequences these requests could have on their daily operations. Is it possible to continue using the information without processing the personal data?

MEDICAL RESEARCH

Medical research is a key activity of the life sciences industry and yet there is uncertainty about the ability to carry out scientific research under the Data Protection Directive. In particular, it is uncertain whether personal data can be processed for secondary research without having to obtain further consent from the patient. It also appears to be unnecessary and impractical to apply the full data protection requirements to key coded research data where the recipient has no access to the key and therefore cannot identify the individual.

The proposed regulation permits the processing of personal data for historical, statistical or scientific research purposes if these purposes cannot be fulfilled by processing data which does not permit identification of the data subject, and data enabling the attribution of information to an identifiable data subject is kept separately from the other information, if possible (Article 83). This would appear to provide a legal ground to carry out scientific research on key coded data.

Additionally, bodies conducting scientific research can publish or otherwise publicly disclose personal data if:

• The data subject has given consent.

• The publication of the personal data is necessary to present research findings or to facilitate research insofar as the interests or the fundamental rights or freedoms of the data subject do not override these interests.

• The data subject has made the data public.

The practical consequences of the above exemptions are not entirely clear. For example, would placing sensitive health data on a social media platform qualify as being made public? Could the same be argued for a password protected patient forum? Would the situation change if the forum was sponsored by a pharmaceutical company?

Also relevant to medical research, and many other life sciences activities, are the new rights data subjects will have under the proposed regulation in respect of data portability (the right to transfer personal data to another provider) and the right to be forgotten (to have their data erased). Under the proposed regulation, controllers will be required to take all reasonable steps to inform third parties that any links to the copy or replication of personal data must be deleted, on request from the data subject.

While the proposed regulation provides an exemption from the obligation to erase personal data for historical, statistical and scientific research purposes, in practice it may not always be clear when this exemption applies. Clearly, any ability for individuals to erase their personal data could have a significant impact on the validity of scientific findings in clinical trials, epidemiological studies and medical research. Such a right also appears contradictory to the acknowledgement in the proposed regulation that withdrawal of consent will not affect the lawfulness of data processing based on the consent previously given by an individual.

It is clear that the proposed regulation will significantly impact the life sciences industry and will require a new approach to data processing and data protection. It is important for the life sciences industry to consider its active involvement in the discussions on the proposed regulation as the draft text progresses through the EU legislative process. Achieving the correct balance between the data protection rights of individuals while at the same time not impeding medical science and research, which is for the benefit of all of society, is not easy but it is critical in the modern digital economy.


CONTRIBUTOR DETAILS

WILLIAM LONG
Sidley Austin LLP
T +44 20 7360 2061
F +44 20 7626 7937
E [email protected]
www.sidley.com

Qualified. England and Wales

Areas of practice. Privacy, data security and information law; financial institutions regulatory; healthcare law. Co-founder of the Social Media Governance Forum. Member of DataGuidance's Panel of data protection lawyers for the pharmaceutical and financial services industries.

Recent transactions
• Advising international life sciences clients on a wide variety of social media, data protection, privacy, information security, e-commerce and other regulatory matters.
• EU and international social media, data protection and privacy projects, particularly in the life sciences and financial services sectors; advising on social media regulation, cross-border data transfers, data security and other EU and international data protection issues.

ANNA PAVLOU
Sidley Austin LLP
T +32 2 504 6419
F +32 2 504 6401
E [email protected]
www.sidley.com

Qualified. Athens, Greece

Areas of practice. Food, drug and medical device compliance and enforcement.

Recent transactions
• Advising clients and trade associations on regulatory and policy aspects of the marketing of health products, food and feed, cosmetics and other consumer goods, as well as on pharmacovigilance, clinical trials, marketing authorisations, advertising and promotional issues.
• Monitoring EU legislative processes in the field of pharmaceutical, food and consumer law.

JESSICA WALCH
Sidley Austin LLP
T +32 2 504 6480
F +32 2 504 6401
E [email protected]
www.sidley.com

Qualified. New York and Paris, registered with the Brussels Bar on the E-list

Areas of practice. Privacy, data security and information law; anti-trust/competition and technology transactions.

Recent transactions
• Various aspects of EU and competition law, including EU litigation, merger control, multi-jurisdictional merger filings, cartel investigations, abuse of dominance cases, compliance programmes, and advising on anti-trust issues in a wide range of commercial activities.
• Advising in the high tech sector, including for IT, media, telecommunications and pharmaceutical companies, with a particular focus on issues relating to intellectual property protection.