Darshan: So we've all seen a situation where people are talking about GDPR, people are talking about HIPAA. Everyone understands what this means, yet there's a second set of laws that people are ignoring. People don't realize what's at stake. People don't understand where we're going. What's a common example of this, is the state laws. CCPA is the most common one of them. CCPA stands for the California Consumer Privacy Act. It's generally broader than HIPAA, and in terms of what constitutes a private data. It was passed in June 2018. It has some very, very onerous requirements and that some might say actually exceeds what HIPAA actually requires.

Narrator: This is the DarshanTalks Podcast. Regulatory guy, irregular podcast, with host Darshan Kulkarni. You can find the show on Twitter @darshantalks, or the show's website at darshantalks.com

Darshan: Let's start with what's actually covered. Under CCPA, the real name, your alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, social security number, driver's license, passport or other similar identifiers are all covered as personal information. Commercial information, including records of property, products or services purchased, obtained or considered would all be considered personal information under CCPA.

Darshan: If you went online and I'm looking at hopefully trying to buy something and looking up reviews of a house, I'm actually trying to buy a house, and I want to look at who's owned the house previously. The concern with that is if I land up in this situation, I may not be able to get that access, and that's appropriate for the privacy of the people before me. Geolocation data would be considered to be private. Audio, electronic, thermal data, olfactory data would be covered. This is really like next generation stuff when you say olfactory data or visual data would be considered to be personal information. I'm not even sure how you... how someone quantifies my olfactory data.

Darshan: Professional employment related information would be considered to be personal information. Education information would be considered to be personal information. So obviously there are going to be some serious ramifications in how employment occurs in California because of this law. And inferences drawn from any of the information that's previously been listed, I just listed out for you, and the impact on the consumer's preferences, characteristics, psychological trends, preference, dispositions, behavior, attitudes, intelligence and aptitudes would all be considered to be personal information. Interestingly enough, employee data is exempted so we've got to figure out what that actually means, how does this play out.

Darshan: So what are the implications? So businesses must disclose data collection sharing practices to consumers. Consumers have the right to request that that data be deleted. So again, if you think about GDPR, this is reminiscent of the right to be forgotten.

Darshan: Consumers have the right to opt out of the sale or sharing of their personal information. Makes sense. Businesses are prohibited from selling personal information of consumers under the age of 16 without explicit consent. Makes sense. So that's a opt-out, sorry, opt-in sort of knocked out. Companies must allow consumers to choose not to have their data shared with third parties. So if you are, say Google who's coming up with a new system, you need to basically say, "Would you like to opt-in to these services?" And chances are, you could just put a geo fence around California and say anyone who's up here is subject to it. But theoretically, do you really want to start restricting it? Maybe you do, maybe you don't.

Darshan: Companies cannot refuse users equal service. This is an interesting one. Companies cannot refuse users equal service, but they can offer incentives to users who provide personal information. So this provision where you subject to change, but it gives you the ability to offer discounts to people who are willing to have their data shared or sold to third parties. This is different from what we've had before, but it basically lets you monetize your data. The only difference is someone else decides the price. Do you want that? Do you not? You've got to start to thinking through that.

Darshan: The California consumer has the right to find out what information a company collects about them within 45 days. If this includes information on what information they had, was it sold, who was it sold to. If it was sold to third parties over the last 12 months, it must give the names and addresses of those third parties. Since the rule covers the last 12 months, again, the companies need to start complying pretty much immediately.

Darshan: So this is all well and good. This is great, great. There's a law out there. Good to know. Why should I care? Are there penalties? So civil penalties can range from $2,500 for non-intentional violation to $7,500 for an intentional violation. So that basically means, well sometimes $100 doesn't seem like a lot of money, right? Now multiply that by a million records. That's suddenly a lot of money.

Darshan: What's interesting enough is CCPA also has a private right of action, which means that now users... If I live in California, I can actually sue a company that violates my rights and I could theoretically get a piece of the action, and that's hugely profitable. So if I was a company operating in California, I'd be careful of this.

Darshan: How is this different from GDPR? Again, there are dozens and dozens and dozens of differences, but it applies to people who are in Europe. It's not even restricted to EU residents. On the other end, for CCPA, it applies only to California residents. Under GDPR, it applies to controllers including nonprofit organizations. CCPA has a bunch of different factors, one of which is if it's a not-for-profit, you are exempt. I can list out a whole bunch of them. If you collect this information on our behalf of which such information... collect personal information.

Darshan: If you do business in California, you may actually be subject to it, and if you meet the following thresholds. You have annual gross revenues in excess of 25 million, alone or in combination, you annually buy, receive for the company's commercial purposes 50,000 or more records basically, or you derive 50% or more of your annual revenue from selling consumer personal information, you may be subject to CCPA.

Darshan: GDPR has specific obligations on processors. On the other hand, CCP applies to any entity that controls or is controlled by the business. So there are tons of exceptions.

Darshan: So is there any connection with HIPAA? Maybe it's not the same thing as GDPR. Does CCPA actually have a connection with HIPAA, because we know California in the US HIPAA, a US law. Well, CCPA actually creates an exemption designed around HIPAA. The statute says, "This title shall not apply to a covered entity governed by HIPAA to the extent that the covered entity maintains patient information in the same manner as PHI." Well, that sounds great, right? It means that if you're a hospital, you aren't subject to CCPA.

Darshan: The problem is it's not as simple as that, or at least a lot of lawyers are not taking it to be as simple as that. An organization that's otherwise subject to CCPA, such as a for-profit hospital entity operating in California and has more than 50,000 consumers or else gross revenues in excess of 25 million, they try to find shelter under HIPAA. But most attorney, the courts may not read it in the same way. They're worried that the organization may... The courts may look at the intent. And well you as a hospital doing this for patient health information or you're doing it for sales, or you're doing it for marketing? So is the organization exempt or is the purpose exempt? That's going to be interesting as well.

Darshan: What's interesting also is, is California the only state with these laws. So Nevada enacted a Senate bill, which also has certain similar provisions to CCPA. New York has two different laws that are trying to go down and protect individual's privacy. One is the Stop Hacks And Improve Electronic Data Security handling, which is called the SHIELD Act, and there's also the pending New York Privacy Act. Massachusetts has a similar CCPA bill. New Hampshire, Washington, Illinois, Oregon, Texas and Maryland are all in different versions off these privacy laws.

Darshan: CCPA is a harbinger, but it's not the only one and... Well, it's not the only one that's going to be around in a few months, in a few years. What is the problem with this? It means that you're getting a patchwork of laws. If you are a company that's operating across the US or even across the world, these types of patchworks of laws are hugely problematic because now you're trying to comply with different rules across different sectors, across different countries. That just becomes more and more problematic. Now if you start getting into different States, that's even more problematic.

Darshan: I would say that in the short term, you're going to see companies trying to deal with this patchwork of laws. In the longterm, and there was actually a Senate bill that I saw in the news being proposed, which is going to try to solidify privacy across the country. So we'll see how that plays out as well.

Narrator: This is the DarshanTalks Podcast. Regulatory guy, irregular podcast, with host Darshan Kulkarni. You can find the show on Twitter @darshantalks or the show's website at darshantalks.com.

Darshan: Today's talk is going to be about GDPR and how that applies to pharma companies, to health tech companies. If you are a owner of a pharma company, how does it apply to you? If you are a general counsel for a pharma company, how does it apply to you?

Narrator: This is the DarshanTalks Podcast, regulatory guy, irregular podcast with host Darshan Kulkarni. You can find the show on Twitter @darshantalks or the show's website at darshantalks.com.

Darshan: So, GDPR, it's sort of, you've probably heard about it because we all got a bunch of different emails from Google and from Yahoo and from whatever else you use because a lot of those companies make their money by keeping information. GDPR is the mutually agreed General Data Protection Regulation. Came into effect on May 25th, 2018, and the idea was they would modernize laws that protect personal information of individuals. The goal was to harmonize data protection laws across Europe and give greater protection and rights to individuals.

Darshan: That's all well and good, and that's great. Actually, I'm a huge advocate of privacy, but there are problems. The problem is that they haven't clarified what this means, or the penalties have started coming in. If the penalties are already coming in and you don't know what it means, that seems unfair. Let's talk a little bit more about what GDPR is and how that applies to you.

Darshan: So, the goal of GDPR again was to protect consumer data and how it actually impacts businesses. The question is, are U.S. companies exempt from GDPR because of what's called the Data Shield or not necessarily because there are some rights around transferability of information? The consumer does also get the right to transfer personal data from one company to the other. So, that becomes a new right under GDPR. The consumer also gets the right to access their information so that they know what you know, and you have a certain amount of time as a business to produce that information.

Darshan: If you are a consumer, you get the right to correct the information that the company has. So, you can just, as a company, be like, "I'm going to ignore you." One of the most famous things that came out of GDPR was the "right to be forgotten." The right to be forgotten was the idea that at a certain amount of time, it goes from becoming information about me, which would be in the cloud, is detrimental to me, and I have the right to be forgotten by these systems.

Darshan: Then, there's the right to consent. Essentially, you, as a company, need to get my consent to be able to obtain, process my information. Part of it may all ... This is a huge undertaking, and you may need a data privacy officer to make all of this happen. So, one of the big overarching questions is, do patients own their own data under GDPR? No. The question is actually sidestepped. Patients may be able to control their data. There's no answer about whether they own their data, but meaningfully, what do you get different? The answer might be you might be able to get paid in exchange for that type of control. We aren't there yet, but CCPA is making some steps in that direction.

Darshan: So, why should I care? Does GDPR matter as a pharma company CEO? The final framework suggest that penalties could be up to $20 million, up to 4% of the total global turnover of the preceding year, whichever one is higher. So, if you are a large company, those penalties could be hugely problematic. So, yes, you should probably care about GDPR.

Darshan: So, the next question is, "Well, I'm a U.S. company. How is this that different from HIPAA?" First of all, wrong country. GDPR primarily applies to Europe. Number two, GDPR does this whole controller versus processor thing. In clinical trials, some sites get to be co-controllers, but they have to then claim the right to the data, which can become problematic. So, there's no equivalent of that. In the U.S., the closest you'd get is a covered entity and a business associate, but it's not quite the same thing. That's what HIPAA sort of draws the distinction.

Darshan: Unlike HIPAA, GDPR is not focused on just healthcare. The fines are generally significantly more like you mentioned. In the case of HIPAA versus GDPR, the penalties have generally gone towards companies who can afford it. In the case of GDPR, you also have seen penalties against schools. On the other hand, you've seen them against consultants and all the way up to huge tech companies. So, GDPR is being evenly applied which, for better or for worse, can be hugely problematic.

Darshan: How is GDPR different from CCPA? So, you can listen to my podcast on CCPA, but CCPA is a California law that's sort of what people are calling GDPR light. There are dozens upon dozens of differences between GDPR and CCPA. However, I'm going to talk about just three. GDPR applies to people, not even restricted to just EU residents. CCPA only applies to California residents. GDPR applies to controllers, including nonprofit organizations. For CCPA, you have to meet certain conditions. One of which is you have to be a for-profit company.

Darshan: Number two, you have to collect consumer personal information, or on behalf of which such information is collected, you have to determine the means and purposes of the processing, and you must be doing business in California, and then you have to meet one of these three thresholds actually. One is annual gross revenue in excess of $25 million alone or in combination, and you buy, receive for the business commercial purposes up to 50,000 or more consumers, households or devices and/or you derive 50% or more of your annual revenues from selling consumer personal information, i.e., primarily geared towards advertising agencies or companies that do huge amounts of advertising. GDPR has a specific obligation on processors while CCPA applies to any entity that controls or is controlled by the business.

Darshan: So, is this all great, right, because if you're a pharma company or you're a health tech company, you're not in the business of selling. You're in the business of sort of selling drugs. You're not sort of a advertising agency. That may or may not be wrong. There are certain exceptions in CCPA that make exceptions for HIPAA, but you as a pharma company, you as a health tech company may or may not be subject to those exceptions.

Darshan: So, is there a crossover between GDPR and HIPAA? Yes. If you are already controlling sensitive data, you have methods for detecting unauthorized changes to that PHI, and you encrypt the PHI at rest and in transit, you're already doing a lot of things that GDPR requires. So, does GDPR have a lot of crossover with CCPA? CCPA only covers ... Well, they both cover natural persons, not legal persons and controller-covered business have similar meanings. It's not identical, but they have similar meanings.

Darshan: So, what does all of this mean for pharma or for healthcare? In clinical trials, the sponsors is the controller for research and site is the controller for care, but this becomes circumstance-specific. If the site is a co-sponsor or if there's a clinical trial unit on the site, you could theoretically be in a situation of joint controllership, which has its own issues. The PIs are often employees in many states or in many countries. Since the PIs are not party to the agreement, they are the people to whom notice is provided. So, this becomes problematic sometimes.

Darshan: If you are a pharma company, companies will say that you may want to push back to a site wanting to be a controller since that comes with additional responsibility, and does that site really want to take on those responsibilities? Some sites may say yes. In France, the site is the processor. In Germany, the site is often a joint controller, but it could be said to be a separate controller. In Netherlands, you could be a separate controller as well. So, obviously, each country is treating GDPR differently. So, you need to be aware of what that country's methodology is.

Darshan: There are obviously implications if you're recruiting for clinical trials but even more implications if you are actually marketing your products. So, what complexities does this cause in clinical trials? What's interesting is that some patients can consent to participate in clinical trials, but the EDPB, which is the European Data Protection Board, says that patients aren't capable of consenting to collection of clinical data. So, this seems incongruent. This seems paternalistic, and that's going to be problematic.

Darshan: There's a whole other piece when you come to Brexit because the UK has implemented a new Data Protection Act, which largely includes all the provisions of GDPR. You've got the Information Commissioner's Office who will enforce it in the UK. In the UK, you can create a separate privacy consent, which is not included in the informed consent, and that can have its own implications as well. You need to have controls in place, and you need to have interpretations, et cetera, et cetera, et cetera. In the UK, you actually have Elizabeth Denham's office. She's the UK Information Commissioner, and she's in charge of data protection enforcement.

Darshan: So, if you are GDPR compliant, you still have to consider how you're going to handle the UK. You still have to consider how you're going to handle the U.S. So, GDPR helps gets you along the way, but it's not all the way there. Interestingly enough, there are some questions about how coded data will be handled by GDPR, so stay tuned. We'll find out more as time continues, but I hope you enjoyed this talk. Feel free to reach out if you have any questions. Again, you can find me @darshantalks on Twitter. You could reach out to me on my email if you wanted at darshan@conformlaw.com I look forward to hearing from you. Take care.

Narrator: This is the DarshanTalks Podcast, regulatory guy, irregular podcast with host Darshan Kulkarni. You can find the show on Twitter @darshantalks or the show's website at darshantalks.com.