Regulatory environment for platforms, online intermediaries, data and cloud computing and the collaborative economy

1. Online Platforms

a. Social and economic role

No comment

b. Transparency of online platforms

No comment

c. Use of information by online platforms

In your view, do online platforms provide sufficient and accessible information with regard to:

b) what use is made of the personal and non-personal data collected, including trading of the data to other platforms and actors in the Internet economy?

Yes

No

I don't know

Please explain your choice and share any best practices that you are aware of. 1500 character(s) maximum

In order to maintain public confidence in the use of health data, it will be important to actively engage with stakeholders, noting that data uses will evolve over time.

Please share your general comments or ideas regarding the use of information by online platforms 3000 character(s) maximum

d. Relation between platforms and suppliers

No comment

e. Constraints on the ability of consumers and traders to move………

No comment

f. Access to Data

No comment

2. Tackling illegal content online and the liability of online intermediaries

No comment

3. Data and cloud in digital ecosystems

a. Free flow of data

ON DATA LOCATION RESTRICTIONS

In the context of the free flow of data in the Union, do you in practice take measures to make a clear distinction between personal and non-personal data?

Yes

No

Not applicable

*Please explain why not

  • Have restrictions on the location of data affected your strategy in doing business (e.g. limiting your choice regarding the use of certain digital technologies and services?)

Yes

No

Other reasons:

EFPIA members and their collaborators have reported situations where it has been difficult to share research data across borders due to different privacy protection and other obligations. Conversely, those Member States able to provide secure access to personal health data, and the ability to link data sets (under suitable protection conditions), are likely to attract increased investment and develop improved health services.

ON DATA ACCESS AND TRANSFER

  • Do you think that the existing contract law framework and current contractual practices are fit for purpose to facilitate a free flow of data including sufficient and fair access to and use of data in the EU, while safeguarding fundamental interests of parties involved?

Yes

No

*Please explain your position 3000 character(s) maximum

EFPIA believes that the General Data Protection Regulation represents a basis for further work in developing the digital economy. The provisions for health and research-related uses are particularly important for EFPIA’s member companies. In its final form, the Regulation contains extensive reference to Member State law, confirming that the regulation of many data movements will have a national character. This is likely to perpetuate the existing complexity of the EU environment. We believe that, as part of the process of implementing the Regulation, the role of standards and codes of conduct should be fully explored and that it is important that the European Data Protection Board is able to progress harmonization when it is beneficial to do so in the interests of subject rights and the digital economy. EFPIA also considers that it will be important to go beyond contracts and establish robust processes for societal accountability to ensure public trust in the use of big data. We believe this will be particularly important in the context of sensitive data such as health data.

  • In order to ensure the free flow of data within the European Union, in your opinion, regulating access to, transfer and the use of non-personal data at European level is:

Necessary

Not necessary

  • When non-personal data is generated by a device in an automated manner, do you think that it should be subject to specific measures (binding or non-binding) at EU level?

Yes

No

*Which of the following aspects would merit measures? between 1 and 4 choices

- Obligation to inform the user or operator of the device that generates the data

- Attribution of the exploitation rights of the generated data to an entity (for example the person / organisation that is owner of that device)

- In case the device is embedded in a larger system or product, the obligation to share the generated data with providers of other parts of that system or with the owner / user / holder of the entire system

- Other aspects:

Please specify

The answer to the question depends on the definition of “non-personal data”. We have responded on the basis that this term includes data relating to individuals from which direct identifiers have been removed. In addition to the “aspects” above, EFPIA would propose adding “measures supporting decision-making relating to an individual”. We would be ready to discuss further once the definition is clear.

  • Please share your general comments or ideas regarding data access, ownership and use 5000 character(s) maximum

In the context of healthcare-related data, the ownership of data should be clear (individual or those who generate data) and a regulatory framework should allow empowered and informed owners to allow for flow and subsequent use of data for research, remote patient monitoring (disease management) and/or analytical exploitation.

ON DATA MARKETS

What regulatory constraints hold back the development of data markets in Europe and how could the EU encourage the development of such markets?

3000 character(s) maximum

Lack of a pan-European standard with regard to a common definition of what constitutes personal information and its use creates barriers with regard to flow of data; its protection; and aggregation for analytical and research purposes. These purposes can lead to societal and economic benefits with regard to the health of population, disease management and health system sustainability. EFPIA also supports efforts at EU level to improve societal accountability regarding the use of health data, recognizing the importance of trust. In general, EFPIA supports a regime which combines a high level of flexibility for re-use of health data for legitimate purposes with strong privacy protections. In EFPIA’s submission on m-health, the following were identified as barriers to the development of a market:

  • Unified data standards;

  • Guidelines for anonymization of personal data;

  • Data qualification systems;

  • Connection of mHealth apps to a larger ecosystem to collect anonymized data of verified quality;

  • Data dictionaries to define common health measures and to recommend acceptable/standard measurement units that allow apples-to-apples comparisons;

  • Unique patient keys (i.e. pseudonymization), inasmuch as they don’t limit users’ confidence in anonymity, could be used to correlate outcomes deriving from different apps;

  • Indication of data reliability (i.e. confidence intervals that arise from device limitations; each sensor or measurement device could be rated on a precision/accuracy scale);

  • Storage of aggregated, anonymized data in a central secure repository;

  • Mechanism to feed back the insights from big health data projects to the health ecosystem, including to app developers (as an incentive to collaborate);

  • Clear and transparent communication to app users regarding the use of their data;

  • Clear and transparent communication to create public awareness regarding the presence of such a repository and who has access to it. Members of the public should have a point of contact to address their queries and should have the ability to opt out at any time;

  • Open access of the aggregated, anonymized data to researchers;

  • Much more communication on success stories to foster public acceptance.

ON ACCESS TO OPEN DATA

Do you think more could be done to open up public sector data for re-use in addition to the recently revised EU legislation (Directive 2013/37/EU)? Open by default means: Establish an expectation that all government data be published and made openly re-usable by default, while recognising that there are legitimate reasons why some data cannot be released.

- Introducing the principle of 'open by default'[1]

- Licensing of 'Open Data': help persons/ organisations wishing to re-use public sector information (e.g., Standard European License)

- Further expanding the scope of the Directive (e.g. to include public service broadcasters, public undertakings);

- Improving interoperability (e.g., common data formats);

- Further limiting the possibility to charge for re-use of public sector information

- Remedies available to potential re-users against unfavourable decisions

- Other aspects?

In the area of health data, the extent of public sector ownership will vary depending on the structure of the system. It may be beneficial for the EU to encourage the development of data-sharing models in systems where ownership is part private/part public, with a view to maximizing the potential of data use. Generally speaking, EFPIA favours a data-sharing model which keeps access fees to a low level, considering the deterrent effect of excessive fee-stacking.

*Please specify

Do you think that there is a case for the opening up of data held by private entities to promote its re-use by public and/or private sector, while respecting the existing provisions on data protection?

Yes

No

*Under what conditions?

- in case it is in the public interest

- for non-commercial purposes (e.g. research)

- other conditions

*Please explain 3000 character(s) maximum

Within the pharmaceutical sector, we are committed to increased data availability, both to enhance public confidence and to advance science. Together with our US sister association, we have committed to a set of standards[1]. In many cases, such data disclosures have no implication for data protection, but the data protection risks do need to be assessed on a case-by-case basis. It is also important to note that the competition within the industry depends on incentives to innovate in developing new medicines. As a result, the public interest in disclosure needs to be balanced with the public interest in encouraging investment in research, with the underlying assumption that all data is made available over time. We believe that it is possible to strike that balance. At a practical level, it is important that data access regimes are not excessively costly or burdensome.

ON ACCESS AND REUSE OF (NON-PERSONAL) SCIENTIFIC DATA

Do you think that data generated by research is sufficiently findable, accessible, identifiable, and re-usable enough?

Yes

No

*Why not? What do you think could be done to make data generated by research more effectively re-usable? 3000 character(s) maximum

In the healthcare / life sciences context, the lack of a common publication and data-sharing standard, as well as the lack of a common accessible network / data bank, is a barrier.

  • Do you agree with a default policy which would make data generated by publicly funded research available through open access?

Yes

No

*Why not? 3000 character(s) maximum

ON LIABILITY IN RELATION TO ………………..

As a provider/user of Internet of Things (IoT) and/or data driven services and connected tangible devices, have you ever encountered or do you anticipate problems stemming from either an unclear liability regime/non-existence of a clear-cut liability regime? The "Internet of Things" is an ecosystem of physical objects that contain embedded technology to sense their internal statuses and communicate or interact with the external environment. Basically, the Internet of Things is the rapidly growing network of everyday objects (eyeglasses, cars, thermostats) made smart with sensors and internet addresses that create a network of everyday objects that communicate with one another, with the eventual capability to take actions on behalf of users.

Yes

No

I don't know

If you did not find the legal framework satisfactory, does this affect in any way your use of these services and tangible goods or your trust in them?

Yes

No

I don't know

Do you think that the existing legal framework (laws, or guidelines or contractual practices) is fit for purpose in addressing liability issues of IoT or / and Data driven services and connected tangible goods?

Yes

No

I don't know

Is the legal framework future proof? Please explain, using examples. 3000 character(s) maximum

Many points relevant to this section are included in EFPIA’s response to the Commission consultation on m-health[2]. We would point, rather than to the legal framework, to the need for standards, integration and public education. There is also a need for clarity regarding the scope of different legislation. Please see below an excerpt from the earlier submission:

“The pace of technology is moving rapidly, with apps and new devices emerging and merging all the time. Increasingly the boundary between consumer technology/ smart phones/watches etc. and medical devices will become less clear. Any application that makes claims to show improvements in health should certainly be required to substantiate these claims following similar rules pertaining to pharmacotherapy and medical devices. It would also be helpful to come up with some sort of classification to help consumers and patients make that distinction.

Strict enforcement of quality, privacy and security guidelines will be required for app-generated data to be used in Big Data projects. Certification could provide reassurance to users, but ultimately, lifestyle and well-being app developers should have some degree of freedom as long as they comply with the directives on medical devices. Until now, mHealth or eHealth applications falling under the Medical device definition are regulated as medical devices. Applications not falling under the scope of the medical device regulation are covered by general product safety regulations.

EFPIA believes that it is important to inform users about quality standards that are met with mHealth solutions, especially where these are developed and classified as a medical device. This should contribute to reassuring users, promote appropriate use of a given solution and enable mHealth solutions to become a more routine feature of individuals’ management of their health and of healthcare systems. In EFPIA's experience with examples of software developed as a medical device, each smartphone upgrade must be thoroughly tested and approved for use with the software by the manufacturer, to ensure its safe use.”

As a user of IoT and/or data driven services and connected tangible devices, does the present legal framework for liability of providers impact your confidence and trust in those services and connected tangible goods?

Don’t know

In order to ensure the roll-out of IoT and the free flow of data, should liability issues of these services and connected tangible goods be addressed at EU level?

Don’t know

ON OPEN SERVICE PLATFORMS

What are in your opinion the socio-economic and innovation advantages of open versus closed service platforms and what regulatory or other policy initiatives do you propose to accelerate the emergence and take-up of open service platforms? 3000 character(s) maximum

An open service platform enables the unleashing of intellectual and innovative capabilities that can lead to the emergence of new disruptive and innovative business models leading to information-driven public and private services. This would create a positive economic impact (jobs, capital flow) as well as induce competition in existing services, creating a positive virtuous cycle of innovation. A simple existing example is the availability of geo location information and the services that it has enabled.

PERSONAL DATA MANAGEMENT SYSTEMS

The following questions address the issue whether technical innovations should be promoted and further developed in order to improve transparency and implement efficiently the requirements for lawful processing of personal data, in compliance with the current and future EU data protection legal framework. Such innovations can take the form of 'personal data cloud spaces' or trusted frameworks and are often referred to as 'personal data banks/stores/vaults'.

  • Do you think that technical innovations, such as personal data spaces, should be promoted to improve transparency in compliance with the current and future EU data protection legal framework? Such innovations can take the form of 'personal data cloud spaces' or trusted frameworks and are often referred to as 'personal data banks/stores/vaults'?

Yes

No

I don't know

  • Would you be in favour of supporting an initiative considering and promoting the development of personal data management systems at EU Level?

Yes

No

EUROPEAN CLOUD INITIATIVE

What are the key elements for ensuring trust in the use of cloud computing services by European businesses and citizens? "Cloud computing" is a paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual resources with self-service provisioning and administration on-demand. Examples of such resources include: servers, operating systems, networks, software, applications, and storage equipment.

- Reducing regulatory differences between Member States

- Standards, certification schemes, quality labels or seals

- Use of the cloud by public institutions

- Investment by the European private sector in secure, reliable and high-quality cloud infrastructures

No comment

  • As a (potential) user of cloud computing services, do you think cloud service providers are sufficiently transparent on the security and protection of users' data regarding the services they provide?

Yes

No

Not applicable

*What information relevant to the security and protection of users' data do you think cloud service providers should provide?

Information on how they are ensuring protection of network and physical infrastructure. Information on how they enable users of cloud infrastructure to create protected / secure services and applications. Clarity on how and in which locations they operate and manage the infrastructure. Undertaking audits and certifications via trusted third parties against standardized scope of service delivery, security measures. The existing EU model clauses dealing with the obligations of the data importer should provide a point of reference for setting out the necessary requirements.

As a (potential) user of cloud computing services, do you agree that existing contractual practices ensure a fair and balanced allocation of legal and technical risks between cloud users and cloud service providers?