The general assumption that the Policy 0070 data releases were public data releases can be challenged since there is a mechanism to enforce the ToU, and this mechanism will continue to exist after the Agency moves to the Netherlands.
The European Medicines Agency (EMA) under its Policy 0070 makes anonymized clinical reports publicly available in two modalities. The first modality is that the information is made available on-screen to any user in a read-only mode through their data portal. The user cannot download the documents from the portal. The second modality allows the user to download the documents from the portal. In both of these modalities the user must accept the terms-of-use (ToU). The ToU have reasonable requirements, such as prohibiting the user from re-identifying trial participants.
The EMA has made clear that it will not accept any responsibility for the user’s compliance with the terms of the ToU. However, the EMA policy references the Contracts (Rights of Third Parties) Act of 1999 as a means through which sponsors can pursue users who do not follow the ToU. The ToU names the sponsors as being entitled to enforce the terms. Specifically, Section 5 of the ToU states:
The restrictions and conditions and the warranty and liability provisions of these Terms are also made for the benefit of any and all Applicants/MAHs and, accordingly, each such Applicant/MAH may in its own right enforce these Terms in accordance with the provisions of the Contracts (Rights of Third Parties) Act 1999.
This Act says:
a person who is not a party to a contract (a “third party”) may in his own right enforce a term of the contract if-
(a) the contract expressly provides that he may, or
(b)…, the term purports to confer a benefit on him.
This would allow a sponsor then to enforce the ToU even if the EMA will not enforce them itself.
As the Agency is moving to the Netherlands, one question is whether the Agency will change the governing law from England and Wales, as it is now, to the Netherlands ? If they do so, then there is an equivalent mechanism provided that the ToU clearly sets out the third party right in compliance with the Dutch Civil Code.
If a re-identification or attempted re-identification occurs then the sponsor can seek damages or an injunction to prevent participant harm from a re-identification that has already occurred.
To be able to enforce the ToU the sponsor would need to know the identity of the user and to know that they did indeed obtain the documents through the EMA portal. The EMA has historically declined to provide the identities of individuals who have registered with the EMA, nor provide the IP addresses of those who download or accessed the documents. The EMA must be collecting the registration information and is likely also collecting the IP address information for operating its networks and systems, although this information may be retained for a limited time. Nevertheless, the Agency can be compelled to provide this information through a court order to allow the enforcement of the ToU. Whether a sponsor would be willing to go down that route may be a function of the potential damages from a re-identification occurring or from the degree of harm due to a re-identification that has already occurred.
There can also be situations where an entity that re-identifies participants self-reveals itself by contacting the data subjects or publicizes the re-identification. In such a case the sponsor would already know who has re-identified its documents, although they would need to demonstrate that the documents were obtained through the Policy 0070 portal.
If there is a mechanism to allow the sponsors to enforce the ToU then arguably the documents are not released in the public domain, but can be treated as semi-public documents. That is the main distinction between a public data release and a semi-public data release: a semi-public data release has a known data user (or one who can be identified) and an enforceable ToU.
If the Policy 0070 data releases are indeed semi-public then the very conservative approaches that are currently being used by sponsors to anonymize that information may be relaxed. A different anonymization standard can be applied for semi-public data compared to public data. This different anonymization standard would result in higher data utility for the data users.
The anonymization standard for semi-public data would account for the fact that the data user has accepted the terms of use, and this would act as a deterrent for re-identification. Based on available evidence, known re-identification attacks are conducted by the media and academics [1]and arguably for these potential attackers a breach of an enforceable ToU would be a strong deterrent. In assessing the risk of re-identification, this contractual control would lead to a lower risk value, which in turn would lead to a reduction in the transformations needed to anonymize the information.
Whether sponsors would be willing to relax the anonymization standards in use given that the ToU can be enforced is an interesting question. The sponsors have generally taken a conservative approach to privacy protection thus far. Given the option of using a less conservative data sharing mechanism, it is not obvious that all of them will do so. However, that is an empirical question and should at least be considered by the sponsors.
The important message here is that the general assumption that the Policy 0070 data releases were public data releases can be challenged since there is a mechanism to enforce the ToU, and this mechanism will continue to exist after the Agency moves to the Netherlands.
[1] K. El Emam, E. Jonker, L. Arbuckle, and B. Malin, “A Systematic Review of Re-identification Attacks on Health Data,” PLoS ONE, vol. 6, no. 12, 2011.
Khaled El Emam, Privacy Analytics & University of Ottawa, and Ruth Boardman, Bird & Bird
2 Commerce Drive
Cranbury, NJ 08512