March 30, 2012

Commercially Confidential Information and Personal Data Agreement from Europe

by Howard E. Rosenberg, Ph.D.

data_protection.jpgThe general public's expectation for transparency in the regulation and assessment of the safety of medicines is characterized by the number of Freedom of Information Act ("FOIA") requests to FDA asking for detailed information regarding this data and the multitude of blog articles covering this subject matter. To some extent, public postings on FDA's website, particularly Drugs@FDA, has quelled the need for some FOIA requests. In Europe there is the same public pressure and an increasing trend for the release of information contained in the Marketing Authorization Applications ("MAAs") after they are granted. For example the release of clinical and safety data is regularly requested.

Feedback from initial European proposals found that in general the pharmaceutical industry had concerns regarding the release of contractual arrangements between companies, personal data of experts, and clinical and non-clinical data. Pharmaceutical companies also raised special concerns with regard to the disclosure of non-clinical data, while the release of clinical data was supported by most stakeholders.

The European Medicines Agency ("EMA") and the Heads of Medicines Agencies ("HMA") have now adopted a joint guidance document, providing, for the first time, a consistent Europe-wide approach to the identification of commercially-confidential information and personal data in a MAA. This "major step for transparency," will apply in the future to identify which parts of an application dossier can or cannot be released in response to requests throughout the regulatory authorities in the European Economic Area ("EEA"). This policy applies regardless of whether the product concerned was authorized using the centralized, mutual recognition or decentralized procedures.

The guidance document limits the scope of what information regulators will consider to be commercially confidential. The exceptions mainly relate to information about quality and manufacturing of a product, as well as about facilities or equipment and some contractual arrangements between companies. The document also sets out how personal data will be protected if it can lead to a person's identification, and gives further guidance on how to identify personal data relating to experts, staff or patients that should be redacted.

European Public Assessment Reports summarize the data in the MAA dossier, which is the primary source of information for a medicinal product and presents the discussions and conclusions of the scientific committee(s). The same principles for redaction of commercially confidential data and protection of personal data will apply when disclosing the Assessment Reports.

The decision still lies with the regulatory authorities when it comes to disclosure but efforts will be made to inform or consult the Marketing Authorization Holder ("MAH") prior to responding to a request of access to documents but will depend on the national legal framework concerned. Guidance is given by classifying the types of data in the Common Technical Document ("CTD") and detailing the corresponding section to be redacted. For example the Guidance provides:

  • CCI (Commercially Confidential Information): means any information which is not in the public domain or publicly available and where disclosure may undermine the economic interest or competitive position of the owner of the information and, in the main, cannot be released.
  • PPD (Protected Personal Data): where information relating to an identified or identifiable natural person ("data subject") means that the section may contain personal data that have to be protected and therefore, as a main rule, cannot be released or should be redacted before release.
  • CBC (Case-by-Case Analysis): means that the section may have commercially confidential information or personal data that must be protected, thus suggesting a case-by-case review prior to its possible release.
  • CBR (Can Be Released): means that all of the section can be released, always after preliminary review.
In a press release, the European Federation of Pharmaceutical Industries and Associations ("EFPIA"), the voice of the research-based pharmaceutical industry, welcomed the moves to remove perceived secrecy, as long as legitimate trade secrets are protected. Richard Bergström, EFPIA's Director General, stated:
Despite EFPIA's reservations, EMA has decided to also release non-clinical data (preclinical). An important consequence of the release of all this information is that we must update the concept of "regulatory data protection" (RDP), i.e. that second applicants cannot refer to submitted data until after 10 years. Similar provisions, but with different timelines, are in place in many countries around the world. As most of the data is now made public, the understanding must be that it is not the privacy of data that is protected, but the "reliance on data" that is not allowed. It is also important the international community agrees that interpretation, as the notion of "confidential data" is now markedly reduced.

Currently this should not be a concern in Europe as documents published within 10 years of the medicinal product's first authorization data are given "regulatory data protection" and cannot be used to support a generic application.