Ensuring Trust in Pharmaceutical Supply Chains by Data Protection by Design Approach to Blockchains
Keywords:blockchain, data protection by design, EU General Data Protection Regulation (GDPR), pharmaceutical supply chain, trust
Pharmaceutical supply chains are complex structures including various actors, and blockchains are seen as a promising solution to increase effectiveness and overcome some of the main challenges in these supply chains, especially the lack of trust. However, the European Union has set strict rules in the domain of pharmaceutical supply chains in order to protect patient safety and public health, and using blockchains brings further legal requirements to comply. Among these requirements, personal data protection is of utmost importance because it has been argued, for years, that blockchains and the EU data protection regime are in conflict by their natures. However, it is also claimed that when rightly designed and combined with other technological solutions, blockchains can offer great opportunities to enhance data protection. Nevertheless, blockchains’ potential in pharmaceutical supply chains has not yet been realized as most use cases are in the Proof of Concept or pilot stages.
This paper will examine the debates around blockchains and data protection with the objective of drawing constructive conclusions on whether blockchains solutions can be designed in data protection-enhancing ways and whether this can help realize blockchains’ potential in pharmaceutical supply chains, particularly by creating trust. For this purpose, this paper takes the example of an ongoing EU-funded innovative research project called PharmaLedger as a case study to concretize its theoretical examinations. This project is chosen since it gathers together a wide variety of stakeholders representing different interests and aims to create a digital trust ecosystem in healthcare, by providing a widely trusted platform that supports the design and adoption of blockchain-enabled healthcare solutions while accelerating the delivery of innovation that benefits the entire ecosystem from manufacturers to patients.
Clauson K, Breeden E, Davidson C, Mackey T. Leveraging blockchain technology to enhance supply chain management in healthcare. Blockchain Healthc Today. 2018;1. https://doi.org/10.30953/bhty.v1.20
Georgiev N, Yaşar B, Inari Castella S, et al. PharmaLedger deliverable 5.2: in-depth ethical and legal study. 2021. Available from: https://ec.europa.eu/research/participants/documents/download Public?documentIds=080166e5e26c7cd9&appId=PPGMS [cited 28 February 2022].
Finck M. Blockchains and data protection in the European Union. Eur Data Protect Law Rev. 2018;4(1):17–35. https://doi.org/10.21552/edpl/2018/1/6
Livitckaia K, Charles W, Larrañaga Piedra U, Niemerg M, Hasselgren A, Papadopoulou E. Blockchain application in healthcare sector. EU Blockchain Observatory and Forum; 2022. Available from: https://www.eublockchainforum.eu/sites/default/files/reports/eubof_healthcare_2022_FINAL_pdf.pdf [cited 28 February 2022].
PharmaLedger. 2022. Available from: https://pharmaledger.eu/ [cited 28 February 2022].
Schöner M, Kourouklis D, Sandner P, Gonzalez E, Förster J. Blockchain technology in the pharmaceutical industry. Frankfurt: Frankfurt School Blockchain Center; 2017. Available from: https://philippsandner.medium.com/blockchain-technology-in-the-pharmaceutical-industry-3a3229251afd [cited 28 February 2022].
Arviem AG. Quick guide to pharma supply chain visibility. Arviem AG; 2017. Available from: https://arviem.com/wordpress/wp-content/uploads/2017/10/Quick-Guide-to-Pharma-Supply-Chain-Traceability.pdf [cited 28 February 2022].
Hurley J. Creating a transparent supply chain for prescription drugs—InsideSources. InsideSources. 2017. Available from: https://insidesources.com/creating-transparent-supply-chain-prescription-drugs/ [cited 2 March 2022].
European Commission (EC). Pharmaceutical strategy for Europe. EC; 2020. Available from: https://ec.europa.eu/health/system/files/2021-02/pharma-strategy_report_en_0.pdf [cited 4 March 2022].
Bagozzi D, Lindmeier C. 1 in 10 medical products in developing countries is substandard or falsified. WHO; 2017. Available from: https://www.who.int/news/item/28-11-2017-1-in-10-medical-products-in-developing-countries-is-substandard-or-falsified [cited 4 March 2022].
McCauley A. Why big pharma is betting on blockchain. Harvard Business Review. 2020. Available from: https://hbr.org/2020/05/why-big-pharma-is-betting-on-blockchain [cited 7 March 2022].
Georgiev N, Van Der Eycken D, Castella S, et al. PharmaLedger deliverable 5.1: ethical and legal inventory. 2020. Available from: https://ec.europa.eu/research/participants/documents/downloadPublic?documentIds=080166e5d41d340b&appId=PPGMS [cited 9 March 2022].
Directive 2001/83/EC of the European Parliament and of the Council on the Community code relating to medicinal products for human use (November 6, 2011). Available from: https://www.ema.europa.eu/en/documents/regulatory-procedural-guideline/directive-2001/83/ec-european-parliament-council-6-november-2001-community-code-relating-medicinal-products-human-use_en.pdf [cited 4 May 2022].
Directive 2003/94/EC laying down the principles and guidelines of good manufacturing practice in respect of medicinal products for human use and investigational medicinal products for human use (October 8, 2003). Available from: https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2003:262:0022:0026:en:PDF [cited 4 May 2022].
Directive 2011/62/EU of the European Parliament and of the Council amending Directive 2001/83/EC on the Community code relating to medicinal products for human use, as regards the prevention of the entry into the legal supply chain of falsified medicinal products (Falsified Medicines Directive) (June 8, 2011). Available from: https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2011:174:0074:0087:EN:PDF [cited 4 May 2022].
Council of Europe Convention on the counterfeiting of medical products and similar crimes involving threats to public health (CETS No. 211) (MEDICRIME Convention) (2011). Available from: https://rm.coe.int/168008482f [cited 4 May 2022].
Commission Delegated Regulation (EU) 2016/161 supplementing Directive 2001/83/EC of the European Parliament and of the Council by laying down detailed rules for the safety features appearing on the packaging of medicinal products for human use (October 2, 2015). Available from: https://health.ec.europa.eu/system/files/2016-11/reg_2016_161_en_0.pdf [cited 4 May 2022].
Regulation 2020/1056 on electronic freight transport information (July 15, 2020). Available from: https://eur-lex.europa.eu/eli/reg/2020/1056/oj [cited 4 May 2022].
Regulation (EC) No 726/2004 of the European Parliament and of the Council of 31 March 2004 laying down Community procedures for the authorisation and supervision of medicinal products for human and veterinary use and establishing a European Medicines Agency (March 31, 2014). Available from: https://health.ec.europa.eu/system/files/2016-11/reg_2004_726_en_0.pdf [cited 20 April 2022].
Ciapponi A, Donato M, Gülmezoglu A, Alconada T, Bardach A. Mobile apps for detecting falsified and substandard drugs: a systematic review. PLoS One. 2021;16(2):e0246061. https://doi.org/10.1371/journal.pone.0246061
Regulation 2016/679/EU on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC  OJ L 119/1 (GDPR) (April 27, 2016). Available from: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679 [cited 20 April 2022].
European Parliament, Directorate-General for Parliamentary Research Services, Finck M. Blockchain and the general data protection regulation: can distributed ledgers be squared with European data protection law? Publications Office; 2019. https://doi.org/10.2861/535
EU Charter of Fundamental Rights. (October 26, 2012). Available from: https://fra.europa.eu/en/eu-charter [cited 20 April 2022].
Council of Europe, European Court of Human Rights, European Data Protection Supervisor, European Union Agency for Fundamental Rights. Handbook on European data protection law. Luxembourg: Publications Office of the European Union; 2018. https://doi.org/10.2811/343461
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive) (October 24, 1995). 31995L0046 - EN - EUR-Lex - European Union. Available from: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A12016P%2FTXT [cited 20 April 2022].
Center for Global Enterprise, Slaughter and May, Cravath, Swaine & Moore LLP. March of the blocks—GDPR and the blockchain. Digital Supply Chain Institute; 2019. Available from: https://www.dscinstitute.org/assets/documents/GDPR-and-Blockchain-March-of-Blocks.pdf [cited 14 March 2022].
Gaur V, Gaiha A. Building a transparent supply chain. Harvard Business Review. 2020. Available from: https://hbr.org/2020/05/building-a-transparent-supply-chain [cited 15 March 2022].
Article 29 Data Protection Working Party (WP29). “Guidelines on the right to data portability” 16/EN WP 242 rev.01. European Commission (EC); 2017. Available from: https://ec.europa.eu/newsroom/article29/items/611233 [cited 16 March 2022].
Mainelli M. Blockchain could help us reclaim control of our personal data. Harvard Business Review. 2017. Available from: https://hbr.org/2017/10/smart-ledgers-can-help-us-reclaim-control-of-our-personal-data [cited 17 March 2022].
Lyons T, Courcelas L, Timsit K. Blockchain and digital identity. EU Blockchain Observatory and Forum; 2019. Available from: https://www.eublockchainforum.eu/sites/default/files/report_identity_v0.9.4.pdf [cited 18 July 2022].
Zyskind G, Nathan O, Pentland A. Decentralizing privacy: using blockchain to protect personal data. 2015 IEEE Security and Privacy Workshops. 2015. https://doi.org/10.1109/SPW.2015.27
Article 29 Data Protection Working Party (WP29). “Opinion 04/2014 on anonymisation techniques” (2014) 0829/14/EN. European Commission (EC); 2014. Available from: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf [cited 18 March 2022].
Lyons T, Courcelas L, Timsit K. Blockchain and the GDPR. EU Blockchain Observatory and Forum; 2018. Available from: https://www.eublockchainforum.eu/sites/default/files/reports/20181016_report_gdpr.pdf [cited 21 March 2022].
Moerel L. Blockchain & data protection... and why they are not on a collision course. Eur Rev Priv Law. 2018;26(6):825–51. https://doi.org/10.54648/erpl2018057
Moerel L, Storm M. Blockchain can both enhance and undermine compliance but is not inherently at odds with EU privacy laws. J Invest Compl. 2021;22(2):122–32. https://doi.org/10.1108/JOIC-10-2020-0037
Commission Nationale Informatique et Libertés (CNIL). Solutions for a responsible use of the blockchain in the context of personal data. CNIL; 2018. Available from: https://www.cnil.fr/sites/default/files/atoms/files/blockchain_en.pdf [cited 22 March 2022].
Schrems II  Case C-311/18 (Court of Justice of the European Union). Available from: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A31995L0046 [cited 20 April 2022].
European Data Protection Board (EDPB). Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. EDPB; 2021. Available from: https://edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-012020-measures-supplement-transfer_en [cited 26 April 2022].
European Commission. Standard contractual clauses (SCC). European Commission; 2022. Available from: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en [cited 18 July 2022].
Zetoony D. What exactly is a “transfer impact assessment” (TIA), and where the heck did it come from? Data Privacy Dish. 2022. Available from: https://www.gtlaw-dataprivacydish.com/2022/03/what-exactly-is-a-transfer-impact-assessment-tia-and-where-the-heck-did-it-come-from/ [cited 26 April 2022].
Neuburger J, Choy W. Practical law. 2019;(3). Available from: https://content.next.westlaw.com/practical-law/the-journal/practical-law-the-journal-transactions-business-july-aug-2019?transitionType=Default&contextData=(sc.Default)&navId=6105953F4C405848E6F2A965BE757D72 [cited 23 March 2022].
Bacon J, Michels J, Millard C, Singh J. Blockchain demystified. Queen Mary University of London School of Law; 2017. Available from: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3091218 [cited 25 March 2022].
Berberich M, Steiner M. Blockchain technology and the GDPR—how to reconcile privacy and distributed ledgers? Eur Data Protect Law Rev. 2016;2(3):422–6. https://doi.org/10.21552/EDPL/2016/3/21
Information Commissioner Office (ICO). Deleting personal data. ICO. Available from: https://ico.org.uk/media/for-organisations/documents/1475/deleting_personal_data.pdf [cited 28 March 2022].
Section 35 of the Gesetz zur Anpassung des Datenschutzrechts an die Verordnung (EU) 2016/679 und zur Umsetzung der Richtlinie (EU) 2016/680. Available from: https://www.bgbl.de/xaver/bgbl/start.xav?start=%2F%2F*%5B%40attr_id%3D%27bgbl117s2097.pdf%27%5D#__bgbl__%2F%2F*%5B%40attr_id%3D%27bgbl117s2097.pdf%27%5D__1661524539706 [cited 20 April 2022].
European Data Protection Board (EDPB). Guidelines 4/2019 on article 25 data protection by design and by default. EDPB; 2019. Available from: https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_201904_dataprotection_by_design_and_by_default.pdf [cited 29 March 2022].
OpenDSU. 2022. Available from: https://opendsu.com/ [cited 4 April 2022].
Software development with data protection by design and by default. Datatilsynet. 2022. Available from: https://www.datatilsynet.no/en/about-privacy/virksomhetenes-plikter/innebygd-personvern/data-protection-by-design-and-by-default/?print=true [cited 8 April 2022].
How to Cite
Copyright (c) 2022 Halid Kayhan
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
Authors retain copyright of their work, with first publication rights granted to Blockchain in Healthcare Today (BHTY). Read the full Copyright Statement.