iliomad Health Data announced on January 17, 2023, its partnership with MedTech Law. Interview with Seamus Larroque, co-founder of iliomad, and Roger Cepeda, founding attorney of MedTech Law LLC.

Roger Cepeda is an American lawyer who has practised for over 25 years, most of them supporting companies in the medical device, drug and biologic space. Seamus Larroque is “half-English, half-French, a little bit of Basque. A little bit of everything in fact!” Seamus has a legal background and was initially trained as a lawyer in France. He started in pharma, in the regulatory domain, and then headed the legal department of a consulting firm. Three years ago, he co-founded iliomad, a company specialized in data privacy for life sciences companies, with Pierre Malvoisin. This English-French conversation started with a simple question: present your company in a few words …

Roger Cepeda: MedTech Law is a recently formed, small legal consultancy company, with a focus on the areas in which I have worked for corporations: 1/ commercial (such as an agreement to distribute a product in Europe or to hire a vendor to provide consulting services), 2/ privacy, 3/ regulatory (such as FDA post-marketing obligations), and 4/ compliance (such as anti-bribery rules).

Seamus Larroque: iliomad provides privacy consulting services for Biotech, Medtech and Pharma companies. Our DNA lies in the privacy world, privacy applied to health data. I think that's what sets us apart from other types of companies. We have a regulatory approach, and we also have a technical approach to privacy.

We are convinced that data is the paradigm for medical development, so it's important to have a holistic approach to it.  

SL: When we first met MedTech Law, we immediately saw the opportunity, through a partnership, to create a stream of privacy services that would bridge the EU and the US. It's not really about the common points between us; it's about how each company can help the other in bridging those two regions.

The second thing is more closely related to common ground. It's MedTech Law's unique compliance expertise in a very niche domain. And I think it's rare today to find people with such experience in a niche domain. Roger's resume speaks for itself: 25 years in this domain!

RC: From my perspective it's a similar story: the complementary skill sets were obvious. One side has local experience with US privacy rules, while the other knows GDPR as a French company. For me, France is the ultimate privacy standard. I've advised teams that if you're compliant in France, you're compliant everywhere! And you always need someone aware of local problems or strategies, someone who has the local understanding, experience and perhaps interaction with data protection authorities.

The way we met was through privacy. One of my friends told me to meet this Seamus. I assumed he was Irish, but she told me he is French! She said we were natural allies, telling me I’d understand the opportunity when we spoke. And she was right.  

About “Data privacy”  

RC: Data Privacy is a balance that has evolved from when the first American law was passed in 1996. It was the HIPAA statute, and there was no enforcement until 1999. And the first case was an identity theft matter that had little to do with healthcare, but it was easier to prove under the HIPAA law than under the regular fraud rules at the time.

I believe in Europe the data directive was 1999, if memory serves, long before GDPR. Both continents were developing, and there was a balance between a legitimate need for information and what safeguards were required. That has changed dramatically since social media and GDPR have shifted the balance, while healthcare remains a different situation from the perspective of regulators and data subjects.

SL: I see two things about Data Privacy that come from the three years that we have now been working in the domain. I would say Data Privacy means “opportunity” and “constraint”.

“Opportunity” because such a regulation will force companies to investigate their practices and internal structure to see how data is handled. They are forced to see where the data is collected, how it's collected and how it's hosted.

I would also say “constraint” because it's a difficult subject. There are some obligations, depending on what kind of role you play in data processing. I think the main difficulty would be to have everyone on board. Everyone from clinical operations, QA, regulatory, legal and IT needs to understand the data privacy topic and how to address it.

About GDPR

RC: “Confusion” is probably the main thing that I've been seeing. Like any new legal system there's a transition process, as people in industry learn it and learn how to work with it.

This might be the only example in healthcare where I can tell you the most emulated legal system does not come from the US. It comes from Europe, and part of it is due to a tension between them.

Confusion began in 2018, when GDPR went “live.” All companies running clinical trials in Europe and in the US had to update their research agreements to add a data protection addendum. Perhaps it is arrogance from Americans, but I think we are still years away from generally understanding GDPR on the US side, especially since individual states have passed GDPR-like rules while there is no change at the national level.  

SL: You're right on this point, Roger: “confusion” is the main word … there was confusion in Europe too! It's hard to understand how one regulation can apply to so many different industries, and I also think that's where the difficulty lies. If we talk about health data, which are sensitive data in our domain, the added requirements bring another layer of confusion.

Regulation clash

RC: I see GDPR as a “turnkey” solution. It's a nice standalone rule set that doesn't rely on other European law, and it can be pulled out and adopted by another country that has a very different culture, such as the United Arab Emirates.

The US doesn't have a robust privacy law, but even if it did, there would likely be several exceptions for special interest groups. And you’re seeing it at the state level because there is no national consensus, so the federal government, for political and other reasons, is unable to take action.  

Clients wouldn't say GDPR and local laws clash, unless you're talking about California or one of the states that have implemented their own rule. The US HIPAA statute is silent on some of the things that are critical under the GDPR regulation. In the healthcare space, in the context of, say, an interventional clinical trial, there is usually a local authority who's overseeing the entire trial, including privacy matters.

Thanks to GDPR, there is a dynamic situation about privacy and people in the US are paying more attention because of Europe’s rules.

SL: I think that in the end, all those countries following the GDPR are already thinking about a global GDPR. The UK has an equivalent, we know there are talks of a federal privacy law in the US, and South America also has regulations … so I think it's already on its way, each with their particular approach, but always focused on giving people more rights. More than a clash, I would say we are going towards homogenization.


In the end, if you want to have the perfect approach to Data Privacy … then take the French GDPR approach and you'll be fine everywhere!

Seamus Larroque

CDPO / CPIM / ISO 27005 Certified
