Extracted from Law360
Transfers of personal data outside the European Union have generated much controversy over the past few years, particularly data transfers to the U.S.
On July 10, the European Commission formally approved the EU-U.S. Data Privacy Framework, or DPF, as a new tool for transferring personal data from the EU to the U.S.
The approval of the DPF recognizes that, although the U.S. has a different approach to data protection than the EU, personal data transferred to the U.S. under the DPF is considered to be adequately protected in line with the rules on international data transfers introduced by the EU General Data Protection Regulation.
Background
U.S.-based life sciences companies can be subject to the GDPR, even if they do not have any subsidiary, affiliate or other physical presence in the EU. This can be the case if, for example, a pharmaceutical or medical device company in the U.S. acts as a sponsor of a clinical study that is conducted in one or more EU member states with the help of local investigators or hospitals.
If the study involves monitoring or regular reporting on study subjects' health status — which will often be the case, given the nature of the study — the U.S.-based company or sponsor will likely be in the scope of the GDPR as far as the processing of study subjects' personal data is concerned.
The sponsor in the U.S. will want to have access to the study results for various reasons relating to its research activities, as well as for safety purposes.
Study results will typically include key-coded or pseudonymized personal data relating to study subjects that participate in the study, and the sponsor will not be given the key that is needed to reveal the identity of individual study subjects.
The European data protection authorities take the view that this data still constitutes "personal data" as the term is defined by the GDPR, although in a recent case, Single Resolution Board v. European Data Protection Supervisor, the Court of Justice of the EU appeared to take a different position.
Access to this data by the sponsor in the U.S. will be viewed as an international data transfer under the GDPR, which requires one of the data transfer solutions or derogations set out in Chapter V of the GDPR.
If the data is transferred without complying with Chapter V of the GDPR, both the sponsor receiving the data and the investigators or hospitals that initiated the transfer risk being subject to enforcement action by data protection authorities in the EU.
The Issue
The GDPR imposes restrictions on international data transfers and provides only limited options for justifying transfers of personal data to recipients in countries outside the EU.
For several years, many relied on the EU-U.S. Privacy Shield as the preferred transfer tool for sending study data collected in the EU to study sponsors in the U.S.
Some pharmaceutical and medical device companies, however, considered that this option was not available to them, based on controversial guidance issued by the Working Party 29, the predecessor of the current European Data Protection Board.
Instead, these companies would enter into the European Commission's standard contractual clauses, or SCCs, which provided contractual safeguards for personal data transferred from a controller in the EU to a controller or processor in a non-EU country.
In Data Protection Commissioner v. Facebook Ireland Ltd. and Maximillian Schrems in 2020, the Court of Justice of the EU decided to invalidate the EU-U.S. Privacy Shield, as a result of which it could no longer be used as a data transfer solution.
Shortly after that decision, in an attempt to address some of the concerns raised by the court — in particular regarding data access by foreign authorities — the European Commission revised and updated its SCCs.
The updated SCCs, which were published in 2021, introduce four modules catering to different transfer scenarios, namely controller-to-controller, controller-to-processor, processor-to-processor and processor-to-controller.
However, the European Commission's decision that implemented the updated SCCs, as well as the relevant regulatory guidance that has been published, both emphasize that the newest version of the SCCs can be used only for transfers of personal data to a controller or processor outside the EU, whose processing is not subject to the GDPR.
This means that, at least technically speaking, the updated SCCs are not a suitable solution for transferring study-related data that has not been fully anonymized to a sponsor in the U.S. whose data processing is subject to the GDPR.
The European Commission has announced that it plans to issue an additional and presumably simplified set of SCCs specifically for transfers to controllers or processors whose processing of personal data is subject to the GDPR, which would take into account the requirements that already apply directly to those controllers or processors under the GDPR.
To date, however, it is unclear when these additional SCCs will become available for use.
The EU-U.S. Data Privacy Framework to the Rescue
In the meantime, sponsors in the U.S. may want to consider joining the recently introduced DPF in order to provide coverage for the transfer of study-related data from Europe to the U.S.
Last July, the European Commission confirmed that the DPF ensures an adequate level of protection for personal data transferred from the EU to organizations in the U.S. that are included in the DPF list, which is maintained by the U.S. Department of Commerce.
The DPF provides individuals in the EU whose personal data is transferred to the U.S. with several data protection rights, e.g., the right to access their data, in addition to different redress possibilities in case they believe that their data may have been handled wrongly.
In order to rely on the DPF to effectuate transfers of personal data from the EU, an organization will have to self-certify its adherence to the DPF principles issued by the U.S. Department of Commerce and be able to demonstrate its compliance with those principles.
There are seven key DPF principles that apply to every certified company and that impose specific data protection obligations, such as requirements around purpose limitation, data minimization and data retention.
In addition, the DPF has 16 supplemental principles that may apply depending on the data transfer scenario. One of these supplemental principles specifically addresses data transfers in the context of pharmaceutical and medical products, and states the following:
- If a transfer from the EU to the U.S. involves study data that the investigator or hospital in the EU has key-coded with a view to protecting the identity of individual study subjects, the data in question is still personal data under EU law, and therefore it is covered by the principles — even if the company in the U.S. sponsoring the study does not have the key.
- Pharmaceutical and medical device companies in the U.S. receiving data originating in the EU do not have to comply with all the DPF principles in their product safety and efficacy monitoring activities, including the reporting of adverse events and tracking of patients/study subjects using certain medicines or medical devices, provided that adherence to the principles would interfere with regulatory compliance.
- Pharmaceutical and medical device companies in the U.S. are permitted to provide personal data from clinical studies conducted in the EU to regulators in the U.S. for regulatory and supervision purposes. They can also transfer the data to parties other than regulators, such as research organizations.
- If personal data collected for a particular clinical study is transferred to a U.S. sponsor under the DPF, the sponsor may use the data for a new scientific research activity if appropriate notice and choice are provided to the study subjects in scope.
It will not suffice for U.S.-based sponsors to have their names added to the DPF list in order to be considered compliant with the DPF principles; they will also have to implement specific measures and processes that aim to protect the rights of study subjects whose personal data is transferred from the EU. Examples include:
- A DPF privacy notice, which will have to inform study subjects about, e.g., the reasons why the sponsor is collecting their data and the purposes for which the data will be used, as well as any third parties that will have access to the data;
- Mechanisms for ensuring that study subjects in the EU can access their personal data, and for investigating study subjects' complaints and disputes in connection with the data transfer;
- Onward transfer contracts with third parties that will process transferred data, either as independent controllers or as processors acting on behalf of the sponsor; and
- Internal procedures for verifying the sponsor's own compliance with the DPF principles, via self-assessments or external compliance reviews.
Life sciences companies that are considering participating in the DPF should note that the same privacy activists who brought down the EU-U.S. Privacy Shield in the Schrems II case have already indicated that they might challenge the validity of the new DPF as well.
They appear to have doubts about, for example, the effectiveness of the DPF's redress mechanisms and the possible outcomes of complaints that may be initiated against the data access practices of U.S. intelligence agencies.
However, a possible legal challenge of the DPF is likely to take several years, during which the DPF will remain available as a valid data transfer tool under the GDPR, unless and until the European Commission decides to repeal it.