Back in April, we reported on some new developments in European Union law that have implications for the life sciences industry. One of these developments was in the privacy area—the final approval of the EU’s new General Data Protection Regulation (GDPR). The GDPR will have enormous significance for medical research and practice, since it will govern the collection and use of health data related to EU citizens. This month has brought a complementary and equally significant development, this time dealing with the transfer of personal data—including health data—from the EU to the U.S.
On July 12, 2016, the European Union announced that it had formally adopted the long-awaited EU-U.S. Privacy Shield to permit the transfer of personal data from EU countries to the United States.
The starting point is that the EU judges this country’s fragmented privacy laws to be inadequate, so transfers of personal data (defined very broadly to include any identifiable data) about EU citizens to the U.S. is presumptively illegal. Until late 2015, U.S. companies and other entities could legally receive such transfers in three ways: by signing up for the U.S. Department of Commerce’s Safe Harbor Program, by obtaining the consent of the data subjects, or by using (without any variation) the protective contractual provisions approved by the EU. Then, in its October 2015 Schrems decision, the Court of Justice for the European Union (CJEU) struck down the Safe Harbor. The Privacy Shield is intended to replace the Safe Harbor. The other two means of data transfer remain available.
The transfer of data from the EU to the U.S. is significant to the life sciences community in at least a couple of respects. First, the EU privacy authorities view even intracompany transfers as within their jurisdiction, so the routine exchange of personnel data within a multinational company requires EU permission. In addition, medical and health research often involves the international transfer of data. If EU citizens are the source of the data, the EU’s restrictions on international transfer will come into play.
In Schrems, the CJEU was not concerned about the behavior of private organizations. The issue, rather, was U.S. government snooping in the wake of the Snowden revelations. Consequently, most of the EU-U.S. negotiations have concerned limiting and monitoring governmental access to data. Private businesses that have used the Safe Harbor will see few significant changes in what they have to do to comply.
The Privacy Shield mechanism will be the same as under Safe Harbor: U.S. businesses must certify annually to the U.S. Department of Commerce that their privacy practices comply with Privacy Shield principles. Companies may begin self-certifying on August 1. In response to EU complaints about lax Safe Harbor oversight, Commerce is supposed to conduct regular compliance reviews of self-certifying companies, with defaulters facing removal from the list and as-yet unspecified sanctions. As under the Safe Harbor, participating U.S. companies must be under the jurisdiction of the Federal Trade Commission (or one of a few other specified federal agencies), so non-profits are generally ineligible—a significant point for academic and foundation research organizations.
Substantively, the Privacy Shield principles amount largely to a stronger statement of their Safe Harbor counterparts. U.S. entities must display their privacy policies on their website. Among other things, a Privacy Shield-compliant company must offer people the opportunity to opt out of disclosure to third parties or use of their data for purposes other than that for which it was originally collected; must take reasonable and appropriate security measures; must take reasonable steps to ensure that the data is reliable; and must offer data subjects access to their data and the ability to correct or delete inaccurate data.
A few things are new. Most significantly, a U.S. Privacy Shield company that receives EU data can transfer it to a third party (regardless of whether the recipient is Privacy Shield-compliant) only under a contract that ensures Privacy Shield-level protections for the data after transfer. In addition, Privacy Shield companies must offer EU citizens free alternative dispute resolution by an independent provider in the EU or U.S.
There are also some specific provisions dealing with health data and medical research. Medical and health information falls into the “sensitive category,” which enjoys enhanced protection both under the Privacy Shield and the pending GDPR. The Privacy Shield requires “affirmative express consent (opt in)” from data subjects if health information is to be disclosed to a third party or used for a purpose other than those for which it was originally collected. However, if data collected for one research study is properly transferred to a U.S. organization, that organization may use it in a new study if that possibility was disclosed at the time of the original data collection and consent. In addition, participants in “blinded” clinical trials do not have to be given access to their data, and their data ca still be processed even after they withdraw from the trial.
A couple of post-Privacy Shield uncertainties loom. The GDPR is expected to take effect in two years. Since the GDPR’s privacy protections are stricter than those of the Privacy Shield in some respects, U.S. Privacy Shield companies should expect more onerous privacy obligations when the GDPR comes into force. Another possible variable is what the United Kingdom will do with its privacy laws—currently governed by EU law—once Brexit is final. Presumably, the UK will maintain EU-level protections to facilitate commerce with the Continent, but that remains to be seen. A particular area of uncertainty is the fate of the UK’s current (pre-GDPR) health research regulations, which are generally more flexible than those of other EU countries.