With the recent ruling that the Safe Harbor programme is invalid under European law, life sciences companies will need to review their strategies when exporting patient data to the United States.
Life sciences companies that routinely transfer personal data (especially sensitive personal health data) from within the European Union (EU) to the United States commonly rely, at least in part, on Safe Harbor to legitimise such transfers. A recent case may require companies to reconsider that strategy.
In Maximillian Schrems v. Data Protection Commissioner (case C-362/14), the European Court of Justice (ECJ) ruled that the European Commission decision approving the Safe Harbor programme is invalid. It also ruled that EU data protection authorities do have the power to investigate complaints about transfers of personal data outside Europe (whether by Safe Harbor–certified organisations or otherwise, but excluding transfers to countries the EU has deemed to have “adequate” data protection laws) and, where justified, can suspend data transfers outside Europe until their investigations are complete. As we described in our previous LawFlash, the European Commissioners plan to issue guidance to Safe Harbor–certified companies within the next couple of weeks.
In the meantime, life sciences companies that routinely transfer personal data, typically sensitive personal data, and rely on Safe Harbor should consider alternatives to Safe Harbor.
The ECJ declared that the European Commission’s decision to approve the Safe Harbor programme in 2000 is “invalid” on the basis that US law fails to protect personal data transferred to US public authorities under the Safe Harbor derogations for “national security, public interest, or law enforcement requirements”. Further, EU citizens do not have adequate rights of redress where their personal data protection rights are breached by US authorities.
In the last two years, the European Commission and various data protection working parties have discussed ways to improve the Safe Harbor programme and strengthen rights for EU citizens where their personal data is transferred to the United States. Recently, the United States and EU finalised a data protection umbrella agreement to provide minimum privacy protections for personal data transferred between EU and US authorities for law enforcement purposes. The umbrella agreement will provide certain protections to ensure that personal data is protected when exchanged between police and criminal justice authorities of the United States and EU. The umbrella agreement, however, does not apply to personal data shared with national security agencies.
The powers of national data protection authorities are significantly strengthened by this decision. They could suspend some or all personal data flows into the United States in serious circumstances and where they have justifiable reasons for doing so. There is a risk that a data protection authority could order that an international organisation’s data transfers outside Europe be suspended from its jurisdiction while the same transfers remain permitted from other European jurisdictions. To mitigate this risk, the European Commission is entitled to issue EU-wide “adequacy decisions” for consistency purposes.
Many pharmaceutical and medical device companies are, themselves, Safe Harbor certified and/or they partner with or are affiliated to Safe Harbor–certified organisations. The categories of personal data transferred within the organisation or to third parties from within the EU to the United States include clinical trial data, data relating to unlicensed/compassionate use, health technology assessment data, transfers of value records for transparency reports, patient information enquiries for marketed products, and other patient and employee personal data. Often, but not always, patient data will be pseudonymised (i.e., direct identifiers are replaced so that the individual can be reidentified only with additional data, such as a key or lookup table held by the controller) before being transferred outside Europe. Data protection laws, including the restrictions on transferring data outside Europe, continue to apply to pseudonymised data: pseudonymisation is treated as a privacy-enhancing measure, not as anonymisation that takes the data outside those laws.
Safe Harbor–certified organisations should note that there are other options for transferring personal data to the United States, including obtaining express consent for both primary and secondary uses, and using Binding Corporate Rules or EU-approved model clause agreements. Organisations that partner with Safe Harbor–certified organisations may wish to discuss these other options with their partners. There is, however, a risk that this decision could also affect Binding Corporate Rules and EU-approved model clause agreements, since the ECJ’s concerns about US national security access apply equally to data transferred under those mechanisms. Relying on consent alone can also be problematic if the validity of the consent is challenged as not freely given (e.g., if it is a condition of a service or a benefit) or not fully informed, or if the consent is qualified or withdrawn.
Life sciences companies should consider using pseudonymisation techniques for patient data where possible and ensure that they obtain fully informed consent to the international transfer from the patients and other individuals whose personal data is exported. Under the proposed new General Data Protection Regulation, consent will have to be freely given, specific, informed, and explicit. Consent cannot be inferred; it will need to be expressly given in advance of the transfer. This will narrow the circumstances in which consent is valid compared to existing laws in many European countries.
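To make concrete why pseudonymised patient data remains personal data under the rules described above, the following Python example (added here for illustration; it is not part of the LawFlash and does not describe any particular company’s process) pseudonymises constructed sample records with a keyed HMAC before export. The key and the pseudonym-to-identifier table stay with a hypothetical EU controller, which can therefore re-identify every exported record; the US recipient cannot recompute pseudonyms from identifiers it already holds, whereas an unkeyed hash of the same identifier can be reversed by anyone with a list of candidate identifiers. The NHS numbers, dates of birth, postcodes and results are made up.

```python
"""Keyed pseudonymisation of patient records before export outside the EU.

Added illustration, not code from the LawFlash. Assumes a hypothetical EU
controller that holds the secret key and the re-identification table, and a
recipient outside the EU that only ever receives the exported records.
"""
import hashlib
import hmac

# Constructed sample records for illustration only; not real patients.
PATIENTS = [
    {"nhs_number": "943 476 5919", "dob": "1971-03-14", "postcode": "SW1A 1AA",
     "result": "HbA1c 7.2%"},
    {"nhs_number": "401 023 2137", "dob": "1985-11-02", "postcode": "M1 1AE",
     "result": "HbA1c 5.6%"},
]

# Fields treated as direct identifiers and stripped from the export.
DIRECT_IDENTIFIERS = ("nhs_number", "dob", "postcode")


def pseudonym(identifier, key):
    """Keyed pseudonym: HMAC-SHA256 of the direct identifier under a secret key.

    A keyed MAC (rather than a plain hash) means the recipient cannot recompute
    pseudonyms from identifiers it already holds. A deterministic MAC (rather
    than random tokens) means the same patient always maps to the same
    pseudonym, so longitudinal records can still be linked by the recipient.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Split records into an export set and a re-identification table.

    The export set carries the pseudonym plus the clinical payload only. The
    table (pseudonym -> NHS number) and the key remain with the EU controller.
    Because that table exists, the export is pseudonymised, not anonymous.
    """
    exported, table = [], {}
    for rec in records:
        pid = pseudonym(rec["nhs_number"], key)
        table[pid] = rec["nhs_number"]
        payload = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        exported.append({"pseudonym": pid, **payload})
    return exported, table


def reidentify(exported_record, table):
    """Re-identification is possible only for whoever holds the table."""
    return table.get(exported_record["pseudonym"])


def naive_pseudonym(identifier):
    """Unkeyed SHA-256 of the identifier: a common but weak substitute."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def reverse_naive(digest, known_identifiers):
    """Dictionary attack on the unkeyed variant: a recipient holding any list
    of NHS numbers (e.g. from another dataset) recomputes the hash of each."""
    for ident in known_identifiers:
        if naive_pseudonym(ident) == digest:
            return ident
    return None


def reverse_keyed(digest, known_identifiers, key_guess):
    """The same dictionary attack on the keyed variant succeeds only with the
    real key, which is why the key must not travel with the exported data."""
    for ident in known_identifiers:
        if hmac.compare_digest(pseudonym(ident, key_guess), digest):
            return ident
    return None


if __name__ == "__main__":
    # Demo key only; a real deployment would use a randomly generated secret
    # held in the EU controller's key management system.
    key = b"constructed-demo-key-not-for-production"
    exported, table = pseudonymise(PATIENTS, key)
    print("exported record:", exported[0])
    print("re-identified by controller:", reidentify(exported[0], table))
    ids = [p["nhs_number"] for p in PATIENTS]
    print("unkeyed hash reversed by recipient:",
          reverse_naive(naive_pseudonym(ids[1]), ids))
    print("keyed pseudonym reversed without key:",
          reverse_keyed(exported[1]["pseudonym"], ids, b"wrong-key"))
```

The design point for a data controller is that the key and the table are themselves the "additional data" that makes re-identification possible; they should be held and access-controlled in the EU, and the export should never include them. If the key is compromised or shared with the recipient, the export is effectively identifiable data in the recipient’s hands.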
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers: