Cross-border data transfers in the life sciences arena are more common now than ever before. Companies operating within this sphere are being required to focus their attention on compliance with EU data protection laws, which place restrictions on the export of personal data to countries outside the EEA and in particular, the US. What’s more, significant penalties are likely to face those that do not comply. However, after a period of some delay and uncertainty, the European Commission has finally given the green light to the EU-US Privacy Shield, a new mechanism governing how personal data must be transferred across the Atlantic, and providing much-needed clarity for EU businesses.
With the transfer of significant amounts of personal data becoming increasingly common, compliance with EU data protection regulation is an important consideration for companies operating in the life sciences arena. For instance, clinical trial data often includes patient ID numbers and other patient identifiers, such as initials and dates of birth, which are regarded as personal data in some EU member states. Clinical trials regularly involve the transfer of such data, as well as investigators’ personal data, to clinical research organisations, sponsors, statisticians and other associates operating outside the European Economic Area (EEA). Organisations also routinely transfer employees’ personal data, including payroll and HR information, to international offices or headquarters outside the EEA.
Breach of EU data protection laws can carry significant penalties. In May 2016, two NHS trusts were fined £180,000 and £185,000 respectively by the UK Information Commissioner for two separate data protection breaches. Once the General Data Protection Regulation (GDPR), which is directly applicable in all EU member states, comes into force on 25 May 2018, the maximum penalties for non-compliance will increase substantially. The European Commission will have powers to fine companies up to 4% of global annual turnover or € 20m (whichever is higher) for serious data protection breaches and up to 2% or €10m for more minor breaches.
In this context, the introduction of the EU-US Privacy Shield (the “Privacy Shield”) should provide much-needed clarity for businesses transferring data to the US. The regulation of transfers of personal data from the EU to the US has been in a state of uncertainty since the European Court of Justice held in October 2015 that the previous Safe Harbour regime was invalid for failing to meet EU data protection standards, in large part due to concerns that data transfers were subject to US mass surveillance. However, following two and half years of negotiation, on 12 July 2016 the European Commission formally approved the Privacy Shield as a mechanism for governing the transfer of personal data between the EEA and the US for commercial purposes.
The Privacy Shield puts in place various measures to ensure that personal data transferred to US companies will be processed subject to appropriate safeguards. It achieves this by:
(1) imposing strong obligations on US companies handling and transferring personal data;
(2) protecting the fundamental rights of individuals and giving them clear and affordable mechanisms to take action against businesses which do not comply; and
(3) setting out limitations and safeguards on US Government access to personal data.
If a US company has self-certified within the first two months of the framework being activated (i.e. before 30 September 2016), it will have the benefit of a nine month grace period to come into compliance with the programme’s requirements. This grace period, which starts on the company’s certification date, allows that company time to negotiate amendments to their existing contracts and add appropriate Privacy Shield language in order to bring them into conformity. By way of example, if a company that shares personal data with two recipients became a member of the framework on 1 August 2016, it will have until 1 May 2017 to amend its contracts with those data recipients to ensure they are compliant.
Companies that have waited until 1 October 2016 or after to join are still able to self-certify with the US Department of Commerce. However, they would not have the benefit of the nine month grace period and must be able to verify that their contracts are in line with all of the Privacy Shield principles from the outset before data is transferred from the EU to the US
The approval of the framework ends months of uncertainty for European businesses that transfer data across the Atlantic. Even with Brexit on the horizon, the UK Information Commissioner has already said that the UK may have to adopt the EU data protection rules in order to trade with Europe post-Brexit. If not already underway, businesses are now advised to review their data transfers to the US to ensure that they are compliant, by either utilising the Privacy Shield or one of the other available mechanisms or derogations for legitimising the transfers.