On October 6 2015 the European Court of Justice (ECJ) ruled that the European Commission decision on the adequacy of the EU-US safe harbour framework is invalid.
The judgment followed a request from the High Court of Ireland that the ECJ should review:
- whether the decision prevents competent EU member state data protection authorities from investigating complaints alleging that a third country to which personal data is transferred does not ensure adequate protection; and
- whether the contested transfer of data should be suspended where appropriate.
The plaintiff, Mr Schrems, filed a complaint with the data protection commissioner in Ireland objecting to the transfer of his personal data from Facebook in Ireland to Facebook's parent company in the United States and its retention on the US Facebook servers. The data transfer was made according to the EU-US Safe Harbour Framework.
Schrems alleged that the transfer and retention of his personal data did not ensure an adequate level of protection, as the data held on the US servers was accessible to US public authorities for surveillance purposes.
The judicial review proceedings brought before the High Court of Ireland concerned the legality of the EU-US safe harbour framework and the decision adopted by the commission. The High Court asked the ECJ whether the data protection commissioner was bound by the safe harbour decision or whether the commissioner could conduct its own investigation concerning the legality of the transfer of personal data to a third country on the merits of the case.
In Maximillian Schrems v Data Protection Commissioner (Case C-362/14) the ECJ held that the competent data protection authorities of individual EU member states can investigate complaints from a data subject which alleges that its personal data has been transferred to a third country that does not protect its privacy, fundamental rights or freedoms.
The ECJ declared the commission's safe harbour decision to be invalid. The decision was based on the ECJ's conclusion that national security, public interest or law enforcement requirements in the United States grant the authorities public access to the personal data of data subjects that is transferred from the European Union to entities in the United States. The ECJ held that US public authorities are entitled to disregard the principles of the EU-US safe harbour framework without limitation where they conflict with national law requirements. Access by such authorities therefore compromises the essence of the fundamental right to respect for private life.
The ECJ decision could have far-reaching consequences for clinical trial sponsors that have relied on the framework to justify the transfer of patients' personal data and personal health data from clinical trial sites in the European Union to the United States. In light of this, pharmaceutical and medical device companies must adopt an alternative legal basis on which to transfer such data to the United States. One issue will be the decision's implications for marketing authorisations granted for medicinal products and conformity assessments of medical devices that were based on clinical data transferred to the United States for processing based on the grounds of safe harbour.
The transfer of personal data out of the European Union to third countries which do not provide an adequate level of protection of personal data is prohibited.
A number of exceptions to this general prohibition permit clinical trial sponsors to transfer personal data out of the European Union to the United States or to any other third country which does not offer an adequate level of protection. Prior to the ECJ's ruling, one such exception was the EU-US safe harbour framework.
The framework permitted clinical trial sponsors to transfer patients' personal data out of the European Union to an entity in the United States for processing if this entity participated in the voluntary self-certification of the framework. Compliance with these principles is controlled by the US Federal Trade Commission.
One consequence of the ECJ decision is that sponsors of clinical trials conducted in the European Union will no longer be permitted to rely on the framework as a valid legal basis to permit the transfer of clinical trial data to the United States for processing. Clinical trial sponsors must therefore adopt an alternative legal basis on which to transfer such data. For instance, such sponsors could obtain the trial patient's unambiguous consent to transfer the data to the United States.
It is unclear what, if any, implications the ECJ decision will have for clinical data that has been exported to the United States in reliance on the framework and subsequently relied on to support medicinal product marketing authorisation or demonstration of compliance by medical devices with applicable EU rules.
For further information on this topic please contact Elisabethann Wright or Ciara Farrell at Hogan Lovells by telephone (+32 2 505 0911) or email ([email protected] or [email protected]). The Hogan Lovells website can be accessed at www.hoganlovells.com.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.
Elisabethann Wright, Ciara Farrell