BACKGROUND
U.S.-based life sciences companies can be subject to the European Union (‘EU’) General Data Protection Regulation (‘GDPR’), even if they do not have any subsidiary, affiliate or other physical presence in the EU. This can be the case if, for example, a pharmaceutical or medical device company in the U.S. acts as a sponsor of a clinical study that is conducted in one or more EU Member States with the help of local investigators or hospitals. If the study involves monitoring or regular reporting on study subjects’ health status – which will often be the case, given the nature of the study – the U.S.-based company/sponsor will likely be in scope of the GDPR as far as the processing of study subjects’ personal data is concerned.
The sponsor in the U.S. will want to have access to the study results for various reasons relating to its research activities as well as for safety (reporting) purposes. Study results will typically include key-coded or “pseudonymized” personal data relating to the study subjects, and the sponsor will not be given the “key” that is needed to reveal the identity of individual study subjects. The European data protection authorities take the view that such data still constitutes “personal data” as this term is defined by the GDPR, although in a recent case before the EU’s General Court (Case T-557/20), the Court appeared to take a different position.
Access to this data by the sponsor in the U.S. will be viewed as an international data transfer under the GDPR, which requires one of the data transfer solutions or derogations set out in Chapter V of the GDPR. If the data is transferred without complying with Chapter V of the GDPR, both the sponsor receiving the data and the investigators/hospitals that initiated the transfer risk being subject to enforcement action by data protection authorities in the EU.
THE ISSUE
The GDPR imposes restrictions on international data transfers and provides only limited options for justifying transfers of personal data to recipients in countries outside of the EU. For several years, many relied on the EU-U.S. Privacy Shield as the preferred transfer tool for sending study data collected in the EU to study sponsors in the U.S. Some pharmaceutical and medical device companies, however, considered that this option was not available to them, based on (controversial) guidance issued by the Article 29 Working Party (i.e., the predecessor of the current European Data Protection Board or ‘EDPB’). Instead, these companies would enter into the European Commission’s Standard Contractual Clauses (‘SCCs’), which provided contractual safeguards for personal data transferred from a controller in the EU to a controller or processor in a non-EU country.
In the 2020 Schrems II case (Case C-311/18), the Court of Justice of the EU invalidated the EU-U.S. Privacy Shield, as a result of which it could no longer be used as a data transfer solution. Shortly after that decision, in an attempt to address some of the concerns raised by the Court (in particular regarding data access by foreign authorities), the European Commission revised and updated its SCCs. The updated SCCs, which were published in 2021, introduce four modules catering to different transfer scenarios, namely controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller. However, the European Commission’s decision that implements the updated SCCs, as well as the relevant regulatory guidance that has been published, both emphasize that the newest version of the SCCs can be used only for transfers of personal data to a controller/processor outside of the EU whose processing is not subject to the GDPR. This means that, at least technically speaking, the updated SCCs are not a suitable solution for transferring study-related data (which has not been fully anonymized) to a sponsor in the U.S. whose data processing is itself subject to the GDPR.
The European Commission has announced that it plans to issue an additional (and presumably simplified) set of SCCs specifically for transfers to controllers/processors subject to the GDPR, which would take into account the requirements that already apply directly to those controllers/processors under the GDPR. To date, however, it is unclear when these additional SCCs will become available for use.
THE EU-U.S. DATA PRIVACY FRAMEWORK TO THE RESCUE (?)
In the meantime, sponsors in the U.S. may want to consider joining the EU-U.S. Data Privacy Framework (‘DPF’) – the successor of the EU-U.S. Privacy Shield, which has applied since 10 July 2023 – to provide coverage for the transfer of study-related data from Europe to the U.S. The European Commission has recently confirmed that the DPF ensures an adequate level of protection for personal data transferred from the EU to organizations in the U.S. that are included in the ‘DPF List’, which is maintained by the U.S. Department of Commerce. The DPF provides individuals in the EU whose personal data is transferred to the U.S. with several data protection rights (e.g., the right to access their data) in addition to different redress possibilities in case they believe that their data has been handled wrongly.
In order to rely on the DPF to effectuate transfers of personal data from the EU, an organization will have to self-certify its adherence to the DPF “Principles” issued by the U.S. Department of Commerce and be able to demonstrate its compliance with those Principles. There are seven key DPF Principles that apply to every certified company and that impose specific data protection obligations, such as requirements around purpose limitation, data minimization and data retention. In addition, the DPF has 16 “Supplemental Principles” that may apply depending on the data transfer scenario. One of these Supplemental Principles specifically addresses data transfers in the context of pharmaceutical and medical products, and states that:
- If a transfer from the EU to the U.S. involves study data that the investigator/hospital in the EU has key-coded with a view to protecting the identity of individual study subjects, the data in question is still personal data under EU law and therefore it is covered by the Principles – even if the company in the U.S. sponsoring the study does not have the key;
- Pharmaceutical and medical device companies in the U.S. receiving data originating in the EU do not have to comply with all the DPF Principles in their product safety and efficacy monitoring activities, including the reporting of adverse events and tracking of patients/study subjects using certain medicines or medical devices, provided that adherence to the Principles would interfere with regulatory compliance;
- Pharmaceutical and medical device companies in the U.S. are permitted to provide personal data from clinical studies conducted in the EU to regulators in the U.S. for regulatory and supervision purposes. They can also transfer the data to parties other than regulators, such as research organizations;
- If personal data collected for a particular clinical study is transferred to a U.S. sponsor under the DPF, the sponsor may use the data for a new scientific research activity if appropriate notice and choice are provided to the study subjects in scope.
It will not suffice for U.S.-based sponsors to have their name added to the DPF List in order to be considered “compliant” with the DPF Principles: they will also have to implement specific measures and processes that aim to protect the rights of study subjects whose personal data is transferred from the EU, for example:
- A DPF privacy notice, which will have to inform study subjects about e.g., the reasons why the sponsor is collecting their data and the purposes for which the data will be used, as well as any third parties that will have access to the data;
- Mechanisms for ensuring that study subjects in the EU can access their personal data, and for investigating study subjects’ complaints and disputes in connection with the data transfer;
- Onward transfer contracts with third parties that will process transferred data, either as independent controllers or as processors (“agents”) acting on behalf of the sponsor;
- Internal procedures for verifying the sponsor’s own compliance with the DPF Principles, via self-assessments or external compliance reviews.
Life sciences companies that are considering participating in the DPF should note that the same privacy activists that brought down the EU-U.S. Privacy Shield (in the Schrems II case) have already indicated that they might challenge the validity of the new DPF as well. They appear to have doubts around, for example, the effectiveness of the DPF’s redress mechanisms and the likely outcome of complaints that may be brought against the data access practices of U.S. intelligence agencies. However, a legal challenge of the DPF is likely to take several years, during which the DPF will remain available as a valid data transfer tool under the GDPR – unless and until the European Commission decides to repeal it.