As noted in my previous post on this topic, the Safe Harbor provisions were declared invalid by the European Court of Justice in October 2015.
This led to new negotiations between the US and the EU, and in February 2016 a new framework agreement was reached, though concerns remained about deletion of data and two other provisions. An EU advisory body also felt that these protections were not robust enough. A further controversy arose after President Trump signed an executive order stating that the US Privacy Act does not apply to non-US citizens. This was aimed at the issue of sanctuary cities but appeared to cover data privacy as well, as an unintended consequence, and is being litigated.
Separately, the US Congress passed a law (the Judicial Redress Act) extending certain US Privacy Act protections to Europeans and giving them access to US courts. So as of now the US-EU Privacy Shield is in place, but there are challenges at various levels. The European Commission is monitoring the situation and it is possible things will change and get more complex in the future. Nevertheless, the Privacy Shield is in place and can be used by US companies to comply with EU requirements. See the Privacy Shield website for the full text and the self-certification procedure.
A summary of the Privacy Shield follows. In the US it is administered by the Department of Commerce. It covers data transferred from the EU and Switzerland to the US. Companies can voluntarily commit to the US Department of Commerce that they will comply with the requirements. Because this commitment is made to the US government, it is enforceable under US law.
Here are the key requirements for US firms:
Informing individuals about data processing:
- A Privacy Shield participant must include in its privacy policy a declaration of the organization’s commitment to comply with the Privacy Shield Principles, so that the commitment becomes enforceable under U.S. law.
- When a participant's privacy policy is available online, it must include a link to the Department of Commerce's Privacy Shield website and a link to the website or complaint submission form of the independent recourse mechanism that is available to investigate individual complaints.
- A participant must inform individuals of their rights to access their personal data, the requirement to disclose personal information in response to a lawful request by public authorities, which enforcement authority has jurisdiction over the organization’s compliance with the Framework, and the organization’s liability in cases of onward transfer of data to third parties.
Providing free and accessible dispute resolution:
- Individuals may bring a complaint directly to a Privacy Shield participant, and the participant must respond to the individual within 45 days.
- Privacy Shield participants must provide, at no cost to the individual, an independent recourse mechanism by which each individual’s complaints and disputes can be investigated and expeditiously resolved.
- If an individual submits a complaint to a data protection authority (DPA) in the EU, the Department of Commerce has committed to receive, review and undertake best efforts to facilitate resolution of the complaint and to respond to the DPA within 90 days.
- Privacy Shield participants must also commit to binding arbitration at the request of the individual to address any complaint that has not been resolved by other recourse and enforcement mechanisms.
Cooperating with the Department of Commerce
- Privacy Shield participants must respond promptly to inquiries and requests by the Department of Commerce for information relating to the Privacy Shield Framework.
Maintaining data integrity and purpose limitation:
- Privacy Shield participants must limit personal information to the information relevant for the purposes of processing.
- Privacy Shield participants must comply with the new data retention principle.
Ensuring accountability for data transferred to third parties:
- To transfer personal information to a third party acting as a controller, a Privacy Shield participant must:
- Comply with the Notice and Choice Principles; and
- Enter into a contract with the third-party that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify the organization if it makes a determination that it can no longer meet this obligation. The contract shall provide that when such a determination is made the third party ceases processing or takes other reasonable and appropriate steps to remediate.
- To transfer personal data to a third party acting as an agent, a Privacy Shield participant must:
- Transfer such data only for limited and specified purposes;
- Ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles;
- Take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles;
- Require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles;
- Upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and
- Provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.
Transparency related to enforcement actions
- Privacy Shield participants must make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC if the organization becomes subject to an FTC or court order based on non-compliance.
Ensuring commitments are kept as long as data is held
- If an organization leaves the Privacy Shield Framework, it must annually certify its commitment to apply the Principles to information received under the Privacy Shield Framework if it chooses to keep such data, or provide "adequate" protection for the information by another authorized means.
This is complicated, and the points above about the data retention principle and the Notice and Choice Principles should be reviewed online at the Privacy Shield website. The website also has a step-by-step section on how to join the Privacy Shield. In practice this means writing an SOP or set of SOPs covering the required topics, including: preparing a privacy policy statement; setting up an independent recourse mechanism; stating the location of the privacy policy and making it available to the public; ensuring that a verification mechanism is in place to confirm all of this is being done; paying the required fee; designating a person within the company to handle this; and self-certifying that all of this is being done. This package is then submitted to the US Department of Commerce.
This is obviously complex, arcane and legalistic, and must comply with the US and EU (and Swiss) requirements. It should be handled by legal, privacy and compliance personnel within the company, together with anyone else who might be touched by this requirement.
Issues for Pharmaceutical Companies
Specifically for pharmaceutical companies, the Privacy Shield website discusses various issues. These include:
- EU member state privacy requirements apply to European data collected before transfer to the US. Privacy Shield requirements apply after transfer to the US. Research and other data should be anonymized where appropriate.
Comment: So the company must comply with the national/local requirements in each EU country before transfer, and with the Privacy Shield once the data is transferred to the US. Member state requirements differ in many cases.
- Where personal data collected for one research study are transferred to a U.S. organization in the Privacy Shield, the organization may use the data for a new scientific research activity if appropriate notice and choice have been provided in the first instance. Such notice should provide information about any future specific uses of the data, such as periodic follow-up, related studies, or marketing. It is understood that not all future uses of the data can be specified. Where appropriate, the notice should therefore include an explanation that personal data may be used in future medical and pharmaceutical research activities that are unanticipated. If the use is not consistent with the general research purpose(s) for which the personal data were originally collected, or to which the individual has consented subsequently, new consent must be obtained.
Comment: If research data are being transferred to the US for other purposes, including another study but also follow-up or marketing, there must be appropriate notice to, and consent from, the EU subjects for this use. Since this cannot always be predicted, the initial research or data collection notice should explain that unanticipated uses may occur and, where appropriate, new consent should be obtained. Again, legal advice should be sought on this.
- If a person withdraws from a trial the data collected to that point may continue to be processed per the Privacy Shield requirements.
- EU data may be transferred to US regulators and to third parties such as company locations and other researchers.
- EU subjects in blinded studies do not have to be given access to data on their treatment if this is explained when the person enters the trial. They may receive it after the trial is completed.
Finally, for Drug Safety and Pharmacovigilance
This is the KEY section for those of us in PV.
A pharmaceutical or medical device company does not have to apply the Privacy Shield Principles with respect to the Notice, Choice, Accountability for Onward Transfer, and Access Principles in its product safety and efficacy monitoring activities, including the reporting of adverse events and the tracking of patients/subjects using certain medicines or medical devices, to the extent that adherence to the Principles interferes with compliance with regulatory requirements. This is true both with respect to reports by, for example, health care providers to pharmaceutical and medical device companies, and with respect to reports by pharmaceutical and medical device companies to government agencies like the Food and Drug Administration.
Comment: This may be viewed as similar to the "out" that the US HIPAA requirements give to safety reporting in the US. The requirements on notice, choice, access and onward transfer do not apply to adverse event reporting to FDA and other agencies, to the extent that following them would interfere with regulatory compliance. The implication is that AE and presumably other safety-related data may be transferred from Europe to the US by the company and then reported to FDA. In practice, most companies anonymize the safety data (both clinical trial and post-marketing) with respect to the patient/subject and, often, the reporter, listing only a high-level description (e.g. patient, family, attorney, health agency, etc.). Note that the exemption is limited to those four Principles and only to the extent needed for regulatory compliance; the remaining Principles (security, data integrity and purpose limitation) still apply to the safety data.
Most companies and CROs already put provisions such as this in place for the old Safe Harbor system. They should therefore read through the new Privacy Shield requirements and update their provisions as appropriate; the added burden should not be substantial. So the bottom line is that if the company chooses to participate voluntarily in the Privacy Shield, it should examine the requirements that need to be put in place. Again, seek legal advice to ensure that all requirements are properly applied.
Some companies have done this already, and their certifications can be viewed online on the Privacy Shield List.
Conclusion
As noted, this is a tricky and complex area, especially for companies working in many or all EU member states. It is likely to change on both sides of the Atlantic over the next several months and years. As noted several times above, seek legal advice.