Data Security, Protection and the US-EU Privacy Shield: Part 2

As noted in my previous post on this topic, the Safe Harbor provisions were declared invalid by the European Court of Justice in October 2015.

This led to new negotiations between the US and the EU, and in February 2016 a new framework agreement was reached, though concerns remained about the deletion of data and two other provisions. An EU advisory body felt that these protections were not robust enough. A further controversy arose when President Trump signed an executive order stating that the protections of the US Privacy Act do not extend to non-US citizens. The order was aimed at the issue of sanctuary cities but appeared, as an unintended consequence, to reach data privacy as well, and this is being litigated.

Separately, Congress had already passed the Judicial Redress Act (signed in February 2016), which extends certain US Privacy Act remedies to citizens of covered countries, including EU member states, and gives them access to US courts. So, as of now, the US-EU Privacy Shield is in place but faces challenges at various levels. The European Commission is monitoring the situation and it is possible things will change and get more complex in the future. Nevertheless, the Privacy Shield is in place and can be used by US companies to comply with EU data transfer requirements. See the Privacy Shield website for the full text and the self-certification process.

A summary of the Privacy Shield follows. In the US it is administered by the Department of Commerce and covers personal data transferred from the EU and Switzerland to the US. Companies voluntarily commit to the Department of Commerce that they will comply with the framework's requirements; because the commitment is made to the US government, it is enforceable under US law (for most companies, by the Federal Trade Commission).

Here are the key requirements for US firms (headings only; the detail under each is on the Privacy Shield website):

Informing individuals about data processing

Providing free and accessible dispute resolution

Cooperating with the Department of Commerce

Maintaining data integrity and purpose limitation

Ensuring accountability for data transferred to third parties

To transfer personal data to a third party acting as an agent, a Privacy Shield participant must:

Transparency related to enforcement actions

Ensuring commitments are kept as long as data is held

This is complicated, and the detail behind each requirement, in particular the retention rules and the Notice and Choice Principles, should be reviewed on the Privacy Shield website. The site has a step-by-step section on how to join the Privacy Shield. It involves writing a standard operating procedure (SOP), or a set of SOPs, covering the required topics: a privacy policy statement; creation of an independent recourse mechanism; stating where the privacy policy is located and making it available to the public; a verification mechanism that confirms all of this is actually being done; payment of the required fee; designation of a person within the company to handle this; and self-certification that all of the above is in place. This package is then submitted to the US Department of Commerce.

This is obviously complex, arcane and legalistic, and must satisfy the US, EU and Swiss requirements at the same time. It should be handled by legal, privacy and compliance personnel within the company, together with anyone else whose work is touched by this requirement.

Issues for Pharmaceutical Companies

Specifically for pharmaceutical companies, the website discusses several issues. The specific instructions include:

Comment: So the company must comply with the national and local requirements in each EU country where data is collected, and with the Privacy Shield when the data is transferred to the US. Member state requirements differ in many cases.

Comment: If research data are being transferred to the US for other purposes, including another study, follow-up or marketing, there must be appropriate notice to, and consent from, the EU data subjects for that transfer. Since such uses cannot always be predicted, the initial research or data collection notice should explain that unanticipated uses may occur and that, where appropriate, new consent will be obtained. Again, legal advice should be sought on this.

Finally, for Drug Safety and Pharmacovigilance

This is the KEY section for those of us in pharmacovigilance (PV).

A pharmaceutical or medical device company does not have to apply the Privacy Shield Principles with respect to the Notice, Choice, Accountability for Onward Transfer, and Access Principles in its product safety and efficacy monitoring activities, including the reporting of adverse events and the tracking of patients/subjects using certain medicines or medical devices, to the extent that adherence to the Principles interferes with compliance with regulatory requirements.  This is true both with respect to reports by, for example, health care providers to pharmaceutical and medical device companies, and with respect to reports by pharmaceutical and medical device companies to government agencies like the Food and Drug Administration.

Comment: This may be viewed as similar to the "out" that the US HIPAA requirements give to safety reporting in the US. The Notice, Choice, Access and Accountability for Onward Transfer requirements do not apply to adverse event (AE) reporting to FDA and other agencies, but note the condition in the text above: the exemption applies only to the extent that following the Principles would interfere with compliance with regulatory requirements, so it is not a blanket release for all safety-related data. The implication is that AE data, and presumably other safety-related data, may be transferred from Europe to the US by the company and then reported to FDA. In practice most companies anonymize the safety data (both clinical trial and post-marketing) with respect to the patient or subject and, often, the reporter, retaining only a high-level description of the reporter (e.g. patient, family member, attorney, health agency, health care professional).
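To make the anonymization practice described above concrete, here is an added example of a de-identification step run on a safety case before it leaves the EU. It is not code from the original post, from any regulator or from any safety database vendor; the flat field names, the reporter-role mapping and the sample case are all assumptions made for the illustration (real systems use the ICH E2B fields, which are not modelled). It drops the direct identifiers of the patient and the reporter, generalizes the date of birth to an age band, keeps only the high-level reporter category, and refuses to transfer a record whose free-text narrative still contains one of the removed identifiers, which is the usual way re-identification slips through.

```python
from datetime import date

# Assumed flat field names for a safety case record (assumption; real
# systems use ICH E2B fields, which are not modelled here).
PATIENT_IDENTIFIERS = frozenset({
    "patient_name", "patient_dob", "patient_address",
    "patient_phone", "patient_email", "patient_national_id",
})
REPORTER_IDENTIFIERS = frozenset({
    "reporter_name", "reporter_phone", "reporter_email",
    "reporter_address", "reporter_institution",
})
# reporter_role is not an identifier but is replaced by a coarser category.
DROP_FIELDS = PATIENT_IDENTIFIERS | REPORTER_IDENTIFIERS | {"reporter_role"}

# Free-text fields that can re-identify a person even after the
# structured identifiers are gone.
FREE_TEXT_FIELDS = ("narrative",)

# Reporter role -> the high-level description kept in the transferred record.
REPORTER_CATEGORIES = {
    "physician": "health care professional",
    "pharmacist": "health care professional",
    "nurse": "health care professional",
    "patient": "patient",
    "relative": "family",
    "lawyer": "attorney",
    "regulator": "health agency",
}


def age_band(dob: date, as_of: date) -> str:
    """Generalize a date of birth to a ten-year band such as '40-49'."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    if age >= 90:            # very few people above 90; collapse the tail
        return "90+"
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def reporter_category(role) -> str:
    """Map a specific reporter role to the coarse category, 'other' if unknown."""
    return REPORTER_CATEGORIES.get((role or "").strip().lower(), "other")


def deidentify(case: dict, as_of: date) -> dict:
    """Return a copy of `case` with direct identifiers removed.

    Raises ValueError if a free-text field still contains one of the
    identifier values, so a leaky narrative is never transferred silently.
    """
    identifier_values = [
        str(case[k]) for k in PATIENT_IDENTIFIERS | REPORTER_IDENTIFIERS
        if case.get(k)
    ]
    for field in FREE_TEXT_FIELDS:
        text = str(case.get(field, "")).lower()
        for value in identifier_values:
            # Ignore very short values that would match by accident.
            if len(value) >= 4 and value.lower() in text:
                raise ValueError(
                    f"{field} contains an identifier ({value!r}); redact before transfer")

    out = {k: v for k, v in case.items() if k not in DROP_FIELDS}
    out["patient_age_band"] = age_band(case["patient_dob"], as_of)
    out["reporter_category"] = reporter_category(case.get("reporter_role"))
    return out


def remaining_identifiers(record: dict) -> set:
    """Verification check: identifier fields still present in a record."""
    return set(record) & (PATIENT_IDENTIFIERS | REPORTER_IDENTIFIERS)


# Constructed sample case (not real data; names and IDs are invented).
SAMPLE_CASE = {
    "case_id": "DE-2017-000123",
    "patient_name": "Anna Muster",
    "patient_dob": date(1975, 3, 15),
    "patient_sex": "F",
    "patient_address": "Musterstrasse 1, Berlin",
    "suspect_drug": "Drug X",
    "event_term": "Rash",
    "onset_date": date(2017, 5, 20),
    "serious": False,
    "reporter_name": "Dr. Max Beispiel",
    "reporter_role": "Physician",
    "reporter_institution": "Klinikum Beispiel",
    "narrative": "Female patient developed a rash five days after starting Drug X.",
}


def demo() -> dict:
    """De-identify the sample case as of a fixed date (for reproducibility)."""
    return deidentify(SAMPLE_CASE, as_of=date(2017, 6, 1))


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the narrative scan is that anonymization is only as good as its weakest field; dropping structured columns while forwarding a narrative that names the patient is the common failure. A real pipeline would also keep the mapping from case_id back to the identified record inside the EU entity, so that follow-up with the reporter remains possible without the identifiers crossing the Atlantic.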

Most companies and CROs already put provisions such as these in place for the old Safe Harbor system. They should now read through the new Privacy Shield requirements and update those provisions as appropriate; the added burden should not be substantial. So the bottom line is that if a company chooses to participate in the Privacy Shield, it should examine which requirements need to be put in place. Again, seek legal advice to ensure that all requirements are properly applied.

Some companies have done this already and their certifications can be viewed online on the Privacy Shield list. Here are a few samples:


As noted, this is a tricky and complex area, especially for companies working in many or all EU member states. It is likely to change on both sides of the Atlantic over the next several months and years. As noted several times above, seek legal advice.
