Trans-Atlantic Transfers of Health Data
Since the Covid-19 pandemic, the number of clinical trials run across multiple jurisdictions has grown. A potential stumbling block for organisations sponsoring or participating in those trials is the trans-Atlantic transfer of health data.
Background
Prior to the Schrems II ruling in 2020, a mechanism known as the Privacy Shield permitted the transfer of personal data from the European Union (EU) to the United States (US). Schrems II invalidated the Privacy Shield because of concerns about access to transferred data by the U.S. National Security Agency (NSA) and other U.S. intelligence authorities. The court did not invalidate Standard Contractual Clauses (SCCs), but it held that SCCs alone do not guarantee an adequate level of protection where the law of the destination country allows intelligence access beyond what is necessary and proportionate. The practical effect is that organisations transferring data from the EU to the US must complete a data transfer impact assessment (DTIA) before the transfer takes place. In the DTIA the parties assess whether the NSA or other U.S. government agencies may be able to access the data after transfer or while it is in transit and, if so, what supplementary measures (for example encryption with keys held only in the EU, or pseudonymisation before export) they will put in place to safeguard it.
Recent and Future Developments
Following Schrems II the European Commission adopted revised SCCs; the deadline for migrating existing contracts to them was 27 December 2022. Organisations with older contracts that still rely on the previous SCCs should therefore have already updated those contracts to the new version, or should be doing so as soon as possible.
In 2022 the EU and US agreed in principle on a new EU-US Data Privacy Framework, intended to make it easier for organisations to transfer data from the EU to the US. Commentators consider it likely that the framework will be adopted by the Commission as an adequacy decision; however, Max Schrems has warned that he will challenge it if he considers that it does not adequately protect data subjects' rights and freedoms.
What HewardMills says
Companies in the life sciences sector that engage in clinical trials should take the following key steps:
- Identify which data flows and data processing activities are subject to the GDPR;
- Establish an internal GDPR compliance policy;
- Update website privacy policies and other external-facing privacy notices;
- Draft data protection agreements with processors;
- Customise SCCs for various transfer scenarios; and
- Carry out a DTIA for each transfer of data to the US.
Whilst these steps may seem onerous, it is worth remembering that the end goal of most clinical trials is to advance healthcare and improve the health and wellbeing of people across the world, and that goal may be put in jeopardy if data protection law is not properly adhered to.