In July 2020, the European Court of Justice dealt a major blow to organisations that transfer personal data to the US and other jurisdictions, primarily with the striking down of the EU-US Privacy Shield. The judgment also raised wider concerns for organisations relying on Standard Contractual Clauses (SCCs).
In this article, Penny Bygraves of Veale Wasbrough Vizards LLP considers what this actually means for organisations within the Pharmaceuticals and Life Sciences sector who export personal data to the US and beyond and what the implications are for data transfers into the UK, if the transition period with the EU ends without a decision that the UK’s data protection laws are adequate.
Implications for the Pharmaceuticals and Life Sciences Sector in the UK
Improving data transfers (eg by improving the efficiency with which clinical trial results are shared or increasing the size of biobank populations) has been identified as key to ensuring the continuation of the rapid developments we are seeing in the fields of predictive diagnostics, medicines and therapeutics. For example, the new NHS England Genomic Medicine Service (offering future opportunities for cell and gene therapies) will benefit from access to the latest cutting edge technologies, which empower scientists (through better integration of data) to discover more efficient medicines faster. We have seen this already in the clearer targeting strategies and reduction in clinical trial lengths demonstrated in the context of the coronavirus (COVID-19) vaccine. These demands must be weighed against a developing regulatory landscape.
Organisations operating within the Pharmaceuticals and Life Sciences sector will need to review any specific arrangements where they rely on the Privacy Shield, or the SCCs, to permit transfers of personal data outside the UK. This includes within group structures, as well as third party IT outsourcing and cloud storage arrangements. They should consider whether an adequacy assessment needs to be carried out and/or whether supplemental measures need to be implemented.
In particular, organisations need to look out for arrangements with large corporations who provide cloud services, or otherwise store or transfer data (such as Google or Microsoft), to see if they have updated their data protection terms. Often, these will require organisations to take some form of action to ensure that they are valid and apply to their agreement, so be aware that you may have to click a link, or request a specific agreement/set of terms in order to comply.
The Legal Background to the Schrems II Decision
Under data protection law in the UK, organisations cannot transfer personal data outside of the UK or the EEA without ensuring that the personal data is safeguarded in the same way that it would be if it remained in the EEA or UK. There are some exceptions to this (such as where the individual has provided explicit consent to the transfer, after being made aware of the risks), but most large scale transfers rely on one of the following methods of securing equivalent protections.
The first of these is where the EU has issued an “adequacy decision”. This means that the EU has assessed the laws of the relevant country and declared that they provide sufficient protections to allow a transfer.
Other options include SCCs, or Binding Corporate Rules (BCRs), both of which seek to place contractual safeguards on data being transferred which offer equivalent protections.
The US does not have an adequacy decision as such, but it did have the Privacy Shield. This was a voluntary code that US organisations could sign up to, which purported to ensure information protection met EU standards.
The Court found that the law in the US around surveillance and general privacy of citizens meant that, effectively, US organisations could not guarantee equivalent protections to personal data, even when complying with the Shield.
This means that organisations in the EEA (and the UK) can no longer rely on the Shield to transfer personal data to the US. Organisations can still rely on SCCs and BCRs in principle. However, organisations are required to carry out an assessment to ensure that safeguards are in place and put in place supplemental measures where appropriate.
What Are the Options?
All international transfers that rely on SCCs or BCRs will need an assessment of the protections offered by the law of the recipient country, with a conclusion that the level of protection offered by the SCCs or BCRs is equivalent to that provided by the GDPR, or details of additional safeguards that have been put in place.
The European Data Protection Board (EDPB) – a body which provides advice and guidance on European data protection law – has recently published guidance on what this assessment might look like and what sorts of safeguards could be put in place following the assessment (if the third country is deemed inadequate). It stresses that any assessment, or additional necessary safeguards identified, should be considered on a case-by-case basis as there is no ‘one-size-fits-all’ solution.
How to Carry Out an Assessment
Whilst not definitive, the guidance does set out some key requirements which should be met and also identifies some key steps in the process. For example:
The exporter (ideally with the help of the local importer) must identify any laws or practices in the third country that undermine the effectiveness of the specific safeguard relied upon (ie SCCs).
The EDPB has provided a non-exhaustive list of information sources which could be relied on when carrying out the assessment, including resolutions and reports from intergovernmental organisations and UN bodies.
The assessment should focus on the particular transfer in question and the specific transfer tool relied on, ie it need not become an assessment of the entire data protection landscape in the third country.
The assessment must be thoroughly documented to ensure that you can demonstrate the basis for the decision that was taken, when required.
What If the Assessment Deems the Third Country ‘Inadequate’?
If the assessment determines that local laws undermine appropriate safeguards, then unless ‘supplementary measures’ can be put in place, the transfer must not go ahead, or if already being carried out, then the transfer must be suspended or terminated.
Supplementary measures are measures which may be adopted to raise the protection level to the EU standard and otherwise permit the transfer (despite the third country being deemed inadequate).
The EDPB has provided a non-exhaustive list of what these measures may include, such as encrypting the data and ensuring ‘encryption keys’ are managed and retained solely outside of that third country by the exporter and/or adopting additional contractual safeguards, requiring the recipient to resist requests from law enforcement agencies.
However, such options may not be practical in many cases. For example, encryption may work if the data is simply being stored in the US but not if it needs to be accessed or viewed there.
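As an added illustration of the encryption measure described above (it is not from the article or the EDPB guidance), the following Go snippet models the exporter-held-key arrangement with AES-256-GCM: the EU exporter seals each record before transfer, and the hypothetical ImporterStore in the third country holds only ciphertext, so the exporter alone can ever read the data back. The role names and record identifiers are assumptions for the illustration; the moment the data must be viewed in the third country, the key would have to travel with it and the measure no longer helps, which is the limitation noted above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// ExporterKey is an AES-256 key held only by the EU exporter (hypothetical role names).
type ExporterKey [32]byte

func gcmFor(k ExporterKey) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record with AES-256-GCM before it leaves the EU. recordID is
// bound as associated data so a blob cannot be silently re-filed under another record.
func Seal(k ExporterKey, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(k)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random 96-bit nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open decrypts a retrieved blob back in the EU; a wrong key, a wrong recordID or any
// modification of the blob makes the GCM tag check fail, so nothing partial is returned.
func Open(k ExporterKey, recordID string, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(k)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(blob) >= n {
		return gcm.Open(nil, blob[:n], blob[n:], []byte(recordID))
	}
	return nil, errors.New("blob too short")
}

// ImporterStore models the third-country storage provider: it holds only ciphertext,
// so anything it is compelled to hand over is unreadable without the exporter's key.
type ImporterStore map[string][]byte
```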
Whilst a helpful starting point and guide, the guidance and examples are worded cautiously to avoid amounting to definitive solutions and the EDPB reiterates that each data sharing scenario must be considered on a detailed case-by-case basis to determine what (if any) supplementary measures are appropriate in the circumstances.
Not a ‘One-Off’ Requirement
The guidance states that the protection afforded to data in the third country should be continuously monitored on an ongoing basis to ensure there have been no developments that may reduce the protection. What this specifically requires is not specified – for example, does this require repeat assessments, or how frequently should this be re-examined?
This is Likely to be Hugely Costly and Impractical for Organisations, So What Else Can Be Done?
The UK’s data protection regulator, the Information Commissioner’s Office (ICO), has confirmed that it will continue to regulate using a risk-based and proportionate approach and is still considering the effect of the decision.
Organisations should consider taking stock of their international transfers and reviewing any that might be high risk. Where personal data is clearly at risk, action should be taken to mitigate this where possible, such as encrypting the data and otherwise looking at where supplementary measures may be needed and what these could be.
What Will Be the Impact of Brexit?
In the event of a ‘no-deal-Brexit’, and there being no ‘adequacy decision’ forthcoming from the European Commission in respect of the UK, then there will be imminent action required – which organisations should start thinking about now. If SCCs are relied on, you should prepare to be involved in an adequacy assessment, for example, if requested by your EEA partner. Now is the time to consider how these requirements will be met, such as the practicalities of carrying out and documenting the adequacy assessment, whether to put in place SCCs for transfers into the UK, as well as identifying and adopting any necessary supplementary measures required.
We have focused on recent developments around international data transfer requirements. However, regardless of whether the UK gets an adequacy decision, there will likely be additional steps that you will need to take for data protection compliance following the end of the Brexit transition period. For example, some organisations may need to appoint a representative in the EU and make changes to their data protection documentation.
For specialist legal advice regarding data protection and international transfers please contact Sam Curtis on 0117 992 9716 or Penny Bygrave on 07909 681 572 at the VWV Information Law team.