Understanding the New “EU-US Data Privacy Framework”
EU-US Adequacy Decision: What You Need to Know
July 17, 2023
On October 6, 2015, the Court of Justice of the European Union (CJEU), in a case brought by Maximilian Schrems (Schrems I), identified substantial flaws in the 2000 Safe Harbor decision and invalidated it. Its successor, the Privacy Shield, was announced in February 2016 and adopted in July 2016. Its reign was short-lived. A number of French organizations, including La Quadrature du Net, challenged it before the General Court of the European Union on October 25, 2016, and in July 2020 the CJEU, ruling in a second case brought by Schrems (Schrems II), struck down the Privacy Shield adequacy decision. That decision had allowed personal data to flow from the European Union to U.S. organizations that had certified adherence to the Privacy Shield principles, without any additional formalities.
Unique Features of the “EU-US Data Privacy Framework”
The “EU-US Data Privacy Framework” (DPF) keeps the form of its predecessors: a US company commits to the DPF Principles and self-certifies that commitment to the US Department of Commerce through the DPF program website. The European Commission adopted the adequacy decision on July 10, 2023, and self-certification opened on July 17, 2023. Only organizations on the Department of Commerce’s DPF list benefit from the adequacy decision, so certification is a fundamental part of the new framework.
“EU-US Data Privacy Framework”: A Paradigm Shift for Life Sciences
For the life sciences sector, the “EU-US Data Privacy Framework” brings a notable change. Under the Privacy Shield, the transfer of key-coded research data (coded by the investigator, with the key withheld from the sponsor) was treated as falling outside the framework’s principles. The DPF Principles now expressly treat such transfers of pseudonymized research data as transfers of personal data covered by the Principles, so they can be made from the EU to the US under the framework, a first for an EU-US transfer framework.
Impact on Life Sciences
The EU-U.S. Data Privacy Framework introduces significant changes for the Life Sciences, as shown below:
- Anonymize data where that is suitable for the research purpose. EU law governs processing before the transfer; the DPF Principles govern processing after it.
- Personal data collected for one study may be reused where the initial notice and consent covered that reuse. Future use not aligned with the original research purposes requires new consent.
- A participant’s withdrawal from a study does not necessarily require the data already collected to be excluded from processing.
- EU clinical trial data may be provided to U.S. regulators for regulatory and supervisory purposes.
- Participants in a “blinded study” forgo access to their data during the trial but may request access once it ends.
- Organizations need not apply certain DPF Principles to their product safety and efficacy monitoring where doing so would interfere with regulatory compliance.
- Transfers to the U.S. of “key-coded” EU personal data are covered by the DPF Principles.
Understanding the Pros and Cons
The new agreement comes with a mixed bag of pros and cons. Benefits include the ability for data to flow freely to certified recipients and the elimination of the need for additional safeguards or Transfer Impact Assessments (TIAs) for those transfers. However, companies face the challenge of certification, its associated costs, and the business risk of being found non-compliant with the commitments they certify. Also, the future stability of this decision is yet to be determined, leaving the door open for a potential reversal, as happened with Safe Harbor and the Privacy Shield.
How Does This Framework Reshape Your Future?
While the landscape changes, it’s vital to adapt to the new environment. Until your vendors appear on the DPF list, the existing recommendations remain in place: continue to use Standard Contractual Clauses (SCCs) and perform TIAs. As the certification system starts operating, check whether your vendors are certified and consider undertaking the self-certification process yourself, weighing the pros and cons above. Remember, the priority should always be the protection of data subjects; this decision places data protection at the forefront of international business operations.
That’s all for now. Stay tuned for more updates on this important development!