The earthquake: Invalidating the Privacy Shield and clinical research (Now, what?)

If you need a service of a lawyer in France for better understand the french law contact us www.pharmaspecific.com Transcription : Hello everyone, this is Manon Durand, health lawyer with Pharmaspecific. Today, we are going to talk about the protection of personal data through the invalidation of the privacy shield. Since you couldn’t miss this information, the privacy shield has recently been invalidated by the Court of Justice of the European Union. Before starting, I would like to remind you that you can find all our legal information on our Pharmaspecific training website to keep you informed of the latest news in the field of clinical research. If you have a question of legal order, you can also ask me about it on the same platform to get an answer. So let’s start right away on the topic of the day. As a reminder, the privacy shield was agreed in the field of personal data protection law negotiated between 2015 and 2016 between the European Union on the one hand, and the United States of America on the other hand. The privacy shield consisted of a series of provisions that regulated the protection of personal data that was transferred from a member state of the union to the United States, which in fact made it possible to transfer data without having to resort to the various protection mechanisms that are provided for today by the GDPR. In particular, the standard contractual clauses, binding corporates rooms etc…

The privacy shield had itself been put in place following the invalidation of the safe harbor by the European Court of Justice, which in October 2015 issued a first decision in which it considered that the safe harbor did not provide an adequate level of protection. Following this decision, the privacy shield was put in place to compensate for the failings of the safe harbor by adding additional guarantees for the individuals concerned. However, in a ruling handed down on July 16, 2020, the Court of Justice ruled that the privacy shield mechanism also did not make it possible to compensate for the limitations of U.S. law. According to the Court, the privacy shield system was not sufficiently independent from the US executive branch since US public authorities can access and use personal data transferred from the European Union. All this actually stems from the fact that the Cloud Act was passed in 2018, which is a law that in fact gives US companies full legitimacy to transfer their customers’ data independently of their hosting territory to any US judge who would request it without the owner or the country of residence or the country storing the data being informed. The Court of Justice considers that such access and use by the U.S. authorities therefore does not meet requirements equivalent to those expected under European Union law by what is known as the principle of proportionality, since surveillance programs based on U.S. regulations are not limited to what is strictly necessary. Therefore, since the privacy shield system does not ensure an adequate level of protection, the adequacy decision rendered in 2016 was then overturned by the Court of Justice and the transfers of personal data can therefore no longer be made freely to organizations located on US soil, even if they are members of the privacy shield.

So, if you need to transfer personal data to a company located on U.S. soil, you must have sufficient guarantees, particularly with the help of the various tools put in place by the RGPD. As a clinical project manager, several verifications must therefore be made. First, it is necessary for you to make an assessment of the personal data that may fall under this scenario, particularly in cases where you use tools hosted in the United States. You must also be vigilant on this point because even large platforms like Microsoft are concerned by these new rules. You should therefore find out about the measures adopted by the hosters of all your work tools and check whether their personal data protection policies are adapted to the requirements of the RGPD and, if not, turn to European solutions. Then, if you are in connection with a clinical study whose sponsor is located in the United States, you must ensure that no transfer of data that will be collected in the European Union, such as patient data contained in the case report forms for example, is made to the United States without having put in place standard contractual clauses with this sponsor. These contractual clauses should be very precise on the measures adopted to guarantee the security of the transfer and I strongly recommend that you put in place an encryption solution for such transfers. You also have the site of the CNIL which proposes model contract clauses that can be used as a basis for setting up this tool. Finally, you should contact the DPO of your company in order to modify the different documents required by the CNIL.

For example, processing records and impact analyses to bring them into line with the new measures you will have adopted. That’s it, you are now informed of the reasons for the invalidation of the privacy shield and the consequences for your company and your clinical study. For any additional information, please do not hesitate to refer to our legal watch or to contact me to seek legal advice. Thank you for listening to this podcast and feel free to share it with those who might be interested in this topic. As for us, we’ll see you soon for a new podcast.