Invalidation of Safe Harbor, what to do?
Do you have studies underway in which some information is transferred to the US, whether by the sponsor or by subcontractors (eCRF, CRO, patient reimbursement, or others)? Did you know that the agreement between the European Economic Area and the United States has been invalidated and that personal data transfers made under the Safe Harbor framework are no longer allowed? Here, concretely, is what this means for your trials.
1. What happened?
The Safe Harbor was one of the possible means for US companies to legally transfer data from the European Economic Area to the United States. It was a set of principles that US companies adhered to voluntarily. These principles covered informing individuals, the opportunity to object to the transfer of personal data or to the use of their data for a different purpose, the need for explicit consent for so-called sensitive data, the rights of access and correction, and data security. The list of companies that had joined the Safe Harbor was available on the website of the US Department of Commerce. However, the European Court of Justice (ECJ) invalidated this agreement on October 6, 2015. The ECJ highlighted that US public authorities could access the data without ensuring effective legal protection for the persons concerned. Indeed, US companies are required to comply with US law and therefore not to apply those provisions of the Safe Harbor that conflict with it. The National Commission for Data Protection and Liberties (CNIL-France) and its European counterparts (G29) came together and asked the European institutions and the governments concerned to find legal and technical solutions before January 31, 2016. Here are the two CNIL-France releases on the subject, here and there.
2. Prohibition of personal data transfer
According to Articles 68 and 69 of the amended Data Protection Act of 6 January 1978, transfers of personal data abroad are prohibited except where the country of the receiving company offers a sufficient level of data protection.
As for the US, transfers that were made on the basis of the Safe Harbor are indeed now illegal. However, other solutions exist, which we detail below. Beware: the G29 is currently analysing the impact of the invalidation of the Safe Harbor by the European Court of Justice on these tools. So it is not certain that these tools can still be used if they in turn raise the same protection concerns.
In view of the CNIL-France statements, data already transferred is not affected for now, pending the deliberations of the relevant authorities. However, new transfers may no longer be made.
3. What data is concerned?
The definition of personal data is as follows according to the CNIL-France:
“Any information relating to an individual who can be identified, directly or indirectly. For example: a name, a photo, a fingerprint, a postal address, an email address, a telephone number, a social security number, an internal number, an IP address, a computer login, a voice recording, etc.
Note: for these data to no longer be considered personal, they must be anonymised so that identifying the person concerned is impossible: hidden names, blurred faces, encryption, etc.
Warning: if it is possible to identify a person by cross-referencing several pieces of information (age, gender, city, diploma, etc.), or by using various technical means, the data is still considered personal.”
If it is a biomedical research (BMR) study for a medicinal product, a medical device, a cosmetic or tattoo product, or another BMR outside health products, and the transfer concerns the data of persons undergoing the biomedical research and the data comply with part 1.2.3 of the MR-001, the transfer is still possible because it is not personal data.
If it is a non-interventional study on the performance of an in vitro diagnostic medical device (IVD MD) and, in accordance with the MR-002, only anonymous or encoded data of the participants in the non-interventional IVD MD performance study are transmitted outside the EU, then the transfer of this data is possible.
However, in these studies within the scope of the MR-001 or MR-002, the personal data of investigators and their team members are also transferred, through their CVs, contact information and so on. This information, for its part, is not anonymous and does constitute personal data. Its transfer to the United States is therefore prohibited.
If it is another type of study, or a study that does not meet the reference methodologies of the CNIL-France, the CNIL-France has assessed the nature of these data transfers and issued a transfer authorisation. These transfers are not affected at this time.
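As an added illustration (not code from the CNIL, the MR-001/MR-002, or this blog), here is a pre-export check in Python that applies the definition above to a constructed study extract: a direct identifier column blocks the transfer outright, and a combination of quasi-identifiers that singles out one participant blocks it too, with age banding shown as one mitigation. The column lists, the threshold k and the sample records are assumptions.

```python
from collections import Counter

# Column names the CNIL definition lists as identifying on their own (assumed naming).
DIRECT_IDENTIFIERS = {"name", "photo", "fingerprint", "postal_address", "email",
                      "phone", "ssn", "internal_number", "ip_address", "login",
                      "voice_recording"}
# Attributes that identify someone only in combination (the "crosscutting" warning).
QUASI_IDENTIFIERS = ("age", "gender", "city", "diploma")


def direct_identifier_columns(records):
    """Columns present in the dataset that are direct identifiers."""
    return sorted({col for rec in records for col in rec if col in DIRECT_IDENTIFIERS})


def min_group_size(records, quasi=QUASI_IDENTIFIERS):
    """Smallest number of records sharing one quasi-identifier combination (k)."""
    groups = Counter(tuple(rec.get(q) for q in quasi) for rec in records)
    return min(groups.values()) if groups else 0


def generalise_age(records, width=10):
    """Mitigation: replace the exact age with a band so fewer combinations are unique."""
    out = []
    for rec in records:
        rec = dict(rec)
        lo = (rec["age"] // width) * width
        rec["age"] = f"{lo}-{lo + width - 1}"
        out.append(rec)
    return out


def export_allowed(records, k=2):
    """Return (allowed, reasons). k is a constructed threshold, not a CNIL figure."""
    reasons = []
    direct = direct_identifier_columns(records)
    if direct:
        reasons.append(f"direct identifiers present: {direct}")
    size = min_group_size(records)
    if size < k:
        reasons.append(f"a quasi-identifier combination matches only {size} record(s); need >= {k}")
    return (not reasons, reasons)


# Constructed sample: pseudonymous subject codes, no direct identifiers, but every
# subject is unique on (age, gender, city, diploma) because exact ages differ.
SAMPLE = [
    {"subject_code": "S001", "age": 34, "gender": "F", "city": "Lyon", "diploma": "PhD"},
    {"subject_code": "S002", "age": 36, "gender": "F", "city": "Lyon", "diploma": "PhD"},
    {"subject_code": "S003", "age": 52, "gender": "M", "city": "Lyon", "diploma": "MSc"},
    {"subject_code": "S004", "age": 55, "gender": "M", "city": "Lyon", "diploma": "MSc"},
]

if __name__ == "__main__":
    print(export_allowed(SAMPLE))                  # blocked: each exact-age combination is unique
    print(export_allowed(generalise_age(SAMPLE)))  # allowed once ages are banded to 30-39 / 50-59
```

An investigator CV record, which carries a name and contact details, fails the first check whatever the quasi-identifiers look like, which matches the point made above about investigators' data.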
4. Other solutions
There are two other solutions to implement data transfers to the United States:
- If standard contractual clauses have been adopted. These are contract models adopted by the European Commission to govern data transfers. Two types of contract are available:
  - Transfer of personal data from a data controller to another data controller.
  - Transfer of personal data from a data controller to a subcontractor.
These contract models differ in the responsibilities of the two parties. According to the amended Data Protection Act of 6 January 1978, the data controller is the person, public authority, agency or body that determines the purposes and means of the processing. The subcontractor is any outside person handling personal data under the instructions and authority of the controller.
In the first case, both parties are responsible to one another and to the persons concerned in the event of a dispute.
In the second case, the data exporter is responsible to the persons concerned in the event of a dispute. However, the data exporter may then turn against the data importer.
These contracts should be discussed with the legal departments of the various companies involved.
- If the company's internal rules, or Binding Corporate Rules (BCR), have been adopted. These rules constitute a code of conduct for data transfers within the same company or the same group. They therefore concern multinationals that transfer data to third countries. Again, check with your company's legal department whether you are covered by these rules.
If such contracts or rules of conduct have been put in place and your study complies with the other provisions of the MR-001 and MR-002, then the data transfer is possible.
Here is an overview of the rules governing the exchange of personal data with the United States to date. This will change soon, and the CNIL-France has said it will issue information notes shortly to clarify the situation. Similarly, a new agreement must be reached before January 31st 2016, perhaps a "second version of the Safe Harbor" more demanding than the previous one, or other mechanisms to transfer data safely. On the Clinical Research blog, we will follow this closely and will not fail to inform you of any news concerning personal data transfers.
This article is an analysis of the CNIL-France releases. We are not lawyers; if you have questions, I would urge you to contact a lawyer specialising in these issues. The firm Delsol Advocates has, for example, a life sciences (“Sciences du vivant”) department, here.
- Transfer of personal data outside the EU here
- Data Protection Act there
- Methodologies of references here
If you liked this article, I invite you to click on “I like” or share it with your CRA and project manager colleagues and friends.
Also, visit the Pharmaspecific website: http://www.pharmaspecific.fr and discover our activities.
You can also visit the Facebook pages of « blog de la recherche clinique » and « Pharmaspecific » and click on “I like” to support us.