The EU-US Privacy Shield, agreed between the European Commission and US authorities as the replacement for the Safe Harbor regime (struck down by the CJEU in 2015), allows the transfer of personal data from EU Member States to US organisations that provide adequate safeguards, in accordance with the obligations imposed by the General Data Protection Regulation (2016/679). The Privacy Shield allows US organisations to self-certify their compliance with a set of privacy principles under a self-regulated regime (the Privacy Shield Principles).
A number of serious questions have been raised as to the adequacy of the Privacy Shield and whether it actually protects personal data to the standard required in the EU/EEA. Much of the criticism centres on the self-certification requirement and the lack of independent regulatory oversight, which can result in companies being listed as Privacy Shield compliant despite little or no ongoing monitoring of their data protection policies and practices. It is understood that, until recently, the US had not appointed sufficient officials to handle complaints made by data subjects regarding the processing of their personal data under the Privacy Shield. It is therefore unsurprising that the Privacy Shield is currently under challenge.
Against this backdrop, it was somewhat unexpected that, at Bitkom's 5th Privacy Conference (September 2019), a senior official from the US Department of Commerce suggested that the US may seek to add clinical trial and drug data as "permitted personal data" that can be transferred pursuant to the Privacy Shield Principles, in order to encourage cooperation between the US and the EU/EEA in medical research. Although EU officials met US Commerce Secretary Wilbur Ross as part of the third annual review of the Privacy Shield, which reported in October 2019, there is no mention of this extension in the European Commission's Annual Report on the adequacy of the Privacy Shield. The Privacy Shield has for some time permitted self-certification for the transfer of pharmaceutical and medical product related data without any obligations over and above the Privacy Shield Principles. This does not include drug safety or drug efficacy clinical trial data, which is deemed to be personal data in the EU but not in the United States.
Both the current position under the Privacy Shield and the US Department of Commerce's suggestion are completely at odds with the current restrictions on the processing of health data in the EU/EEA. Under GDPR, health data is "special category data" and requires additional protections to adequately safeguard the rights of data subjects. It is not clear how the current Privacy Shield Principles or the suggested extension would meet the additional protections required for the processing of "special category data" under GDPR, or whether such an extension to the Privacy Shield would be compliant with GDPR at all. As the Commission's Annual Report did not confirm whether the current Privacy Shield Principles are sufficient to meet the regulatory obligations for processing health data under GDPR, we would urge caution against transferring pharmaceutical or medical product related data pursuant to the Privacy Shield.
However, it is important to note that not all clinical trial data constitutes "personal data" as defined under GDPR. The Privacy Shield, as currently drafted, confirms that, where appropriate, clinical data to be used for pharmaceutical research should be anonymised. Fully anonymised data is not personal data and is therefore outside the scope of GDPR. Crucially, with key coded data the principal investigator assigns each data subject a unique code so that the research data does not reveal the identity of individual data subjects, and the key linking codes to identities is not provided to the pharmaceutical company sponsoring the research (it remains with the researcher). As such, according to the United States and the Privacy Shield, the transfer from the EU to the United States of data coded in this way would not constitute a transfer of personal data subject to the Privacy Shield Principles, which is at odds with the position adopted in the EU.
Regardless of whether the EU authorities decide that the Privacy Shield is adequate, it is unclear whether the current Privacy Shield Principles are sufficient to permit the processing of personal health data without further safeguards being put in place. In view of this, any extension of the current Privacy Shield should not be actioned lightly. Unless one of the specific circumstances listed in Article 9(2) of GDPR is present, we would recommend that any transfers of health data be key coded until there is further guidance from the European Commission and/or the CJEU.