First published in our Biotech Review of the year – issue 8.

As many biotech companies will be aware, the data protection landscape has changed considerably over the past decade, not least the specific ways in which personal data can be transferred across borders. In July 2020, for example, the European Court of Justice appeared to upend the transfer of data to the US almost overnight when it struck down the EU-US Privacy Shield, which had itself emerged from the wreckage of Safe Harbour.

Crucially, the striking down of the Privacy Shield in the Schrems II decision threw up a number of questions, and heightened obligations, for the significant number of biotech companies that are reliant on standard contractual clauses (SCCs) when exporting data outside if the EEA. But, as we enter 2021, what are the implications for biotech?

The current routes

Before delving into the decision and its implications, it may be helpful to look at the framework for transferring personal data more generally. Currently, if biotech companies are transferring personal data out of the EEA to a country considered by the European Commission to ensure an adequate level of personal data protection, they do not have to consider further compliance steps for the transfer. If there is no adequacy decision for the recipient country, appropriate safeguards are required. Failing this, companies may try to rely upon one of the limited exceptions under the legislation.

The two most common appropriate safeguard mechanisms are: SCCs, which are clauses approved by the European Commission and signed by the EEA data exporting and non-EEA data importing entities; or binding corporate rules (BCRs) for transfers between multinational group companies.

As the European General Data Protection Regulation (GDPR) applies in the UK, the transfer framework is the same for transfers of personal data out of the UK, and companies will be able to rely on the same mechanisms that they put in place to comply with the GDPR following Brexit. But when it comes to transfers from the EEA into the UK, appropriate safeguards are required unless the European Commission issues a UK adequacy decision, or a limited exception applies. At the time of writing, the clock is still ticking on an adequacy decision.

Our shields are down

Adequacy, it might be argued, will be the watchword of the data protection world for the next few years. Indeed, the Privacy Shield was, itself, a 2016 adequacy decision that held that its predecessor lacked sufficient protections. It too fell, however, when the CJEU considered the US government surveillance programmes to conflict with EU law, failing to grant individuals sufficient rights before the courts against US authorities.

The upshot was that many biotech companies quickly looked to put SCCs in place. But recent Guidance raises questions as to whether these are, indeed, the quick fix solution that many had hoped.

In particular, the part of the Decision that has raised the most questions is the fact that it requires data exporters and importers to verify, before a transfer, whether the EU level of data protection is respected in the recipient country. If not, the exporter (say a company conducting research in France) needs to implement “supplementary measures” to protect the data in the recipient country (say the United States, where the company commissioning the research is based). If equivalence with the EU data protection standard cannot be achieved, transfers must stop.

When it comes to what constitutes “supplementary measures”, the European Data Protection Board Guidance[1] has provided examples of what these could look like; separating them into technical, contractual and organisational. Accompanying guidance on “Four Essential European Guarantees”[2] to factor into assessing the data protection environment of a recipient country has also been provided, and clarity guidance on how the Decision applies to BCRs is expected as well.

The Guidance raises significant challenges. The task of carrying out a risk assessment of a recipient country’s data protection laws from an EU perspective is something that companies are grappling with. The main technical measures stated in the Guidance – encryption, pseudonymisation and splitting data up – may affect data usability. Some of the contractual measures, such as obliging a data importer to certify that the laws in the recipient country do not require it to operate back door access to personal data, may be ineffective where the importer is prevented from disclosing this information under applicable laws. Moreover, the objective approach to the assessment that is advocated by the Guidance appears to be contrary to the more risk-based approach that runs throughout the GDPR.

How to get to the other side?

Biotech companies will already have gone some way in mapping and considering their international data transfers, as part of GDPR compliance. They may also have taken data minimisation steps. Further actions could now include: documenting their approach to the steps in the Guidance; building sections into vendor due diligence questionnaires around data access in recipient countries; expanding data protection impact assessments to cover risks around personal data access and security in other countries; and encrypting/ pseudonymising particular data sets before transfer, to the extent possible. Bolstered obligations can be added to contracts with service providers/collaborators in countries outside of the EU and UK around confidentiality and access to data, though some may be ineffective under applicable laws.

That said, the threshold for ensuring a compliant transfer of personal data using the SCCs has been greatly raised by the Decision and Guidance, and it is difficult to see how the requirements can be complied with fully without significant resources (including input from local lawyers).

Hopefully a different approach to privacy under the Biden administration can pave the way towards a Privacy Shield successor, and clear the congestion for transfers to the US. In the meantime, biotech companies should monitor for further developments in this area (including the new SCCs updated for GDPR purposes, expected early this year) and consider how they can build as much of the Guidance as they can into their current practices.

——————-
[1] https://edpb.europa.eu/sites/edpb/files/consultation/edpb_ recommendations_202001_supplementarymeasurestransferstools_en.pdf
[2] https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_ recommendations_202002_europeanessentialguaranteessurveillance_en.pdf