Currently in relation to personal data, and particularly health data, there are a number of mechanisms available to allow the transfer of such data from the European Union (EU) to countries outside the EU (Third Countries) under the European Data Protection Directive (95/46 EC) and member state laws.
The EU General Data Protection Regulation (2016/679) (GDPR) which applies from the 25th May 2018, simplifies the mechanisms available to protect the rights of individuals in relation to international data transfers.
Although express consent is one mechanism that enables the transfer of data from the EU to Third Countries, there are other mechanisms that adduce the protection of the rights of individuals in relation to their personal data and these include the fact that the Third Country is “approved” by the European Commission or that the parties have entered into EU approved standard contractual clauses or that there is in place approved Binding Corporate Rules (BCR). In addition, for transfers from the EU to the USA, as well as from Switzerland to the USA, there is the Privacy Shield framework.
The Life Sciences sector is used to addressing the sharing of personal data and particularly health data between group organisations and third party processors or controllers. The withdrawal of the United Kingdom from the EU (Brexit), however, raises concerns about the position of the UK post Brexit and whether or not it will be deemed an “adequate” country for the purposes of data sharing or will be deemed a “Third Country”.
During the second half of 2017 a number of statements were made by the European Commission regarding data transfer mechanisms that are causing concern, namely that Privacy Shield is under review, that Third Countries that have been deemed “adequate” are also under review and finally that the standard contractual clauses are the subject of a review in the European Court of Justice as a result of the case brought by Max Schrems against Facebook. On a positive note during 2017 new guidelines were published around the approval mechanism for BCR in anticipation of GDPR.
On the 9th January 2018 the European Commission published a “notice to stakeholders” confirming that as from the 30th March 2019 when the UK withdraws from the EU the UK will become a “Third Country” in that it will not be a member of the EU. The obvious consequence of such a position is that any existing data transfer mechanisms such as use of the standard contractual clauses or model clauses will not be applicable since their language defines the UK as a member of the EU and a “Data Exporter” whereas after the withdrawal date the UK will be not “Data Exporter” but rather “Data Importer”.
Existing data sharing agreements will now need to be reviewed as it is unlikely that the UK will be deemed an “adequate” country prior to the withdrawal date.
For Life Science companies, it is worth stepping back and reviewing the current requirements for international data transfers and any actions necessary to anticipate the consequences of Brexit in light of the above European Commission notice.