Safe Harbor Is Invalid What Is It and What Shall We Do? White Paper. by Jessica Santos, Ph.D. November 2015

Transcription

1 White Paper Catalysts driving successful decisions in life sciences. Safe Harbor Is Invalid What Is It and What Shall We Do? by Jessica Santos, Ph.D. November

2 On October 6, 2015, the Court of Justice of the European Union (CJEU) declared invalid the EU/U.S. Safe Harbor program. 1 The Swiss data protection authority subsequently declared invalid the Swiss/U.S. Safe Harbor program. 2 EU regulators have been criticizing the FTC s absent role as a privacy regulator and the challenging redress ability for EU citizens since the birth of Safe Harbor. What Is Safe Harbor? The Safe Harbor program is a mechanism that permits personal data to be transferred from EU to U.S. companies that had self-certified compliance with Safe Harbor principles. The EU Data Protection Directive restricts transferring personal data from Europe to countries that do not ensure an adequate level of legal data protection. The U.S. is determined as inadequate by the European Commission because the U.S. does not have a comprehensive data protection law or a regulator. Instead, U.S. data law varies by industry, e.g., financial, health, transport or communications. In 2000, after EU-U.S. negotiations, Safe Harbor 3 principles were agreed to in which companies would annually self-certify with the U.S. Department of Commerce and include Safe Harbor principles in their online public privacy policies. This agreement helped extend the U.S. Federal Trade Commission s (FTC) enforcement powers for any unfair or deceptive consumer practices listed in public privacy policy and data practices. What Does Safe Harbor Invalidation Mean? The invalidation means companies can no longer rely on Safe Harbor principles to transfer personal data from the EU to the U.S., including intercompany transfer or via service providers or other third parties. Why now? EU regulators have been criticizing the FTC s absent role as a privacy regulator and the challenging redress ability for EU citizens since the birth of Safe Harbor. In a two-year-old case forced to the EU s highest court by Austrian privacy campaigner Max Schrems, the CJEU ruled that the European Commission s trans-atlantic data protection agreement enacted in 2000 was invalid because it does not adequately protect consumers in the wake of the Snowden revelations. For Facebook, which has been placed at the center of this case by Schrems, the decision means that the Irish data protection authority (DPA) will be forced to investigate his claims and Facebook s data protection practices. 4 How Urgent Is This? On October 16, a group of European data protection authorities (known as the Article 29 Working Party) issued a statement confirming that transfers under Safe Harbor are no longer valid and indicated that at the end of January 2016 they may start taking enforcement action against companies who are still transferring data without a valid legal basis. In the meantime, individual data protection authorities and various clients have already started making enquiries to companies concerning their data transfers to the U.S. Given the large number of EU companies that have been relying on Safe Harbor, the EU data protection authorities take serious enforcement action against all companies at the beginning of February 2016 might not be guaranteed. However, companies need to show they are taking prompt action to implement alternative measures to enable data transfers to the U.S. in compliance with EU law. What Does the Transfer of Personal Data Entail? The concept of a transfer of data to the U.S. is broad and includes: Sharing data with third parties in the U.S. Hosting data on servers physically located in the U.S. (whether those servers are

3 Under EU law, personal data also includes any information relating to an identifiable individual, even if the individual is identified only by a pseudonym. administered by intercompany units or a third-party service provider) Allowing remote access to the data from the U.S. (even if the data at rest remains in the EU) Under EU law, personal data is not limited to data that is personally identifiable information or PII, in the U.S. It also includes any information relating to an identifiable individual, even if the individual is identified only by a pseudonym (such as a randomly generated identifier associated with a cookie). Therefore, most data file research companies use of pseudonymous IDs and study data are classified as personal data. In addition, healthcare data are classified as sensitive personal data even there is no personal name or contact details in the data file. What Are the Alternatives? The alternatives to Safe Harbor will be: Obtaining unambiguous explicit consent from data subjects to their data being transferred to the U.S. Using standard contracts approved by the EU (known as standard contractual clauses or model clauses) to have contractual protection for the data transfer Putting in place formal arrangements for intragroup transfers (known as binding corporate rules) Consequences for each option are as follows: Consent seems to be the easiest option. It is also a valid option provided that consent is freely given and the wording of the consent is sufficiently clear, but it will not be appropriate for some data subjects (such as employees). Consent also can be withdrawn, so having a back-up plan for those who withdraw consent is essential. Most companies collect consent through the method of users ticking the box that says I agree to these terms and conditions, which is heavily challenged by DPAs and consumer groups, as few data subjects read and fully understand the terms and conditions content. Finding single data records from a large data file would be a difficult if not impossible task. Most data protection authorities interpret this derogation very restrictively, and companies should expect to be challenged if they seek to place reliance on consent alone. Model clauses (also known as standard contractual clauses or model terms) are standard terms that are approved by the European Commission for transferring data to the U.S. Standard model clauses adduce an adequate safeguard for data transfer for the privacy rights of individuals as stated in Article 26(4) in the EU Data Protection Directive. 5 Although they cannot be altered, model clauses recognize that companies using them regarding personal data transfers to countries (including the U.S.) outside the European Economic Area are offering adequate protection to the data. Model clauses impose obligations to both the data exporter and data importer. Model clauses may not be appropriate in all cases, and they may require broader changes to the way in which a company operates (i.e., the data would have to be collected by the EU group company so that the contract reflects how data flows actually operate). There are two EU standard model clauses contracts controller-to-controller transfer and controller-to-processor transfer. It is not clear at the moment whether model clauses need to be implemented per company, per project or per transfer. Companies implementing model clauses must be clear on their position as data controller or data processor in each transfer. Binding corporate rules (BCR) are developed by the Article 29 Working Party to allow multinational corporations, international organizations and groups of companies to make intra-organizational transfers of personal data across borders in compliance with EU Data Protection Law. The BCR must apply generally throughout the corporate group irrespective of the location of the members, the nationality of the individuals whose personal data is being processed or any other criteria or

4 The environment of consequences for safe harbor invalidation changes very quickly. consideration. Two elements must be stressed for BCR implementation binding nature and legal enforceability. BCRs are appropriate only for transfers to intercompany groups and cannot be used for transfers outside the group. They require companies data rules to be sent to at least one EU country Data Protection Authorities (DPAs) for review and approval. BCRs can involve a multiyear process with high external legal costs in addition to strictly applied EU rules to all members of the corporate group as well as each employee within it. Safe Harbor is in negotiation with EU and the FTC; however, it may take years and will not be ready in time to be inspected by EU data protection authorities. In addition, forthcoming EU General Data Protection Regulation (GDPR) 7 should have a clear definition on pseudonymous data and its implications. Which Is the Best Alternative? Each option has its pros and cons. It is strongly advised that companies start with an internal due diligence process. A thorough understanding on their data assets, data flow, and the position of the data controller and data processor for each transfer is an essential first step. If the volume of personal transfer from the EU to U.S. is minimal, companies might wait for the development of Safe Harbor 2.0. Another option could be restricting transfers of data in identifiable form. If aggregated data is sufficient for the business objective, e.g., group sales figure, is an individual sales record absolutely essential? Another possibility is to avoid transfers to the U.S. completely? Data localization law is already implemented in Russia, 8 and this trend will continue. Cloud providers with an EU data center instead of U.S. or directly transferring between EU clients and the EU vendor instead of routing through the U.S. are some options worth exploring. If personal transfers are all within the group and group members are all willing to conform to EU standards, BCR can be a once-andfor-all option. Senior management buy-in will be crucial for implementing BCR, followed by training for all individual employees, especially in countries that do not have strict privacy legislation and cultures. Model clauses will be the best option for companies with large data transfer volumes and multiple data imports and exports. It is advisable to generate a list of large data transfer partners, including clients, vendors and intercompany subsidiaries, and start to implement model clauses with the partner with highest data transfer volume. Last Thoughts Finally, the environment of consequences for safe harbor invalidation changes very quickly. Companies are advised to take a proactive approach instead of waiting for DPA enforcement actions. 1. Safe harbor is invalid but not illegal; it cannot be used as the only mechanism for personal data transfer from the EU to U.S. 2. Healthcare data are classified as sensitive personal data by the EU, even without personal contact details. 3. Check that your privacy policy clearly indicates that data storage or transfer could be in the U.S. 4. Explicit consent is not a trouble-free card but is easy to implement in some circumstance, especially for companies with a well-managed sample database. 5. Model clauses seem to be most feasible option at this time. 6. Internal and external due diligence on data flow is vital at this point, it can be seen by DPAs as actions from companies before January Involve legal and privacy department as early as possible for risk assessment exercise.

5 References 1 pdf/ /cp150117en.pdf 2 Switzerland is not a member of the European Union, but the US operates a separate Safe Harbor program that allowed personal data to be transferred from Switzerland to the US. This document refers to EU companies for brevity, but the steps set out here should also be taken in relation to group companies in Switzerland. While the Swiss data protection regime is similar to the European Union regime there are some differences; for this reason, it is important to legal if any transfers by Swiss companies are required oct/06/safe-harbour-european-court-declare-invaliddata-protection 5 contractual_clauses_en.pdf 6 safe-harbour-2-0-framework-begins-to-capsize-asjanuary-deadline-nears/ 7 en.htm 8 news.php?idnews=189

6 For more information, please visit About Kantar Health Kantar Health is a leading global healthcare consulting firm and trusted advisor to many of the world s leading pharmaceutical, biotech and medical device and diagnostic companies. It combines evidence-based research capabilities with deep scientific, therapeutic and clinical knowledge, commercial development knowhow, and brand and marketing expertise to help clients evaluate opportunities, launch products and maintain brand and market leadership. Kantar Health deeply understands the influence of patients, payers and physicians, especially as they relate to the performance and payment of medicines and the delivery of healthcare services. Our advisory services, built on a solid foundation of market research and data, span three areas critical to bringing new medicines and pharmaceutical products to market commercial development, clinical strategies and marketing effectiveness. Kantar Health operates in more than 40 countries and employs more than 600 healthcare industry specialists and practitioners, including a high number of medical doctors, epidemiologists, PhDs, PharmDs and pharmacists, and biologists, biochemists and biophysicists. We work across the product lifecycle, from preclinical development to launch, and are experts at bringing multiple stakeholders together to advance the commercialization of pharmaceutical products. Our team acts as catalysts to successful decision making in the life sciences industry, helping our clients prioritize their product development and portfolio activities, differentiate their brands and drive product success post-launch. Kantar Health is part of Kantar, the data investment management division of WPP. About the Author Jessica Santos, Ph.D. Dr. Jessica Santos is the Global Compliance Director in Kantar Health, the largest custom market research company focused on the life sciences industry. She is primarily responsible for providing oversight and support across the 40+ Kantar Health global offices in the areas of regulation, interaction with clients, suppliers and others within Kantar Health, Kantar and WPP. Dr. Santos is responsible for maintaining, anticipating and coordinating all activities with regard to compliance laws/regulations, industry guidelines, pharamcovigilance and client contracts, defining and driving the execution of Kantar Health s Quality Strategy our approach to measuring and improving our quality efforts. Dr. Santos is an experienced statistician, analyst, methodologist and market research scientist. She gained her reputation through her publications and professional committee work in the industry. She is a frequent speaker and contributor in major conferences and has a Ph.D. in Marketing, an MRS fellowship and Chartered Marketer status. Dr. Santos is a member of UK Research Ethics Committee, EphMRA, BHBIA and PMRG Government Affairs Committee, reviewer and co-chair of ISPOR, and MRS Professional Development Advisory Board and Examiner. If you would like us to act as catalysts for you, contact us at