The world of data transfers was turned upside down last July with the European Court of Justice's (CJEU) decision in the Schrems II case. Given the global nature of the life sciences sector and the need for data to flow around the world for various reasons, including to and from clinical trial sites to sponsors, CROs and other third parties, the impact of this decision and the subsequent changes in the law should not be underestimated.
Data transfers
Under the GDPR there is a general prohibition on transfers of personal data to jurisdictions outside the EEA (and now the UK under the UK GDPR) that do not provide an adequate level of protection for that data, unless certain conditions are met. This could include, for example, personal data about employees, study participants, patients or healthcare contacts among others.
There are safeguards that can be put in place to legitimise these transfers, and these include:
- adequacy decisions
- standard contractual clauses issued by the European Commission (SCCs)
- standard data protection clauses (approved by a supervisory and the European Commission)
- binding corporate rules
- Certification Mechanisms
- Codes of Conduct
- various derogations for ad hoc scenarios (eg consent of the individual, contract necessity).
You can read more about the current state of data transfer rules here.
Schrems II
Prior to July 2020 there was another adequacy transfer mechanism in place that was core to enabling the highway of transfers to certified US recipients (including lots of life sciences businesses): the Privacy Shield. However, this transfer mechanism was dramatically struck down by the CJEU in its decision in the Schrems II case. The repercussions of this for life sciences organisations, particularly those headquartered or with a presence in the US and carrying out clinical trials across Europe, has been huge as they have had to look for a new way of protecting any data transferred from the EEA/UK to the US.
A big part of the Schrems II decision is that the CJEU not only invalidated the Privacy Shield but also more generally assessed the viability of the other appropriate safeguarding mechanisms for data transfers. It looked not just at the US but at any non-EEA jurisdiction not subject to an adequacy.
The CJEU ultimately decided that the SCCs remained a valid mechanism for transfers. However, it found that their validity was subject to additional requirements, including the need for exporters to carry out an assessment of the adequacy of protection of importing jurisdictions considering both laws and practice and, where necessary putting in place further supplementary safeguards. Where supplementary measures cannot address the risks, the transfer cannot go ahead.
New SCCs
Given the decision in Schrems II, the SCCs have become a crucial tool for businesses in the life sciences sector to comply with EU and UK data protection laws and protect transferred personal data. The 'old' versions of the SCCs pre-date the GDPR so were on borrowed time. The European Commission released a new, modular version of the SCCs covering different transfer scenarios (eg processor to processor, processor to controller) in June 2021, which seeks to update the SCCs in line with the GDPR and also deal with some of the issues raised in the Schrems II decision (eg they deal with supplementary measures).
These new SCCs became valid for use on 27 June 2021. Organisations can continue to incorporate the old SCCs into new agreements until 27 September 2021, and have until 27 December 2022 to update existing agreements to include the new SCCs. This means that life sciences businesses will need to carry out a contract review to identify where they are relying on the old SCCs currently, and begin the necessary process to update these agreements.
The UK regulator, the ICO, has not approved the new SCCs so they cannot currently be used for any transfers of personal data going from the UK. The ICO has said that it is working on producing its own new SCCs (drafts for consultation are expected at some point this summer), but until they are finalised, life sciences businesses needing to transfer any personal data outside of the UK should continue to use the old versions of the SCCs.
It is not clear how aligned the ICO's new SCCs will be with the EC clauses meaning some tweaks may be required for the UK. We can only hope that that common templates can be used (find out more about the new SCCs here).
The UK also received an adequacy decision from the European Commission in July 2021, meaning that life sciences businesses with data flowing from the EU to the UK do not need to use additional transfer mechanisms.
What's next for life sciences businesses?
Organisations in the life sciences sector with significant global data transfers are facing a substantial amount of work to ensure their transfers are compliant, with the potential for impact on contract lead times.
It will be important to involve key stakeholders including sales, legal, marketing, clinical and compliance teams to ensure all transfers are identified and that there is buy-in across the business for what will likely need to be a carefully managed compliance project.
Here are some suggested steps for life sciences organisations to start taking now:
- start the process of knowing your transfers
- verify the transfer tool currently relied upon for these transfers (eg old SCCs)
- for SCCs, identify which module or modules will be relevant (this will involve working out the exporting and importing parties' roles as controller/processor etc)
- carry out assessment of the law and practices in force in the importing countries that may impinge on the effectiveness of the SCC safeguards regarding the data being transferred
- identify and adopt any supplementary measures if the assessment shows the effectiveness of the SCCs may be impinged by that law or practice relevant to the data transfers at issue
- thoroughly document the assessment and the supplementary measures put in place to enhance protection offered by the SCCs.
As mentioned, it will be necessary to update contracts to the new SCCs either after 27 September 2021 for new transfers or changes to existing transfers and by the 27 December 2022 for all other existing contracts containing the old SCCs.
While it may seem as though 18 months is a long way off, it will likely come around very quickly for life sciences organisations, particularly those with complex transfers where potentially hundreds or even thousands of contracts may be affected. We therefore strongly recommended not delaying this process too long.
Find out more
To discuss the issues raised in this article in more detail, please reach out to a member of our Data Protection & Cyber team.
