Decoding Digital Health: Trans-Atlantic Transfers of Health Data
The Ropes & Gray Decoding Digital Health podcast series discusses the digital health industry and related legal, business and regulatory issues. In this episode, Digital Health Initiative co-lead and health care partner, Christine Moundas, interviews health care partner and member of the digital health group, David Peloquin. They discuss the legal challenges and potential solutions that health care and life sciences companies face when transferring health data from Europe to the U.S.
Christine Moundas: Welcome to Decoding Digital Health, a Ropes & Gray podcast series focused on legal business and regulatory issues impacting the digital health space. I am Christine Moundas, a partner in Ropes & Gray’s health care group and co-chair of our digital health practice.
Today, we are going to explore some of the challenges and potential solutions that pharmaceutical, medical device, digital health companies, and a wide range of health care providers frequently experience when transferring health data from Europe to the U.S. These challenges largely arise from the data privacy law of the European Union, the General Data Protection Regulation (or GDPR), and its post-Brexit counterpart in the UK, known as the UK GDPR.
I’m joined today by David Peloquin, a partner in Ropes & Gray’s health care practice and member of our digital health group. He has a great deal of experience in advising health care and life sciences clients on cross-border data transfer issues in connection with his practice in clinical research and data privacy.
David, thank you for joining us today. Could you talk a little bit about why this is such an important issue for health care and life sciences companies?
David Peloquin: Of course, and thanks for that nice introduction, Christine. Cross-border transfers of personal data are an important issue for many of our health care and life sciences clients because many health care activities, particularly in the area of clinical research and telemedicine, are increasingly international. Indeed, in the Financial Times, there was an article by Robert Eiss of the U.S. National Institutes of Health describing how GDPR’s restrictions on cross-border data transfers have complicated the NIH’s ability to obtain data from studies funded by NIH that contain European participants.
This arises because the general rule under GDPR is that personal data cannot be transferred out of the EU or UK to a country that has not been determined by the European Commission to offer adequate data protection legislation unless the parties completing the transfer satisfy one of the mechanisms for transfer established by GDPR, such as Standard Contractual Clauses (or SCCs). The United States, along with the majority of countries located outside the EU and UK, has not been found by the European Commission to offer adequate data protection legislation. This means that most trans-Atlantic data transfers of personal data must satisfy one of the GDPR’s transfer mechanisms. This has numerous everyday applications in the life sciences and health care sector, and I receive several questions on this issue each day from Ropes & Gray’s health care and life sciences clients. I will give a few common scenarios that implicate cross-border transfer restrictions here to help clarify the issues.
As one example, it is increasingly the norm for clinical trials to take place in multiple regions simultaneously, thus necessitating the cross-border transfer of clinical study data in connection with the trial. Frequently, you may have a biotech company that is located solely in the United States that quickly becomes subject to the GDPR’s restrictions on cross-border data transfers because the company sponsors a clinical trial that has sites located in the EU or UK. In order to access the study subject-level data generated in the trial, which will be necessary to perform analyses needed for regulatory approval of the product under study, the biotech company will need to navigate the GDPR’s restrictions on cross-border data transfers. Also important to note is that GDPR applies not just to health data but to all personal data, and thus transfers of investigator data or clinical study staff data from investigators in the EU to the trial sponsor in the U.S. will also be subject to GDPR’s limitations on cross-border data transfer.
While the issue of cross-border data transfers often arises in clinical trials, its application in health care is by no means limited to that fact pattern. The issue also frequently arises for U.S. health care providers, like hospitals, that engage in research collaborations or consortia that involve institutions located in the EU and UK. In these cases, even if the U.S. health care provider is not itself interacting with study subjects located in the EU or UK, or sponsoring the research, the U.S.-based researchers will often need to receive data sets from their collaborating institutions in the EU and UK. The transfers of these data sets will be subject to the GDPR’s limitations on cross-border data transfer, even if the data sets are in a “coded” or “pseudonymized” format whereby the U.S. institution cannot re-identify the data.
Another emerging area, especially in the digital health space, is telemedicine. Here, again, you may have a U.S.-based health care provider that interacts with patients or physicians located in the EU or UK to provide a telemedicine encounter or physician-to-physician consultation. Even if the U.S.-based health care provider accesses EU or UK records remotely from a location in the U.S. and never downloads the patient’s files from the EU or UK, the mere viewing of files containing personal data from a U.S. location by the U.S.-based physician would be considered a data transfer for purposes of GDPR.
A final area to watch out for is data processed by vendors. A key aspect of the territorial scope of GDPR is that its jurisdictional reach is agnostic as to the citizenship or residency of a data subject. Rather, GDPR applies to all personal data that are processed in the context of an establishment of an entity in the EU or UK, such as a physical location of an entity in those countries, even if the data subjects in question are not EU or UK citizens or residents. This means that if a U.S. life sciences company or health care provider engages a vendor in the EU or UK as its processor to process U.S.-originating data, those data become subject to GDPR in the hands of the vendor, and the vendor needs to comply with the cross-border transfer restrictions to transfer the data back to the U.S. In this way, U.S. health care providers that collect only U.S.-origin data can unwittingly become subject to GDPR restrictions on cross-border data transfers when they choose to hire a vendor, like a clinical laboratory or data analytics provider that is located in the EU or UK.
Christine Moundas: Thanks so much for that, David. You know, what I was trying to think about really is: Is this a new issue? My understanding is that these restrictions on cross-border data transfer have actually been part of the EU data protection law for nearly 30 years. Why is this still such an issue today in the health care and life sciences sector?
David Peloquin: You’re 100% correct on that, Christine, that the restrictions on cross-border transfer have existed in EU law since the passage of the Data Protection Directive in 1995, which, of course, was the predecessor EU data protection law to the GDPR.
There are a few key reasons why the importance of this issue has increased for U.S.-based health care providers and life sciences companies since the effective date of the GDPR in 2018.
- First, as I mentioned a moment ago, GDPR treats key-coded data, which the GDPR calls “pseudonymized data,” as personal data subject to the law. Under the prior law in the EU, there was more ambiguity on this point and certain EU countries treated key-coded data as falling outside the scope of the law, meaning that those countries did not view the transfer of key-coded data in the context of research studies as subject to the cross-border transfer restrictions. Because much of the data used in the course of research activities are pseudonymized, the GDPR’s clarification that pseudonymized data remain subject to the law suddenly brought many trans-Atlantic data transfers within the scope of the law.
- A second change brought about by GDPR is that it introduced substantial fines of up to the greater of 4% of an entity’s annual revenue or 20 million Euros for non-compliance as well as a private right of action. The prospect of these significant penalties has made many EU- and UK-based health care organizations much more attuned to the cross-border data transfer restrictions than they were previously. Before the advent of GDPR, my experience was that many EU-based hospitals and universities did not focus on compliance issues related to cross-border data transfers—since the GDPR took effect, these entities are much more focused on cross-border transfer restrictions.
- In addition, in the midst of the COVID-19 pandemic in the summer of 2020, the Court of Justice of the European Union (or CJEU) issued its decision in the Schrems II case that invalidated the EU-U.S. Privacy Shield as a mechanism of transferring personal data from the EU to the U.S. The EU-U.S. Privacy Shield, of course, was a program whereby companies in the U.S. could self-certify with the U.S. Department of Commerce as adhering to a set of privacy principles agreed to by the U.S. government and European Commission as providing adequate protection of personal data. The CJEU opinion’s rationale for invalidating the Privacy Shield in the Schrems II decision largely focused on concerns about access to data by the U.S. National Security Agency (or NSA) and other U.S. intelligence authorities. This ruling had implications for entities that were not Privacy Shield-certified because in addition to expressing concerns about Privacy Shield itself, the CJEU, in its opinion, expressed concern about access by the NSA to data that were transferred to the U.S. using other transfer mechanisms, like the Standard Contractual Clauses (or SCCs). The CJEU’s decision thus essentially required all entities transferring personal data to the U.S. to complete what’s called a “data transfer impact assessment” prior to the transfer. In this data transfer impact assessment, the parties need to assess whether the NSA or other U.S. government agencies may have access to the data following transfer or in transit, and if so, what supplementary measures the parties will put in place to safeguard the data. This change has caused EU and UK entities to focus on the transfer requirements and request that U.S. organizations provide them with assistance in conducting transfer impact assessments and implementing supplementary measures to safeguard data following transfer. 
This is particularly the case in the life sciences and health care sector, because much of the data processed in these sectors are sensitive data, like genomic data or biometric data, to which EU organizations apply heightened scrutiny when making a transfer.
Christine Moundas: It’s clear that these issues just continue to become more and more complicated over time. What recent developments, in particular, have occurred in this area that U.S. life sciences companies and health care providers should be aware of?
David Peloquin: There are several recent developments that have occurred in this space with which health care providers and life sciences organizations engaged in cross-border data transfers should familiarize themselves.
First, the European Commission released revised Standard Contractual Clauses in June 2021. These SCCs are a mechanism that two parties can use to transfer data from the EU to the U.S. The compliance date for updating existing contracts to use the revised version of the SCCs occurred on December 27, 2022. Thus, entities that have older contracts using the SCCs should ensure that they have already updated, or are in the process of updating as soon as possible, those contracts to use the new version of the SCCs.
If we stick with the SCCs for a minute, one notable aspect of the revised SCCs is that they technically cannot be used for transfers of personal data from the EU to an entity located in the U.S. that is directly subject to the GDPR. This seems a really odd result if you think about it, because many entities located in the U.S. that receive data from Europe are themselves directly subject to GDPR because they fall within the GDPR’s extra-territorial scope. For example, most clinical trial sponsors that sponsor trials in the EU or telemedicine providers offering services in the EU would be directly subject to GDPR, and thus, these entities technically cannot use SCCs as a means of cross-border data transfer. Nevertheless, many entities directly subject to GDPR continue to use SCCs for transfers due to the lack of a viable alternative, despite the fact that the SCCs’ text on its face says that they cannot be used with entities directly subject to GDPR. In a set of FAQs that was released in May of last year, the European Commission acknowledged this issue and said it anticipates issuing a new set of SCCs in the near future for transfers to entities that are directly subject to GDPR. This means that U.S. entities that are directly subject to GDPR and currently rely on SCCs for transfers may in 2023 need to undertake a new round of negotiations with counterparties to put in place a new, further revised set of SCCs.
Also to note for entities that transfer data from the UK, the UK has released its own SCCs in March 2022, which are known as the International Data Transfer Agreement (or IDTA). This IDTA has two flavors: a stand-alone agreement and an addendum to the EU SCCs. As of September of last year, new contracts that involve cross-border transfers of personal data subject to UK GDPR must use either the stand-alone IDTA or the addendum to the EU SCCs. Entities must update their existing contracts that rely on EU SCCs for UK data to include these UK-specific contracts by March 21, 2024.
Another important development in 2022, and perhaps the most important development, was the announcement in March that year by the Biden Administration and the European Commission of an agreement in principle on a Trans-Atlantic Privacy Shield Framework. The goal of this framework is to re-instate a reinvigorated EU-U.S. Privacy Shield as a means for U.S. companies to self-certify compliance with the Privacy Shield principles and again be able to receive personal data from the EU without putting in place another means of transfer. In a promising sign, the Biden Administration released an Executive Order to implement this framework in October of last year, and less than a month ago, on December 13, 2022, the European Commission issued a draft adequacy decision to implement this framework. The draft adequacy decision is currently under review by the European Data Protection Board, which is expected to issue an opinion on the draft in the first half of 2023. After that, the decision will need to be formally adopted by the European Commission before it takes effect and before the revised Privacy Shield is available as a mechanism of data transfer.
Key to note for health care providers and universities is that, like its predecessor, the revised Privacy Shield will be available only to entities that are subject to the jurisdiction of the U.S. Federal Trade Commission or U.S. Department of Transportation, and thus, most nonprofit organizations will not be able to self-certify to the revised Privacy Shield. Nevertheless, the revised Privacy Shield should be helpful even for organizations that cannot self-certify to it. This is because the revised framework addresses the key concerns of the CJEU in the Schrems II decision. The revised framework does this by (i) limiting access to personal data by U.S. intelligence agencies to that which is necessary and proportionate, (ii) introducing redress mechanisms for EU persons against U.S. intelligence agencies that access their data, including through creation of a new Civil Liberties Protection Officer and U.S. Data Protection Review Court, and (iii) providing redress mechanisms in the EU against Privacy Shield-certified organizations that fail to comply with the framework. Organizations conducting data transfer impact assessments can take these mechanisms into account when conducting their assessments and attempting to convince EU entities of the adequacy of the safeguards in place to protect personal data following transfer to the U.S.
I should note that like the previous Privacy Shield, it is likely that the new Trans-Atlantic Privacy Framework will be subject to challenge by Max Schrems and potentially other privacy advocates in the EU once finalized. Thus, U.S. organizations will want to follow these developments carefully.
A final key development that we expect in 2023 for the life sciences and health care community is that the European Data Protection Board is expected to issue a long-awaited guidance document on scientific research and GDPR. This document is expected to address many of the questions that researchers have grappled with for years with respect to GDPR, including the issues of cross-border data transfer.
Christine Moundas: So, David, taking this all into account, what successful strategies have you seen employed by U.S. life science companies and health care providers to comply with GDPR’s cross-border transfer provisions?
David Peloquin: The most important strategy I see in ensuring successful transfers is to start early in planning compliance strategies for transfers. When a company begins planning an activity that involves EU or UK data, be it a clinical trial with sites in the EU or UK, or participation in a multi-national research consortium, or engagement of a vendor in the EU or UK, entities should start mapping data flows and identifying the compliance mechanism that will be used to legitimize cross-border transfers, such as SCCs. The biggest mistake I see is that U.S. companies often start from the assumption that all data they will receive are fully anonymized, and thus, not subject to cross-border transfer restrictions. These companies frequently discover late in the process, once business discussions are well underway, that personal data will indeed be transferred in connection with the arrangement and the EU or UK counterparty will insist on a robust data transfer impact assessment. This data transfer impact assessment will often be time-consuming and could delay the business negotiations or transaction.
Christine Moundas: That’s really helpful for folks to understand. How do you help life sciences and health care clients in navigating cross-border data transfer issues?
David Peloquin: I think, Christine, that U.S.-based clients need to evaluate cross-border data transfers in the context of a larger GDPR and data privacy compliance program. There are several concrete steps involved in putting together such a compliance program, and we regularly assist clients with each of these. Key steps include (i) identifying which data flows and data processing activities are subject to GDPR, (ii) establishing an internal GDPR compliance policy, (iii) updating website privacy policies and other external-facing privacy notices, (iv) drafting data protection agreements with processors, (v) customizing SCCs for various transfer scenarios, and (vi) assisting with data transfer impact assessments. For this last piece, it is important to work with counsel that understands health data flows and can address appropriate safeguards that are often used in the health care sector, such as pseudonymization, while also understanding the challenges of re-identification posed by certain types of health data, like genomic data or biometric data.
I should also note that while we’ve been focused on the EU and UK today, many other jurisdictions around the world, including China, Japan and Brazil, also restrict cross-border transfers of personal data. While the specific requirements of each law differ, the same strategies that are used to assist with compliance with EU-U.S. data transfers can also be helpful in analyzing transfers from other jurisdictions. I frequently partner with our Ropes & Gray colleagues in our Europe and Asia offices, as well as our network of local counsel, to assist U.S. companies in complying with these other laws.
Christine Moundas: Thank you, David, for this insightful discussion today—this is definitely a lot to unpack. For our listeners, we appreciate you tuning in to our Decoding Digital Health podcast series. If we can help you navigate any of these issues that we've been discussing today, please don't hesitate to get in touch with David, myself or your usual Ropes & Gray advisor.
For more information about our digital health practice and other topics of interest in this space, please feel free to visit ropesgray.com/digitalhealth. You can also sign up for our mailing list as well as get invitations to our digital health-focused events. Finally, you can subscribe to this series wherever you listen to podcasts, including Apple, Google and Spotify. Thanks again for listening.