Transfers of personal data outside the European Economic Area are governed by a dense legal and regulatory framework, supplemented and specified by recommendations issued by the European Commission. In the context of clinical trials conducted in Europe, compliance requires perfect mastery of the requirements of the General Data Protection Regulation (GDPR), with a focus on the modalities that establish a risk-based approach.

Data flows subject to the GDPR outside the EU

Since the Court of Justice of the European Union (CJEU) issued its ruling in the “Schrems II” case, European directives require companies making international transfers to ensure that personal data transferred to a third country benefit from a level of protection essentially equivalent to that guaranteed by European law.

A risk-based approach

The provisions of the GDPR require organizations to analyze and consider potential problems with the legislation or practices of the third country, and to address them within the framework of the GDPR's requirements. The assessment of the adequacy of safeguards remains primarily the responsibility of the exporter and the importer of the personal data.

This risk-based approach now applies to all areas, including clinical trials. Greater vigilance is required in this context, given the transfer of sensitive data (patient health data).

The operational stakes are high when the collected data must be made accessible to a recipient outside the European Economic Area (EEA): to subsidiaries, for example, to execute a contract with subcontractors located outside the EU, or to host this sensitive personal data on servers located abroad.

Obligations to be respected

The European Commission assesses the criticality of certain states in terms of data security and decides, based on several criteria, whether to consider a state as guaranteeing an adequate level of data protection.

When there is no adequacy decision, it is possible to transfer data outside the EU if and only if the controller has provided appropriate safeguards. These safeguards are, for example, a high level of data security and the guarantee of the rights of data subjects.

It is therefore up to those organizations subject to the GDPR to put in place protection and safeguard measures in keeping with the existing risk in the country to which they transfer the personal data collected.

Guidelines for addressing these issues

The GDPR provides for the implementation of several safeguards to ensure a sufficient and appropriate level of data protection. These safeguards must be binding and approved and may take the form of standard contractual clauses (SCC), codes of conduct or certification methods.

The two most commonly used safeguards in the life sciences context are standard contractual clauses and the Binding Corporate Rules.

The contract models for the transfer of personal data adopted by the European Commission have been revised recently. They are the most commonly used appropriate safeguard. The new SCCs combine general clauses with a modular approach to address the various transfer scenarios.

The purpose of the standard contractual clauses is to ensure that the controller or processor located outside the EU and not subject to an adequacy decision by the European Commission has implemented technical or organizational measures to ensure a sufficient level of privacy and security for the data transfer.

Binding corporate rules, for multinational companies operating in several countries, complement these. The Binding Corporate Rules (BCR) constitute a code of conduct defining the policy and strategy of a group of companies with respect to personal data transfers. They make it possible to provide adequate protection for data transferred to non-EU countries between the various entities that make up the group.

An impact analysis is needed to build processing that complies with the GDPR and respects privacy. The DPIA (Data Protection Impact Assessment), also known as a PIA (Privacy Impact Assessment), addresses the processing of personal data likely to generate a high risk for the rights and freedoms of the persons concerned. Analysis of these safeguards is part of the DPIA.

Constantly changing regulations: the new EU-U.S. Data Privacy Framework

On October 7, 2022, U.S. President Biden signed an Executive Order that should usher in a new EU-U.S. Data Privacy Framework regulating how U.S. intelligence agencies may collect data from EU citizens. This new framework will also create new mechanisms to address any claims that personal information was collected or handled in violation of either U.S. law or the framework. With the U.S. Order now signed, the European Commission is expected to prepare a draft adequacy decision for review by member governments and the European Data Protection Board. The final step on the EU side will be issuing a final adequacy opinion declaring that the new framework is GDPR compliant. The road to more legal certainty with regard to EU-U.S. data transfers is still long.

In this ever-changing regulatory landscape, data transfer mechanisms call for legal and technical expertise in this field. EU data exporters and non-EU data importers need to monitor future developments and adapt their compliance programs accordingly.

From this perspective, it is effective to rely on legal expertise such as that offered by iliomad, which is able to map the various transfers of personal data, identify the appropriate Standard Contractual Clauses and perform a data protection impact assessment. Vigilance measures are then matched to each level of risk so that this detailed approach applies to all transfer operations. In this respect, iliomad has acquired extensive experience within the healthcare industry to assist each party involved (sponsor, site, vendor) in complying with the GDPR and facing the various related obligations [1].

Seamus Larroque

CDPO / CPIM / ISO 27005 Certified
