The European Court of Justice (ECJ) declared the Privacy Shield invalid in its ruling (C-311/18) on 16 July 2020. We have summarized here what this can mean for you and your company.
Data protection, the exchange of data and what has to be considered: I know this is not a very entertaining topic. Nevertheless, it is one of great importance, especially in the healthcare market. Why?
Because in our healthcare market, doctors and industry personnel deal with patients' personal data on a daily basis and transmit it online: for clinical studies, for sending medical images (DICOM) to core labs, or for obtaining a second opinion from medical experts, whether for screening purposes or to check a patient's suitability for a particular treatment, sometimes across several continents. And here comes the problem:
After the ECJ invalidated the Safe Harbor agreement in October 2015, its replacement, the Privacy Shield, a self-certification mechanism under which U.S. companies committed to privacy requirements when receiving personal data transferred from the EU to the United States, was itself declared invalid in July 2020.
European personal data not protected in the USA: U.S. government may use communications providers to monitor foreign individuals
The reason: the ECJ found that U.S. surveillance programmes allow U.S. authorities to carry out large-scale surveillance that does not meet European standards, in particular the requirements of necessity and proportionality. An example is the hotly debated Section 702 of FISA (Foreign Intelligence Surveillance Act), introduced by the FISA Amendments Act of 2008, which allows the U.S. government, with the compelled assistance of electronic communications service providers, to conduct targeted surveillance of non-U.S. persons located outside the United States in order to obtain foreign intelligence information.
Furthermore, the "ombudsperson" mechanism embedded in the Privacy Shield does not give the persons concerned a realistic possibility of bringing their case before an independent tribunal with the power to issue binding decisions, as required by Article 47 of the Charter of Fundamental Rights of the European Union.
The problematic situation was clearly expressed by Mr. Schrems, the founder of the NOYB-European Center for Digital Rights, who stated during a hearing before the EU Commission on September 3: “(…)we have a fundamental clash of laws. We have in the European Union, the Charter of Human Fundamental Rights and in the US, FISA (…) there is a legal clash (…) having two different obligations on the legislative level, in the US to have surveillance and in the EU the obligation to privacy (…)“.
Why could this be a problem for European companies?
Well, the answer is simple: If you and your company rely on service providers for the exchange of European patient data, then you need to check:
1. where are the data hosted – US or EU?
2. where is the company located processing your data?
If you host your patient data on U.S. servers, or use a data processor headquartered in the USA (even if its servers stand in the EU: a U.S. company remains subject to U.S. law such as FISA Section 702 wherever it stores the data), your data is at risk of being subject to U.S. surveillance.
The question now is what the European data protection authorities will do about it. The ECJ's ruling is binding and obliges the authorities to act; their measures are still under discussion.
So we are not only dealing with a complex legal situation that makes it difficult for the industry to operate and take clear decisions, but also with open questions. The Court upheld the standard contractual clauses (SCCs) in principle, but it requires the data exporter to assess, case by case, whether the law of the destination country undermines them and to take supplementary measures where it does. What those measures must look like, and what the data protection authorities will require, is not yet known.
Will data from your EU patients be transferred to the USA?
I am often surprised when I speak to senior clinical or business managers in the healthcare industry who have to manage the transfer of personal patient data, such as medical images as part of clinical monitoring or study projects. Often they have little knowledge of the current discussions regarding data transfer between the EU and the U.S.; often they don't even know in which country their project data is hosted. Also, the term "anonymized" data is often used incorrectly: in practice the data is usually only pseudonymized (direct identifiers replaced by a code, with a key or a lookup table that still allows re-identification), which under the GDPR remains personal data and has completely different legal consequences from anonymization.
My clear recommendation to any manager responsible for the transfer of personal patient data: make every effort to understand where the relevant data is hosted and whether the entity handling it is a U.S. or an EU company, so that you can assess the risk of access by U.S. authorities.
The solution: Hosting European patient data on European servers using European providers
It is clear that it will be almost impossible to prevent the US authorities from monitoring EU-US data transfers and that it will take years, if ever possible, to resolve these issues legally.
Therefore, to protect the privacy of our patients in Europe in the context described above, it is strongly recommended to ensure that the data is hosted in Europe by a European company as data processor. A provider that is neither located in the U.S. nor controlled by a U.S. parent is not subject to U.S. orders under FISA Section 702, so the U.S. authorities have no legal lever to obtain the data from it.
And yes, that is exactly what we offer at ClinFlows: ClinFlows uses only dedicated servers located in Europe to process data, because the security of the patient data we process is our top priority.
And we promise you: We will continue to monitor the recommendations of data protection authorities to ensure that appropriate mechanisms are implemented and that our services remain secure for all parties involved.
About the author:
Uwe Gladbach is a biomedical engineer who started his career as a perfusionist in open-heart surgery in the 1990s. Over more than 25 years he has gained experience in the medical device industry in various positions, covering clinical research as well as sales and operations in global roles. Uwe is the CEO and founder of ClinFlows, which offers e-solutions for clinical workflows.
One reply on “ECJ invalidates Privacy Shield – what does this mean for you and your company?”
[…] secure solution here can be provided by web-based clinical decision support tools, such as our GDPR-compliant online solution decidemedical, which has been used by the medical device industry for ten […]