If Washington State’s My Health My Data Act (“MHMDA”) “turned the beat around” on drug and device makers, then the Schrems I and II decisions by the European Court of Justice had companies on both sides of the Atlantic singing “Why Can’t We Be Friends?”

The recent Data Privacy Framework between the United States and the European Union (“EU-U.S. DPF”) can help drug and device manufacturers reduce data transfer friction between the EU and U.S. for now. Time will tell if the new framework is here to stay or if it will be struck down like its predecessors after an inevitable legal challenge.

This update examines the EU-U.S. DPF certification requirements and offers tips to companies looking to make use of the European Commission’s recent adequacy decision to enable data transfers.

What is the EU-U.S. DPF?

The EU-U.S. DPF establishes Principles that organizations must comply with in order to import data from the EU to the U.S. under the recent EU Commission adequacy decision. Self-certifying to the framework demonstrates that company data protection and privacy practices offer an adequate level of protection as established in Regulation (EU) 2016/679 (“General Data Protection Regulation” or “GDPR”). The framework has its U.S. origins in Executive Order 14086 ‘Enhancing Safeguards for U.S. Signals Intelligence Activities’ signed by President Biden on October 7, 2022.

Totaling more than one-hundred pages, the EU-U.S. DPF rivals the length of GDPR itself. However, much of the framework consists of recitals of the practices of U.S. governmental bodies (e.g., NSA, DOJ) to describe how their practices properly balance the right to privacy with the public need to combat crime and terrorist activities.

How do U.S. organizations (or companies) participate?

A U.S. organization who wishes to participate in the EU-U.S. DPF must:

• be subject to the investigatory and enforcement powers of the Federal Trade Commission (the “FTC”), the Department of Transportation (the “DOT”) or another statutory body that will effectively ensure compliance;
• publicly declare its commitment to comply with the Principles;
• publicly disclose its privacy policies in line with these Principles; and
• fully implement them.¹

Organizations may “self-certify” their compliance with the EU-U.S. DPF by providing information relating to their privacy practices to the Department of Commerce.²

Organizations will find that updating their privacy policies and certifying compliance is the easy part. Fully implementing the Principles and preparing to demonstrate their compliance is where the real work begins.

What are the Principles?

The seven Principles³ of the EU-U.S. DPF are:

1. Notice. The notice requirement includes thirteen sub-requirements, including information about:

1. 1. the organization’s participation in the EU-U.S. DPF with a link to, or the web address for, the Data Privacy Framework List [to be created and maintained by the Department of Commerce];
   2. the types of personal data collected and, where applicable, the U.S. entities or U.S. subsidiaries of the organization also adhering to the Principles;
   3. the purposes for which it collects and uses personal information about them;
   4. how to contact the organization with any inquiries or complaints, including any relevant establishment in the EU that can respond to such inquiries or complaints;
   5. the type or identity of third parties to which it discloses personal information, and the purposes for which it does so;
   6. the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is: (1) the panel established by DPAs, (2) an alternative dispute resolution provider based in the EU, or (3) an alternative dispute resolution provider based in the United States,
   7. the possibility, under certain conditions, for the individual to invoke binding arbitration, and more.

2. Choice. In part, the Principle of Choice includes offering individuals the opportunity to opt-out of having their personal information be

1. 1. 1. disclosed to third parties; or
      2. used for a purpose that is materially different from the purpose for which it was originally collected or subsequently authorized by the individuals.

3. Accountability for Onward Transfer. Certifying companies must, before transferring personal information, enter into contracts with third-party controllers that provide that personal data may only be processed for limited and specified purposes consistent with the consent provided by the individual. The contract must require the recipient to: (i) provide the same level of protection as the Principles, and (ii) to notify the organization if it makes a determination that it can no longer meet this obligation. The contract must also state that when the third-party controller can no longer meet its obligations, it ceases processing information, or takes other reasonable and appropriate steps to remediate. Data processing agreements meeting required criteria will be needed for transfers to a third-party acting as an agent of the certifying company.

4. Security. Organizations must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.

5. Data Integrity and Purpose Limitation. Personal information must be limited to the information that is relevant for the purposes of processing.

6. Access. Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, or has been processed in violation of the Principles (except in situations where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy).

7. Recourse, Enforcement, and Liability. Effective privacy protection must include robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. Organizations must respond to an individual within 45 days of receiving a complaint.

Considerations for Medical Device and Drug Manufacturers

Along with the seven Principles that apply generally, there are specific considerations for medical device and pharmaceutical manufacturers. For instance, information collected in a clinical trial may be used for a new scientific research activity, “if appropriate notice and choice have been provided in the first instance.”⁴ A general notice of additional scientific use of the data may suffice, but where the notice does not adequately anticipate the new use, then new consent must be obtained. Similarly, if a patient withdraws from a clinical trial with data shared under the EU-U.S. DPF, any data collected prior to the patient’s withdrawal may be used if it was made clear to the participant in the notice he or she signed when they agreed to participate. ⁵

The Principles also accommodate “Blinded Studies,” where the participants would not be able to exercise their Right of Access to their individual study information due to the structure of the data collection, as long as the participant agrees to forego this right as a condition of participating in the study.⁶Transfers of data to comply with U.S. regulatory requirements are also allowed under the Framework and transfers of similar data to parties other than regulators must comply with the requirements of the Notice and Choice Principles referenced above.⁷ Similarly, drug and device manufacturers do not have to apply the Principles of Notice, Choice, Accountability for Onward Transfer, and Access to their reporting of adverse drug or device events. ⁸

Key Takeaways

• Participating in the EU-U.S. DPF requires submitting a certification of compliance to the U.S. Department of Commerce. An organization may self-certify or be certified by an outside organization.
• Certifying requires that the organization have the policies and procedures in place to adequately implement their requirements under the Framework.
• The Framework takes into consideration some of the special circumstances that apply to clinical trials and adverse event reporting requirements under U.S. law.
• Similar frameworks for Switzerland (“Swiss-U.S. DPF”) and the United Kingdom (“UK Extension to the EU-U.S. DPF”) became available to companies on July 17, 2023.

Conclusion

The new EU and U.S. framework for trans-Atlantic information sharing will provide immediate benefits to drug and device manufacturers with operations in Europe who are able to self-certify and take advantage of the adequacy decision. However, we anticipate that many companies will continue to lean on other data transfer mechanisms such as standard contractual clauses and data transfer impact assessments while awaiting the results of anticipated legal challenges.