The Court of Justice of the European Union declares invalid the European Commission’s Safe Harbor Decision and its implications on the transfer of clinical data to the U.S
On 6 October 2015, the Court of Justice of the European Union (“CJEU”) ruled that the European Commission Decision on the adequacy of the EU-U.S Safe Harbor Framework (“Safe Harbor Decision”) was invalid.
This judgment follows a request from the High Court of Ireland that the CJEU review whether the Safe Harbor Decision has; (i) the effect of preventing the competent data protection authorities of the EU Member States from investigating a complaint alleging that a third country to which personal data is transferred does not ensure an adequate level of protection and, (ii) where appropriate, from suspending the contested transfer of data.
Background to the case
The plaintiff in this case, Mr. Schrems, filed a complaint with the Data Protection Commissioner in Ireland objecting to the transfer of his personal data from the Irish entity of Facebook to Facebook’s parent company in the U.S and the related retention of his personal data on the servers of the U.S entity of Facebook. The transfer of Mr. Schrems’ data was made on the basis of the EU-U.S Safe Harbor Framework.
Mr. Schrems alleged that the transfer and retention of his personal data did not ensure an adequate level of protection as the data held on the servers in the U.S was accessible to public authorities in the U.S for surveillance purposes.
The judicial review proceedings brought before the High Court of Ireland concerned the legality of the EU-U.S Safe Harbor Framework and the Safe Harbor Decision adopted by the European Commission. The High Court of Ireland referred to the CJEU the question whether the Data Protection Commissioner was bound by the Safe Harbor Decision or if the Data Protection Commissioner could conduct its own investigation concerning the legality of the transfer of personal data to a third country on the merits of the case.
Ruling of the CJEU
Today’s ruling of the CJEU in Case C-362/14, Maximillian Schrems v. Data Protection Commissioner provides that the competent data protection authorities of the individual EU Member States are entitled to investigate a complaint from a data subject who alleges that their personal data has been transferred to a third country that does not protect their privacy and the fundamental rights and freedoms.
The CJEU also declared the European Commission Safe Harbor Decision to be invalid. The decision was based on the Court’s conclusion that national security, public interest, or law enforcement requirements in the U.S permit public authorities to have access on a generalised basis to the personal data of data subjects transferred from the EU to entities established in the U.S. The CJEU held that the public authorities in the U.S are entitled to disregard the principles adopted by the EU-U.S Safe-Harbor Framework without limitation where those principles conflict with national law requirements. Access by such authorities, therefore, compromises the essence of the fundamental right to respect for private life.
Consequences for clinical trial data
The CJEU ruling could have potentially far-reaching consequences for sponsors of clinical trials that have relied on the EU-U.S Safe Harbor Framework to justify the transfer of patients’ personal data and personal health data from clinical trial sites in the EU to the U.S. In light of this ruling, pharmaceutical and medical device companies must adopt an alternative legal basis on which to transfer such data to the U.S. One issue among many will be the implications of the ruling for marketing authorisations granted for medicinal products and conformity assessment of medical devices that were based on clinical data transferred to the US for processing on the grounds of safe harbor.
EU-U.S Safe-Harbor Framework
It is recalled that the transfer of personal data out of the EU to third countries which do not provide an adequate level of protection of personal data is prohibited. The U.S is one example of such third countries.
There are a number of exceptions to this general prohibition which would permit sponsors of clinical trials to transfer personal data out of the EU to the U.S or to any other third country which does not offer an adequate level of protection of personal data. Until the ruling of the CJEU today, one of those exceptions was the EU-U.S Safe-Harbor Framework.
The EU-U.S Safe-Harbor Framework permitted sponsors of clinical trials to transfer patient personal data out of the EU to an entity in the U.S. for processing if this entity participated in the voluntary self-certification U.S-EU Safe Harbor Framework. Compliance with these principles is controlled by the U.S. Federal Trade Commission.
Impact of the CJEU ruling on the transfer of clinical data
One consequence of the ruling delivered by the CJEU is that sponsors of clinical trials conducted in the EU will no longer be permitted to rely on the EU-U.S Safe-Harbor Framework as a valid legal basis to permit the transfer of clinical trial data to the U.S; for processing. Sponsors of clinical trials must, therefore, adopt an alternative legal basis on which to transfer such data. For instance, such sponsors could obtain the unambiguous consent of the trial patient to the transfer of such data to the U.S.
It is currently unclear what, if any, implications the CJEU decision will have for clinical data that has been exported to the US in reliance on the EU-U.S Safe-Harbor Framework and subsequently relied on to support marketing authorisation of medicinal products or demonstration of compliance by medical devices with applicable EU rules.