As we reported last year, the invalidation of the EU-U.S. Privacy Shield on July 16, 2020 is forcing the hand of U.S. companies which access the personal data of EU residents to find a new, lawful mechanism by which to do so in accordance with EU data protection laws. One such alternative – the use of the EU’s standard contractual clauses (SCCs) (a/k/a “Model Clauses”) – was recently bolstered by much-needed proposed updates to the clauses themselves.

Many U.S.-based life sciences companies outsource their clinical trial needs to laboratories outside of the U.S., including labs located in the European Union (EU). Others conducting clinical trials in the U.S. may be involved with the collection and processing of EU patients’ data in some other capacity. Despite the benefits of such international cooperation, these arrangements trigger an array of compliance obligations for U.S. companies under a number of EU laws[1], including the General Data Protection Regulation (GDPR) and its rules pertaining to data processing activities.

The novel coronavirus has upended business operations on a global scale, and mitigation efforts continue to be implemented to help organizations stay afloat during this unprecedented pandemic. On March 19th, the European Data Protection Board (EDPB), an informal working group comprised of representatives of each of the national data protection authorities in the EU, issued a statement regarding data processing activities during this public health crisis, emphasizing that while data protection rules should not hinder the fight against COVID-19, it is still imperative that certain prescribed steps be taken to ensure the protection of personal data.

Despite the global angst preceding the GDRP’s effective date, there’s been seemingly little news about enforcement efforts against noncompliant businesses. But, the reality is that EU regulators have been very busy working behind the scenes. As of February, 2019, nearly 100,000 claims under the GDPR have been lodged with EU national data protection authorities (“DPAs”), many relating to telemarketing and promotional e-mails. Similarly, just over 40,000 data breaches were reported to the DPAs; and 255 investigations into EU cross-border processing activities were initiated, mostly as a result of complaints filed by individuals.

Outside GC Member Stephan Grynwajc continues to keep a close eye on the fate of the EU-U.S. Privacy Shield data-sharing arrangement. 

U.S. companies handling the personal data of EU residents should now be familiar with the requirements of the General Data Protection Regulation (GDPR), the new data protection law covering all countries in the EU, which went into effect on May 25, 2018. News about the GDPR has been plentiful, including Outside GC’s own alerts. However, compliance with EU privacy laws does not end with this regulation. There are other EU legislations covering privacy matters outside of the GDPR, such as the E-Privacy Directive 2002/58/EC of 2002 (a/k/a the “Cookies Directive”) and the “national derogations” of individual EU member state laws which impose additional responsibilities for U.S. companies that use the personal data of its residents as part of their business activities.

The future of the EU-U.S. Privacy Shield data-sharing arrangement is shaky at best. On June 12, 2018, a resolution was passed by the European Parliament’s Committee on Civil Liberties, Justice, and Home Affairs (LIBE) calling for the suspension of the Privacy Shield, unless the U.S. demonstrates full compliance with the requirements of the program by September 1, 2018. And today, following the recommendation of the LIBE, Parliament itself voted 303 to 223 (with 29 abstentions) in favor of suspension “unless the U.S. is fully compliant” by September 1st.

The European Parliament took this action in response to a number of recent data breaches affecting Privacy Shield Certified-U.S. companies, causing concern over the effectiveness of the regulatory oversight of the framework, as well as well as over the sufficiency of the Shield’s certification requirements which are designed to protect the personal data of EU residents. If suspended, certified U.S. companies will no longer be able to leverage the benefits afforded to them by the Privacy Shield, forcing them to find new compliance mechanisms by which to transfer data from the EU in order to satisfy the requirements of the GDPR.

Complying with the EU’s New Data Privacy Law

On May 25, 2018, the European Union (EU)'s General Data Protection Regulation (GDPR) comes into force, broadening the scope of privacy obligations for companies doing business in or with Europe. The GDPR applies to all businesses that collect and use personal information of EU residents, including organizations located outside the EU.

U.S. companies, including Data Processors in the United States, may be subject to the GDPR if they offer products or services to EU residents or if they monitor the behavior of such residents even if they do not have a physical presence in the EU.