EU-US Adequacy Decision: What You Need to Know

As you probably know, here at MyData-TRUST, instead of relaying basic news, we take the time to thoroughly analyze and come to you with a real impact assessment. Having said that, we have some exciting news to share! On July 10, the EU Commission issued an Adequacy Decision effective immediately, declaring that the US now provides an adequate level of protection for personal data transferred from the EU to companies participating in the EU-US Data Protection Framework (DPF).

This is a significant development considering the history of EU-US data protection arrangements, such as the Safe Harbor Agreement (2000-2016) and the Privacy Shield (2016-2020), both of which were invalidated due to concerns about US surveillance laws. After three years of negotiation, the new EU-US Data Privacy Framework is now in place, though it's not clear yet how long this will last.

So, what does this mean? Can personal data flow freely and safely from the EEA to the US without further conditions or authorizations? And how does this decision impact the life sciences sector? Let's explore.

So, what's new?

While it is called an Adequacy Decision, the EU-US Data Privacy Framework is unique. Unlike the Adequacy Decisions for countries like the UK or Switzerland where the entire legal framework is recognized as adequate, the new arrangement requires US companies to join the EU-US DPF. This means going through a self-certification process and committing to comply with a detailed set of privacy obligations before the data can be safely sent to them.

How to get certified?

US companies can perform the certification at the US Department of Commerce's website starting July 17, 2023. Companies that maintained their Privacy Shield certifications and wish to certify for the DPF must comply with the EU-US DPF Principles by updating their privacy policies by October 10, 2023.

We are supporting our clients in this certification process. If you are interested, feel free to reach out to our team for support.

How does this impact the UK and Switzerland?

This agreement does not apply to the UK and Switzerland. They will have different agreements, which are currently under finalization. No transfers of personal data can take place until the anticipated adequacy regulations come into force (exact date not yet known).

Implications for Life Sciences

The EU-U.S. Data Protection Framework introduces significant changes for the Life Sciences as shown below:

  • Anonymize data when suitable. EU laws apply pre-transfer, DPF principles post-transfer.
  • Personal data from one study may be reused with appropriate initial notice and consent. Future use not aligned with original research purposes requires new consent.
  • Participant withdrawal does not always negate processing of data previously collected.
  • EU clinical trial data may be provided to U.S. regulators for regulatory and supervision purposes.
  • “Blinded-study” participants who forgo data access during the trial can request access post-trial.
  • Organizations do not have to apply certain DPF principles in their product safety and efficacy monitoring if adherence to principles interferes with regulatory compliance.
  • Transfers to the U.S. of “key-coded” EU personal data are covered by DPF principles.

Final thoughts

While no organization is yet certified, the existing recommendations of implementing SCCs and performing TIAs remain in place. As the certification system starts operating, it's worth checking whether your vendors are certified and considering getting certified yourself, weighing the pros and cons. Remember, the priority should always be the protection of data subjects.

Read more about the DPF over here

Sign up to our free LinkedIn LIVE addressing this topic

Mathilde Faure

Marketing Manager at MyData-TRUST

1 year ago

Thank you Manon Darms, Anastassia Negrouk and Yve Wu for this article!
