Lost on the High Seas without a Safe Harbor or a Shield? Navigating Cross-Border Data Transfers in the Pharmaceutical Sector After Schrems II Invalidation of the EU-US Privacy Shield

European Pharmaceutical Law Review (EPLR), 4(3):153-160

10 Pages Posted: 28 Jan 2021 Last revised: 10 Apr 2021

See all articles by Marcelo Corrales Compagnucci

Marcelo Corrales Compagnucci

Centre for Advanced Studies in Biomedical Innovation Law (CeBIL), Faculty of Law, University of Copenhagen

Timo Minssen

University of Copenhagen - Centre for Advanced Studies in Biomedical Innovation Law (CeBIL) - Faculty of Law

Claudia Seitz

University of Ghent, Faculty of Law

Mateo Aboy

LML, University of Cambridge

Date Written: October 5, 2020

Abstract

This paper analyzes the impact and associated legal challenges of cross-border data transfers in the pharmaceutical sector after the recent Court of Justice of the European Union (CJEU) decision in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Schrems II). In Schrems II, the CJEU invalidated Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield Framework. That said, the Court also found that the European Commission Decision 2010/87 on standard contractual clauses (SCCs) for the transfer of personal data to processors established in third countries is still valid. The ruling has resulted in significant uncertainty and liability risks for organizations that depend on EU-US cross-border transfers of personal data, including pharmaceutical companies (data controllers) engaged in global clinical trials and their technology providers for endpoint collection and data transfer (processors). In light of these challenges, this paper discusses the need for a legally sound regulatory environment for data transfer. To mitigate risks and uncertainties, we stress the need for updated GDPR-compliant SCCs and SCC guidelines and argue, inter alia, for the adoption of data protection frameworks which incorporate SCCs with a robust information security management system (ISMS) and a privacy information management system (PIMS) to ensure an appropriate level of data protection, as well as for sector specific transfer mechanisms including health data adequacy decisions and the need for GDPR certification and codes of conduct for cross-border transfers of clinical trial data.

Keywords: GDPR, Data transfer, Schrems II case, data protection, data security, Privacy Shield, Standard Contractual Clauses (SCCs), pharmaceutical sector

Suggested Citation

Corrales Compagnucci, Marcelo and Minssen, Timo and Seitz, Claudia and Aboy, Mateo, Lost on the High Seas without a Safe Harbor or a Shield? Navigating Cross-Border Data Transfers in the Pharmaceutical Sector After Schrems II Invalidation of the EU-US Privacy Shield (October 5, 2020). European Pharmaceutical Law Review (EPLR), 4(3):153-160, Available at SSRN: https://ssrn.com/abstract=3705604

Marcelo Corrales Compagnucci (Contact Author)

Centre for Advanced Studies in Biomedical Innovation Law (CeBIL), Faculty of Law, University of Copenhagen ( email )

Karen Blixens Plads 16
Copenhagen, Copenhagen DK-2300
Denmark

HOME PAGE: http://https://research.ku.dk/search/?pure=en%2Fpersons%2F662698

Timo Minssen

University of Copenhagen - Centre for Advanced Studies in Biomedical Innovation Law (CeBIL) - Faculty of Law ( email )

Karen Blixens Plads 16
Copenhagen, 2300
Denmark
+46 708 607517 (Phone)

HOME PAGE: http://jura.ku.dk/cebil/staff/profile/?pure=en/persons/381631

Claudia Seitz

University of Ghent, Faculty of Law

Mateo Aboy

LML, University of Cambridge ( email )

Trinity Ln
Cambridge, CB2 1TN
United Kingdom

HOME PAGE: http://www.lml.law.cam.ac.uk/people/Research-Scholars-Associates/Prof-mateo-aboy

Do you want regular updates from SSRN on Twitter?

Paper statistics

Downloads
106
Abstract Views
475
rank
341,514
PlumX Metrics