July 14, 2016

Pharmaceutical and biotech companies can now transfer personal data from EU to the U.S.

This week the EU Commission decided that the proposed EU-U.S. Privacy Shield will provide a sufficient level of protection in connection with transfer of personal data from EU and EEA member countries to the U.S.*

  • Came into force immediately on July 12th, 2016
  • Companies can apply for the EU-U.S. Privacy Shield as of August 1st, 2016
  • Easier to transfer data between Europe and the U.S. for global organisations

*The decision was published in the Official Journal of the European Union July 12, 2016 and it came into force with immediate effect.


Safe Harbour Principles declared invalid last year

In September last year the European Court of Justice declared the Safe Harbour Privacy Principles invalid. The Safe Harbour Principles were based on a system of self-certification allowing EU-based organisations to transfer personal data to U.S. organisations that had obtained the certificate.
Back in September the Court of Justice, among other things, considered that the EU Commission had not decided whether the U.S. in fact ensured an adequate level of protection. Following this judgement the EU Commission and U.S. authorities have been working intensively on agreeing on a substitute for the Safe Harbour Principles, which has now finally resulted in the EU-U.S. Privacy Shield[1].


How does this affect you?

By obtaining an EU-U.S. Privacy Shield certificate, pharmaceutical and biotech companies may transfer personal data on healthcare professionals and other personal data, such as HR information, from their EU entities to their U.S. entities and to other organisations such as sub-suppliers and contractors, provided that these have obtained the EU-U.S. Privacy Shield certificate as well.

Signing EU model contracts[2] is also an option that provides a legitimate basis for transfer of personal data from EU to the U.S. However, signing EU model contracts can be quite comprehensive as they are signed between two entities and on a case-by-case basis, whereas the EU-U.S. Privacy Shield certificate will provide for transfer of personal data for multiple purposes and with multiple organisations.


What is the big picture?

In the U.S. the decision will be published in the U.S. Federal Register, and following this the U.S. Department of Commerce will begin managing the new system. The EU-U.S. Privacy Shield is based on a system of self-certification by which U.S. organisations commit to a set of privacy principles[3] issued by the U.S. Department of Commerce. As of August 1, 2016 U.S. companies will have the opportunity to apply for the EU-U.S. Privacy Shield certificate.


[1] http://ec.europa.eu/justice/data-protection/files/privacy-shield-adequacy-decision_en.pdf

[2] http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm

[3] http://ec.europa.eu/justice/data-protection/files/privacy-shield-adequacy-decision-annex-2_en.pdf



Written by Caroline Erup Widriksen