No EU-US adequacy decision – what next for personal data transfers between the EEA and the United States?

The European Parliament has voted against greenlighting an adequacy decision for personal data transfers from the EU to the US under the proposed EU-US Data Privacy Framework. The Parliament's resolution is not binding on the European Commission, which takes the final decision, but as frustrating as the delay may be for US companies, what matters now is that US pharmaceutical research organisations carry out Transfer Impact Assessments (TIAs) and rely on the GDPR's existing transfer mechanisms, such as Standard Contractual Clauses, until the next steps become clear.

Every day large amounts of personal data are transferred cross-border and stored and processed in different countries. The ability to transfer personal data across borders can be a key driver of innovation, productivity and economic competitiveness as long as there are adequate safeguards, and these transfers fully respect the right to the protection of personal data and the right to privacy.

The General Data Protection Regulation (GDPR) protects the personal data of individuals in the EEA, whatever their nationality. That protection travels with the data: the rules continue to apply wherever the data ends up. For the GDPR to permit a transfer of personal data outside the EEA, the transfer must therefore be covered by a mechanism that guarantees a level of protection essentially equivalent to the one the data enjoys within the EEA.

But what is an adequacy decision, and why is it so sought after?

Chapter V of the GDPR provides several mechanisms under which personal data may be transferred to a non-EEA country, each designed to ensure that the data, and the individual's right to privacy, remain protected throughout the data's lifecycle.

A non-EEA country, often referred to as a third country, may be declared by the European Commission as offering adequate protection (Article 45 GDPR): an adequacy decision. Personal data can then be transferred to a recipient in that country without the data exporter having to provide further safeguards or meet additional conditions. In other words, a transfer to an 'adequate' third country is treated much like a transfer within the EEA. Adequacy decisions are kept under review and can be challenged before the EU courts, as the history below shows.

What has been the arrangement for international data transfers between the EU and the United States?

The adequacy decision on the EU-US Privacy Shield was adopted in July 2016 and allowed transfers from the EU to US companies that had certified under the Privacy Shield. In July 2020, the Court of Justice of the European Union, in its Schrems II judgment, invalidated that decision with immediate effect, so companies could no longer rely on the Privacy Shield for transatlantic transfers of personal data. The same judgment upheld Standard Contractual Clauses in principle, but held that an exporter using them must verify, case by case, whether the law of the destination country undermines the protection the clauses provide; that requirement is the origin of the Transfer Impact Assessment discussed below.

In October 2022, President Biden signed Executive Order 14086, implementing the new EU-US Data Privacy Framework on the US side, including limits on signals intelligence collection and a new redress mechanism for individuals in the EU. In December 2022, the European Commission published its draft adequacy decision for the EU-US Data Privacy Framework and launched the adoption process.

Unfortunately, in April 2023, after scrutinising the EU-US Data Privacy Framework, the European Parliament adopted a resolution advising the European Commission against granting the United States an adequacy decision. The resolution is not binding on the Commission. MEPs acknowledged that the Framework improves on its predecessors, but argued that it needs stronger safeguards and should be future-proofed, with the Commission able to verify that the new rules are actually implemented. At the time of the vote the US intelligence agencies were still updating their policies and procedures under the Executive Order, so MEPs considered that the EU could not yet fully assess how the Framework works in practice.

Can EU personal data be transferred and stored in the US?

Yes, provided a transfer mechanism under Chapter V of the GDPR applies: either the appropriate safeguards described below are in place or, exceptionally, one of the derogations is available.

What options are available to US companies without an adequacy decision?

Without an adequacy decision, a transfer may take place under Article 46 GDPR if the exporter provides appropriate safeguards and enforceable data subject rights and effective legal remedies are available for individuals. Such appropriate safeguards include:

Binding Corporate Rules

Binding Corporate Rules (BCRs) are designed to allow multinational groups to transfer personal data from the European Economic Area (EEA) to their affiliates located outside the EEA in compliance with the GDPR (Article 47). BCRs are drafted by the group, reviewed by the lead supervisory authority in the EU and, after the European Data Protection Board (EDPB) has issued its opinion under the consistency mechanism, formally approved by that supervisory authority. Once approved, BCRs are legally binding on every member of the group and expressly confer enforceable rights on data subjects regarding the processing of their personal data. The approval process is lengthy, often more than a year, so BCRs suit stable intra-group flows rather than a single clinical trial with a fixed start date.

Standard Contractual Clauses

Standard Contractual Clauses (SCCs) are model data protection clauses adopted by the European Commission that allow controllers and processors to meet their obligations under the GDPR. Controllers and processors can incorporate them into their contractual arrangements with other parties, for instance commercial partners or clinical trial vendors, to satisfy the GDPR's requirements for transferring personal data to countries outside the EEA. The 2021 SCCs are modular (controller to controller, controller to processor, processor to processor and processor to controller), so the parties must select the module that matches their roles in the transfer.

Unlike Binding Corporate Rules, data exporters can use SCCs without prior authorisation (of the transfer or of the clauses) from a data protection authority. However, the burden lies with the data exporter to verify, before transferring, that the importer can actually comply with the SCC obligations under the laws of its own country, and to adopt supplementary measures where it cannot. This is why, under the European Commission's 2021 SCCs, the parties must carry out and document a Transfer Impact Assessment (TIA): Clause 14 requires them to warrant that they have assessed the destination country's laws and practices and to make that assessment available to the competent supervisory authority on request. Note also that the previous (2010) SCCs could no longer be used for new contracts from 27 September 2021 and ceased to be valid for existing contracts on 27 December 2022; any transfer still relying on them needs to be re-papered onto the 2021 clauses.

If a transfer to a third country not covered by an adequacy decision is necessary and appropriate safeguards are absent, the transfer may still be made under the derogations of Article 49 GDPR for specific, limited situations, for example where the individual has explicitly consented to the proposed transfer after being informed of the risks it involves. Derogations are interpreted restrictively and are intended for occasional transfers; they are not a suitable routine basis for the recurring data flows of a clinical trial, and consent in particular can be withdrawn at any time, which makes it an unreliable foundation for a transfer a sponsor depends on.

What should US biopharmaceutical companies wanting to transfer personal data out of the EEA do next?

Data protection and privacy regulations worldwide change constantly, and companies must monitor developments closely. If you work with a GDPR compliance consultancy, it can advise you on actionable changes and help you stay on the right side of data protection law.

Until a future adequacy decision between the EU and the US is adopted, biopharmaceutical organisations should continue to rely on the existing transfer mechanisms, such as the European Commission's Standard Contractual Clauses (SCCs) for international data transfers.

However, as mentioned above, international data transfers now require additional steps, including complex Transfer Impact Assessments (TIAs). Getting to grips with this process can take time and effort, potentially leading to delays in your research project.

A clinical trial data protection consulting service such as Pharma Data Protection can do the heavy lifting, saving you time and money. We provide you with up-to-date information and advice on GDPR-compliant cross-border transfer frameworks and guidance on carrying out a TIA during the set-up of each clinical trial and/or vendor transfer.
