Lost on the High Seas without a Safe Harbor or a Shield? Navigating Cross-Border Data Transfers in the Pharmaceutical Sector After Schrems II Invalidation of the EU-US Privacy Shield

Corrales Compagnucci, Marcelo; Minssen, Timo; Seitz, Claudia; Aboy, Mateo

Lost on the High Seas without a Safe Harbor or a Shield? Navigating Cross-Border Data Transfers in the Pharmaceutical Sector After Schrems II Invalidation of the EU-US Privacy Shield

Mark

Corrales Compagnucci, Marcelo ; Minssen, Timo ^LU ; Seitz, Claudia and Aboy, Mateo (2020) In European Pharmaceutical Law Review 4(3). p.153-160

Abstract: This article analyzes the impact and associated legal challenges of cross-border data transfers in the pharmaceutical sector after the recent Court of Justice of the European Union (CJEU) decision in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Schrems II). In Schrems II, the CJEU invalidated Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield Framework. That said, the Court also found that the European Commission Decision 2010/87 on standard contractual clauses (SCCs) for the transfer of personal data to processors established in third countries is still valid. The ruling has resulted in significant uncertainty and liability risks for organizations that... (More); This article analyzes the impact and associated legal challenges of cross-border data transfers in the pharmaceutical sector after the recent Court of Justice of the European Union (CJEU) decision in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Schrems II). In Schrems II, the CJEU invalidated Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield Framework. That said, the Court also found that the European Commission Decision 2010/87 on standard contractual clauses (SCCs) for the transfer of personal data to processors established in third countries is still valid. The ruling has resulted in significant uncertainty and liability risks for organizations that depend on EU-US cross-border transfers of personal data such as pharmaceutical companies (data controllers) engaged in global clinical trials and their technology providers for endpoint collection and data transfer (processors). In light of these challenges, this paper discusses the need for sustainable practices and a legally sound regulatory environment for data transfer. To mitigate risks and uncertainties, we stress the need for updated SCCs guidelines and argue inter alia for the adoption of contractual frameworks which incorporate SCCs with a robust information security management system (ISMS) and a privacy information management system (PIMS) to ensure an appropriate level of data protection. (Less)

Please use this url to cite or link to this publication: https://lup.lub.lu.se/record/9981c32d-99a7-4065-8a46-0fe55922be6d

author

Corrales Compagnucci, Marcelo ; Minssen, Timo ^LU ; Seitz, Claudia and Aboy, Mateo

publishing date

2020-11-12

type

Contribution to journal

publication status

published

subject

Law

keywords

Health law, Hälsorätt

in

European Pharmaceutical Law Review

volume

4

issue

3

pages

8 pages

publisher

Lexxion

ISSN

2511-7157

language

English

LU publication?

no

id

9981c32d-99a7-4065-8a46-0fe55922be6d

date added to LUP

2020-12-16 13:06:23

date last changed

2020-12-21 14:32:09

@article{9981c32d-99a7-4065-8a46-0fe55922be6d,
  abstract     = {{This article analyzes the impact and associated legal challenges of cross-border data transfers in the pharmaceutical sector after the recent Court of Justice of the European Union (CJEU) decision in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Schrems II). In Schrems II, the CJEU invalidated Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield Framework. That said, the Court also found that the European Commission Decision 2010/87 on standard contractual clauses (SCCs) for the transfer of personal data to processors established in third countries is still valid. The ruling has resulted in significant uncertainty and liability risks for organizations that depend on EU-US cross-border transfers of personal data such as pharmaceutical companies (data controllers) engaged in global clinical trials and their technology providers for endpoint collection and data transfer (processors). In light of these challenges, this paper discusses the need for sustainable practices and a legally sound regulatory environment for data transfer. To mitigate risks and uncertainties, we stress the need for updated SCCs guidelines and argue inter alia for the adoption of contractual frameworks which incorporate SCCs with a robust information security management system (ISMS) and a privacy information management system (PIMS) to ensure an appropriate level of data protection.}},
  author       = {{Corrales Compagnucci, Marcelo and Minssen, Timo and Seitz, Claudia and Aboy, Mateo}},
  issn         = {{2511-7157}},
  keywords     = {{Health law; Hälsorätt}},
  language     = {{eng}},
  month        = {{11}},
  number       = {{3}},
  pages        = {{153--160}},
  publisher    = {{Lexxion}},
  series       = {{European Pharmaceutical Law Review}},
  title        = {{Lost on the High Seas without a Safe Harbor or a Shield? Navigating Cross-Border Data Transfers in the Pharmaceutical Sector After Schrems II Invalidation of the EU-US Privacy Shield}},
  volume       = {{4}},
  year         = {{2020}},
}

Lund University Publications

LUND UNIVERSITY LIBRARIES

Lost on the High Seas without a Safe Harbor or a Shield? Navigating Cross-Border Data Transfers in the Pharmaceutical Sector After Schrems II Invalidation of the EU-US Privacy Shield