Transferring data outside the EU: the Court of Justice sets new boundaries (and why it matters for the medical devices sector)
The MDR (Medical Devices Regulation) needs data. It needs them for clinical evaluation (defined as a "systematic and planned process to continuously generate, collect, analyse and assess the clinical data" in art. 2 n. 44), for clinical evidence (to be proven through clinical data and clinical evaluation, art. 2 n. 51) and for post-market surveillance (which consists in "actively and systematically gathering, recording and analysing relevant data", art. 83 par. 2).
There is no doubt that data are a key element of the proper functioning of software as a medical device (hence the MDCG 2019-16 Guidance on Cybersecurity for medical devices, issued in December 2019).
For this reason, all economic operators in the medical device sector should be aware of the contents of the recent ruling of the Court of Justice of July 16, 2020, case C-311/18, the so-called Schrems II judgment, which has been widely discussed. The facts are rather complicated, so it’s worth starting from the beginning.
Background to the Schrems II judgment
It all starts in 2013, when the Austrian Maximilian Schrems submits a request to the Irish Data Protection Authority to block the transfer of data made by Facebook Ireland to its US parent company under the EU-US data transfer agreement called ‘Safe Harbor’. According to Schrems, European citizens completely lose control of their data once they arrive in the United States, as US legislation appears to allow extensive controls over data, without any regard for transparency and without allowing European residents to exercise their rights. The case reaches the Court of Justice, which declares the Safe Harbor invalid in the "Schrems I" judgment of 2015.
The ruling creates a regulatory void for all companies that have always used suppliers such as Google, Amazon, Mailchimp and others. New negotiations are therefore quickly initiated and on July 12, 2016 - immediately after the approval of the GDPR - the so-called Privacy Shield (Implementing Decision 1250/2016) is adopted. This agreement for the transfer of data between Europe and the United States, unlike its predecessor, offers European citizens greater transparency and new tools to interact with overseas authorities.
But Schrems' battle continues
The Austrian activist (who is becoming one of Zuckerberg's nightmares) initiates a new action based on two arguments:
- The Privacy Shield, despite having introduced more transparent tools, does not allow European citizens to appeal to an ordinary third-party judge in case of violation of their rights; this deficiency falls short of the guarantees provided for by European law;
- The Standard Contractual Clauses (SCCs) provided by Directive 95/46/EC and the GDPR (widely used in agreements between private companies, including Facebook itself) to make non-EU data transfers compliant do not have the legal force to restrict the large-scale surveillance programs regulated by the Foreign Intelligence Surveillance Act (FISA) and by Presidential Executive Order 12333, through which US security agencies collect information.
The Court upholds both arguments: it invalidates the Privacy Shield and, while leaving the SCCs in force, makes their use conditional on a concrete verification of the protection actually available in the destination country. In other words, the data controller and the processor who intend to carry out a data transfer outside the EU must verify on a case-by-case basis the existence of suitable guarantees for the protection of personal data in the recipient's country and provide additional guarantees if those provided by the SCCs are not deemed sufficient. This rule - certainly not easy to comply with - applies to all transfers outside the EU, not only to data sent to the USA.
Effects of the Schrems II judgment
The ruling is a bombshell for everyone, especially for the (many) medical device companies that use American providers (such as Google, Amazon, etc.) or that, even through other platforms, send data to their parent company or to other parties outside the EU, be they patient data (which, moreover, are data concerning health) or data on doctors and/or prospects. The same considerations apply to everyone working in international research.
Possible solutions for medical devices
In light of the invalidation of the Privacy Shield, the European Data Protection Board analyzed various scenarios and suggested some possible solutions in the statement “the European Data Protection Board publishes FAQ document on CJEU judgment C-311/18 (Schrems II)” of 24 July 2020.
What should a company that transfers data to the U.S. under Standard Contractual Clauses (SCCs) do?
The EDPB notes that the Schrems judgment found that US law (i.e. Section 702 FISA and EO 12333) does not guarantee a level of protection substantially equivalent to that of the EU. It follows that a European company will be able to transfer personal data on the basis of the SCCs only after having carried out a case-by-case assessment of the legislation of the country of destination and of the level of protection afforded by that legal framework. If the analysis shows that the level of protection is lower than in the EU, the company should introduce additional safeguards.
If, despite the additional measures, it is concluded that the same level of protection as in the EU cannot be ensured, the company is required to suspend or terminate the transfer of personal data. If it intends to continue the transfer, the company must notify the competent Supervisory Authority (SA).
What should a company that transfers data to the U.S. under Binding Corporate Rules (BCRs) do?
Considering that US law is a stronger legal instrument than the BCRs, in this case too it will be necessary to evaluate on a case-by-case basis the need to include supplementary measures (in addition to the BCRs) to raise the level of protection. As above, if it is concluded that, even with the additional measures, it is not possible to achieve guarantees similar to those of the EU, the transfer will have to be suspended. If the company intends to keep transferring data despite this conclusion, it must notify its competent SA.
Can a company transfer data under the additional tools provided by art. 46 GDPR?
Article 46 of the GDPR provides that data can also be transferred through other instruments, including binding instruments between public authorities, codes of conduct and certification mechanisms. These were not analysed in the Schrems II judgment, so in principle they can still be used. Nevertheless, given the broad scope of the judgment, the EDPB has stated that it is studying the consequences of the judgment on these instruments as well.
Can a company rely on one of the derogations of art. 49 GDPR to transfer data to the US?
Art. 49 of the GDPR establishes that, when there is no adequacy decision and it is not possible to apply the provisions of art. 46, data can be transferred under certain specific conditions (consent, performance of a contract, public interest reasons, legal claims, vital interests of the data subject, public register). The EDPB declares that it is possible to rely on Article 49 provided that the requirements contained in the Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 are strictly adhered to.
Can a company continue to use Standard Contractual Clauses or Binding Corporate Rules to transfer data to third countries other than the US?
The EDPB specifies that the principles of the Schrems judgment apply to all transfers outside the EU, so it will be up to the EU company transferring the data and the non-EU company receiving the data to assess whether the legislation of the third country guarantees the same level of protection as the EU, in order to determine whether the guarantees provided by the SCCs or BCRs can be respected in the country to which the data are transferred.
If not, it will be necessary to assess whether supplementary measures can be provided. Contact should then be made with the data importer to verify the contents of the legislation in its country and make an assessment. If the level is not adequate, the company should terminate the transfer or continue it only after informing the SA. The EDPB also specifies that privacy authorities at the international level will collaborate in order to avoid divergent decisions.
What are the supplementary measures that companies can use?
The supplementary measures to be introduced should be decided on a case-by-case basis, taking into account all the circumstances of the transfer and following the assessment of the legislation of the third country. While acknowledging that it is the primary responsibility of the data exporter and data importer to make this assessment and provide the necessary additional measures, the EDPB is currently analysing the Court's judgment to determine the type of measures, whether contractual, technical or organisational, that could be provided in addition to SCCs or BCRs. In essence, the EDPB is still examining what these additional measures could consist of and will provide further guidance.
If the company uses a Data Processor, how does the company know if the Data Processor transfers data to the USA?
In this case the EDPB suggests carefully checking the contents of the contracts concluded with the Processors under art. 28 GDPR to verify where the data actually go. It is also necessary to identify any sub-processors and verify whether they have been duly authorised in those contracts. On this point, the EDPB draws attention to the fact that a wide variety of IT solutions may involve the transfer of personal data to a third country (for example, for storage or maintenance purposes).
If the contract pursuant to art. 28 GDPR provides for the transfer to the U.S. or another third country, what should the company do?
If the data are transferred to the United States and no additional measures can be provided to ensure a level of protection substantially equivalent to that guaranteed in the EU, nor can the derogations provided for in Article 49 GDPR be applied, the only solution is to negotiate an amendment or additional clause to the contract to prohibit transfers to the United States. Similarly, if data are transferred to another third country, the adequacy of that country's level of protection must be verified and, if that level is not adequate, the transfer must be terminated.