Recent Developments in European Law with Implications for the U.S. Life Sciences Industry
The last several months have seen a number of developments in European privacy and intellectual property law that have significant implications for life sciences interests—both commercial and academic—in this country. Here is a brief review:
1. Final Approval of Pending EU General Data Protection Regulation
On April 14, 2016, the Parliament of the European Union gave final approval to the long-discussed GDPR. It will replace the current regime of country-by-country laws under the 1995 Data Protection Directive. Whereas an EU Directive requires implementation by individual EU member states, the GDPR is a Regulation (much like a federal law in this country) that will take immediate effect in all EU countries in the spring of 2018.
Key features include:
• The GDPR applies to all controllers and processors of EU citizen data, regardless of where located.
• It requires 72-hour notification of a data security breach to the relevant national Data Protection Authority and, in most cases, to subjects.
• DPAs can fine violators up to 4% of gross revenues.
• Personal data can be collected only for “specified, explicit and legitimate purposes” and can be processed only in ways that are compatible with those purposes.
• “Accountability”: the controller is responsible and must be able to demonstrate compliance with law.
• In most cases, data collection requires specific, informed, and unambiguous affirmative consent—opt-out is insufficient; “explicit” consent is required for “sensitive” data such as health information. Consent can be withdrawn at any time and must be demonstrable on demand; it must be as easy to withdraw consent as to give it.
• Subjects must be given free access to their data within one month of their request.
• Parental consent is required to collect data from children under age 16.
The GDPR has a number of complex provisions relating to health and other scientific research. Overall—and despite the more onerous provisions just described—the collection, use, and transfer of data for research purposes may actually be a little easier under the GDPR than it has been under the Data Directive and the accompanying national laws and regulations. One important change is that research privacy will become more uniformly regulated, an improvement over the current country-by-country patchwork of sometimes conflicting rules. Substantively, the GDPR will create a number of research exceptions from generally-applicable requirements. I will analyze these provisions in detail in an upcoming post.
2. Death of EU-U.S. Department of Commerce Safe Harbor
Under the current Data Directive, there have been three ways to transfer data pertaining to EU citizens outside of the EU: (1) by using (without any changes) EU-specified “standard contractual clauses”; (2) by data recipients enacting “binding corporate rules”—provisions in a company’s charter that guarantee EU-level privacy protections for the data; or (3) by sending the data to a country that the EU has determined provides adequate privacy protection. Transfer could also be done with a high level of individual consent. Where consent was not feasible, transfer to the U.S. was almost impossible: U.S. companies found the contractual clauses far too onerous, companies are very reluctant to mess with their charters, and the EU does not believe that this country has adequate privacy laws. The Safe Harbor agreement was negotiated between the EU and the U.S. Department of Commerce to mitigate the problem. U.S. companies could certify to the Commerce Department that they met EU-type privacy standards and could then lawfully receive personal data transfers from the EU.
Then, in its October 16, 2015 Schrems decision, the Court of Justice of the European Union (the EU’s Supreme Court) struck down the Safe Harbor program as violating the European Charter of Human Rights.
The CJEU was motivated not by any concern about abuses in ordinary business or research transactions, but by Snowden-style worries about U.S. government snooping. Note: these developments have had no effect on non-profit organizations in this country, since they were not eligible for the Safe Harbor in the first place.
3. Safe Harbor 2.0?
After Schrems, the EU (through an expert group called the Article 29 Working Party) decided it would not enforce the decision until January 31, 2016, giving the U.S. and EU time to put new rules into effect. The parties quickly agreed in principle to reach new safeguards, but negotiations bogged down.
Then, just in the nick of time, an agreement was reached on a new EU-U.S. Privacy Shield.
A draft text was released on February 29, 2016. Key features include:
• The U.S. State Department will appoint an ombudsman (actually, it will be an ombudswoman) to deal with Schrems issues.
• 28 EU national Data Protection Authorities must approve the Shield (there is considerable doubt here; see below); it must survive CJEU scrutiny (talking heads think it will, but who knows); and the EU Commission must issue a final decision on its adequacy.
• At the private company level, the substance does not seem that different from the former Safe Harbor, with attention to GDPR principles—this is not surprising, since the big problem in Schrems was paranoia about U.S. government snooping.
• Companies must commit—in a published policy—to greater transparency in data collection and handling; the Shield will require self-certification with annual renewal.
• Companies will be fully responsible for the conduct of their third-party data service providers.
• Companies must respond to EU citizen complaints within 45 days, provide free alternative dispute resolution, and agree to binding arbitration before a “Privacy Shield Panel.”
• Companies transferring human resources data will be subject to national DPAs where the subjects live.
• U.S. Commerce Department commits to vigorous enforcement, including referrals to national DPAs.
• There will be a “right to erasure” of previously collected data in many cases, including childhood or sensitive data (such as health), which the CJEU has already found to be a fundamental human right.
The Article 29 Working Party has already criticized the Shield for providing inadequate protection against U.S. government surveillance. While this opinion does not have the force of law, it is likely to have great influence on the national DPAs who must approve the deal. Unless and until the Privacy Shield is finally ratified, standard contractual clauses and binding corporate rules are the only approved methods of transfer (absent individual consent).
4. European Patent with Unitary Effect (EPUE)
It looks like we will finally have a true European patent. Currently, under the European Patent Convention, the European Patent Office in Munich (not an EU institution) can apply a single standard to grant “bundles” of national patents effective in participating European countries. However, these patents have to be enforced on a country-by-country basis and the standards can vary significantly. This has created massive inefficiencies and uncertainties for participants in patent-heavy industries like the life sciences.
The EPUE will be a true EU-wide patent. It will be granted by the EPO under existing EPC standards, so nothing will change with respect to the criteria for patentability. But an EPUE will have automatic effect in 25 participating EU countries. Enforcement will be through a unified EU patent court with first instance (trial) and appellate levels. The new system will take effect on ratification of the Patent Court Treaty by 13 members, including France (done), Germany, and the United Kingdom. (For complex reasons of EU law, the patent court required a separate treaty.) So far, nine down and four to go. There has been a big fight over which languages patents can be filed in (English, French, and German are allowed). Amazingly, Spain withdrew from the whole deal when Spanish failed to make the list. Optimists see the EPUE system taking effect in 2017.