DUBLIN – The ongoing legal uncertainty surrounding the transfer of data from European research institutions or companies to international partners shows little sign of resolution, despite the urgency of the COVID-19 pandemic, which has engendered an extraordinary collaborative response from the global scientific community.
Device makers may see privacy legislation in California and other U.S. states as a source of regulatory balkanization, but that very same problem is cropping up in the international arena. In addition to the European General Data Protection Regulation (GDPR), privacy requirements are popping up in Brazil and elsewhere, and Eric Bowlin, a partner at Deloitte Risk & Financial Advisory, told attendees at a virtual symposium that the best approach might be to base a compliance program on general principles.
The Court of Justice for the European Union (CJEU) has invalidated the EU-U.S. Privacy Shield, a mechanism designed to ensure the privacy of EU citizens’ data when conveyed to other nations in a manner consistent with the EU’s General Data Protection Regulation (GDPR). Makers of drugs and devices are not without recourse in transferring patient data to the U.S. for clinical trials conducted in Europe, but industry must revisit its standard contractual clauses to ensure those protocols provide the necessary privacy provisions, or face fines that could amount to tens of millions of euros.
U.S.-based device makers have been grappling with FDA cybersecurity requirements for some time, but now the European Union (EU) is working on cybersecurity regulations as well. Throw in privacy requirements by the state of California and the EU’s General Data Protection Regulation (GDPR), and device makers are facing an increasingly complicated world of enforcement and litigation.