Newsletter 45 October 2022

On 7 October 2022, More than six months after an "agreement in principle" between the EU and the US, US President Joe Biden has signed the long-awaited Executive Order that is meant to respect the European Court of Justice's (CJEU) past judgments. This is meant to overcome limitations in EU-US data transfers. While this new Data Transfer Framework would make business much easier between Europe and US, Schrems, the Data Protection Authority of Baden-Württemberg andGerman Members of the European Parliament say that it is not the end of it. Explanations:


The new EU-U.S. privacy framework would replace a previous deal, known as the Privacy Shield, which the European Union’s top court ruled illegal in July 2020 following a complaint from Austrian lawyer Max Schrems about American surveillance programs.


Following this so called 'Schrems II' ruling, organisations wanting to transfer personal data from EU/EEA/UK to the US have to enter a lengthy process to implement one of the waivers permitted by the GDPR to make such a data transfer compliant with GDPR. One of the most popular tool uses is the Standard Contractual Clauses release by the EU Commission in June 2021, but there are still some situations where it's not clear which waiver can be used. So, a ne EU-US Framework would be welcomed by all as it would make the business much easier for everybody.


Why was the Privacy Shield repealed by the CJEU in 2020?


You might be aware that US laws give the possibility to US surveillance agencies (e.g. CIA, FBIA, etc.) to access any data base anywhere in the world, as long as it is operated by a US company. And this is legal.


In other words, even if you requested from Microsoft SharePoint to have the servers located in Germany, US agencies will have the right to access and see your documents and data. And this is clearly against the respect of the privacy of data subjects, not mentioning the breach of intellectual property.


The CJEU required (1) that US surveillance is proportionate within the meaning of Article 52 of the Charter of Fundamental Rights (CFR) and (2) that there is access to judicial redress, as required under Article 47 CFR.


Why does Schrems say that the New Framework does not fit the bill?


Biden's new Executive Order seems to fail on both requirements, say Schrems in its article.


An executive order is not a law: it is an internal directive by the US President within the federal government.


Indeed, even if the new executive order uses the wording of EU law "necessary" and "proportionate" as in Article 52 CFR, US still allows the continued surveillance of Europeans.


The Executive Order is meant to also add redress in 2 steps and with the 2nd step being a "Data Protection Review Court”. Nevertheless, this court will not be a "Court" but a body within the US government's executive branch.


The other challenge will be with US about implementation of limitations that respect privacy rights of non-US persons as US congress will have to re-authorize FISA 702 in 2023.


Dr. Stefan Brink, Commissioner of the LfDI, the Data Protection Authority of Baden-Württemberg, said"the provisions of the Executive Order reveal significant shortcomings.  [We see] considerable legal uncertainties despite the pleasing development and the issuance of the Executive Order":

  • The question arises to what extent an executive order can be an effective instrument.
  • Compliance with a mere executive order is not enforceable.
  • Is not clear how the Executive Order relates to other existing US regulations such as the Cloud Act.
  • The interpretation of the legal concept of proportionality is different in Europe and the USA, soit remains unclear when access for national security remains permissible from the point of view of the USA.
  • Significant requirements are imposed on the submission of a complaint by EU Data Subjects.
  • Complainants are also expressly informed whether they have been the subject of intelligence activities by the US authorities.
  • The CJEU had demanded the end of this unjustified surveillance: the change of system required by the court does not take place.


Also, German Members of the European Parliament criticised the proposed EU-US Data Privacy Framework, stating that "further legislative measures in the (U.S.)" will be necessary. Read article from Netzpolitik here


Next steps will be the feedback and decision from Europe about the Executive Order after their review but it will not be before spring of 2023.


What should you Do?

Our advice is to wait and see. Don't rush on this new framework when it is eventually approved by both parties. Instead, wait for the turbulence settle down a bit before going a lengthy self-certification process.


For advice please contact us at contact ( at ) pharmarketing.net


7 Oct 2022: In an explanatory note published by the U.K. Department for Digital, Culture, Media and Sport (DCMS), the department’s secretary of state, Michelle Donelan, noted progress between the U.K. and U.S. toward an adequacy agreement. 


She welcomed U.S. President Joe Biden’s executive order implementing the EU-U.S. Data Privacy Framework. The DCMS said the U.K. “intends to work expediently” to review its improved safeguards and new redress mechanism, formally consult the U.K. 's Information Commissioner Office (ICO) for an opinion, and prepare to present adequacy regulations before Parliament in early 2023 with guidance for organizations and individuals.


For more questions, contact our UK Data Protection experts:

  • Dave Edwards d.p.edwards ( at ) pharmarketing.net
  • Julianne Hull j.m.hull ( at ) pharmarketing.net
  • Maria Veleva m.i.veleva ( at ) pharmarketing.net


On 21 October 2022, the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use (ICH) released the M11 Guidelines for Clinical Trial Protocols for public consultation. 


The Protocol Template states in section 10.4 on page 49 that the sponsor of the clinical trial should 'Describe how personal data will be protected and any measures that should be taken in case of a data security breach.


PharMarketing GDPR Life Sciences welcomes that this will apply in all countries in the World and will add privacy protection in countries where data protection laws are not so stringent as in the EU/EEA/UK.


But the GDPR doesn't request to indicate such security measures in contracts nor in information notices, so it creates a New Requirement. and a new burden for sponsors and CROs. 


Also, such measures in case of data breach will vary depending on the origin of the breach (cyberattack, email sent to the wrong person,...), if it happened at a site, at a CRO or at the sponsor, and depending on the severity of the personal data breach for the patients!


In other words, the data privacy language will probably be 2 to 10 pages long!


We also note that the Template advises to provide details on the Informed Consent Process in section 10.3.


PharMarketing provided feedback to the ICH on this matter.


For more information on this topic, contact us at contact ( at ) pharmarketing.net


Nigeria released its draft Data Protection Bill on 4 October 2022!


This Law, similar to the EU GDPR establishes the Nigeria Data Protection Commission and gives citizens rights to their personal data. The Act restricts the processing of Sensitive Data (art. 32). Data controllers and data processors of major importance shall designate a Data Protection Officer (art. 34). 


Access the draft bill here.


New Data Protection Obligations under Quebec's Bill 64 came into force on September 22nd 2022 for Private Organisations:


  • Privacy officer appointments, 
  • Mandatory data breach notification, 
  • Biometric information system registration and 
  • Data subject consent exceptions. 


Additional requirements will take force in 2023 and 2024.


Read more here in French here.

Read more here in English here.


27 Sept - FDA released a draft Document to harmonize human subject protections with revised Common Rule of HHS.


Some of the revision will improve information of Patient on Data Privacy:


In the first proposed rule, the Informed Consent Form format will be revised and would include a statement that private information or biospecimens collected during research may be used for commercial profit, and a notification of whether the research subject would share in the profit.


In a second proposed rule, FDA seeks to harmonize its cooperative research requirements with those in the Common Rule, which requires a single IRB review process for multisite research conducted in the US, with some exceptions. 

Proposed rule: Protection of Human Subjects and Institutional Review Boards

Proposed rule: Institutional Review Boards; Cooperative Research


According to the Cyberspace Administration of China (CAC), a security assessment must be conducted in the following situations:


  • Transfer of important data.
  • Transfer of personal information by a critical information infrastructure operator.
  • Transfer of personal information by a data exporter processing 1 million or more individuals.
  • Accumulative transfers of personal information exceeding 100,000 individuals since Jan. 1 of the preceding year.
  • Accumulative transfers of sensitive personal information exceeding 10,000 individuals since Jan. 1 of the preceding year.
  • Other situations where relevant Chinese laws and regulations require security assessments.


Cross-border data transfers cover the following scenarios:

  • An entity collects or generates data during its operation in China and stores or transfers such data outside China.
  • An entity or individual outside China has remote access to data collected, generated and stored in China by searching, downloading, retrieving or exporting the data.


Self-assessment is a must-have step for completing the legal procedures for cross-border data transfer.

When carrying out the self-assessment, the data exporter is required to consider and address a number of crucial issues.


The guidelines contain a template self-assessment report, which requires the data exporter to provide a wide range of information, including, among others:

  • a brief description of the self-assessment,
  • the corporate, investment and business model as well as the data center and IP address of the data exporter,
  • the purpose, category, volume, sensitivity and related industry sector of the data to be transferred outside China and whether there will be onward data transfers,
  • description of data protection capabilities of both the data exporter and foreign data recipient,
  • outline of the data protection regime of the foreign country where the overseas data recipient is based, and
  • key terms of the cross-border data transfer agreement.


The data exporter is also required to analyze the risks associated with the contemplated cross-border data transfer, based on which a conclusion should be made.


Read more in the article from Barbara Li, IAPP here.


  1. A CRO has the patient's contact details and their pathology in order to organise their transport from their home to the hospital for clinical trial visits: it is compliant: 

In most of the countries it is compliant; in some countries like France it is not compliant and you need either to get a specific authorisation from the local data protection authority or conduct a Risk Analysis.

  1. A data breach happened in our organisation today and the risk to the private life of the data subjects in the EU/EEA/UK could be important: I need to notify the local Data Protection Authority within: 

72 hours, weekends and public holidays included.


Share by: