The UK-US Data Bridge becomes law, and takes effect on 12 October 2023.
On 21 Sept., U.K. Secretary of State for Science, Innovation and Technology Michelle Donelan laid regulations in the U.K. Parliament, giving effect to a U.K.-U.S. Data Bridge. The decision was based on her determination that the U.K.-U.S. Data Bridge "maintains high standards of privacy for U.K. personal data."
The regulations will take effect on 12 October 2023. The U.K. government also published a series of supporting documents, which include an explainer, fact sheet and more than 130 pages of detailed analysis of U.S. privacy safeguards relevant to the U.K.-U.S. Data Bridge.
With the Data Bridge, organizations in the U.K. will be able to transfer personal data to U.S. organisations certified to the "U.K. Extension to the EU-US Data Privacy Framework" without the need for further safeguards, such as international data transfer agreements (the U.K. version of the EU's standard contractual clauses or binding corporate rules), or using other waivers from article 46 or 49 of the GDPR.
There are requirements for both U.K. and U.S. organizations in order to implement the Data Bridge, such as updating privacy policies and certifying to the Data Privacy Framework List.
A key benefit is that from 12 Oct., U.K. organizations will no longer need to perform Transfer Impact Assessments ('TIA'), a thorough and time-consuming exercise, where it relates to U.S. surveillance laws and practices. The same benefit of course also applies to organisations based in the EEA that export personal data to the US.
Important: "Data bridges are not reciprocal, therefore they do not allow the free flow of data from other countries to the UK. Instead, a data bridge ensures that the level of protection for UK individuals' personal data under UK GDPR is maintained."
It is interesting to note that the UK speaks of a 'bridge', but does not say that the US Data Privacy Framework is 'adequate' under the UK Data Privacy Act, unlike the EU Commission.
For advice on personal data transfers from the UK to the US and how it can impact your business, contact our UK Data Protection consultant Dave Edwards at d.p.edwards@pharmarketing.net
On 12 August 2023, India passed its Digital Personal Data Protection Act (DPDPA) into Law. India also started setting up the Data Protection Board.
The DPDPA borrows a lot of principles from the GDPR, but there are also significant differences. The DPDPA is still subject to further rulemaking, so it will be interesting to see how it evolves in the next years.
The DPDPA applies to all personal data processed in India, but only in electronic form (personal data in paper format does not fall under the DPDPA).
It applies to personal data processed outside of India, but only if the goal is to offer products or services to people in India.
The law has the GDPR's notion of a Data Controller, but calls it a 'Data Fiduciary'.
The definition of 'Data Processor' is the same as in the GDPR, but here the Data Processor carries no data protection liability of its own: the responsibility lies with the Data Fiduciary when it engages a sub-contractor.
A data subject is called a 'Data Principal'.
The DPDPA does not put additional obligations on sensitive data.
Instead, it creates a category of 'Significant Data Fiduciary', which is a Fiduciary that regularly processes large volumes of personal data, including sensitive data. In this sense, hospitals, clinics, payers, sponsors of medical research and any organisation processing large volumes of patient data would be deemed 'Significant Data Fiduciaries'. Such Fiduciaries must pay more attention to their privacy practices.
The following don't fall under the DPDPA:
* Publicly available personal data: so professional contact details of healthcare professionals found on hospital websites can be used without any problem; the same applies if a citizen exposes their own personal data on social media.
* Data necessary for medical research (unless its objective is to make a decision about the patient)
* Startups
Legal bases include:
* consent of the Principal
* some legitimate objectives
* legal obligation
* medical emergencies
* healthcare
* police/military
* employment
Unlike the GDPR, the DPDPA does not include 'the existence of a contract' or 'legitimate interest' as valid legal bases: this might cause difficulties for organisations that rely on these legal bases elsewhere in the world.
Information to be provided to data subjects is not as detailed as in the GDPR.
Children: the age at which a child can give their own independent consent is 18.
Principals have the following rights:
But there are limitations to data principals' rights: Data Principals have no rights on:
In other words, the DPDPA does not give Data Principals as much control over their personal data as the GDPR or other similar laws. Expect more clarification in the future as the Indian Government releases specific rules.
For any question on what the DPDPA means for your organisation, contact us at contact@pharmarketing.net