Quick Refresher: As established by the EU GDPR when it first took effect in May 2018, any company that handles the data of EU citizens – whether or not that company is based in the EU – must adhere to stringent GDPR regulations regarding data privacy and protection. Such data can include anything from names and email addresses to medical information or biospecimens. But now that the UK is withdrawing from the EU and will no longer be covered by the GDPR as an EU Member State, what does that mean for data privacy and the flow of clinical study data, such as adverse event reports, samples and central lab data?
What Happens to Data Protection Services and Appointment of UK Entities as Sponsor Representatives under GDPR?
Amidst the many uncertainties raised by a hard Brexit, questions exist as to what steps US sponsors should take to ensure their study data continues to move across borders without interruption – in particular, whether the current data representative services agreements with their CROs will be, well, moot or functional after Brexit. We at CA have noticed that many of the CROs party to our clients’ data representative services agreements (agreements by which one engages a CRO to perform a sponsor’s EU data controller obligations and appoints the CRO to be its EU DPR under the GDPR) enter into them using their UK entities. Questions about the validity of these agreements will not be definitively answered until after the UK strikes a deal with the EU, or, alternatively, the UK crashes out of the EU with no deal. For now, the sponsor can only attempt to prepare and plan for any possible Brexit outcome, as the future is unknown. It is clear that no US sponsor study data can be processed in the EU without a validly appointed data protection representative (again, this appointment is a longstanding EU and now a GDPR requirement for US sponsors with no EU presence), but it is not clear whether or not the remaining EU member states will accept or recognize the appointment of a UK CRO.
Remember, because of the GDPR’s extraterritorial reach, the UK will still need to comply with the GDPR even though it is no longer a member state of the EU. However, in the absence of a Brexit deal, the UK will become a “third country” and will be tasked with proving to the EU that its data protection laws (the UK Data Protection Act, more below) are “adequate”, i.e. compliant with GDPR standards, to allow for seamless data transfers from the EU to the UK.
A best practice for companies would be to carefully track the impact of Brexit on the processing of EU citizens’ data over the next 50 or so days. The UK Information Commissioner’s Office has published some helpful information. If it seems that the company’s data flows might be negatively impacted by a no-deal Brexit or by the UK’s status as a third country with no adequacy rating, then the company should consider implementing contract-based mechanisms that would help mitigate any interruptions in data sharing. In some instances – but not all – certain contractual clauses could be drafted to allow data transfers from the EU to the UK. The EU model contract clauses, which can be used to amend existing agreements to ensure adequacy, can be found on the European Commission website.
How does the UK Data Protection Act Differ from the EU GDPR?
The EU GDPR expressly allowed and encouraged the member states to pass local data protection legislation that augmented and worked in tandem with GDPR standards. Germany and the UK were two of the member states that had local legislation at the ready, and the UK Data Protection Act 2018 was passed right away. Chapter 2 of the UK DPA 2018 expressly adopts all GDPR definitions and supplements the GDPR, and Chapter 3 applies to certain types of “…personal data to which the GDPR does not apply (see Section 21), and makes provision for a regime broadly equivalent to the GDPR for such processing.”
Is the UK ready to amend its legislation to allow uninterrupted transfer of personal data after March 29, 2019?
Yes. The UK government has an existing Department for Digital, Culture, Media and Sport (we have nothing like this in the US, but we should!), and it has a legislative amendment ready to go. It seems that UK domestic law will preserve GDPR standards by amending the UK DPA 2018 so that “obligations and rights that organisations and data subjects have become familiar with will stay the same”. It also appears likely that the UK will deem all EU Member States and EEA countries “adequate” – a rating meaning that the territory employs an appropriate or “adequate” level of data protection safeguards – in the hope that data flows between the UK and the EU and EEA countries will continue with minimal disruption.
The new legislation is called the “EU (Withdrawal) Act 2018” (EUWA); it will retain the GDPR in UK law and make the changes necessary to ensure that the UK obtains the “adequacy decisions” its businesses and its government (law enforcement and security agencies need to transfer data too) will need to continue to function after March 29, 2018. The EUWA is not final, but the technical notice filed in September 2018 was encouraging in that it anticipates “no deal” and therefore could actually be functioning on Day 1. See “Data Protection if there’s no Brexit deal”.
Contracts Associates is prepared to help your company successfully navigate the possibility of a no-deal Brexit. Our team of attorneys will work to help your company uphold its legal duties and obligations to EU sites and vendors by drafting new contract template terms as needed. We encourage you to contact our office with any questions at 781-598-8000 or by emailing our CEO, Colleen Sproul, at cms@contractsassociates.com.