The SCHREMS II CASE
Data transfer from the EEA to third countries - The finding of an adequate level of protection
The protection of personal data and its interaction with the MDR and IVDR
Needless to say, the 5G era is groundbreaking, both economically and technologically. However, it also brings challenges to legislators worldwide, including in the European Union.
No one would contest that an adequate level of protection for the treatment of personal data is to be guaranteed when the latter is at stake, but how would this desired level of protection play against the unstoppable advance of medical devices’ related technology?
We see that technological advances have led to having software included in almost everything we use on a daily basis, and medical devices are no different. Tons of patient data are gathered in such softwares, and this may vary from habits - healthy or not -, cardiac pulse evolution, calories consumed, etc.
This inevitably requires for more and more medical device manufacturers to be aware and respect EU data protection provisions. Furthermore, considersing that the medical devices industry is international by its very nature, how would the international transfer of patient data for purposes such as clinical investigations, trouble shooting, or cloud storage be regulated by the EU law after the CJEU Schrems II judgment?
MDR – IVDR – GPDR Altogether
According to Erik Vollebregt (2020), “The MDR and IVDR require you to manage risks with safety principles in mind, and the EU’s General Data Protection Regulation (“GDPR”) is no different: like the MDR and IVDR, it requires risk management as a design factor”.
In the European Union, privacy and physical integrity are recognized as fundamental rights of patients and users. This is, besides, reflected in both requirements set out by the MDR and the GDPR. In fact, this constitutes one of the reasons why manufacturers should integrate the MDR/IVDR design processes with those under the GDPR; tackling, hence, both regulations together and not as independent fields, which they are certainly not. The respect of the area of cybersecurity, for instance, depends on securing compliance with both GDPR and MDR.
The Schrems II case
“According to settled case-law, the very existence of effective judicial review designed to ensure compliance with provisions of EU law is inherent in the existence of the rule of law. Thus, legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data,does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter” (Court of Justice of the European Union, 2015, par.95).
Considering that every single medical device company that works internationally has some connection to substance outside the EEA, or uses cloud services that transfer data outside the EEA, the CJEU Schrems II judgment may be of interest to our readers.
The CJEU confirmed in this judgment that “the GDPR does apply to a commercial transfer of personal data between two economic operators (terminology that also can be found in the MDR, for instance in Chapter II, where the obligations of economic operators are entrenched), even if the personal data is also processed by the authorities of the third country in which the recipient is established for the purpose of public security, defence, and national security, for example by intelligence services” (Vollebregt, E, 2020).
Having addressed the above, we need to stress the fact that the GDPR provides for several possibilities for international transfers to validly take place. However, the Schrems II case analyzed the following two:
- The EU-US Privacy Shield: Self-certification program whereby US companies can be granted recognition for their adequate data protection, permitting personal data transfers to these specific US companies;
- Standard Contractual Clauses (SCCs): Two sets of non-country specific model clauses drafted by the European Commission that both the sender and the receiver need to sign (and thus adhere to) prior to any transfer (Fransen, T., Bruynseraede, M., 2020).
The judgment declared the EU-US Privacy Shield invalid as the Court found US surveillance programs disproportionate in their interference with data protection rights set forth by EU law. This is because the surveillance programs based on those provisions are not limited to what is strictly necessary.
Then, the CJEU examined the validity of SCCs and stated that sufficient personal data protection is reached through it. However, the Court stressed the fact that a case-by-case evaluation is required every time for the entities concerned.
European Data Protection Board – Recommendations after the Schrems II case
6 Steps to GDPR compliance of international data transfers
On November 10, 2020, the European Data Protection Board (EDPB) published a set of recommendations in relation to international data transfers. These guidelines are addressed to any data exporter, especially subsequent to the Shrems II judgement of the CJEU. These guidelines are of particular interest to manufacturers who, through certain medical devices they had placed on the EU market, process personal data, which is subsequently transferred to a country outside of the EU. For instance, a software classified as a medical device that can collect vast amounts of personal data of EU citizens and transfer it to a third country, where it is either stored, processed or modified.
The 6 steps to GDPR compliance that EDPB recommends to data exporters are:
1. Know your transfers.
If you are a company that processes personal data of EU citizens, you should map all the data transfers that occur and know exactly where this data goes. This will allow you to ensure that the importing country (the country where the data arrives) grants an essentially equivalent level of protection to the level of protection in the EU. Additionally, you may only transfer data that is adequate, relevant and limited to what is necessary. In short, your data processing should be fully compliant with the GDPR principles, prior to its transfer to third countries.
2. Verify the transfer tool your transfer relies on. Your transfer tool can be:
a. An adequacy decision issued by the Commission in relation to a certain third country or a region of a third country. If you rely on this tool, you do not need to take further steps, apart from monitoring that the decision remains valid;
b. An appropriate safeguard among the ones listed in Article 46 of the GDPR, such as binding corporate rules, standard contractual clauses or an approved code of conduct – if you perform regular and repetitive transfers;
c. Derogations – for occasional transfers under strict conditions (Article 49 GDPR).
3. Assess the legislation of the third country you are transferring the data to.
By doing this, you assess whether there are certain factors that might undermine the level of protection granted by the transfer tool you are relying upon. Such factors include the existence of an unproportionate requirement to disclose personal data to public authorities and the lack of effective judicial redress afforded to the data subjects.
4. Identify and adopt supplementary measures.
If, by conducting this assessment, you conclude that the level of protection of personal data granted in the third country is not essentially equivalent to the one in the EU, you should take certain additional (and effective) measures, in order to ensure this equivalence. If you fail to do so, or if the measures turn out to be ineffective, you must suspend or terminate that data transfer.
5. Take any formal procedural steps, according to the transfer tool you are relying upon.
In this regard, national Supervisory Authorities will remain active and provide further guidelines for data exporters.
6. Re-evaluate regularly the level of data protection in the third country.
Even if your assessment of the level of protection granted by the third country had a favourable result, you should remain vigilant and re-evaluate it regularly. This is because the legislation of the third country may change, or this protection might be affected by other factors.
Carlos Francisco Marín Barrios and Maria-Alexandra Enescu
Regulatory Affairs Department
If you are a Medical Device or IVD manufacture and you are concerned by data protection issues, please contact us at Obelis.net and our experts will solve your doubts!Get in touch
- Court of Justice of the European Union. (2015). Judgment of 6 October 2015, Schrems, C‑362/14, EU:C:2015:650
- Court of Justice of the European Union. (2020). Judgment of the Court (Grand Chamber) 16 July 2020. Retrieved on 09/12/2020 from http://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=9980744
- Vollebregt, E. (2020). The EU Court’s Schrems II judgement – urgent revisiting of international personal data transfer mechanisms. Medical Devices Legal.com. Retrieved on 09/12/2020 from https://medicaldeviceslegal.com/2020/07/23/the-eu-courts-schrems-ii-judgement-urgent-revisiting-of-international-personal-data-transfer-mechanisms-required/
- Klaw (2020). The impact of Shrems II case on personal data. Retrieved on 09/12/2020 from https://www.klaw.be/news/posts/2020/august/the-impact-of-the-schrems-ii-case-on-personal-data/
- Charter of fundamental rights of the European Union (26/10/2012). Official Journal of the European Union C 326/391. Retrieved on 09/12/2020 from https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012P/TXT
- European Data Protection Board (2020). Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. Retrieved on 09/12/2020 from https://edpb.europa.eu/sites/edpb/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf