Goodbye "Safe Harbour", Hello "Privacy Shield"

EU data protection law prohibits the movement of personal data to non-EU countries unless the destination country ensures that adequate levels of data protection, equivalent to those of the EU, are in place.

The 8th principle of the EU Data Protection Act 1998 states:

‘Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.’

The safe harbour agreement was made between the European Commission and the US government in 2000, whereby US companies could store EU customer data provided they adhered to the following principles:
  • Notice - Individuals must be informed that their data is being collected and how it will be used. Organizations must also provide information about how individuals can contact them with any enquiries or complaints.
  • Choice - Individuals must have the option to opt out of the collection and forward transfer of the data to third parties.
  • Onward Transfer - Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
  • Security - Reasonable efforts must be made to prevent loss of collected information.
  • Data Integrity - Data must be relevant and reliable for the purpose it was collected for.
  • Access - Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
  • Enforcement - There must be effective means of enforcing these rules.
These principles were designed to prevent organisations from disclosing or losing personal information. In the US, companies could opt in by ‘self-certifying’ their intention to abide by the principles and answering 15 additional questions raised within the Directive.

Unfortunately, self-certification was voluntary and only organisations regulated by the US Federal Trade Commission or the Department of Transportation were able to participate. This resulted in a large number of American institutions being excluded from this requirement.

In subsequent years, a number of organisations expressed concerns over the ability of the US to provide sufficient oversight of this ‘self-regulated’ scheme, and its overall commitment to privacy was brought into question.

The Patriot Act 2001 (which came into force after the September 11 attacks, to strengthen security) allows the FBI to search telephone, email and financial records without a court order, including access to business records such as library and financial records, as well as a host of other controversial provisos.

In June 2011, Gordon Frazer, Microsoft’s managing director, dropped a bombshell by stating that cloud data, regardless of its location, was not protected against the Patriot Act.

In October 2015, the High Court of Ireland ruled that the US does not offer sufficient protection against surveillance by public authorities. The court held that US companies were bound to disregard, without limitation, the protective rules laid down by Safe Harbour and held that the Safe Harbour principles were therefore invalid because they did not require all organisations working with EU data to comply with them.

Earlier this month, the EU and US announced a new framework to provide EU citizens with greater protection of their data through the EU-US Privacy Shield. The US has provided assurances that clearer limitations, safeguards and oversight of the mechanisms used to store and use this data will be implemented across all US organisations. The policy will be reviewed annually and EU authorities will play a constructive role in supporting this new agreement.
We wait in anticipation of further details of the new scheme still to be announced.

Copyright © 2020 Red Line Ltd (Registered in England & Wales: 07395811)