Abstract

The Court of Justice of the European Union (CJEU) held in its July 2020 Schrems II decision that, in order for entities in other countries to import personal data from the European Economic Area (EEA), the importer must be able to provide data protections ‘essentially equivalent’ to those the EEA offers under its General Data Protection Regulation. The CJEU expressed particular concern that United States national security intelligence gathering laws prevent U.S.-based entities from providing such protections. This decision has sharply limited the sharing of clinical research data from the EEA to the United States. After describing the pertinent aspects of the Schrems II decision, this article evaluates U.S. national security intelligence gathering frameworks, including Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333. The article then leverages recent draft guidance from the European Data Protection Board to explain how entities may be able to adopt widely used contractual and technical measures, such as data pseudonymization, to provide ‘essentially equivalent’ protections in the clinical research context.

Highlights

  • Mark Barnes, J.D., LL.M., is a partner in the Boston office of Ropes & Gray and Visiting Lecturer at Yale Law School

  • This article aims to demystify the Schrems II decision by laying out the requirements that Schrems II has established, evaluating U.S. intelligence laws and their potential effect on clinical research, and arguing that the combination of the European Union’s ‘standard contractual clauses’ (SCCs) and pseudonymization of research subject data will result in protections that are ‘essentially equivalent’ to those available under E.U. law

  • The Court of Justice of the European Union (CJEU) found in Schrems II that ‘surveillance programmes based on Section 702 of the Foreign Intelligence Surveillance Act (FISA) and on E.O. 12333 are not covered by requirements ensuring, subject to the principle of proportionality, a level of protection essentially equivalent to that guaranteed’ by E.U. law.[52]

Summary

DATA EXPORT REQUIREMENTS AFTER SCHREMS II

Both the Charter of Fundamental Rights of the European Union (‘the Charter’) and the GDPR govern the protection of Europeans’ personal data.

Director of the Civil Liberties and Privacy Office of the National Security Agency, before European Member States data protection authorities (Nov. 20, 2014), https://www.nsa.gov/Portals/70/documents/about/civil-liberties/resources/EU_DPA_Comissioners_Remarks_20141113.pdf.

The FISC provides a level of independent oversight, the FISC’s certifications are time-limited, and the threats targeted are national-security related, all factors the CJEU indicated were favorable in La Quadrature du Net.[51] The CJEU found in Schrems II that ‘surveillance programmes based on Section 702 of the FISA and on E.O. 12333 are not covered by requirements ensuring, subject to the principle of proportionality, a level of protection essentially equivalent to that guaranteed’ by E.U. law.[52] Entities that the U.S. government successfully targets for data collection under Section 702 could not provide the adequate protections that Schrems II requires. The CJEU found PPD-28’s protections inadequate, since the NSA can collect bulk intelligence without specifying a particular target.[64]

Executive Order 12333
STRATEGIES FACILITATING DATA TRANSFER