In this episode, AGG’s Food & Drug team leader, Alan G. Minsk, and co-chair of AGG’s Data Privacy practice, Kevin L. Coy, discuss U.S. and international privacy and data security law issues life sciences companies may encounter such as privacy policies, the patchwork of federal and state privacy and data security laws in the U.S., international data protection laws, such as GDPR, and related international data transfer issues.
ALAN MINSK [00:00:05] Good morning, good afternoon, good evening. I am Alan Minsk. I am a partner with Arnall Golden and Gregory, and I head up our Food and Drug practice group. Welcome to the sixth episode of our podcast series, “I Wish I Knew What I Know Now: Conversations with AGG on FDA Issues.” That’s a nod to “The Faces” and Rod Stewart. Our podcasts feature AGG colleagues discussing challenges that we have encountered when assisting clients on business and legal issues. I am here today with my partner Kevin Coy, who works in our D.C. office, our Washington, D.C. office, and Kevin is a co-chair of our firm’s Data Privacy practice. Our episode today will focus on data privacy issues, where Kevin and I will discuss U.S. and international privacy and data security law issues that life science companies may encounter, such as privacy policies, patchwork of FDA, federal and state privacy and data security laws in the U.S., international data protection laws such as GDPR and related international data transfer issues. But actually, Kevin will be doing the talking. I’m just asking the questions, so I get off pretty easy. So with that, let’s get started. Now, first of all, Kevin, I understand that there is a new Virginia privacy law. So one, maybe you could tell us a little bit about that and how it could affect the life science industry. And I guess while you’re at it, I think people know a little bit about the California law, but maybe you can sort of compare and contrast that kind of briefly if you don’t mind. So take it away.
KEVIN COY [00:01:46] Thanks for having me on the podcast today. Appreciate the invitation. As you say, just last week, Virginia’s governor signed a new data protection law called the Virginia Consumer Data Protection Act, CDPA for short. It is, in some ways, as you said, similar to California’s California Consumer Privacy Act, which was enacted in 2018. Both are sort of first efforts at more expansive privacy laws here in the U.S. When I say more expansive, I mean that traditionally, from a U.S. perspective, we’ve historically done privacy mostly on a sectoral basis. So there’s a need in a particular space like healthcare, for example. We put in place specific rules around that. Like HIPAA, for example, or the Fair Credit Reporting Act, which regulates consumer reports and consumer reporting agencies. The Common Rule, regulating federally funded research, is sectoral; things like that. California and now Virginia have passed broader privacy laws that, even though they have exceptions, apply to personal information across sectors and so will affect many more businesses than some of the traditional sectoral laws have. When you talk about comparing and contrasting California and Virginia, there are differences that folks will need to keep in mind; the Virginia law is new, so we’re still in the process of digging into it. But just from a very top-line standpoint, for example, the California statute only applies to the personal information of California residents. The Virginia law, on the other hand, applies to the personal data of Virginia residents. And there are also other differences in terms of what qualifies you as a business or a controller that’s subject to all of the requirements in the California or Virginia laws you now have to potentially consider. For a lot of organizations, that will entail thinking about their approach to compliance with these privacy laws, plus the fact that other states like Florida and Washington are considering legislation as well.
We may soon be approaching the point where having special rules for California, special rules for Virginia, and special rules for Florida may or may not make sense for particular organizations. And instead, it may be a decision that companies will take in the life sciences space and elsewhere to try and develop a national policy which applies these rules as best they can nationwide, rather than trying to keep information about residents from particular states in individual silos. There are also other differences between the laws. For example, the Virginia law has some broader exceptions than some of the relevant provisions in California. California can apply to certain human resources data, while Virginia generally excludes that.
And similarly, Virginia clearly excludes business contact information. So if someone is acting in their professional capacity and sending an email, for example, that would appear to be excluded in Virginia, where it could potentially be covered in some ways in California. So there’ll be a lot of nuances between the two laws that companies will need to work through as well.
MINSK [00:05:59] OK, your group has or will probably do a Bulletin on the Virginia law, I suspect.
COY [00:06:05] Yes, we’re working on a client alert on the Virginia law, and there’ll be a lot more to come going forward.
MINSK [00:06:12] Great. So, I get a lot of questions about GDPR. And you also know that I can delegate to you. I appreciate you letting me do that. So, first of all, what is GDPR that clients call us about? And I refer to you, and why should clients care? So maybe you could actually say what does the acronym stand for and why do our life science clients care about this?
COY [00:06:40] Sure. GDPR stands for General Data Protection Regulation. It’s the European Union’s omnibus data protection law. In some ways, California and Virginia have drawn some principles from GDPR. Sometimes they’re referred to as GDPR light. But GDPR establishes data protection rules for the 27 countries of the European Union, plus the additional countries in the European Economic Area. It provides a uniform baseline for privacy, data protection, and data security across the EU. It’s important to life sciences companies that are doing business in the EU that are conducting clinical trials in the EU or have other activities in the EU because GDPR regulates the processing of personal data that would happen with any of those activities.
Similarly, if they have workforce members in the EU or subsidiaries in the EU, they are going to be directly impacted by GDPR as well. GDPR has a broad reach. Not surprisingly, it applies if you’re in the European Union and you’re processing personal data there, you’re headquartered there, you have an office there, you’re working there. It also has an extraterritorial reach, which means that even if you’re not in the EU, say you’re here in the U.S., you can still be covered by GDPR. If, for example, you’re targeting individuals in the European Union for the sale of goods or services or you’re tracking their behavior while they’re in the European Union, you can also be directly subject to GDPR even if you aren’t located there. So many of our clients have to develop GDPR compliance programs because they’re doing business in Europe, even though they’re located here. Also, there are indirect ways in which GDPR can affect activities here in the U.S. For example, if you need to bring personal data from the EU to the U.S., the GDPR has specific rules around that.
COY [00:09:14] GDPR also requires companies to have a multifaceted privacy program with limitations on the purposes for which you can process personal data about someone.
COY [00:09:28] They take a very rigorous view of what constitutes consent, in many ways more rigorous than you might see typically here in the U.S. The Europeans are very concerned about situations, whether it’s in the context of clinical trials or employment or otherwise, where consent might be viewed as invalid because there’s an imbalance of power between the relevant parties, and they take a more stringent view than we often take here in the U.S. GDPR also has a host of other administrative and regulatory requirements that organizations need to be conscious of and sensitive to as part of their program. And so a lot of our clients address GDPR compliance because they’re doing business there, they’re soliciting business there through their websites, or they have subsidiaries or other operations there, or their parents are there and their subsidiaries are here and have GDPR issues as a result.
MINSK [00:10:37] Let me ask you one kind of related and last question as it relates to international before we come back to sort of U.S.-centric. What is the status, I guess, of the rules governing international data transfers from the EU to the U.S.?
COY [00:10:52] They’re very much in flux at the moment. The European Union in GDPR, as well as the European rules that came before GDPR, really going back to the mid-1990s, at least for the European Union as a whole, restrict the transfer of personal information. There’s a whole process they go through to assess whether somebody has adequate privacy protections. And over the past 20 years, there have only been about a dozen or so countries that have gotten an adequacy determination. The U.S. does not have an adequacy determination. We don’t have a comprehensive privacy law. Europeans have lots of concerns about our approach to data privacy here in the U.S., fairly or unfairly. And so as a result, there need to be additional safeguards in place to be able to transfer data here to the U.S. That difference was bridged in some ways because of a deal that was reached between the U.S. government and the European Commission.
COY [00:12:15] Two deals, actually. One from the late ’90s called Safe Harbor. And then a second program from 2016 – 2017 called Privacy Shield, where the European Union gave an adequacy finding to a voluntary program that the U.S. set up for life science companies and other companies to enter into on a voluntary basis, committing to a voluntary set of principles to facilitate the protection of personal data. And if you joined those programs, you were considered adequate and personal data could flow freely from the EU to you as long as you complied with those requirements.
COY [00:12:57] But because of the Snowden revelations about the National Security Agency’s surveillance activities and the aftermath of that, the European Court of Justice struck down the old Safe Harbor program in 2015 and then again struck down its replacement, the Privacy Shield program, just last July, essentially saying that the U.S. government surveillance practices are inconsistent with EU expectations regarding privacy. And so, those aren’t valid methods for transferring data. And in addition, there are other mechanisms that the Europeans had authorized to put in place called standard contractual clauses, which organizations sending data out of the EU could enter into with companies here in the U.S. or elsewhere around the world. And the Court of Justice said with respect to those, those contract clauses are still valid. But whether transfers under those clauses to the United States, or to other countries for that matter, are valid really depends on whether or not there are additional safeguards in place, because the court still has concerns about U.S. government surveillance practices.
COY [00:14:20] That opinion had a huge effect for life sciences companies that were in Privacy Shield as well as those not in Privacy Shield, as well as companies in lots of other sectors, not limited to life sciences. Because, one, if they were participating in the Privacy Shield program, they needed to come up with a new basis for transferring their data from the EU to the United States. And standard contractual clauses in most cases are the most likely option for that currently. And then, secondarily, the Europeans are now looking at a whole bunch of additional requirements, additional safeguards that companies relying on those clauses have to put in place. There’s also another wrinkle to this in that the clauses that are used today are still based on the old European rules, not on the GDPR, which took effect in 2018. So the Europeans are also in the process of updating those standard contractual clauses that parties sending personal data from Europe to the United States or elsewhere would use. And we’re expecting those clauses to be finalized in the next few months. A proposal was released last November for public comment, and they’re now in the process of revising that. So life sciences companies that are going to be transferring personal data from the EU to the U.S. are going to have, if nothing else, a potentially significant contracting exercise to go through to replace any current standard contractual clauses they use with the new clauses. And then they also need to take steps to document the additional safeguards that they’re putting in place to address European Court of Justice concerns about U.S. government surveillance, which is a little bit tricky for some organizations because, you know, it’s U.S. government surveillance and it’s not like the typical company is really going to be in a position to do a huge amount about that.
But there are expectations that companies will do what they can in terms of additional use of things like encryption as well as additional safeguards where they were, for example, to get a compulsory process request from a U.S. government agency that they would take certain steps to try and fight that, if appropriate, to notify the parties involved in Europe so that they’re aware of what’s going on and additional steps like that.
MINSK [00:17:02] Let me see if I can try to get you two questions with the limited time we’ve got left. Companies will say or will ask, life sciences companies will ask, must they be HIPAA compliant, and kind of related to that, what’s a business associate agreement? That’s one question. And then the last question, I guess, sort of as a takeaway, what should life science companies consider when they’re developing privacy policies? Because that’s a lot of what you do. So I guess the first question is do life science companies need to be HIPAA compliant, and then kind of related to that thinking is the business associate agreement. If you can sort of say quickly about that and then sort of the take home about, what should companies consider when developing policy, privacy policies?
MINSK [00:21:18] Great. Well, let’s end it there. Appreciate it.
MINSK [00:21:22] Thank you, Kevin, for joining us today. We hope all of you listening in found this discussion to be helpful and informative. If you have any questions or want to submit any feedback or topic suggestions for future podcasts, feel free to reach out to me, Alan. If you have specific questions on privacy, reach out to Kevin because I don’t know anything about this stuff. So it’s Kevin dot Coy at agg.com. You can find contact information about Kevin on agg.com, our website. Future podcast episodes will be distributed through our monthly Food and Drug newsletter, to which Kevin is a frequent contributor, and I thank Kevin for that as well, and AGG’s website and social media pages. So again, thank you, Kevin, and thank you, everyone, for joining us today.
COY [00:22:09] Thanks, Alan. Thanks for having me.