Follow me:
Follow me:
Post featured image - black and gray laptop computer turned on

The US Privacy Data Shield: Is Your GDPR Compliance Plan Ruined?

Play episode

The E.U.-U.S. Privacy Shield agreement has recently been declared invalid. What does this mean for businesses that transfer data between the E.U. and the U.S.? Join Darshan Kulkarni as he talks about how to ensure that your business is not exposed to risk. Plus, we’ll discuss the basics of GDPR, and how this regulation impacts companies in the European Union.

Narrator: This is the DarshanTalks Podcast. Before this week's podcast, US privacy data shield is your GDPR compliance plan ruined, Darshan will introduce this episode with a recap for the week of Friday, July 31st, 2020.

Darshan: This week has been a little bit of a clinical trial heavy week. We've seen notices from the FDA where they've put out a guidance on how they want companies to deal with cannabis and CBD products, and they put our guidance on specifically how the clinical research should be done. They had some interesting ideas about where do you actually procure the hemp, if you will. This has been interesting in light of the actual farm bill. This is going to be interesting, because that speaks not only to the clinical research that's being done, but the enforcement efforts the FDA will expect as well in the context of promotion. So if you are manufacturing a product that does not meet FDA standards, or if you're making a product that does not meet FDA standards, but you're making claims that are drug-like claims, the FDA might start prosecuting based on that.

So that should be an interesting thing to look out for. Additionally, there is some news out there about how pharma is starting to work more with telehealth. So keep an eye out for that. You'll see that in the newsletter if you subscribe to it. I also am going to do a separate podcast on a CBD and the FDA's position on that. So keep an eye out for that as well. However, talking about telehealth and pharma, we've done several interviews on this so we know that this is an area that is of particular interest to companies right now, so obviously in the area of clinical research, there are companies that are now switching over to doing full blown remote studies. You combine that with telehealth, that's the Holton combination that companies are looking out for. In fact, there was a article that came out saying that clinical trials are rebounding after the COVID-19 crash.

Darshan: The question is, are patients going to continue coming in and participating in these studies, when it's evident that there is still a continuing fear about infection because of COVID. The last piece of information that I thought was kind of interesting is this article that I've seen pop up every so often, but the idea that drug companies are influencing academic conferences. We did an interview with Kelly Willenberg where we talked about how important the conferences are for a lot of the companies that are selling to drug companies or to sites. But the question of do drug companies actually use these conferences to influence physicians is really important. On one hand, obviously associations and groups like ASCO and conferences, like ASCO are really important to spread information, but if the information has been contaminated, that's not good. However, when is something contaminated? Is it when there's just no study done and the pharma happens to actually sponsor the conference, or is it in the actual writing of the study itself? Stay tuned. We'll probably keep exploring this as new news keeps coming out.

Narrator: This is the DarshanTalks Podcast. Regulatory guy, irregular podcast, with host Darshan Kulkarni. You can find the show on Twitter @darshantalks or the show's website at

Darshan: So the recent holding, talking about the US/EU privacy data shield, and I want to talk about that in the context of what's been happening. So let's start from what is GDPR. GDPR is the General Data Protection Regulation. Comes out of the European Union. It covers an individual's rights to basic identity information, such as name, address, ID numbers, web data, such as location, IP address, cookie data, RFID tags, health and genetic data, biometric data, racial or ethnic data, political opinions, and sexual orientation. It affects companies that have a presence in an EU country, if you don't have a presence in the EU country, but process data of European residents, if you have more than 250 employees, or fewer than 250 employees, but the data processing impacts the rights and freedoms of data subjects, and it's not occasional, and includes certain types of sensitive personal data.

Darshan: The penalty is extremely significant. Things like 4% of global revenue. So it's actually hugely problematic for companies that don't follow it. The key principles are that you need to look at lawfulness, fairness, and transparency. They want you to have purpose limitations, which means that you don't just collect data willy nilly. You need to be very clear about what data do you actually need and restrict yourself to just that data, which goes to the principle of data minimization. You need to be accurate. You need to have storage limitations. You need to have integrity and confidentiality. So what security processes do you have in place? And you need to be looking at things like accountability. So you need to be responsible for the data.

Darshan: So what rights do you actually have as an individual? You have the right to be informed. You have the right of access to that data. You have the right to rectify data that companies have. You have the right to erasure, which is the same as the right to be forgotten, which some people may have heard of. The right to be forgotten being that if something happened in the past that you don't want out there anymore, and it's been long enough, you have the right to ask them to delete that for you. You have the right to restrict processing, the right to data portability. So you can move from one system to the other. And you've got the US doing versions of that now, but the EU has had GDPR now since, I want to say 2018 or so. You have the right to object and the rights related to automated decision making, including profiling.

So why does it matter? In the event of noncompliance, again, you're subject to EU enforcement mechanisms laid out in the GDPR regulation. So to meet these criteria, there was the EU/US privacy data shield. This was basically a framework designed by the US department of commerce and the European Commission and Swiss administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the US in support of transatlantic commerce. On July 12th, 2016, the European Commission deemed that the EU/US privacy shield framework was adequate to enable data transfers under EU law. However, on June 16th 2020, the shield was deemed invalid. It was deemed not to adequately protect the data of European Citizens from US surveillance activities in the same way that they are protected in the EU.

Darshan: Here's the problem with that system. Number one, the European Court of Justice judged that US was basically expected to meet a standard that no European government could meet. So it seems like the US is being singled out. It found that the US surveillance powers threatened the data of Europeans without noting that the European government surveillaince powers pose similar or greater threats to the same data. Then there was the issue of data movement. They struck down the privacy shield, but left other methods for transferring personal data to the US. So if the problem is in US surveillance, it doesn't matter how the data is actually being transferred. It would be subject to the same problems. Then there's the issue of other EU trading partners. Is it mainly just the fact that it's outside the EU? It's oddly myopic because it's focusing on the US, but ignores the surveillance of China, Russia, and other major trading partners of the EU. It leaves this weird situation, which despite all the efforts to protect privacy, the court has made it more difficult to transfer data to the US, but there are no such impediments transferring data to Russia and China, that have done little or nothing to protect personal data, which is usually problematic as well.

Darshan: Then there was the issue of US security, and the idea is that US surveillance powers extend to European data, even if located in Europe. And this ignores that US data is more protected when it's located in the US than if it's located elsewhere. So that becomes hugely problematic as well. So what is the impact of this? Over 5,000 companies signed up for the privacy shield, which is essentially a self-certified mechanism administered by the US Department of Commerce. However, the ruling left open standard contractual clauses as an appropriate mechanism for onward data transfers, subject to a case by case assessment of the merits of transferring data under this mechanism. Essentially, it's a way that people can still continue to put fines if those mechanisms don't work. Global companies will still be able to operate because contractual clauses are still considered sufficient, but there's an increased level of risk because they do not have the same clear standards set up by the privacy shield.

It also puts companies in a very weird position, a very delicate position, if the data is subpoenaed by US authorities for national security investigations, particularly if the data may run afoul of EU regulations. So in those situations, companies will have to decide whether they want to fight the US government or face immense fines in the EU, which is not very useful. The only real solution is for the US to have a more comprehensive federal privacy legislation that creates a balance between the flow of information and privacy rights. You are seeing this hodgepodge of states doing versions of this. So you've got, for example, the CCPA, and you've got several other states looking at variants of this, but for now we're caught up in a conundrum where privacy rights are not synchronized across the US, and that puts problems for individuals and companies in the EU and the US.

Narrator: This is the DarshanTalks Podcast. Regulatory guy, irregular podcast, with host Darshan Kulkarni. You can find the show on Twitter @darshantalks or the show's website at

More from this show

Recent posts


Make sure to subscribe to our newsletter and be the first to know the news.