
International transfers of health data between the EU and USA: a sector-specific approach for the USA to ensure an 'adequate' level of protection.

Laura Bradford1, Mateo Aboy1, Kathleen Liddell1.   

Abstract

International health research increasingly depends on collaboration and combination using medical data to advance treatment and drug discovery. The European Union (EU), through its General Data Protection Regulation, has tightened the rules for sharing data across borders to protect individual privacy. These new rules threaten cooperation between the EU and the USA, the two largest public funders of biomedical research. This article analyzes the primary pathway for sharing research data with the USA, the US-EU Privacy Shield, and argues that the Shield is ill-suited to support complex health studies. Its legitimacy is in question under both EU and US law, and its terms are too restrictive for the variety of exchanges underlying research, treatment, and care. As an alternative, we propose that the USA seek an additional sector-based adequacy determination based on the existing US health privacy law, the Health Insurance Portability and Accountability Act. A sector-specific approach to adequacy for health would avoid many of the most contentious issues that divide the USA and EU on data protection. It could also serve as a model for other third-party jurisdictions and facilitate international harmonization of health research practices.
© The Author(s) 2020. Published by Oxford University Press on behalf of Duke University School of Law, Harvard Law School, Oxford University Press, and Stanford Law School.

Keywords:  EU–US privacy shield; GDPR; HIPAA; cross-border transfers; privacy and data protection

Year:  2020        PMID: 34221424      PMCID: PMC8249089          DOI: 10.1093/jlb/lsaa055

Source DB:  PubMed          Journal:  J Law Biosci        ISSN: 2053-9711


I. INTRODUCTION

The sharing of patient medical information is vital for research and drug discovery. In an effort to protect European Union (EU) data subjects’ privacy, the General Data Protection Regulation (GDPR) enacted by the EU in 2016 places stringent restrictions on international transfers of personal data, including data concerning health. The threat of steep penalties for noncompliance has upended decades of accepted practice in commercial and public health research between the EU and other major research centers, especially the USA. In November 2019 the director of the US National Institutes of Health, the largest public funder of biomedical studies in the world, labeled the GDPR ‘a serious impediment to research’ and said that progress on some important projects had ‘slowed to a crawl’. The legal avenues for sharing personal health data with US entities under the GDPR are difficult and uncertain. Increasing scrutiny of US law enforcement data collection and surveillance practices led to the invalidation in 2015 of the US–EU Safe Harbor, which had previously allowed exchanges of commercial data between the two regions. As a fallback, the European Commission (EC) adopted a ‘limited adequacy’ decision in 2016 on the so-called ‘EU–US Privacy Shield Framework’. This Framework allows the free transfer of personal data to companies that are certified under the EU–US Privacy Shield. However, the EU–US Privacy Shield has been challenged as insufficiently protective of subject rights in the EU and is seen as overly restrictive and burdensome on companies and federal agencies in the USA. This paper analyses the EU–US Privacy Shield Framework from both the EU and the US perspective with particular attention to its suitability for transfers of health data. We argue that the Privacy Shield functions poorly as a mechanism for facilitating international health research and bioinnovation. It rests on an uncertain legal foundation under both EU and US law. 
It is neither a treaty, nor a binding agreement, nor a mandatory law; its status is therefore ambiguous under both the GDPR and the US constitutional system. Its scope is also too narrow to support the diverse health care research ecosystem. Due to the importance of data transfers for public health and medical innovation, we suggest that one way around the inadequacy of the Privacy Shield would be to seek an additional sector-based adequacy determination based on the existing US health privacy law, the Health Insurance Portability and Accountability Act (HIPAA). A sector-specific approach to adequacy for health would avoid many of the most contentious issues that divide the USA and EU on data protection. It could also serve as a model for other third-party jurisdictions and facilitate international harmonization of health research practices. Health care research is increasingly international and data intensive. Everything from genomic research to adverse drug reaction testing to epidemiology depends on the collection, linkage, and analysis of diverse patient indicators and disease features. Healthcare organizations are increasingly supplementing traditional controlled drug discovery pipelines with distributed, collaborative, and iterative research methods that demand large-scale combinations of patient data. Research studies, including clinical trials, aim for an international scope, with results being compared and matched to achieve greater statistical significance. Genomic databases need to reflect the genetic diversity of patients across the world for their value to be maximized. Advances in personalized medicine and the use of algorithms in diagnosis and treatment depend on the analysis of massive amounts of individual-level data. These include information about risk factors, disease outcomes, lifestyle, genetics, environment, behavior, and treatment responses. 
Huge collections of health-related data are shared continuously among commercial organizations, states, and state actors such as public health bodies, universities, and research laboratories. Differences in the data protection regimes of the USA and the EU threaten to throttle these exchanges. Europe and the USA provide the lion’s share of public funding for health research, and most of the major pharmaceutical companies have large research campuses in one or both jurisdictions. Exchanges of patient and population health-related data between the two regions are vital for continued innovation in treatments and public health. The circumstances under which organizations may wish to exchange personal health data across the Atlantic are various. Multinational pharmaceutical companies may need to send data about drug safety and efficacy in certain populations to subsidiaries and affiliates in other jurisdictions. A clinical research organization managing a clinical trial may need to share outcome data with partners and sponsors located overseas. Researchers in North America may seek to access sample or population data, including identifying phenotype characteristics, held in European biobanks, or vice versa. Makers of medical devices or academic researchers may need to store patient data with cloud service providers whose servers are located in a different jurisdiction. Presently the EU–US Privacy Shield is the legal basis for many of these transfers. In section II (legal overview), we describe the legal framework that currently applies to transfers of personal health data from the EU to the USA. As well as providing important informational background, this section has an overarching purpose for our argument. 
It demonstrates the seriousness of the policy issue, first by explaining how the GDPR affects US-based companies notwithstanding that it is European legislation, and second by explaining why the EU–US Privacy Shield often comes into play, even though technically there are other lawful bases, such as binding corporate rules (BCRs) or standard contractual clauses (SCCs), for transferring personal health data from the EU to the USA. In section III (explanation of the EU–US Privacy Shield and its limitations), we provide further information about the operation of the EU–US Privacy Shield. As well as analyzing adequacy from the EU perspective, this article is the first to look at the legitimacy of the Privacy Shield from the US vantage point, both in terms of its origins and its operation. From the EU side, the Privacy Shield lacks the force of mandatory law, which would seem to be a prerequisite for an adequacy determination under Article 45 of the GDPR. It is also subject to multiple legal challenges due to alleged deficiencies in the underlying US legal regime. From the US side, the Privacy Shield essentially requires US agencies to enforce EU law and so is more restrictive than an adequacy decision based on domestic US law. The authority of individual federal agencies to agree to such enforcement commitments independent of Congressional approval or a negotiated treaty is also a concern. Finally, the Privacy Shield aims primarily at commercial transfers of data and so is ill-suited to serve as the primary mechanism for transfers of data concerning health within the highly regulated medical sector. In section IV (HIPAA as a possible solution), we argue that one way to overcome the problems with the EU–US Privacy Shield for EU–US transfers of health data would be to ask Europe to give a sector-specific adequacy decision for the existing US health privacy law, HIPAA. A HIPAA shield would not replace the EU–US Privacy Shield, nor SCCs, BCRs or informed consent. 
It would be an additional legal basis for lawful international transfer of personal health data. In this section we briefly outline the advantages that the HIPAA shield would have over the EU–US Privacy Shield, such as greater democratic legitimacy, a targeted health-data focus, and harmonization with an existing and tested legal framework. We also discuss whether HIPAA would likely meet the ‘adequacy’ standard, and the modifications that are likely to be required. We consider several challenges posed by such an approach and possible alternatives.

II. THE CURRENT LEGAL FRAMEWORK FOR INTERNATIONAL TRANSFERS OF PERSONAL HEALTH DATA FROM THE EU TO THE USA

The GDPR’s reach is vast. The law can apply directly to many entities based in the USA even if they have no operations in the EU and arguably even if they are not processing EU subject data. Under Article 3, the GDPR applies to any processing of personal data ‘in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether the processing takes place in the Union or not’. It is possible then that any commercial or research collaboration anywhere in the world in which an EU-established entity participates is governed by the GDPR. This would be the case even if the data analyzed does not relate to EU subjects. Furthermore, the GDPR applies directly to non-EU entities who offer goods and services to data subjects in the EU or who monitor subject behavior taking place within the Union. Although this last provision seems targeted at companies who monitor behavior for advertising and marketing purposes, its reach can extend to pharmaceutical companies and researchers monitoring patient reactions to a drug. To further ensure that the protection guaranteed by the GDPR is not undermined, the regulation restricts transfers of personal data to countries outside the EU and the European Economic Area (EEA). A ‘transfer’ of personal data occurs any time it is sent, or made accessible, to an outside receiver. If the GDPR does not apply directly to that receiver because of its location, then both the processor and the controller of the data must comply with the conditions specified in Chapter 5 of the GDPR. The potential sanctions for senders and recipients that fail to comply with Chapter 5 are onerous. A noncompliant transfer of personal data to a third country is one of the infractions that invite the largest possible administrative penalty: up to €20,000,000 or four per cent of total worldwide annual turnover, whichever is higher. 
To give a sense of the scale of GDPR penalties, in July 2019 the UK Information Commissioner’s Office announced its intention to fine the Marriott hotel group £99 million for a data breach incident that exposed 339 million guest records globally, of which around 30 million related to residents of 31 countries in the EEA. The landscape for transferring health data lawfully between the USA and EU is disjointed and difficult to navigate, however. Biomedical researchers lack accepted pathways to exchange patient health data impacted by the GDPR. The mechanisms prescribed to facilitate such transfers, such as BCRs, SCCs and explicit consent, are ill-suited to research scenarios and are burdensome to fulfill even where they are available. Chapter 5 of the GDPR offers three basic pathways for a lawful international transfer of data: (1) transfers on the basis of an ‘adequacy decision’ by the EC; (2) transfers subject to ‘appropriate safeguards’ by the controller/processor, on condition that enforceable data subject rights and effective legal remedies for data subjects are available; and (3) derogations for specific situations. In effect, these mechanisms are intended to ensure that either the country (adequacy decision) or the organization (appropriate safeguards with SCCs and BCRs) ensures an appropriate level of data protection for the data subject. If none of these routes is available, the only way to transfer data is either to seek the explicit consent of the subject or to render the data anonymous so that the rules of the GDPR no longer apply.

A. Transfers on the Basis of an ‘Adequacy Decision’

Pursuant to Article 45 GDPR, the EC has the power to determine whether a country outside the EU offers an adequate level of data protection. The effect of these adequacy decisions is that personal data can be transferred from the EU and the EEA to that third country without any further safeguards. At the time of this writing, the EC has recognized Andorra, Argentina, Canada (for commercial organizations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay as providing adequate protection. The USA does not have a general adequacy decision, as it lacks general federal data protection legislation. Instead, the USA has instituted the Privacy Shield framework as a stopgap measure to allow transfers of data subject to the GDPR. As detailed further in Part III, the Privacy Shield framework has been judged ‘adequate’ by the EU, though it is subject to continuing judicial and administrative assessment.

B. Transfers Pursuant to Safeguards

In the absence of an Article 45 adequacy decision, the GDPR allows transfers of personal data outside the EU pursuant to various safeguard mechanisms specific to individual organizations under Article 46. These safeguards are applied on a case-by-case basis, under the guidance of one or more of the EU Member States’ data protection authorities (DPAs), and are subject to their final approval. The main ones are SCCs and BCRs. BCRs allow multinational companies to move data globally within a group of affiliated entities. To make use of the safeguard, a controller or processor located within the EU must establish personal data protection policies consistent with the GDPR for transfers within a single conglomerate or within a group of enterprises engaged in a joint economic activity. The obligations must be legally binding on the recipients and confer enforceable rights on data subjects. SCCs allow the transfer of personal data outside of the EU to a company that accepts the terms of standard-form clauses previously approved by the EC. These clauses require the data importer to process the data in accordance with the data protection law of the exporter, to name data subjects as third-party beneficiaries under the contract, and to agree to answer for breaches in a court of a Member State. They must be used exactly in the approved form unless an amendment is approved in advance by a DPA.

C. Transfers Pursuant to Derogations

The final category of permitted international transfers is derogations for specific situations under Article 49. The main ones are: explicit consent by the data subject; transfers necessary for the performance of a contract between the data subject and the controller; and transfers necessary for the purposes of a compelling legitimate interest pursued by the controller, which is available only after all other options have been exhausted and only for limited and infrequent transfers.

D. Transfers and Health Data Under Chapter 5 of the GDPR

None of these mechanisms is ideally suited to transfers of medical data for research purposes. BCRs are a useful tool for multinationals to share data with affiliates. Outside of this scenario they have limited utility. Health organizations such as a national health service or a university are not engaged in ‘joint economic activity’ with their research partners and so fail to qualify for BCRs. The task of writing an internal corporate code and obtaining approval from the relevant DPA is too expensive and time-consuming to pursue for temporary alliances, trials, or one-off exchanges. BCRs therefore cannot facilitate most research combinations of data between multinationals, SMEs, health care organizations, and service providers. SCCs also are problematic. Because model SCCs have to be written to cover every kind of data transfer, they contain terms too onerous for specific research purposes and relationships. Parties may not negotiate any change, however, without seeking official approval. The three existing approved sets of clauses apply only where an EU controller is exporting data, and so cannot be used by EU processors looking to provide derived or observational data to controllers in the USA. The substantive terms of the clauses are also difficult for many US health processors. US public health bodies are not permitted to submit themselves to the jurisdiction of foreign states as required by the clauses. Furthermore, standard US commercial insurance policies limit coverage to claims brought in US courts and so would not cover any liabilities arising under an SCC, which requires signatories to agree to be sued in the courts of the relevant Member State. The clauses themselves were written over a decade ago under the GDPR’s predecessor law and so imperfectly describe the controller–processor relationship. 
Finally, the Advocate General of the CJEU, in his Opinion in the case (Schrems II) challenging the use of SCCs for transfers to US entities, has suggested that even when the approved SCCs are used, controllers must still conduct a context-specific inquiry into the underlying legal framework in the recipient state to ensure that the protections of the clauses are not undermined by local laws. This requirement presents a particular risk for transfers to the USA under SCCs due to continuing concerns about structural deficiencies in US privacy law that potentially allow unduly extensive surveillance for the purposes of national security. The derogations under Article 49 are also quite limited. Article 49(1)(a) states that a transfer of personal data to a third country may be made in the absence of an adequacy decision or of appropriate safeguards on the condition that ‘the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards’. Valid consent under this provision must be specific and informed. This means that to provide a basis for transfer, consent must be given for the particular data transfer or set of transfers after the data subject is explicitly informed of the details of the transfers and the risks inherent in that specific transfer. This is a difficult burden to meet for the large-scale repositories of patient data typical in clinical trials and medical research studies, which may be held for years and combined with other sources for new studies not anticipated at the date of collection. Similarly, ‘necessary for performance of a contract’ is unlikely to apply as a basis for medical data transfer. In most cases, health data controllers based in the public sector are unlikely to have a commercial contract with patients or research subjects. 
Even where one does exist (for example, where a contract exists between a health app and a customer), the controller would have to show that the transfer of data overseas had a close and substantial link to the contract’s main purpose. The business convenience of the controller is not sufficient. Finally, for sensitive health data, controllers must still demonstrate compliance with one of the additional heightened legal bases set out in Article 9(2)(b)–(j), notwithstanding anything in a contract. The ability to transfer data pursuant to a legitimate interest is also heavily circumscribed. First, the data transfer must be infrequent and limited in size, so this derogation could not be used to justify any activity that relies on regular data collection. The legitimate interests necessary to justify the transfer must be more than the ordinary legitimate-interests basis for processing under Article 6; under Article 49(1) the transfer must be necessary for ‘compelling’ legitimate interests of the controller that are not overridden by the interests or rights and freedoms of the data subject. Where entities seek to use this derogation, they must demonstrate that they have put in place appropriate safeguards and measures to protect the data subject’s rights and must inform the EU supervisory authority and the data subject of the transfer of data.

E. Anonymization

Anonymization of data places it outside the requirements of data protection legislation and so has long been the pathway of choice for sharing medical research data. Unfortunately, there is no clarity as to when patient health datasets may be considered anonymized under the GDPR. Biometric and whole-genome sequence data are inherently unique to each natural subject, and thus at least potentially identifiable. It is an open question whether individuation itself (the fact that a record can be singled out from all others) renders data ‘identifiable’. The GDPR links the assessment of identifiability to available technology. Improvements in technology have made reidentification from even small amounts of genetic material more likely. The GDPR is also unclear on whether common deidentification techniques, such as unique identifier codes held separately from the code key, are sufficient to render such data anonymous, or merely pseudonymized, in which case the data would still be subject to the GDPR. Furthermore, strict anonymization may render the data functionally useless for research, as the most useful datasets for research are the ones that contain the greatest depth of detail about each subject. Insufficient deidentification, on the other hand, carries legal and reputational risks, as a Chicago hospital recently learned when it shared what it thought was anonymous patient data with Google. In this environment, many health organizations err on the side of caution and treat all patient data as personal unless and until a supervisory authority assures them otherwise.
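The distinction the paragraph draws, between a coded dataset whose key is held elsewhere (pseudonymized, still personal data) and a dataset from which no individual can be singled out, is easy to see in code. The following is an added example, not code from the article or from any of the bodies it discusses; the patient records, identifier format, field names and the key are all constructed for the demonstration. It codes the direct identifier with a keyed HMAC, shows that whoever holds the code key can re-link every record, and then measures whether the remaining fields still single out individuals (the k-anonymity check, where k = 1 means at least one person is individuated).

```python
"""Pseudonymization versus anonymization of a patient dataset (added example).

The records, key and field names below are constructed for illustration only.
"""
import hmac
import hashlib
from collections import Counter

# Constructed sample: one direct identifier plus quasi-identifiers and a diagnosis.
RECORDS = [
    {"nhs_number": "943 476 5919", "birth_year": 1961, "postcode": "CB2", "sex": "F", "dx": "T2DM"},
    {"nhs_number": "450 557 7104", "birth_year": 1961, "postcode": "CB2", "sex": "F", "dx": "HTN"},
    {"nhs_number": "173 845 2204", "birth_year": 1989, "postcode": "CB4", "sex": "M", "dx": "ASTHMA"},
    {"nhs_number": "624 112 9087", "birth_year": 1989, "postcode": "CB4", "sex": "M", "dx": "T2DM"},
    {"nhs_number": "811 203 7465", "birth_year": 1947, "postcode": "PE1", "sex": "M", "dx": "COPD"},
]

# The "code key": retained by the data controller and never shipped with the data.
# An unkeyed hash of the identifier would not do: a 10-digit identifier space is
# small enough to enumerate, so a plain SHA-256 is reversible by brute force.
CODE_KEY = b"controller-held-secret-example-only"

QUASI_IDENTIFIERS = ("birth_year", "postcode", "sex")


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the direct identifier, truncated for readability."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Replace the direct identifier with a keyed code; all other fields are left intact."""
    out = []
    for r in records:
        coded = {k: v for k, v in r.items() if k != "nhs_number"}
        coded["pid"] = pseudonym(r["nhs_number"], key)
        out.append(coded)
    return out


def relink(pseudonymised, originals, key):
    """What the key holder can always do: rebuild the mapping pseudonym -> identifier.

    The GDPR treats data as pseudonymized, not anonymous, precisely because this
    step is possible for whoever holds the key.
    """
    table = {pseudonym(r["nhs_number"], key): r["nhs_number"] for r in originals}
    return {p["pid"]: table[p["pid"]] for p in pseudonymised}


def equivalence_classes(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def min_k(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """k-anonymity of the release: the size of the smallest equivalence class."""
    return min(equivalence_classes(records, quasi_identifiers).values())


def singled_out(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Records whose quasi-identifier combination is unique, i.e. individuated."""
    counts = equivalence_classes(records, quasi_identifiers)
    return [r for r in records if counts[tuple(r[q] for q in quasi_identifiers)] == 1]


if __name__ == "__main__":
    coded = pseudonymise(RECORDS, CODE_KEY)
    print("key holder can re-link:", relink(coded, RECORDS, CODE_KEY))
    print("k =", min_k(coded), "; singled out:", singled_out(coded))
```

With the key, `relink` recovers every identifier, so the coded release is still personal data in the controller’s hands. Without the key, the release is still not anonymous here: the 1947/PE1/M record is the only one in its equivalence class, so k = 1 and that person is singled out by the quasi-identifiers alone, which is the ‘individuation’ problem the paragraph raises. Dropping `birth_year` from the quasi-identifiers is the kind of generalization that raises k, at the cost of the detail the paragraph says researchers most want.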

F. Research Exemption

The GDPR offers expansive exemptions from notice and consent requirements where processing of personal health data is done for the purpose of scientific research in the public interest. These research exemptions apply only within the supporting framework of EU or Member state law, however. They cannot form the basis for a transfer of data to a jurisdiction where the laws are insufficiently protective. Indeed, as discussed further in Part III.E, US entities certified under the Privacy Shield must still comply with notice and consent requirements to use EU subject data in further research.

G. Summary

To illustrate the potential risks of undertaking an international transfer of data under the current system, consider the examples from the introduction: (1) a multinational pharmaceutical company sending data about drug safety and efficacy in certain populations to subsidiaries and affiliates in other jurisdictions; (2) a clinical research organization managing a clinical trial in the EU that needs to share outcome data with a US sponsor; (3) researchers in North America seeking to access sample or population data, including identifying phenotype characteristics, held in European biobanks, or vice versa; (4) makers of medical devices in the EU storing and accessing patient data through cloud storage providers whose servers are located in the USA. Of these four common scenarios, only the first may definitely rely on an Article 46 safeguard (eg SCCs or BCRs), and even then only after that safeguard has received approval from a supervisory authority. For the reasons detailed above, the other transfers will likely fail or be prohibitively difficult under Articles 46–49. Furthermore, depending on the outcome of the Schrems II decision, even SCCs may no longer be available as a mechanism to transfer data to the USA. The European Data Protection Board (EDPB) is currently working on guidance for international transfers which may provide greater clarity on some of these issues. Until then, the Privacy Shield is the most promising means for transfers of health data between the USA and EU, but even that is problematic.

III. THE EU–US PRIVACY SHIELD

The EU–US Privacy Shield itself rests on a tenuous legal foundation. Although trade between the USA and the EU is extensive, finding common ground for the treatment of consumer data has never been easy. The two regions approach the concept of personal privacy differently. Privacy of personal data is enshrined as a fundamental right in the EU Charter. Trading in identifiable data is therefore forbidden in the EU unless a lawful basis applies. In the USA, by contrast, certain forms of privacy are protected by law, but these are balanced against equally strong constitutional regard for free and unfettered speech, including commercial ‘speech’. In the USA, transfers of personal data are presumptively legal unless a particular prohibition applies. From a regulatory standpoint, the USA favors a market-based approach wherein customers can choose levels of privacy as part of the product or service offered by a company. The Privacy Shield offers an uneasy compromise between the privacy absolutism of the GDPR and the more laissez-faire, self-regulatory approach of the USA. The Shield is an opt-in mechanism that allows US companies that want to receive transfers of personal information about EU subjects to self-certify as meeting certain standards. Various arms of the US federal government have pledged to enforce those commitments, at least with respect to EU subjects. As an awkward hybrid of voluntary, private commitments and mandatory, public laws, the Privacy Shield’s legal validity is doubtful under both EU and US law. From the EU side, it is vulnerable to the court challenge that it does not offer adequate protection under the GDPR, both due to US law enforcement collection of personal data and because enforcement of the Principles has been lax. From the US side, the Privacy Shield requires extensive EU monitoring and oversight of domestic federal agencies and requires the US government to create special mechanisms for EU subjects that are unavailable to US citizens. 
Critics contend that it neither assures adequate data protection for EU subjects nor preserves US sovereignty over its own commercial data protection policy. The Privacy Shield is an especially poor fit for the health care sector. It omits from its coverage nonprofit research centers and health insurance providers, two major players in the US healthcare economy. It also imposes special burdens on US medical research entities that are not required of similar enterprises within the EU. The Shield was designed to address concerns about law enforcement surveillance and internet platform monitoring that are not relevant to most transfers of health data.

A. The Origins of the Privacy Shield

The Privacy Shield was created and implemented as a stopgap. On October 6, 2015 the Court of Justice of the European Union (CJEU) invalidated the Safe Harbor Agreement, the framework that had allowed transatlantic exchanges of data for 15 years. The Court found that the protections in the Safe Harbor were inadequate in light of the Snowden revelations that US law enforcement and national security agencies were obtaining and monitoring identifiable data collected by US companies. The Schrems I decision sent US and EU officials scrambling to put a replacement framework in place to avoid destabilizing trillions of dollars in EU–US trade in goods and services. Just under four months later, on February 2, 2016, the US Department of Commerce (DoC) issued the Privacy Shield Principles. To rely on the Privacy Shield to transfer commercial data from the EU, participating organizations must self-certify to the US DoC their adherence to 23 principles laying out the requirements for the use and treatment of personal data received from the EU, as well as access requests and recourse mechanisms for EU citizen complaints. The EC declared on July 12, 2016 that organizations that are Privacy Shield-certified provide ‘adequate’ privacy protection to personal data transferred outside of the EU under the EU Data Protection Directive, which has since been superseded by the GDPR. Like the Safe Harbor before it, the Privacy Shield depends on the voluntary participation of US companies. Once a company enters the program, however, compliance is compulsory. An organization’s failure to comply is subject to enforcement action under Section 5 of the Federal Trade Commission (FTC) Act, which prohibits unfair and deceptive acts in or affecting commerce.

B. The Privacy Shield Framework Under EU Law

Notwithstanding the Commission’s 2016 decision, the adequacy of the Privacy Shield under the GDPR is far from evident. Formally, the Shield provides a lawful basis for transfer under Article 45 of the GDPR, which allows transfers to foreign jurisdictions deemed to have ‘adequate’ legal regimes. In practice, however the Shield is not a mandatory legal regime. Instead it has the characteristics of the opt-in company safeguards found in Article 46 of the GDPR, such as codes of conduct, certification schemes and BCRs. Like these mechanisms, the Privacy Shield Principles apply only when companies choose to participate. It is unclear whether a voluntary opt-in regime can really meet the adequacy threshold under Article 45. The purpose of an adequacy inquiry under Article 45 is to examine the law and practices of the third country as a whole to ensure that the legal framework is sufficiently protective. Voluntary and individual corporate codes of practice are not usually considered relevant. Even considered under Article 46, the Privacy Shield does not meet the standards for organization-specific mechanisms. Article 46 requires private entities to submit their chosen safeguards to initial approval and ongoing, direct supervision by European DPA or their delegated bodies for validity. The Privacy Shield by contrast allows US companies to self-certify without independent verification even by US authorities. Enforcement of its terms is in practice left almost entirely to private action—companies largely self-monitor compliance, and EU subjects must formally complain directly to have access to the limited rights of redress under its terms. There is reason to believe that dozens of companies have declared their activities to be compliant with the Shield while not complying in fact. 
If challenged on this basis, the Shield might be vulnerable to claim that it cannot offer ‘equivalent’ protection to that found in the GDPR, the standard the CJEU laid down in Safe Harbor case for ‘adequacy’, because it does not meet even the minimum standards set out for functionally equivalent safeguard mechanisms under Article 46. The Shield is in more direct legal jeopardy in the EU from the second lawsuit by Maximilian Schrems, the plaintiff in the Safe Harbor case, alleging that the US has not substantively improved its data protection practices since the Safe Harbor was invalidated. Although the Schrems II lawsuit aims at SCCs rather than the Privacy Shield, the allegations that intrusive US law enforcement practices undermine private contractual commitments also implicate the viability of the Privacy Shield. There is also a second French lawsuit directly challenging the Privacy Shield on these grounds that has been stayed pending the outcome of Schrems II. The plaintiffs in these cases contend that the Privacy Shield offers no improvements to the Safe Harbor regime that are binding on national security services and so the legal framework in the USA is still inadequate notwithstanding undertakings made by private businesses. The recent Opinion of the Advocate General (AG) in Schrems II, which is persuasive but not binding on the CJEU, offered some assurances that SCCs and the Privacy Shield framework are not at immediate risk of being invalidated. The AG concluded that the SCC mechanism was overall adequate to protect fundamental rights of privacy and suggested that the Court does not need to render judgment on the validity of the EU–US Privacy Shield Framework to decide the case. However, the AG went on to raise some concerns about whether the Privacy Shield Framework in general met the adequacy threshold. Based on previous jurisprudence, the AG considered that surveillance by US authorities was generally justified on the grounds of public interest. 
He expressed reservations, however, as to whether it contained adequate safeguards enshrined in law to prevent the risks of abuse. The AG advised against addressing these deficiencies for the case and noted that supervisory authorities could consider the necessity and proportionality principles as well as the fundamental right to respect for a private life on a case-by-case basis with regard to transfers made pursuant to SCCs. This emphasis on case-by-case inquiry, if adopted by the Court and individual DPA, could undermine the efficiency of general transfer mechanisms such as SCCs and the Privacy Shield. Furthermore, the CJEU could still potentially decide to invalidate the EU–US Privacy Shield Framework in its decision in the Schrems II case, or in the subsequent direct challenge. This possibility poses substantial legal risk to companies currently relying on the adequacy of the Privacy Shield mechanism. In the meantime, the continued legal vulnerability of the regime under EU law has led many US companies to delay undertaking the time and effort required to certify under the Shield.

C. The Privacy Shield Under US Law

Nor does the Privacy Shield protect US interests in domestic policy sovereignty. Many policymakers and industry representatives in the US think that its self-regulatory and patchwork approach is more hospitable to innovation than the ‘one size fits all’ EU privacy rules. They argue that data privacy experimentation may promote advances in the information technology and internet commerce sectors, whereas blanket prohibitions stifle technology firms. The USA has therefore been wary of saddling itself with complex and burdensome data protection rules before their utility has been proven. Ironically, then, the decision to operate via the Privacy Shield undermines the ability of US companies to experiment, at least with respect to any data originating from the EU. US companies that choose to receive data under the Privacy Shield are effectively promising to follow EU law. By contrast, companies in Israel, Canada, Japan, and Argentina, to name a few, can process EU data under their own law without regard to the GDPR because their governments applied for and received an ‘adequacy’ determination under Article 45 of the GDPR. The laws of many of these ‘adequate’ jurisdictions differ in material respects from the GDPR but the EU has been willing to tolerate divisions in approach so long as the overall scheme achieves the aims of data protection. US companies are therefore at a comparative disadvantage because they have to assume the significant costs of compliance with US laws and the GDPR whereas their international counterparts follow only domestic law. Furthermore, because the Privacy Shield is nominally a ‘voluntary’ regime, US companies lack the support of domestic information agencies helping to interpret any ambiguity in the rules, and so must absorb completely as a private expense the legal compliance costs associated with a new and untested regime. 
Companies certified under the Shield also face the threat of investigation from multiple jurisdictions as they are subject to enforcement not only from the FTC but also individual EU DPA. Companies in countries that have received adequacy determinations, by contrast, are free to receive data from EU subjects under their own laws without further interference or annual audits from the EU. The US government is under a similarly tight leash. The Commission’s 2016 US adequacy decision for the Privacy Shield was tentative at best, and its continuation depends on the US federal agencies submitting annually to detailed audits by the EC. The Commission is empowered to investigate the functioning of all aspects of the Privacy Shield including enforcement statistics, key staffing decisions and updates on any relevant development under US law. At the first annual review, the Commission issued 10 detailed recommendations for improvement to the management of the scheme. For the second and third annual reviews, the EC sought information not only from the DoC and the FTC, the agencies tasked with enforcing the Shield, but also sent questionnaires to 10 US trade associations and eight NGOs to get a broad picture of the practical implementation of the Privacy Shield framework by private entities. The Commission has sought several substantive changes in the way that the DoC and the FTC implement the scheme, including more interrogation of certification claims, more spot checks on continued compliance, and more proactive investigations of false claims of compliance. The EC has been vocal that making these changes is vital to the Shield’s continued adequacy. The authority of DoC and the FTC to make such extensive commitments on behalf of non-US citizens is unclear. As federal agencies, the DoC and the FTC can exercise only those powers specifically granted by the Constitution to the executive branch or delegated by Congress. 
If the Privacy Shield is a voluntary scheme for private companies, then development of the Privacy Shield Framework falls within the DoC’s inherent mandate to foster and promote international commerce. However, the Framework, at least as interpreted by the EU, goes beyond setting out optional requirements for private companies. It also obligates agencies of the federal government to undertake particular actions outside their usual remit. These include, for the DoC, the duty to monitor whether US companies publish their privacy commitments, to conduct periodic compliance reviews and audits of listed and delisted companies, and to manage the establishment of special tribunals (‘Privacy Shield Panels’) available only to EU residents. The FTC, the agency charged with enforcing Privacy Shield commitments made by private entities, has broad enforcement authority but is similarly overextended by the EU’s demands. The FTC has the power under its originating act to police deceptive conduct in interstate commerce. The US courts have tended to take a permissive stance on the question of whether the FTC’s enforcement power extends to conduct directed at overseas markets. In Branch v. Federal Trade Commission, a case concerning misrepresentations about a correspondence course offered only to students in Latin America, the 7th Circuit Court of Appeals held that enforcement fell within the Agency’s authority because (i) the deception was conceived and initiated within the USA and (ii) the agency’s mandate to ensure a level playing field for the company’s competitors within the USA included preventing deception targeted to overseas customers. Similarly, the FTC’s Privacy Shield enforcement ensures fair competition among domestic companies who seek to process EU personal data. Companies that do not comply gain an unfair advantage and risk undermining the credibility of the whole scheme. 
However, certain agency obligations, as interpreted by the EC, seem to reach beyond this limited authority. These include a commitment by the FTC to priority review of EU complaints of noncompliance and, according to the EC, an obligation to undertake proactive ex officio sweeps of listed companies without any basis for believing deceptive conduct has occurred. Such promises force the FTC to prioritize EU privacy misrepresentations over other kinds of deceptive conduct and to commit scarce enforcement resources for the sole benefit of citizens of foreign states. These state-to-state commitments arguably fall well outside §5’s remit, and should require specific congressional approval under the Art II Treaty Power of the US Constitution. Perhaps for this reason, the US agencies have sullenly resisted meeting the EC’s demands for enhanced enforcement efforts, and so have further imperiled the ‘adequacy’ of the scheme under the GDPR.

D. Unsuitability of the Privacy Shield for Transfers of Health Data

The Privacy Shield is not even useful as a temporary stopgap for many exchanges of healthcare data between the USA and the EU because many US health care providers and payors are excluded from its terms. The Privacy Shield is currently an option only for organizations subject to the jurisdiction of the FTC or the Department of Transportation. Insurance companies in the USA are regulated primarily by state insurance commissioners and are not generally subject to enforcement by the FTC. The FTC’s jurisdiction also does not generally extend to nonprofit entities. Health care providers, hospitals, and other care organizations that operate on this basis may be excluded from the Shield’s framework entirely. When available, the Shield places asymmetric burdens on researchers in medicine, public health and social care in the USA. Under the GDPR, EU controllers of all types can process sensitive health data for purposes of treatment, social care, public health, or medical research as an independent lawful basis. They need not obtain the specific consent of the subject or offer mechanisms to withdraw that consent. (Ethics regimes may impose independent consent requirements, but these do not necessarily provide data subjects with an option for withdrawal). This is a substantial advantage for administering complicated, multiyear clinical studies. Controllers in the USA, by contrast, must comply under the Privacy Shield with detailed and untested requirements for explicit consent from data subjects even for public health and medical research uses. The Privacy Shield offers only a very narrow exception for processing for direct ‘medical care and diagnosis’ or for research specifically by ‘non-profit entities’. Many US health providers and some research institutions operate as for-profits. Those that do operate as nonprofits are outside the jurisdiction of the FTC, and probably cannot make use of the Shield framework and its research exceptions at all. 
The practical impact of these additional restrictions is to impose heavier compliance burdens on US research entities than on their EU counterparts, and so to hinder cross-border research and innovation. On the other hand, where use without consent for research purposes is allowed, the Privacy Shield contains none of the additional organizational and technological safeguards for such data that are set out in the GDPR. The Privacy Shield is therefore both unduly burdensome on US health research and unduly lenient on actual patient protections when health data are used. Health service providers and researchers are caught in the uncertainty surrounding the Privacy Shield even though the concerns targeted by Privacy Shield are tangential to healthcare treatment and research. Long-term health and treatment data have little direct utility in preventing terrorist attacks, and US law enforcement and national security agencies have shown little interest in monitoring it. Although there is concern over search engines, platforms, and online retailers gaining personal health data, the US domestic medical privacy law, HIPAA, could be employed to address those concerns in the same manner as the GDPR. Meanwhile, as discussed in Part I, there is a wealth of relatively uncomplicated transfers for the purposes of storage, analysis, and treatment services that are unnecessarily complicated by the theatrics surrounding the Privacy Shield’s viability. If the Privacy Shield and SCC frameworks are struck down or hobbled in the Schrems II decision, the need for an independent basis under which to transfer health data to the USA will become even more urgent.

IV. ESTABLISHING A HIPAA SHIELD

In Section IV we argue that one way to overcome the problems with the EU–US Privacy Shield for transfers of health data would be to request a sector-specific adequacy decision. Many in the health sector advocate for a sector-specific solution to allow research transfers of data to proceed internationally. We support such efforts, and suspect an option is available that has been overlooked. The USA has already signaled its agreement with many of the GDPR principles as applied to data concerning health. The US has an existing health data protection law, the Privacy Rule promulgated under HIPAA, that could serve as the basis for a sector-specific adequacy decision. A health sector ‘shield’ based on HIPAA’s Privacy Rule would not replace the EU–US privacy shield, nor SCCs, BCRs, or informed consent. It would be an additional legal basis for lawful international transfer of personal health data. In this section we outline (i) the advantages that the HIPAA shield would have over the EU–US privacy shield. We also discuss (ii) whether HIPAA would likely meet the ‘adequacy’ standard, and (iii) the modifications that are likely to be required. The US legal framework for certain kinds of private information, such as health information, is not dissimilar to that of the EU. The USA has had a comprehensive medical data privacy regulation since 2002, when HIPAA’s Privacy Rule was promulgated by the Department of Health and Human Services. The regulation’s initial reach was quite narrow; it originally prescribed privacy and patient data security rules only for ‘covered entities’, including clinicians, health care facilities, pharmacies, health insurance plans, and health care clearinghouses. The 2009 HITECH Act extended its reach to cover practices of companies working with covered entities—‘business associates’ in the law’s parlance—and also challenges arising from electronic health records. 
Together with the administrative regulations promulgated under these Acts, the HIPAA Privacy Rule has proved a functional and balanced approach to privacy of medical records and personal health data. HIPAA’s Privacy Rule contains many similarities to the GDPR. Under HIPAA, as under the GDPR, use or disclosure of personal information is forbidden unless the subject explicitly consents or a specific exception applies. Covered entities may freely use and disclose personal information without prior permission for treatment, payment, operations, and certain public benefit activities such as research or law enforcement activities. These exceptions are similar to GDPR’s list of lawful bases for processing such as vital interests of the subject, performance of a contract, a task carried out in the public interest, or the legitimate interests of the processor. As under the GDPR, specific consent must be obtained before using or disclosing personal health information in a situation that is not one of the listed exceptions. HIPAA defines Protected Health Information (PHI) broadly to include any health-related information that can be used to identify a particular individual. This can be information related to an individual’s past, present, or future physical or mental health or condition, any provisions of healthcare to an individual, and any past, present, or future payment for the provision of healthcare to an individual. This scope is similar to the definition of Data Concerning Health under the GDPR. The HIPAA Privacy Rule does not define ‘authorization’ in the same detail that the GDPR defines consent, but both laws require notice and transparency to the subject about specific uses for consent to be considered valid. Both laws require additional disclosures and safeguards before individual data can be used for ‘marketing’ purposes. Under both frameworks, individuals have a right to withdraw consent, although this right is less robust under HIPAA. 
Both frameworks require use of technical and organizational measures to protect the security of data concerning health, although in the case of HIPAA, this rule applies only to records kept in electronic form. The main difference between the GDPR and HIPAA is HIPAA’s narrower application. Where the GDPR governs any entity that processes personal information of EU subjects, HIPAA applies only to regulated health care entities such as clinicians, hospitals, and insurance companies. It also permits disclosure of PHI to ‘business associates’ of covered entities subject to contractual restrictions ensuring appropriate use and storage. Business associates covered by the Privacy Rules are persons or organizations that provide legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to a covered entity. A business associate processing personal health data covered by the HIPAA Privacy Rule must do so under prescribed terms. Covered health entities must impose through agreements with their business associates (i) obligations to use protected data only as permitted under the contract and (ii) appropriate safeguards to prevent unauthorized use or disclosure. Under 2009 amendments, business associates and their subcontractors can be held directly liable for breach of HIPAA’s Privacy Rule. HIPAA’s reach is narrower than the GDPR but it provides strict, GDPR-like rules for an important subsection of the US economy.

A. Advantages of Sector-Specific Adequacy Under HIPAA

Pursuing an adequacy determination based on HIPAA has several advantages. For the USA, an adequacy determination would allow transfers of data without continued oversight and monitoring by the EU. US health companies could obey one set of rules and need only submit to the jurisdiction of one set of regulators. Given the similarities between the two frameworks for healthcare, the process to obtain adequacy based on HIPAA could be relatively quick. Tailoring privacy rules to a sector where there is already substantial convergence in values and approach will allow for easier resolution of new policy challenges specific to the health sector, such as consent for follow-on research studies, or the meaning of anonymization in the case of biometric data. Such a resolution can provide a useful model to other non-EU countries who may lack the resources to develop comprehensive data regulation but want to preserve open data exchanges for critical sectors. The main advantage of an adequacy determination is that it will greatly simplify exchanges of health data critical for care, treatment, research, services, and public health. Once a country or an individual sector is deemed ‘adequate’ by the EC, personal data may then be transferred from EU Member States without additional guarantees or constant monitoring being necessary. Under the GDPR, the only continuing assessment required is a periodic review at least every four years. US entities would benefit because they would need to comply with only one well-established Privacy Rule about patient data. They could save the considerable costs of annual self-certification under a second, conflicting regime at continual risk of being struck down. Second, a limited HIPAA-based ‘shield’ would be managed and maintained by US regulators without undue interference from Brussels. US citizens would be equally entitled to its protections, and US enforcement efforts would not be inappropriately tilted toward EU citizens. 
The legislature writing the rules would have democratic accountability to both the data subjects and the affected businesses. Legislative competition between the US and the EU, both for healthcare and for sectors outside the HIPAA shield, could promote legal innovation in response to rapidly changing technologies and business models. Third, pursuing a sector-based adequacy determination is achievable in the short term, whereas efforts to craft a comprehensive US privacy regime could take years. The US has pursued a sector-based approach to data protection because little consensus exists outside certain fields about what kinds of rules should govern uses of consumer data. Where states have filled in the gaps with their own comprehensive schemes, such as the new California Consumer Protection Act (CCPA), they have drawn intense opposition from the retail and technology industries. Business lobbies are now more amenable to the idea of a federal bill, if only to displace the stricter GDPR-like rules of the CCPA. All of the federal bills are still in early stages of consideration and would face concentrated opposition in both houses of Congress before becoming law. Should a scheme acceptable to US industry be enacted, it is unlikely it would be stringent enough to meet the EU definition of adequacy. Even the CCPA itself, which represents the vanguard of general US privacy legislation, is narrow in some respects. It is a consumer protection statute that governs only large businesses and those holding large amounts of consumer data of the residents of one state. It allows the transfer and sale, even of sensitive data, to third parties for any purpose unless consumers affirmatively ‘opt-out’. The CCPA also permits differential pricing and services to be offered to consumers who opt-out, unlike the GDPR, so long as the difference is ‘reasonably related to the value to the business provided to the business by the consumer’s data’. 
In contrast, one sector of the USA, healthcare, already obeys comprehensive GDPR-like rules. A limited healthcare adequacy ruling could provide an end-run around the US legislative logjam. In addition to being procedurally easier to achieve, a privacy regime tailored to healthcare data is likely to be superior substantively at responding to new challenges and legal gray areas specific to the sector. The era of ‘big data’ and the use of large datasets to train algorithms to tailor products and services creates regulatory challenges throughout the economy. However, regulatory responses arguably should differ between retailers and hospitals because the public benefit calculus underlying research that enables personalized medicine, for example, is different from the calculus underlying the development of personalized advertising. Health-specific gray areas, such as whether initial consent for research allows for use of personal health information in new and unanticipated projects, or how to measure whether a patient dataset has truly been anonymized, are easier to solve when the context is limited to the already highly regulated health sector. The hardest cases, which surround tracking by unregulated internet platforms, device companies, and online retailers, can be left for further negotiation without interrupting research and development for human health. International bodies already exist to coordinate harmonized approaches to health challenges and regularly issue guidance for global health regulators. A sector-specific privacy regime can more quickly adapt such guidance without drawing opposition from other, unrelated sectors of the economy. Finally, a sector-specific approach offers a useful model for other regions that hope to collaborate with the EU on healthcare and medical research but who may have different regulatory priorities regarding the balance between safeguarding privacy and promoting economic and technological development. 
India is an example of a country with a thriving cloud-computing sector that may wish to provide data management services to healthcare providers in the EU and the USA. It also has a different historical approach to individual rights, and, as a developing economy, may have different priorities with respect to the balance between privacy and economic development. Many developing economies may not want to allocate resources to policing data privacy, nor would their existing law enforcement sectors be well-suited to such a task. A limited sector-specific approach to data protection can promote important international harmonization in healthcare, a field where harmonization is urgently needed, while still allowing developing economies to pursue comprehensive regulatory reform at their own pace.

B. Is HIPAA Adequate Under the GDPR?

1. The Adequacy Test

For the level of protection in a third country to be considered adequate under the GDPR, it must offer guarantees to the data subject ‘essentially equivalent’ to those offered in the EU. The means of protection, however, may differ from those in the EU, so long as they prove as effective in practice. The objective is not to mirror point by point the European legislation, but to establish the essential core requirements of that legislation. This inquiry has a substantive and procedural component. The EC evaluates the text of rules applicable to personal data transferred to a third country or an international organization, and also the system in place to ensure the effectiveness of such rules. Beyond the data protection regime itself, the EC also considers contextual factors such as the rule of law, respect for human rights and fundamental freedoms, relevant legislation, the existence and effective functioning of one or more independent supervisory authorities, and the international commitments the third country or international organization has entered into. Since 1995, only 12 countries have been found adequate under this standard. Although this may seem a high bar, the EC has been willing to apply the adequacy standard in a flexible and pragmatic manner. In 2003, the EC found Argentina to have an adequate level of protection even though its data protection law was brand new, and its DPA was not yet in existence. To observers, the finding seemed a reward to Argentina for enacting a comprehensive EU-style data protection law when such regimes were relatively rare, especially in Latin America. Similar pragmatic considerations may have influenced the recent adequacy decision for Japan, which was able to obtain a coveted adequacy determination based on promises of future enforcement notwithstanding a largely symbolic track record in fact. 
A respected third country in a strategically important region willing to enter into a ‘privacy dialogue’ with the EU is likely to find a receptive collaborator. Also important to the EC in measuring adequacy has been the significance of a trading partner, both commercially and in terms of geographic or cultural ties to the EU. The history of the development of the Safe Harbor and the Privacy Shield programs with the USA, the EU’s largest trading partner, shows the EU bending over backward to find a way to preserve data flows with the USA, while gaining just enough commitments to appease lawmakers at home. Similar motivations helped push the adequacy evaluations of Canada and New Zealand over the line even though investigators found some flaws in both regimes. Where a third country has significant commercial and cultural ties to the EU, these considerations can outweigh a few gaps in the data protection template. The EDPB, formerly known as the WP 29, has explicitly noted in its guidance on adequacy determinations that, for some countries, a sector-based finding of adequacy will be sufficient. The EDPB recognized that requiring blanket GDPR-like coverage in every case risked discriminating against divergent legal systems and so violating international trade rules. For example, nations with a federalist constitutional system have limited authority to impose uniform standards. For this reason the EDPB has cautioned that ‘a positive finding on adequacy should not in principle be limited to countries having horizontal data protection laws, but should also cover specific sectors within countries where data protection is adequate, even though in other sectors the same country’s protection may be less than adequate’. The same report singled out the USA as a jurisdiction where a sector-based enquiry might be suitable.

2. HIPAA Is Adequate

Based on this guidance, HIPAA has a chance of earning an adequacy determination because it contains the core requirements of the GDPR. The Privacy Rule is comprehensive in substance. As noted above, it is largely on all fours with the GDPR with respect to use and disclosure of sensitive health data. With respect to the fundamental privacy principles under GDPR Article 5, HIPAA can be said to embody the principles of lawfulness, transparency, purpose limitation, data minimization, accuracy, security, confidentiality, and accountability. Although the US lacks an independent data enforcement agency generally, the HIPAA Privacy Rule is enforced by an independent office, the Office of Civil Rights (OCR), within the Department of Health and Human Services. Comprehensive administrative and judicial remedies, including monetary penalties, are available in the event of a breach. The OCR has an established and extensive track record of investigating and resolving privacy-related complaints and issues. In contrast to FTC enforcement actions under the Safe Harbor, which totaled 11 cases in its first 13 years and only 39 overall, OCR investigates and resolves tens of thousands of complaints every year. It also conducts proactive audits of covered entities and their business associates to ensure compliance. In 2009, the OCR’s enforcement authority was extended directly to reach ‘business associates’ who provide services to covered entities. Enforcement at the federal level is complemented by state laws protecting against discrimination based on genetic data. A finding of adequacy is also more likely because the exchange of health data between US and EU entities is commercially and culturally important to both regions. Together the USA and the UK spend more on healthcare research and development than all of the other OECD nations combined. 
The USA and its research institutions are members of and comply with all of the major international bodies and conventions surrounding ethics and good clinical practice in healthcare and research. Cooperation specific to research and care therefore poses minimal risk to EU patients. Greater global harmonization in healthcare information is a priority and need not wait for harmonization of practices across all industries. To be sure, the EU is likely to require some alterations. HIPAA’s Privacy Rule is nearly 20 years old and needs updating. The EC is likely to require a private right of action for individual data subjects, at least those from the EU. It may also seek greater commitments on onward transfer by business associates. As discussed in Part IV.C below, more rigorous definitions of consent for further use may be required. The EC’s adequacy determination for Canada, which is limited to commercial sector data processing, provides an indication for how the EC might approach the complications of a sector-specific adequacy ruling. In the Canadian case the relevant data protection legislation applied initially only to private sector organizations regulated by the federal government and was scheduled to come into broader effect in three stages. There was some complexity around health data as well as the interplay of the Canadian legislation and laws enacted by specific provinces that might supersede the federal law. Rather than demand that all of the potential inconsistencies be resolved, the EDPB Opinion for Canada noted approvingly the establishment of federal working groups tasked with pursuing harmonization across federal, provincial, and territorial governments and public and private sector organizations. This approach suggests that the EDPB and the EC are comfortable with sector-specific adequacy determinations so long as competent and effective domestic agencies are available to address inconsistencies and boundary issues. 
Within the USA, the relevant agency could be the Department of Health and Human Services, the FTC, a combination of both, or a specialized body empowered to bring together public and private stakeholders to achieve consensus. The EC could monitor ongoing compliance, as with every adequacy determination, under Article 45 of the GDPR.

3. Clarification and Improvement of HIPAA and GDPR for Health Data

A virtue of a sustained dialog between the USA and the EU on health data privacy is that the two regions could clarify several gray areas under both HIPAA and the GDPR. For example, the GDPR has generous exceptions from consent and withdrawal requirements for research; however, it is not clear to what extent commercial entities may rely on these exceptions when they conduct healthcare research. Similarly, under HIPAA, covered entities are permitted to provide data to business associates for ‘data aggregation’ and analysis. It is not clear though whether such analysis has to be related to the services provided to the covered entity or if the business associate may use personal health information for their own commercial data-analytic purposes. Greater clarity under both laws about the boundary between research and care in the public interest, on the one hand, and secondary commercial research that should require additional consent, on the other, would be beneficial. Both regimes also exempt anonymized or ‘deidentified’ health data from any restrictions. A common definition of effective anonymization in health data would be welcome on both sides of the Atlantic. Further discussion could also clarify the definition of ‘specific and informed consent’ in the context of healthcare research. Both HIPAA and the GDPR require that data subjects receive information about how their data will be used and, if an exemption does not apply, that they consent explicitly to any such use. This standard can be difficult to apply in medical research, where personal data are expected to be available for linkage, reuse, and analysis for largely undetermined future research purposes. Commentators have proposed a model of dynamic, ‘broad’ consent for scientific research where participants authorize unspecified future medical research uses, but researchers must seek ethics committee or some other form of representative participant committee review for each new category of use. 
That way, the risks if reidentification or other participant harms can be considered in real time and balanced against the benefits of the new use. On the flip side, the GDPR requires a stricter standard of consent where subjects are asked to approve use of sensitive health data for purposes beside research or care. If the USA were to adopt similar safeguards around meaningful patient consent, including rights of withdrawal and erasure outside of a care or bona fide research context, this would go a long way toward quieting fears about slippage of sensitive data from the regulated health sphere into the more rapacious commercial sector. Linking the two healthcare data regimes through an adequacy assessment would pave the way for common adoption of such standards.

C. Challenges With the Proposed Approach

Our recommendation for a HIPAA Shield is based on two assumptions: (i) that the USA is not poised to pass comprehensive data protection legislation in the near term and (ii) that the US medical establishment will remain committed to following international norms of patient confidentiality and ethical practice. Given the wide divergence between the EU and the USA on how to approach data privacy in most fields, but the substantial convergence as to information governance in the healthcare field, we think that a HIPAA-based Shield offers the easiest and most promising way forward. A potential weakness of a HIPAA Shield is that the same concerns about US government surveillance that underlie the cases against the Privacy Shield could also sink a HIPAA Shield. The Snowden revelations concerned a program called PRISM that allowed the government to track online communications between US citizens and foreign nationals. At present, there have not been credible reports of a similar widespread data collection program for surveillance of healthcare records. However, electronic health records are certainly exchanged electronically and so could be subject to US government surveillance through the existing programs. These records are not likely to be of much use for national security priorities at present, but as technologies develop and surveillance methods evolve, it is possible that health data held by providers and researchers could become useful for such purposes. If EU controllers have reason to believe that these data are likely to be surveilled inappropriately by US government authorities, the AG Opinion in Schrems II has suggested that they must refuse the transfer notwithstanding the presence of a shield or other general legal basis.

A more immediate drawback to a sector-specific regime is that it would only apply to certain custodians of information. Much information concerning health is collected by companies and actors outside the healthcare field, through apps, wearables, and search requests and posts on social media. The GDPR protects the fundamental rights of the data subject no matter who holds or processes the data. The US system places no restriction on actors outside the health sector using such information to track, monitor, and advertise to individuals based on intimate health details. This kind of information may even lead to discrimination in employment or insurance if businesses can easily reidentify subjects. Perhaps even more worrisome, the current US administration is in the process of proposing new rules that would require health care providers to send full electronic medical records to third-party apps after a patient has authorized the exchange. Patients may consent to such transfers without fully understanding that once the records leave the care of an entity covered by HIPAA, the information therein can be used for any purpose whatsoever. A comprehensive rule like the GDPR that applies to all custodians of sensitive personal information, rather than only to certain kinds of processors, is more protective. This is true, but such a rule is not yet attainable in the USA. A Shield based on an enhanced version of HIPAA would be an incremental first step toward more comprehensive rights for individuals over details about their health. As part of the adequacy process, the EC could require that enhanced standards of consent apply to any patient authorization to disclose medical record data. Some have proposed that medical charities and data protection bodies in Europe craft an overarching code of conduct or certification scheme under Article 40 of the GDPR that is specific to using personal data, including genetic and biometric data, in medical research. We support this idea, which has the benefit of linking protection to the type of data and use, rather than to the type of organization undertaking the processing. However, precisely because of the diversity of parties, interests, and uses that must be covered, drafting and implementing such a code may be difficult. The Biobanking and BioMolecular Resources Research Infrastructure-European Research Infrastructure Consortium has been working on such a code just for Europe since 2017 but has yet to release a draft. Even if such a code were approved, other regions may object to following a code monitored and overseen by a European supervisory authority. An ‘adequacy’ approach that builds off existing law in each region may be politically easier to achieve. An optional code of conduct, developed among and between an appropriately representative group of stakeholders, could then sit alongside sector-specific rules and provide guidance as to when onward transfers of medical data from primary caregivers or research studies might be appropriate.

V. CONCLUSION

International transfers of personal health data from the EU to the USA are vital for continued innovation in public health and biomedicine. Uncertainty about the application of the GDPR is threatening to unravel decades of productive research collaborations and networks of international expertise. Researchers and patients on both sides of the Atlantic require rules that protect the fundamental rights of individuals while also allowing research on treatments and therapeutics to move forward as swiftly as possible. The US–EU Privacy Shield cannot facilitate international transfers of medical data. It is neither fully adequate under EU law nor democratically legitimate under the US legal system. Its scope is too narrow to allow for the kinds of frequent, large-scale research transfers of medical data required for innovation in drug discovery, personalized medicine, and new uses of AI in medical devices. A HIPAA Shield could offer a better approach, one that is tailored to the use of data in research and achievable in the near term. A comprehensive data protection regime for the entire USA is still years away. Building upon existing law in an area where US and EU values fundamentally align is a pragmatic approach that sidesteps the most contentious issues while advancing important public policy aims.