In an era of “big data,” companies across all industries are collecting consumer information to provide effective solutions to problems or better market their products. Industry watchdog groups have long been concerned about the implications of data collection on consumer privacy. These issues become even more complex when conducting transactions across international borders. A recently drafted European Union-United States Privacy Shield agreement is intended to clarify the privacy principles U.S. organizations must meet to comply with EU privacy laws.
Importance of Safe Data Transfer Across Global Boundaries
The transatlantic trade between the United States and EU countries represents an estimated $426 billion in transactions, according to the U.S. Census Bureau. This includes the activity of more than 4,400 companies that conduct business and legally transfer data between the U.S. and EU. A large volume of this data consists of information needed to process credit card payments or ship items to EU consumers.
In addition to commercial transactions, however, safe data transfer is essential for research in the biotech sector. Pharmaceutical and biotech companies often collect consumer data that is used to improve medical services or perform research. The sharing of this information is critical to research progress for some of our largest public health problems. However, companies have an ethical obligation to protect data against data breaches or excessive sharing with third parties.
Challenges Associated with Safeguarding Consumer Data
One of the major challenges to safeguarding consumer data is the patchwork of laws that regulate the collection and sharing of this information. Within the United States, data is generally owned by the organization that collected it, and this information may be shared with third parties (there are notable exceptions, such as personal health information protected by HIPAA).
The European Union has much more stringent privacy protection laws. Thus, when conducting transatlantic transfers of information, it is important that U.S. companies meet EU standards for data collection. A critical component of this is obtaining informed consent from the consumer. Consumers must be given information on how their information may be used in order to consent to data sharing. To comply with EU regulations, information must also be protected from access by third parties, kept no longer than necessary, and processed for limited purposes.
Understanding the EU-US Privacy Shield
The EU-U.S. Privacy Shield agreement is designed to replace the Safe Harbour agreement that was nullified by the Court of Justice of the European Union in 2015. The EU court expressed concern that the Safe Harbour agreement did not do enough to protect the privacy of EU citizens involved in transatlantic information transfer.
The EU-U.S. Privacy Shield applies to all companies that provide services in the EU market. Companies must be considered a “data controller,” meaning that they have a physical presence in the EU. This could mean an office building, computer servers, or even cookies that are left on the personal computer of an EU consumer when visiting a website. The Privacy Shield still allows companies to collect personal information, but it places stricter rules on the ability of companies to transfer data onward to third parties.
Consequences of the EU-US Privacy Shield Agreement for the Biotech Industry
The EU-U.S. Privacy Shield agreement applies to all U.S. corporations, meaning that it has strong implications for work performed by the biotech industry. The Privacy Shield includes two major principles: organizations must provide consumers information about how they process personal data, and they must give consumers the option to opt out of third-party sharing. Furthermore, sensitive data such as medical information is regulated by an “opt in” policy. Thus, if companies are collecting sensitive information for research purposes, they must obtain informed consent from consumers that the data will be used for these purposes. This prevents corporations from collecting and using sensitive personal information without the individual knowing the extent of its use.
In particular, collaborative research performed by biotech corporations or partners must comply with the EU-U.S. Privacy Shield agreement. This means that companies must review their informed consent procedures and anticipate ethical hurdles that could affect their ability to collect important information. For those in rare disease research or the biobanking industry, it is essential to review privacy documents to ensure compliance with the Privacy Shield. Policies may need to be changed to improve transparency and allow consumers to make informed choices about how their data will be used. In consultation with privacy lawyers and ethics experts, biotech companies can continue to perform their important medical work without sacrificing consumer privacy.
Responsible use of data and compliance with consumer privacy doesn't have to deter research initiatives. Cutting edge technology is now being used to manage and integrate recruitment, scheduling, sample tracking, and other participant data. In our eBook, Next Generation Cohort Studies and Biobanking: How Cloud Technology is Accelerating Translational Research, we explore how mobile devices and cloud-based technology were used to cut time and cost in a prospective epidemiology cohort study called the California Teacher's Study (CTS).