What's New

Latest Updates

See the latest News from other Associations - click here

1 August 2016:  European Commission adopts the EU – US Privacy Shield

From August 1, 2016, US companies will be able to certify their compliance with the new EU-US Privacy Shield agreement.

The EU - US Privacy Shield is designed to protect the privacy rights of citizens of the European Economic Area (EEA) when their personal data is transferred to the USA.  This new framework is the replacement for the invalidated Safe Harbor Framework.  The Privacy Shield places stronger obligations on US organisations to protect the personal data of EEA citizens.  It requires greater transparency about transfers of personal data to the US and it offers more accessible redress options in case of complaints.

More details here - pdf 


July 2016: GDPR Update: more details here

The General Data Protection Regulation (GDPR) has now been agreed by the European Council, Parliament and Commission.  The final text was published in the Official Journal on 24 May 2016 and came into force on the 24th of May 2016, which means it will apply from 25 May 2018, giving us a two-year window to prepare.  The GDPR updates and replaces the current data protection rules based on the 1995 Data Protection Directive.

The Regulation will establish a single, pan-European law for data protection meaning that organisations deal with one law, not many laws.  However there will be some country variations as Member States still have discretion on specific provisions.  Over 50 articles have been left to member states to implement in their own national law - including provisions governing the processing of personal data for research purposes.

The new rules mean we must build in data protection by design and by default, carry out privacy impact assessments for riskier or larger scale projects, and implement privacy-friendly techniques such as pseudonymisation, data minimisation and encryption.  They are designed to be future-proof, technologically neutral, fit for innovation and big data analytics.

May 2016: The EU General Data Protection Regulation (GDPR) has been approved by the European Parliament

The GDPR updates and replaces the current data protection rules based on the 1995 Data Protection Directive. The final stage of the legislative process will be publication of the GDPR in the official journal, which is expected by June this year. Based on publication by June of this year, it will come into force in mid-2018, so members will have approximately two years to prepare.

The Regulation will establish a single, pan-European law for data protection, meaning that organisations deal with one law, not 28. However, there will be some country variations as Member States still have discretion on specific provisions. The new rules encourage privacy-friendly techniques such as pseudonymisation, anonymisation, encryption and data protection by design and by default. They are designed to be future-proof: technologically neutral and fit for innovation and big data analytics.

The GDPR will also mean that any company - regardless of whether it is established in the EU or not - will have to apply EU data protection law if they wish to offer their services in the EU.

EphMRA is currently working on providing you with more detailed guidance on the implications of the GDPR and will be in touch again soon.

May 2016: The EU-US Privacy Shield – Replacement for the Safe Harbor Agreement

European data regulators (the Article 29 Working Party) have recently reviewed and have expressed concerns about the EU-US 'Privacy Shield' (the successor to the now invalid Safe Harbour Agreement) which is designed to cover the transfer of data between the EU and the USA. The regulators said the latest version needs further amendments and clarification.

The European Commission has indicated that they are hoping to seek approval for the Privacy Shield in May with adoption in June 2016. When we have further news, we will be in touch again.

 

March 2016: Country Differences Grid - a handy guide showing the country differences in the Code - brought together for easy reference. Available via Members Login.

 

February 2016: Transfers of Personal Data to the USA – Latest update following the Safe Harbor Decision

As some of you may be aware, the European Commission and the United States have reached political agreement on a new framework for transfers of personal data to the USA: the EU-US Privacy Shield. However it is important to note that the European Commission will now need to draft the adequacy decision for the new framework, which will then need to go through the approval process. This may, or may not lead to formal approval of the new framework as providing adequate protection for transfers of personal data to the USA. In the meantime the current uncertainty will continue at least for the next two to three months. Therefore you still need to use EU Model Clauses or, if you have them in place already, Binding Corporate Rules as the basis for the adequate protection for any existing or new transfers of personal data to the USA.

What is the EU-US Privacy Shield?

This new framework is the replacement for the existing US-EU Safe Harbor framework; some commentators have described it as the planned "Safe Harbor v2". European Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, who made the announcement, stated the new arrangement reflects the requirements set out by the CJEU Safe Harbor judgement (Maximilian Schrems v. Data Protection Commissioner - C-362-14), and that the new framework is expected to come into force within three months.

The new EU-US Privacy Shield framework includes:

  • stronger obligations on companies in the US to protect the personal data of Europeans
  • stronger monitoring and enforcement by the US Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European data protection authorities
  • commitments by the US to limit public authorities' access to personal data, preventing generalised access
  • the possibility for Europeans to raise any enquiry or complaint in this context with a dedicated new Ombudsperson

However, it is important to note that, whilst political agreement has been reached, the agreement must now be drafted into an adequacy decision by the EU Commission setting out full details. The EU-US Privacy Shield framework adequacy decision will then need to go through the approval process, which may, or may not, lead to formal approval of the new framework as providing adequate protection for transfers of personal data to the USA.

What does this mean for current transfers and any new transfers being considered now?

As we explained in the previous update, the current US-EU Safe Harbor framework is invalid as a lawful basis for the transfer of personal data from Europe to the USA. This has not changed. Therefore you should have already identified and put in place an alternative mechanism for any existing transfers to the USA, or any new transfers that may take place in the next two to three months. The mechanisms you can consider using are:

  • unambiguous and explicit consent from individuals for the transfer of their personal data for processing in the US
  • use of the most appropriate standard contractual clauses (data controller to data controller, or data controller to processor) as set out in the relevant European Commission Decisions, more commonly known as the "EU model clauses"
  • or, for longer term transfers within a corporate Group, binding corporate rules (BCRs), although BCRs are time consuming and can be costly to implement, depending on the amount of external specialist implementation support required

The Article 29 Working Party (representatives of European data protection authorities) met on the 2nd and 3rd of February 2016 to discuss the implications of the CJEU judgement for international transfers. The Article 29 Working Party (Art 29 WP) confirmed that the EU Model Clauses and BCRs will remain valid adequacy mechanisms for international transfers until they are able to examine the new EU-US Privacy Shield framework in detail. The Art 29 WP statement called on the European Commission to provide full documentation by the end of February. The Art 29 WP will then examine the framework in detail, as well as whether EU Model Clauses and BCRs remain adequate following the CJEU judgement. Unfortunately this does mean the current uncertainty will continue at least for the next two to three months.

Statement from US Secretary of Commerce on EU-US Privacy Shield: Click here

European Commission press release on EU-US Privacy Shield: Click here

Article 29 Working Party statement on the consequences of the Schrems judgement on international transfers: Click here

THIS UPDATE HAS BEEN PREPARED AND PUBLISHED FOR INFORMATION PURPOSES ONLY AND IS NOT OFFERED, NOR SHOULD BE CONSTRUED, AS LEGAL ADVICE.

We will update you again when we have further news.
 
For your information, our previous update of November 2015 is here.

 

Other Updates

New EU Data Protection Regulation - November 2015 Update

March 2015 - EFPIA Disclosure Code requirements - overview by country - available to members only (via log in - Ethics)

January 2015: Disclosure requirements Update

In 2014 the EFPIA introduced a Disclosure Code to increase transparency with regard to interactions between the pharmaceutical industry and the healthcare profession. For market research (MR) this means that disclosure of MR payments to HCPs is required when pharmaceutical companies are aware of the identities of those participating in MR they have commissioned and MR-related payments (incentives and expenses) have been made to HCPs. If the HCP's identity is not known to the pharmaceutical company, disclosure is not required.

More details from EphMRA here

Information from EFPIA - via members log in - Ethics - January 2015

EFPIA Code on Disclosure of Transfers of Value from Pharmaceutical Companies to Healthcare Professionals and Healthcare Organisations. (EFPIA HCP/HCO DISCLOSURE CODE)

Frequently asked Questions - FAQ - available to members via log in


It is understood that unless there is a strong legal mandatory requirement, no deviations from the EFPIA HCP/HCO Disclosure Code should be envisaged by the Member Associations, which were required to transpose the Code in full by 31 December 2013.

These FAQs provide clarification and interpretation of the EFPIA Code provisions. They are provided as guidance; in addition, relevant national association codes and related guidance have to be considered.
