Hostname: page-component-586b7cd67f-dsjbd Total loading time: 0 Render date: 2024-11-28T17:09:23.872Z Has data issue: false hasContentIssue false

The European Union's Adequacy Approach to Privacy and International Data Sharing in Health Research

Published online by Cambridge University Press:  01 January 2021

Abstract

The European Union (EU) approach to data protection consists of assessing the adequacy of the data protection offered by the laws of a particular jurisdiction against a set of principles that includes purpose limitation, transparency, quality, proportionality, security, access, and rectification. The EU's Data Protection Directive sets conditions on the transfer of data to third countries by prohibiting Member States from transferring to such countries as have been deemed inadequate in terms of the data protection regimes. In theory, each jurisdiction is evaluated similarly and must be found fully compliant with the EU's data protection principles to be considered adequate. In practice, the inconsistency with which these evaluations are made presents a hurdle to international data-sharing and makes difficult the integration of different data-sharing approaches; in the 20 years since the Directive was first adopted, the laws of only five countries from outside of the EU, Economic Area, or the European Free Trade Agreement have been deemed adequate to engage in data transfers without the need for further administrative safeguards.

Type
Symposium Articles
Copyright
Copyright © American Society of Law, Medicine & Ethics 2016

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

Summary of Principles Agreed at the First International Strategy Meeting on Human Genome Sequencing, Bermuda, 25-28 February 1996 (HUGO, 1996), available at <www.ornl.gov/sci/techresources/Human_Genome/research/bermuda.shtml> (last visited October 9, 2015).+(last+visited+October+9,+2015).>Google Scholar
The Wellcome Trust, “Sharing Data from Large-Scale Biological Research Projects: A System of Tripartite Responsibility,” Fort Lauderdale, January 2003; Toronto International Data Release Workshop Authors, “Prepublication data sharing,” Nature 461, no. 7261 (2009): 168-170; Global Alliance for Genomics and Health (GA4GH), “Framework for Responsible Sharing of Genomic and Health-Related Data,” (2014).Google Scholar
See European Parliament and the Council of the European Union, Data Protection Directive 95/46/EC of October 24, 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, available at <http://eur-lex.europa.eu/LexUriServ/Lex-UriServ.do?uri=CELEX:31995L0046:en:HTML> (last visited February 19, 2016), at art. 25 [Data Protection Directive].+(last+visited+February+19,+2016),+at+art.+25+[Data+Protection+Directive].>Google Scholar
Id., at art. 29.Google Scholar
For this preliminary study, the jurisdictions of Guernsey, Jersey and the Isle of Man will not feature prominently in the analysis given their unique relationship with Europe, and in particular with the UK. As Crown Dependencies, citizens in these jurisdictions carry UK passports and benefit from the free flow of goods within the European Union. Andorra and the Faroe Islands have similarly unique relationships to France and Denmark respectively. It is of limited utility to compare these particular jurisdictions with those that lack these specific links.Google Scholar
See European Commission, Proposal 2012/0011 (COD) of January 25, 2012 for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), available at <http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf> [General Data Protection Regulation].+[General+Data+Protection+Regulation].>Google Scholar
See Data Protection Directive, supra note 3, at Art. 25.Google Scholar
Id., at Art 25(6).Google Scholar
Id., at Ch. IV.Google Scholar
See Data Protection Directive, supra note 3, at art. 31.Google Scholar
Working Party on the Protection of Individuals with Regards to the Processing of Personal Data, Working Document WP 12 on of July 24, 1998 on the Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive, available at <http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/1998/wp12_en.pdf> (last visited February 19, 2016) [WP12].+(last+visited+February+19,+2016)+[WP12].>Google Scholar
Id., at 6–7.Google Scholar
Wolf, C., “Delusions of Adequacy? Examining the Case for Finding the United States Adequate for Cross-Border EUU.S. Data Transfers,” Washington University Journal of Law & Policy 43 (2014): 227-257, at 251. See also W. J. Long and M. P. Quek, “Personal Data Privacy Protection in an Age of Globalization: The US-EU Safe Harbor Compromise,” Journal of European Public Policy 9, no. 3 (2002): 325–344.Google Scholar
See Wolf, , supra note 13.Google Scholar
Case C362/14 Maximillian Schrems v. Data Protection Commissioner [2015] CJEU.Google Scholar
Data Guidance, “EU: ‘Life Continues’ Despite CJEU Safe Harbor Ruling,” 2015, available at <http://www.dataguidance.com/dataguidance_privacy_this_week.asp?id=5072> (last visited February 19, 2016).+(last+visited+February+19,+2016).>Google Scholar
Other models have included: (1) Safe Harbor agreement for participating institutions or companies (invalidated as of 6 October 2015; (2) binding corporate rules which allow international data transfer between global units of corporations; (3) model contracts approved by European Union Data Protection authorities; (4) accountability within the organizations transferring data for ensuring compliance along the chain; and (5) third-party certification for an organization’s data management practices as is set out in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules. See Kosseim, P., Dove, E. S. and Baggaley, C. et al., “Building a Data Sharing Model for Global Genomic Research,” Genome Biology 15, no. 8 (2014): 430436.Google Scholar
As of October 2015, the jurisdictions found adequate (in alphabetical order) are Andorra, Argentina, Canada, Switzerland, Faeroe Islands, Guernsey, State of Israel, Isle of Man, Jersey, New Zealand, Eastern Republic of Uruguay. See European Commission, “Commission Decisions on the Adequacy of the Protection of Personal Data in Third Countries,” available at <http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm> (last visited February 19, 2016).+(last+visited+February+19,+2016).>Google Scholar
See Data Protection Directive, supra note 3, at art. 26.Google Scholar
See Kuner, C., Transborder Data Flows and Data Privacy Law (Oxford: Oxford University Press, 2013).Google Scholar
For example, see Mayer-Schönberger, V. and Cukier, K., Big Data: A Revolution That Will Transform How We Live, Work and Think (London: John Murray, 2013).Google Scholar
A Canadian survey conducted on a random sampling of adults revealed that government privacy impact assessment had a positive influence on 46% of survey respondents with regards to how they feel about participating in health research. See Teschke, et al., “Public Opinions about Participating in Health Research,” Canadian Journal of Public Health 101 (2010): 159-164, at 163.Google Scholar
While the Asia-Pacific Economic Cooperation has adopted its own data-sharing model, fewer jurisdictions have signed on to it. See Asia-Pacific Economic Cooperation, APEC Privacy Framework, available at <http://www.apec.org/Groups/Committee-on-Trade-and-Investment/~/media/Files/Groups/ECSG/05_ecsg_privacyframewk.ashx> (last visited February 19, 2016) and G. Greenleaf, “Global Data Privacy Laws 2015: 109 Countries, with European Laws Now a Minority,” Privacy Laws & Business International Report 133 (2015): 1-7, at 6.+(last+visited+February+19,+2016)+and+G.+Greenleaf,+“Global+Data+Privacy+Laws+2015:+109+Countries,+with+European+Laws+Now+a+Minority,”+Privacy+Laws+&+Business+International+Report+133+(2015):+1-7,+at+6.>Google Scholar
Greenleaf notes that the influence of ‘European standards’ remains paramount though an increasing number of non-EU countries are adopting their own data privacy laws. Id., at 3.Google Scholar
European Commission, Commission Decision 2003/490/EC of 30 June 2003 Pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Adequate Protection of Personal Data in Argentina, available at <http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32003D0490&from=EN> (last visited February 19, 2016).+(last+visited+February+19,+2016).>Google Scholar
See Wolf, , supra note 13, at 241.Google Scholar
Article 29 Data Protection Working Party, Opinion 07/2012 of 19 July 2012 on the Level of Protection of Personal Data in the Principality of Monaco, available at <http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp198_en.pdf> (last visited February 19, 2016).+(last+visited+February+19,+2016).>Google Scholar
France’s data protection agency.Google Scholar
Id., at 16.Google Scholar
Under the Data Protection Directive, sensitive personal data, such as that revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership call for additional safeguards. Data concerning health or sex life comprise a special category of data whose processing is prohibited except under certain exceptions. See Data Protection Directive, supra note 3, at Art. 8(1)-(2).Google Scholar
See the Article 29 Data Protection Working Party, Working Document on Genetic Data of March 2004, available at <http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2004/wp91_en.pdf> (last visited February 19, 2016).+(last+visited+February+19,+2016).>Google Scholar
See WP 12, supra note 11, at 7.Google Scholar
Article 29 Data Protection Working Party, Opinion 2/2001 on the Adequacy of the Canadian Personal Information and Electronic Documents Act, available at <http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2011/wp182_en.pdf#h2-10> [New Zealand Opinion] and <http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2001/wp39en.pdf> [Canada Opinion] (both last visited February 19, 2016).+[New+Zealand+Opinion]+and++[Canada+Opinion]+(both+last+visited+February+19,+2016).>Google Scholar
Article 29 Data Protection Working Party, Opinion 11/2011 on the Level of Protection of Personal Data in New Zealand, available at <http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp182_en.pdf> (last visited February 19, 2016).+(last+visited+February+19,+2016).>Google Scholar
Personal Information Protection and Electronic Documents Act (R.S.C. 2000, c. 5) [PIPEDA].Google Scholar
See Canada Opinion, supra note 33, at 3.Google Scholar
Indeed, it is unclear whether a principled-based approach necessarily offers more security than one that a contextual-based one. See McCullagh, K., “Data Sensitivity: Proposals for Resolving the Conundrum,” Journal of International Commercial Law and Technology 2, no. 4 (2007): 190201.Google Scholar
See Canada Opinion, supra note 33, at 3.Google Scholar
Article 29 Data Protection Working Party, Opinion 7/2014 of 4 June 2014 on the Protection of Personal Data in Québec, available at <http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp219_en.pdf> (last visited February 19, 2016) [Québec Opinion].+(last+visited+February+19,+2016)+[Québec+Opinion].>Google Scholar
An Act Respecting the Protection of Personal Information in the Private Sector, L.R.Q Chapter P-39.1 (1994) (Q.C.).Google Scholar
See Québec Opinion, supra note 39, at 10.Google Scholar
Under para 26(2)(b) of PIPEDA, the Governor in Council may designate provincial legislation as substantially similar to PIPEDA, thereby allowing provinces to regulate personal information management practices of organizations within their borders. The Federal government declared Québec’s legislation substantially similar to PIPEDA in 2003. See Office of the Privacy Commissioner of Canada, “Legal Information Related to PIPEDA: Substantially Similar Provincial Legislation,” available at <https://www.priv.gc.ca/leg_c/legislation/leg-rp_030611_e.asp#provincial> (last visited February 19, 2016); see also Office of the Privacy Commissioner of Canada, Privacy “Legislation in Canada,” available at <https://www.priv.gc.ca/resource/fs-fi/02_05_d_15_e.asp> (last visited February 19, 2016).+(last+visited+February+19,+2016);+see+also+Office+of+the+Privacy+Commissioner+of+Canada,+Privacy+“Legislation+in+Canada,”+available+at++(last+visited+February+19,+2016).>Google Scholar
As examples, she notes the Québec data protection law’s higher fines and broader scope as compared to PIPEDA. See Gratton, E., “Q: When Is Adequacy Never Adequate? A. When Québec’s Data Protection Law Is Considered ‘Inadequate’ for Europe,” Nymity, Privacy Interviews with Experts, July 2014, available at <https://www.nymity.com/~/media/Nymity/Files/Interviews/2014/2014-07-Gratton.pdf> (last visited May 29, 2015).+(last+visited+May+29,+2015).>Google Scholar
CRID, Analysis of the Adequacy of Protection of Personal Data Provided in Tunisia (2010).Google Scholar
Makulilo, A. B., “Data Protection Regimes in Africa: Too Far from the European ‘Adequacy’ Standard?” International Data Privacy Law 3, no. 1 (2013): 4250.Google Scholar
See New Zealand Opinion, supra note 34, at 10.Google Scholar
See Data Protection Directive, supra note 3, at Art. 25 which states: “The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection” (emphasis added).Google Scholar
Article 29 Data Protection Working Party, Opinion 3/2008 on the World Anti-Doping Code Draft International Standard for the Protection of Privacy, available at <http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2008/wp156_en.pdf> (last visited February 19, 2016).+(last+visited+February+19,+2016).>Google Scholar
Article 29 Data Protection Working Party, Second Opinion 4/2009 on the World Anti-Doping Agency (WADA) International Standard for the Protection of Privacy and Personal Information, on Related Provisions of the WADA Code and on Other Privacy Issues in the Context of the Fight against Doping in Sport by WADA and (National) Anti-doping Organizations, at 3, available at <http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2009/wp162_en.pdf> (last visited February 19, 2016).+(last+visited+February+19,+2016).>Google Scholar
Pijetlovic, K., “Fundamental Rights of Athletes in EU Post-Lisbon,” in Kerikmäe, T., Protecting Human Rights in the EU: Controversies and Challenges of the Charter of Fundamental Rights (New York: Springer, 2014): at 183.Google Scholar
See Article 29 Data Protection Working Party, “Letter from the Article 29 Working Party addressed to World Anti-Doping Agency, Regarding 3rd Stage of WADA’s Consultation in the Context of the Review of the World Anti-Doping Code and Its International Standards,” available at <http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2013/20130305_letter-to-wada_en.pdf> (last visited February 19, 2016).+(last+visited+February+19,+2016).>Google Scholar
For WADA’s perspective on how the WP 29 opinion will affect anti-doping practices in Europe, see World Anti-Doping Agency, “Summary of comments of WADA to the European Working Party advisory opinion on the International Standard on the Protection of Privacy and Personal Information,” available at <https://wada-main-prod.s3.amazonaws.com/resources/files/WADA_Summary_of_Comments.pdf> (last visited February 19, 2016). To respond to concerns regarding the uncertainty of whether WADA is governed by Canadian or Québec privacy legislation, the Government of Canada has introduced an amendment to PIPEDA whereby PIPEDA will apply to “[p]ersonal information that [WADA] collects, uses or discloses in the course of its interprovincial or international activities.” See Bill C-59, An Act to Implement Certain Provisions of the Budget Tabled in Parliament on April 21, 2015 and Other Measures, 3rd Sess, 41st Parl, 2015, Cl 13 and Schedule 2.+(last+visited+February+19,+2016).+To+respond+to+concerns+regarding+the+uncertainty+of+whether+WADA+is+governed+by+Canadian+or+Québec+privacy+legislation,+the+Government+of+Canada+has+introduced+an+amendment+to+PIPEDA+whereby+PIPEDA+will+apply+to+“[p]ersonal+information+that+[WADA]+collects,+uses+or+discloses+in+the+course+of+its+interprovincial+or+international+activities.”+See+Bill+C-59,+An+Act+to+Implement+Certain+Provisions+of+the+Budget+Tabled+in+Parliament+on+April+21,+2015+and+Other+Measures,+3rd+Sess,+41st+Parl,+2015,+Cl+13+and+Schedule+2.>Google Scholar
Blume, P., “EU Adequacy Decisions: The Proposed New Possibilities,” International Data Privacy Law 5, no. 1 (2015): 3439.CrossRefGoogle Scholar
See Makuililo, , supra note 46, at 4748.Google Scholar
Id., at 48.Google Scholar
See Greenleaf, G. and Bygrave, L. A., “Not Entirely Adequate but Far Away: Lessons from How Europe Sees New Zealand Data Protection,” Privacy Laws & Business International Report 111 (2011): 89.Google Scholar
Article 29 Data Protection Working Party, Opinion 6/2009 of 1 December 2009 on the Level of Protection of Personal Data in Israel, at 15, available at <http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2009/wp165_en.pdf> (last visited February 19, 2016) [Israel Opinion].+(last+visited+February+19,+2016)+[Israel+Opinion].>Google Scholar
See 35th International Conference of Data Protection and Privacy Commissioners, “History of Conferences,” available at <https://privacyconference2013.org/Conferences>. During a panel presentation at the IAPP Global Summit 2015 (where two of the authors of this article were also speakers) Yoram Hacohen, the former Head of the Israeli Law, Information and Technology Authority, mentioned the importance of holding the annual privacy conference in negotiations with the European Union..+During+a+panel+presentation+at+the+IAPP+Global+Summit+2015+(where+two+of+the+authors+of+this+article+were+also+speakers)+Yoram+Hacohen,+the+former+Head+of+the+Israeli+Law,+Information+and+Technology+Authority,+mentioned+the+importance+of+holding+the+annual+privacy+conference+in+negotiations+with+the+European+Union.>Google Scholar
See, for example, Kuner, C., Transborder Data Flow and Data Privacy Law (Oxford: Oxford University Press, 2013): at 160165.Google Scholar
See Bamberger, K. and Mulligan, D. K., “Privacy on the Books and on the Ground,” Stanford Law Review 63 (2011): 247315.Google Scholar
See General Data Protection Regulation, supra note 6.Google Scholar
Hustinx, P., “EU Data Protection Law: the Review of Directive 95/46/EC and the Proposed General Data Protection Regulation,” course given at the European University Institute’s Academy of European Law, July 2013.Google Scholar
Personal communication from New Zealand Assistant Commissioner Stewart to author (JS) (December 3, 2014).Google Scholar
Kuner, C., Transborder Data Flows and Data Privacy Law (Oxford: Oxford University Press, 2013): at 48.Google Scholar
See Schrems, supra note 13.Google Scholar
While such corporations may have the financial means to support the bureaucratic burden, this is less true of universities, research facilities and public institutions who carry out health research in an age of fiscal restraint.Google Scholar
See European Data Protection Supervisor, Leading by Example: The EDPS Strategy 2015-2019, available at <https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/Publications/Strategy/15-02-26_Strategy_2015_2019_EN.pdf> (last visited February 19, 2016) [EDPS Plan].+(last+visited+February+19,+2016)+[EDPS+Plan].>Google Scholar
Id., at 2.Google Scholar
Id., at 12–14.Google Scholar