Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
On 8 Jan., the U.S. Department of Justice published a landmark rule that changed the landscape around cross-border transfers of personal information.
The DOJ's final rule limiting certain cross-border transfers of sensitive personal data prohibits or restricts U.S. persons from engaging in "covered data transactions," defined as transactions that involve any access by a "country of concern" or "covered person" to any government-related data or bulk sensitive personal data related to U.S. persons. It covers not only data brokerages but also vendor, employment and investment agreements that may involve access to covered data.
Most of the rule's provisions are expected to take effect 8 April.
The rule fully prohibits some transactions and places limits on others. Fully prohibited are covered transactions involving data brokerages and bulk "human 'omic data," which includes genomic, epigenomic, proteomic and transcriptomic data, as well as biospecimens from which such data can be derived.
Restricted transactions are those involving vendor agreements, employment agreements or investment agreements. The restricted transactions are allowed but only if the U.S. entity engaging in the transaction complies with certain cybersecurity, recordkeeping and audit requirements.
Key aspects for health care and life sciences companies
The rule designates six countries — the People's Republic of China, including Hong Kong and Macau, Cuba, Iran, North Korea, Russia and Venezuela — as "countries of concern."
Importantly, the rule's definition of a covered person includes, among others, any entity that is organized or chartered under the laws of, or has its principal place of business in, a country of concern, as well as entities that are 50% or more owned, directly or indirectly, by such an entity.
As such, the many health care and life science companies that provide access to data of U.S. persons to affiliates or vendors located in China will need to assess such arrangements carefully.
The rule also sets relatively low bulk thresholds for certain types of data frequently processed by health care and life sciences companies. For example, "bulk U.S. sensitive personal data" includes human 'omic data, or human biospecimens from which human 'omic data could be derived, of more than 1,000 U.S. persons or, in the case of human genomic data, more than 100 U.S. persons; biometric identifiers of more than 1,000 U.S. persons; and personal health data of more than 10,000 U.S. persons.
These thresholds are calculated by aggregating all transactions between a U.S. person and a covered person during the preceding 12 months. Unlike most privacy laws, the rule contains no blanket exclusion for anonymized, pseudonymized, deidentified or encrypted data. Many health care and life sciences entities will easily exceed the above thresholds as part of their normal business operations and thus would be covered by the rule.
Most transactions that exceed the bulk thresholds, and do not involve data brokerages, are restricted but not prohibited by the rule. However, it prohibits transactions involving bulk human 'omic data, or human biospecimens from which bulk human 'omic data could be derived. Health care and life science entities engaging in transactions with human 'omic data or biospecimens from which such data can be derived will need to review such arrangements carefully because of the rule.
Understanding key exemptions
The rule includes several exemptions, including two tailored to certain types of health care and life sciences transactions. First, it exempts transactions that involve "regulatory approval data" and are necessary to obtain or maintain regulatory authorization or approval to research or market a drug, biological product, device or a combination product, provided the U.S. person engaged in the transaction complies with certain recordkeeping and reporting requirements.
"Regulatory approval data" means sensitive personal data that is deidentified or pseudonymized consistent with the standards of the Code of Federal Regulations Title 21 Section 314.80 and that is required to be submitted to a regulatory entity, or is required by a regulatory entity to be submitted to a covered person, to obtain or maintain authorization or approval to research or market a drug, biological product, device or combination product, including in relation to post-marketing studies, post-marketing product surveillance activities and supplemental product applications for additional uses.
The rule indicates this exemption would, for example, permit a pharmaceutical manufacturer that is a U.S. person to submit bulk sensitive personal data of U.S. persons to a regulatory authority in a country of concern to obtain marketing approval for a drug. Additionally, this exemption permits bulk sensitive personal data of U.S. persons to be provided to a covered person when the covered person requires such data to make a submission to a foreign regulatory entity located in a third country that is not a country of concern.
This could be particularly helpful for cross-border licensing transactions in which a U.S. company licenses rights to a product to a company based in a country of concern for not only the country of concern but also for other foreign countries.
Second, the rule exempts transactions that are ordinarily incident to and part of clinical investigations regulated by the U.S. Food and Drug Administration under sections 505(i) and 520(g) of the Federal Food, Drug, and Cosmetic Act — that is, the investigational new drug application and investigational device exemption requirements — or clinical investigations that support applications to the FDA for research or marketing permits for drugs, biological products, devices, combination products or infant formula.
The rule also exempts transactions ordinarily incident to and part of the collection or processing of clinical care data indicating real-world performance or safety of products, or the collection or processing of post-marketing surveillance data, including pharmacovigilance and post-marketing safety monitoring, but only to the extent the transactions are necessary to support or maintain authorization by the FDA, provided the data is deidentified or pseudonymized.
This exemption may be particularly relevant for circumstances in which a clinical trial sponsor uses a contract research organization or central laboratory that is a covered person in the performance of the trial. It may also be useful in multiregional trials in which safety data need to be shared between clinical trial sites located in the U.S. and those located in a country of concern.
Best practices to ensure compliance
To navigate the rule and ensure compliance, health care and life sciences entities should conduct data flow analyses to understand fully if and how their data is accessed by covered persons. As part of this analysis, entities should simultaneously determine if any of the data flows exceed bulk U.S. sensitive personal data thresholds such that the transactions will be prohibited or restricted starting 8 April.
Entities should also revamp their contracting to implement diligence processes to identify covered persons and establish contractual limitations on agreements and licenses involving data transfers with third parties, particularly those involving genomic data or "data brokerages" under the rule.
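The data flow analysis described above has a mechanical core: for each covered-person counterparty, aggregate the U.S. persons whose data was accessed over the preceding 12 months, compare the totals with the bulk thresholds the article lists (100 for genomic, 1,000 for other human 'omic data and biometric identifiers, 10,000 for personal health data) and separate prohibited outcomes (data brokerage, bulk 'omic data) from restricted ones. The Python below is an added illustration of that check and is not code from the article or its authors. It assumes a simplified model: each transfer record carries a count of distinct U.S. persons, counts are summed per counterparty (which is conservative when the same individuals recur), genomic records also count toward the general 'omic threshold, and the counterparty identifiers, dates and counts in the sample are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Bulk thresholds from the article, expressed as "more than N U.S. persons".
THRESHOLDS = {
    "genomic": 100,     # human genomic data
    "omic": 1000,       # other human 'omic data or biospecimens
    "biometric": 1000,  # biometric identifiers
    "health": 10000,    # personal health data
}
# Bulk transfers in these categories are fully prohibited, not merely restricted.
PROHIBITED_CATEGORIES = {"genomic", "omic"}
# Thresholds are measured over the preceding 12 months (assumed here as 365 days).
LOOKBACK = timedelta(days=365)


@dataclass(frozen=True)
class Transfer:
    when: date
    counterparty: str        # identifier of the covered person (constructed)
    category: str            # one of the THRESHOLDS keys
    persons: int             # distinct U.S. persons whose data is accessed (assumed)
    data_brokerage: bool = False


def aggregate(transfers, counterparty, as_of):
    """Sum U.S. persons per category for one counterparty within the lookback window."""
    totals = defaultdict(int)
    brokerage = False
    for t in transfers:
        if t.counterparty != counterparty:
            continue
        if not (as_of - LOOKBACK < t.when <= as_of):
            continue  # outside the preceding 12 months
        totals[t.category] += t.persons
        if t.category == "genomic":
            totals["omic"] += t.persons  # genomic data is also human 'omic data
        brokerage = brokerage or t.data_brokerage
    return dict(totals), brokerage


def classify(transfers, counterparty, as_of):
    """Return (status, categories_over_threshold) for a counterparty."""
    totals, brokerage = aggregate(transfers, counterparty, as_of)
    hits = sorted(c for c, n in totals.items() if n > THRESHOLDS[c])
    if not hits:
        return "below_threshold", []
    if brokerage or any(c in PROHIBITED_CATEGORIES for c in hits):
        return "prohibited", hits
    return "restricted", hits


# Constructed sample transfers; none of these reflect real organizations.
SAMPLE = [
    Transfer(date(2025, 2, 1), "cro-cn", "health", 6000),
    Transfer(date(2025, 3, 15), "cro-cn", "health", 5000),
    Transfer(date(2024, 1, 10), "cro-cn", "health", 9000),  # older than 12 months
    Transfer(date(2025, 3, 1), "lab-hk", "genomic", 80),
    Transfer(date(2025, 4, 1), "lab-hk", "genomic", 40),
    Transfer(date(2025, 4, 2), "broker-x", "biometric", 2500, data_brokerage=True),
    Transfer(date(2025, 4, 3), "vendor-y", "biometric", 500),
]


def report(transfers, as_of):
    """Classify every counterparty seen in the transfer log."""
    parties = sorted({t.counterparty for t in transfers})
    return {p: classify(transfers, p, as_of) for p in parties}


if __name__ == "__main__":
    for party, (status, cats) in report(SAMPLE, date(2025, 4, 8)).items():
        print(f"{party:10} {status:16} {', '.join(cats) or '-'}")
```

Because the 12-month window is rolling, the same log can produce a different answer on a different as-of date, so the check belongs in a recurring review rather than a one-time assessment; the older "cro-cn" record in the sample drops out of the total for exactly that reason.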
The rule establishes data transfer restrictions regarding U.S. personal data that health care and life sciences companies have not historically faced. It will be important for such companies to carefully consider their existing privacy and cybersecurity programs to address these evolving requirements.
David Peloquin is a partner in Ropes & Gray's health care group; Corey Dennis, CIPP/US, CIPP/E, is the chief privacy officer and assistant general counsel at Legend Biotech; and Jake Barr, CIPP/US, is an associate in Ropes & Gray's data, privacy and cybersecurity group.