General Data Protection Regulation

Health Data in the EU and UK: Regulatory Trends and Developments

With the General Data Protection Regulation (GDPR) resulting in a rise in enforcement incidents, it is prudent for organizations operating in the health and life sciences industries across the United Kingdom, European Union (EU) and other European Economic Area (EEA) nations to assess their responsibilities regarding the gathering and handling of health data.

Major Points:

  • “Data concerning health” is a wide term; it doesn’t just apply to medical records. Policies and processing records should accurately capture all health data, including inference data.
  • Most EEA countries, and the United Kingdom, have national laws that supplement GDPR.
  • Consent is not the only legal basis for collecting, storing and using health data; there are other options available, but be aware that “insufficient legal basis for data processing” is a common type of GDPR violation.
  • If used, health data consents must be granular, specific and transparent, and they must break down all the purposes for which the data is being processed. Consent must be granted on an “opt-in” basis and not as a result of a pre-filled tick box.
  • Health data may be reused for genuine scientific research purposes provided the processing is compatible with the original use, appropriate safeguards are in place and any separate national law conditions are satisfied.
  • Privacy policies and transparency notices must be clear about the basis on which health data is processed.
  • Proceed carefully and consider reidentification risk when relying on anonymisation to process data; document any reidentification risk assessment and periodically review it in light of developments in publicly available data and the evolving risk environment. Technical measures, such as evolving encryption standards, should also be reviewed periodically.

Read more here.





VIDEO: Transfers of Health Data from the European Union to the United States in a Post-Schrems II World

In this video, McDermott Will & Emery partner Amy C. Pimentel explains the significance of health data transfers from the European Union to the United States in a post-Schrems II world. The recent Schrems II ruling invalidated the EU-US Privacy Shield, holding that the US legal regime on access to personal data does not contain adequate limitations and safeguards. Pimentel and McDermott’s Romain Perray also recently wrote about this topic for McDermott’s International News.

Access the article.





UK Employment Alert | What to Expect in UK Employment Law in 2018: GDPR, Brexit Negotiations and More

Whilst 2017 was anticipated to be a fairly static year for UK employment law, that did not in fact prove to be the case, and there were various notable developments. To a large degree, 2018 is likely to be defined by the ongoing Brexit negotiations and the passage of the EU Withdrawal Bill, which will, amongst other things, lay the framework for the future movement of EU workers to the United Kingdom. Employers should, however, be aware of some additional key developments on the horizon.

Continue Reading.





Key UK Employment Law Events in 2017 and Beyond

Current indications are that 2017 may be a fairly static year as regards employment law.

Whilst it is anticipated the government will trigger Article 50 to start Brexit negotiations, these are likely to last for at least two years, and existing employment laws are unlikely to feel any ripple effect from leaving the European Union for some time.

In the meantime, the Prime Minister has asked for a review, expected to take around six months, on whether current employment laws are adequate to protect the rights of the growing numbers of atypical workers. It is unlikely though that any resulting changes will come into effect in 2017.

There are, however, a number of key developments that employers will definitely need to get to grips with, or at least prepare for, in 2017.

Read the full article here.

*Cindy LaMontagne (Trainee) contributed to this article.





Brexit Update: The Effect of Brexit on Data Transfers between the United Kingdom and the European Union

With the United Kingdom having voted to leave the European Union (Brexit) on 23 June 2016, the free flow of personal data between the United Kingdom and EU and European Economic Area (EEA) countries is at risk. Should the United Kingdom also leave the EEA and thus become a “third country” for the purposes of data transfers, EU/EEA businesses that are currently retaining UK service providers or data centres to handle or store personal data, or are planning to do so, would have to carefully re-evaluate this decision.

Read the full article here.




