Privacy Daily is a service of Warren Communications News.
DOJ Targets China

U.S., EU Regulations Pose Key Challenges to Health and Life Sciences Industries, Panel Says

The global health care and life sciences sectors face major regulatory challenges in the U.S. and Europe from data transfer and cybersecurity laws, speakers said Thursday during an IAPP webinar.


The U.S. has become increasingly concerned with preventing companies from accessing data that might fall under the jurisdiction of a foreign government, noted Jim Dempsey, IAPP Cybersecurity Law Center managing director. That and the fear of foreign actors stealing data led to DOJ's Bulk Data Transfer Rule, he noted.

The DOJ rule is the first foray by the U.S. into data transfer restrictions, said Goodwin privacy attorney Omer Tene. It doesn't come primarily from a privacy angle, but from the intersection of privacy, national security and trade regulation, he said.

One thing Democrats and Republicans agree on, Tene said, is the need to contain and compete with China. While the rule defines several countries of concern, it's likely to be applied most frequently to China, Macau and Hong Kong.

The rule focuses on data brokers and the FTC will enforce it, Tene said. It affects health care and life sciences companies in particular because among the list of prohibited data transactions are bulk human genomic, human epigenomic and biometric data. For human genomic data, he said, "bulk" means information about 100 or more people. For personal health data, the threshold is more than 10,000 U.S. persons.

There are two kinds of prohibited transactions, Tene said. One is data brokerage with a covered person or country of concern; the other involves sharing human genomic data, among other categories. These transactions can't be authorized even if cybersecurity measures are in place. Unlike in the privacy sphere, Tene noted, the rule applies to anonymized, pseudonymized and de-identified data as well.

Some transactions are restricted, not barred, Tene noted. These, which involve vendor, investment and employment agreements, are permitted, but are subject to conditions. Some transactions are exempt from the rule, including if the bulk data is needed for life sciences regulatory approval.

The rule applies to U.S. persons, including citizens, green card holders, foreign branches of companies organized under U.S. law (although not subsidiaries) and people physically located in the U.S. regardless of nationality, Tene said. It applies to data transfers by a covered person to someone with a material nexus with a country of concern.

The DOJ rule came into effect on April 8, and companies have 90 days (until July 8) to comply, Tene said. Non-compliance risks criminal and civil penalties, he added.

Asked what companies should do now, Legend Biotech Chief Privacy Officer Corey Dennis advised determining whether you fall within the scope of the rule, then understanding your data flows and addressing IT security systems. This will be hard for some organizations, he said, and some will decide not to do business with China.

A second challenge to the health and bioscience sectors comes from the EU Network and Information Security Directive 2 (NIS2), panelists noted. While the DOJ rule focuses on data and data transfers, which in Europe are governed by the General Data Protection Regulation, NIS2 covers internal information systems that process data, he said.

NIS2 covers digital infrastructure, pharmaceutical and medical device companies, and manufacturers, producers and distributors of chemicals, among many other sectors, said attorney Natallia Karniyevich, co-head of Bird & Bird's international cybersecurity steering group.

The directive covers the health sector, along with many other industries, such as energy, online marketplaces and public administrations, said Karniyevich. It's now in effect and European countries are adopting it into their national law, she added.

NIS2-covered companies should be determining what services and products fall under the law, updating policies, procedures and incident response plans, managing their contracts with customers and vendors, and establishing appropriate governance to ensure they also comply with other laws, such as the GDPR, Karniyevich added.

There are many parallels between the DOJ rule and NIS2, Legend Biotech's Dennis said. Both require data governance and having the right controls, as well as an understanding of an organization's data flows, he said, adding that the big challenge is putting operational plans in place and then carrying them out.