A host of U.S. healthcare companies will be affected by a decision by Europe's highest court earlier this week to toss out a 15-year data-sharing compact between the U.S. and members of the European Union.
According to a U.S. Commerce Department website, health IT systems developer Epic Systems Corp. and GE Healthcare, data miners IMS Health, Quintiles and Wolters Kluwer, and drugmakers Pfizer and Johnson & Johnson, had all agreed to abide by the Safe Harbor Framework.
Some 4,500 companies have long been able to store users' personal data—everything from status updates and photos to personal information like bank details and home addresses—where they see fit, often in the U.S.
The E.U. ruled that data stored on U.S. computer servers isn't safe because of U.S. government spying.
Experts say the decision, which came after former U.S. National Security Agency contractor Edward Snowden revealed the extent of the NSA's surveillance programs, will hurt U.S. companies' operations.
The E.U. verdict does not ban the transfer of data, but it opens up the possibility that European regulators will be inundated by consumer complaints, making it hugely difficult to do business.
“This decision really focuses on the E.U.'s objection to national surveillance activities as opposed to companies' privacy practices,” said Joy Pritts, a U.S. privacy lawyer and consultant.
The provision would affect companies ranging from those that use the data for clinical research to those that need the information for treatment or employment purposes, said Pritts, the former chief privacy officer at the Office of the National Coordinator for Health Information Technology at HHS.
Pritts, a former research professor at Georgetown University, has written about the differences in privacy protections for healthcare data between the U.S., Canada and Europe and found the U.S. to be lagging.
Other experts agree.
"Congress should act quickly to provide greater privacy protections to everyone caught up in the U.S. mass surveillance dragnet, and help restore confidence in U.S. tech companies." said Jens Henrik-Jeppesen, director of European affairs for the Center for Democracy and Technology, a U.S.-based think tank.
Jeppesen said U.S. laws that allow surveillance of the content of communications should be revisited.
Epic Systems President Carl Dvorak said his legal staff doesn't believe the decision is a "major bump," adding there were alternate approaches to continuing normal support and implementation processes.
He did not share what those would entail.