New EU-U.S. Data Privacy Framework Provides a Viable Transfer Mechanism for Key-Coded Clinical Trial Data

Easily transferring key-coded data is key to conducting scientific research and developing impactful medications, therapeutics, and medical devices. Key-coded data is not transferable in reliance on the Privacy Shield Framework, but it will become transferable under the upcoming EU-U.S. Data Privacy Framework. VeraSafe, a law firm and consulting firm experienced in steering clinical trials through the requirements of the GDPR, local EU member-state legislation and regulatory guidance, explains why this development is so important for U.S.-based sponsors conducting clinical trials in the EU.

VeraSafe data protection professionals explained in a recent blog post that a replacement for the Privacy Shield Framework [1] was being finalized. The replacement will be called the EU-U.S. Data Privacy Framework (EU-U.S. DPF or DPF), a new transatlantic data transfer framework that has already received the draft approval of the European Commission. If the European Commission adopts a final adequacy decision for the DPF, the most straightforward, cost-effective and popular transfer mechanism for companies engaging in EU-U.S. data flows will be restored.

However, the original Privacy Shield Framework didn’t benefit all sectors equally: it left out a type of personal data transfer that is essential to the pharmaceutical industry. Luckily, the upcoming EU-U.S. DPF (or Privacy Shield 2.0) will fill the enormous gap that the Privacy Shield Framework created.

The Privacy Shield Framework excluded key-coded patient data from its scope. This exclusion precluded clinical trial sponsors and other parties involved in EU-U.S. transfers of key-coded patient personal data from relying on this cost-effective solution for one of the most common and vital types of transfers in the life sciences sector.

This situation forced clinical trial sponsors, contract research organizations (CROs), and researchers to find alternative mechanisms to transfer this data in compliance with the General Data Protection Regulation (GDPR). Many resorted to the Standard Contractual Clauses (SCCs). Yet, as organizations that have gone through the process of entering into SCCs and conducting transfer impact assessments (TIAs) for each data transfer to the U.S. know, signing SCCs and performing requisite TIAs is a time-consuming, expensive, and complex process.

The EU-U.S. DPF is a relief for the pharmaceutical industry. The U.S. Department of Commerce has drafted the Data Privacy Framework Principles (an update of the Privacy Shield Principles) and, with its updates, has extended the protections and benefits of the upcoming transatlantic framework to key-coded patient data processed under a clinical trial.

Before diving into the interplay between key-coded data and the EU-U.S. DPF, let’s familiarize ourselves with what key-coded data is.

Overview of Key-Coded Data (i.e., Pseudonymized Data)

The Purpose of Key-Coding

To protect the identity of participants of a clinical trial and to avoid jeopardizing the validity of the research study and results, investigators don’t ordinarily transfer raw data about the trial participants to the organizations sponsoring a clinical trial or the entities conducting the research on behalf of the sponsors. Instead, the data is key-coded at origin.

What Is Key-Coding?

Key-coding means replacing the identity of the individual trial participants with a new unique subject identification code (that is not derived from information related to the participant) and removing direct personal identifiers (such as name, date of birth, and the original recording identifiers) from the dataset.

Benefits of Key-Coding

Sponsors generally only receive study data in key-coded form, as it is not necessary to research directly on raw data. Using key-coded data protects the individuals’ identity while still permitting the addition of further research information as the study proceeds, clinical monitoring, and research oversight. 

Another advantage of key-coded data, as opposed to fully anonymized data (which would involve deleting the original dataset), is that it allows for decoding data and re-identifying data subjects in specific circumstances. For example, the ability to decode data allows drug regulatory authorities to verify the source and quality of safety and efficacy data collected during clinical trials and subsequently used in an application for a license to market a medicinal product.

Who Has Access to the Keys and Raw Data?

In the clinical trial context, only the researchers and the sponsor’s CROs overseeing the clinical trial typically have access to the raw data and/or the key that connects the key-coded data to individual patients, and they only process those in case they need to identify a research subject for specific reasons. For example, there may be instances when a patient may need to be contacted for follow-up medical attention.
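The key-coding steps described in this overview can be sketched in code. The following is an added example, not part of the original article and not VeraSafe's or any study's actual tooling; the field names, the SUBJ- code format, and the class and function names are assumptions made for illustration.

```python
import secrets

# Direct identifiers named in the article; the field names are assumptions.
DIRECT_IDENTIFIERS = ("name", "date_of_birth", "record_id")


class SiteKeyCoder:
    """Held by the investigator at the study site; never exported."""

    def __init__(self):
        self._code_by_record = {}   # original record id -> subject code
        self._key = {}              # subject code -> direct identifiers
        self.access_log = []        # (subject code, reason) for each decode

    def _new_code(self):
        # Random code: it is not derived from participant information, so
        # it cannot be recomputed or brute-forced from names or birth dates.
        while True:
            code = "SUBJ-" + secrets.token_hex(4).upper()
            if code not in self._key:
                return code

    def key_code(self, record):
        """Return the row that may leave the site for this record."""
        rid = record["record_id"]
        code = self._code_by_record.get(rid)
        if code is None:            # first record for this participant
            code = self._new_code()
            self._code_by_record[rid] = code
            self._key[code] = {f: record[f] for f in DIRECT_IDENTIFIERS}
        row = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        return {"subject_id": code, **row}

    def reidentify(self, code, reason):
        """Decode one subject; a stated reason is required and logged."""
        if not reason.strip():
            raise ValueError("re-identification requires a documented reason")
        self.access_log.append((code, reason))
        return dict(self._key[code])


# Constructed sample data (not real patients): two visits by one participant.
VISITS = [
    {"record_id": "H-1001", "name": "Ana Example",
     "date_of_birth": "1980-02-03", "visit": 1, "systolic_bp": 142},
    {"record_id": "H-1001", "name": "Ana Example",
     "date_of_birth": "1980-02-03", "visit": 2, "systolic_bp": 131},
]


def export_for_sponsor(coder, records):
    return [coder.key_code(r) for r in records]
```

Because the key table exists, the exported rows remain pseudonymized rather than anonymized data, which is the distinction the rest of the article turns on.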

Now that we’ve covered what is generally considered key-coded data, let’s discuss how this type of data was addressed in the original Privacy Shield Framework.

The Privacy Shield Framework Deliberately Excluded Key-Coded Data from Its Scope

The exclusion of key-coded data from the Privacy Shield Framework was not unintentional. The drafters of the Privacy Shield Principles dedicated an entire Supplemental Principle to discussing how the Framework applied to personal data processed in the context of medical or pharmaceutical research, and notably devoted section g. of Supplemental Principle 14 to explaining that key-coded data could not be transferred in reliance on the Privacy Shield Framework (emphasis added):

Invariably, research data are uniquely key-coded at their origin by the principal investigator so as not to reveal the identity of individual data subjects. Pharmaceutical companies sponsoring such research do not receive the key. The unique key code is held only by the researcher, so that he or she can identify the research subject under special circumstances (e.g., if follow-up medical attention is required). A transfer from the EU to the United States of data coded in this way would not constitute a transfer of personal data that would be subject to the Privacy Shield Principles.

However, Key-Coded Data IS Personal Data Subject to the GDPR Transfer Requirements

The GDPR and Applicable Guidance Say So

Key-coding is one type of data pseudonymization [2], and pseudonymized information still constitutes personal data subject to the GDPR. This is unequivocally stated in Recital 26 of the GDPR and guidance from the data protection authorities (DPAs) in the European Economic Area (EEA). For example, the former Article 29 Working Party stated in its Opinion 05/2014 on Anonymisation Techniques that key-coding does not, in and of itself, make a data subject unidentifiable, since it does not eliminate the possibility that the data could be restored to its original structure, either by applying a particular algorithm in the opposite way or by brute force attacks. The Working Party went on to state that “as long as the key or the original data are available (even in the case of a trusted third party, contractually bound to provide secure key escrow service), the possibility to identify a data subject is not eliminated.”

VeraSafe Asked the EEA DPAs to Confirm that Key-Coded Data is Personal Data. All the Respondents Did.

In a similar line of reasoning to that crystallized in Section g. of Supplemental Principle 14 of the Privacy Shield Framework, many clinical trial sponsors situated outside of the EEA think that the GDPR does not apply to their processing operations of key-coded data because they do not have access to identifiable patient data. In light of the widespread confusion about this issue, VeraSafe contacted DPAs in 34 EEA jurisdictions to ask them whether patient data processed under a clinical trial would be considered “personal data” even if the data was pseudonymized. The results of VeraSafe’s survey were published by the International Association of Privacy Professionals (you can read VeraSafe’s article here), but you can guess what they told us:

Yes, key-coded data is still personal data. Out of the 34 DPAs we polled, 24 confirmed that pseudonymized data is personal data, and many of them referred to Recital 26 in their response. None said anything to the contrary.

Therefore, the argument that key-coded data is not personal data, implied in the Privacy Shield Framework and sustained by many clinical trial sponsors, is incorrect in the opinion of the GDPR enforcers, i.e., the EEA DPAs. Consequently, its processing must conform to the GDPR, including the data exportation requirements. Specifically, the GDPR generally limits transfers of personal data outside the EEA to cases where there is an adequacy decision for that country, territory, sector, or organization (such as the Privacy Shield or the DPF) or where the personal data transferred is subject to other appropriate safeguards, such as the SCCs.

Then, Why Did Privacy Shield Leave Out Key-Coded Data?

It would be fair to assert that the decision to exclude key-coded data from being eligible for transfers under Privacy Shield contradicted the position of (at least the majority of) privacy regulators in the EEA that key-coded data is personal data. This position was already clear when the Privacy Shield was drafted and negotiated in 2016, so why did the drafters leave out this type of data?

We believe that key-coded data was excluded because some protections of the Privacy Shield Framework are difficult to implement with regard to it. However, this doesn’t mean that they’re impossible to implement. For example, as pharmaceutical companies do not have personally identifiable information of the participants of the trials they sponsor, it is virtually impossible for them to process data subject rights requests by themselves, such as giving specific patients information about the processing of their personal data under Privacy Shield Principle 1 (Notice), or even a copy of their personal data under Privacy Shield Principle 6 (Access). However, the accountability principle of the GDPR requires clinical trial sponsors, as data controllers, to ensure that the GDPR-required protection is achieved somehow. For example, even if the sponsor cannot directly contact the subjects to provide them with information about the processing of their personal data, it can certainly task the team at the study site where the clinical trial takes place with giving this information to the individuals.

The DPF Will Include Key-Coded Data in Its Scope 

On December 13, 2022, the European Commission published its draft adequacy decision for the EU-U.S. DPF, which concludes that the United States of America ensures an adequate level of protection for personal data transferred from the EU to U.S. DPF-certified companies. The decision is accompanied by the much-awaited text of the EU-U.S. Data Privacy Framework Principles issued by the U.S. Department of Commerce (pages 61 and following of the adequacy decision document), which now cover key-coded data (emphasis added):

g. Key-coded Data 

i. Invariably, research data are uniquely key-coded at their origin by the principal investigator so as not to reveal the identity of individual data subjects. Pharmaceutical companies sponsoring such research do not receive the key. The unique key code is held only by the researcher, so that he or she can identify the research subject under special circumstances (e.g., if follow-up medical attention is required). A transfer from the EU to the United States of data coded in this way that is EU personal data under EU law would be covered by the Principles.

The European Commission considered this inclusion when it determined that the material scope of the DPF was adequate [3].

This is great news for clinical trials sponsors because, if a final adequacy decision is adopted for the DPF, there will soon be a cost-effective cross-border transfer tool for key-coded data. 

The DPF May Be Accepted As a Valid Data Transfer Mechanism (Hopefully) in June or July 2023

There are more steps remaining before companies can rely on the DPF as a legal means for conducting EU-U.S. data transfers. In the coming months, the European Data Protection Board (EDPB) will provide an opinion on the European Commission’s draft adequacy decision regarding the DPF. Then, a committee composed of representatives of the EU Member States needs to give the green light to the updated framework. In addition, the European Parliament has a right of scrutiny over adequacy decisions. Only after that can the European Commission adopt the final adequacy decision in relation to the DPF. According to declarations of the European Commissioner for Justice, this is expected to happen around June or July 2023.

At that point, and following updates to the PrivacyShield.gov website to enable U.S. companies to certify their compliance with the new DPF, data will be able to flow between the EU and U.S. companies self-certifying under the DPF.

This means there is still time for companies in the pharmaceutical and biotech sector to start preparing for the DPF so that they can benefit from a cross-border data transfer framework that allows for efficient transfers of key-coded data for clinical research purposes as soon as it’s approved.

What Can Pharmaceutical Companies Do Now?

Now that it’s confirmed that the DPF will apply to key-coded data and that the European Commission has given its preliminary approval to this new framework, it is time to prepare. VeraSafe has been advising companies for more than 10 years in their data protection compliance efforts, and has assisted hundreds of organizations in certifying under the Privacy Shield and bringing their data transfers into compliance with the GDPR.

Also, independently of the outcome of the DPF, clinical trial sponsors conducting clinical trials in the EU are typically directly regulated by the GDPR, and therefore VeraSafe recommends ensuring that such clinical trials operate in compliance with the GDPR.

VeraSafe is your ideal partner in navigating the complexities of designing and operating clinical trials in compliance with the GDPR. Through numerous successful GDPR implementations ranging from small single-site phase I trials, to large multi-site phase III trials that involve clinical sites in multiple EU member states, VeraSafe has developed a highly accomplished practice at the intersection of clinical trials and the GDPR.

Take the first step now by contacting VeraSafe to discuss your questions and concerns.

  1. For those who are not familiar with the Privacy Shield, the Privacy Shield Framework was an approved mechanism for the transfer of personal data from the EU and Switzerland to the United States of America, meaning that companies would have “adequate” protections in place when transferring personal data to self-certified companies, as required by the GDPR. While the Privacy Shield remains operative, it cannot be used as a lawful mechanism to transfer personal data to the U.S.
  2. Pseudonymization is a technique that replaces or removes information in a dataset that identifies an individual.
  3. Paragraph 11 of the draft adequacy decision (on page 5) reads: “The Principles define personal data/personal information in the same way as Regulation (EU) 2016/679, i.e. as “data about an identified or identifiable individual that are within the scope of the GDPR received by an organization in the United States from the EU, and recorded in any form”. Accordingly, they also cover pseudonymised (or “key-coded”) research data (including where the key is not shared with the receiving U.S. organisation). […]”.
