Scientific Research & International Transfers of Data

Recently we’ve seen some developments regarding the rules that apply to international transfers of data.

On 4 June 2021, the European Commission issued:

to adopt two sets of standard contractual clauses (SCCs): one for use between controllers and processors, which in a way replaces the need to draft a Data Processing Agreement, and another governing the transfer of personal data to third countries, which replaces the three sets of SCCs that were adopted under the previous Data Protection Directive 95/46.

From a scientific research industry perspective, these new SCCs were game changers. Now, Sponsors of clinical trials could not only request processors to sign a standardized Data Processing Agreement, as per the new SCCs under Decision (EU) 2021/915, which would largely facilitate compliance across the organization, but could also demand that processors sign the same contracts with their sub-processors. This would not only bring consistency to the privacy approach taken by Sponsors as controllers and reflected in their processors, but could also be repeated down the chain with the sub-processors providing services in the scope of the research.

Another important development with the adoption of these new SCCs was the approach that Implementing Decision (EU) 2021/914 took to transfers and how it broadly increased their scope. Before, the SCCs adopted in line with the Data Protection Directive 95/46 (old SCCs) only governed how EU Controllers could transfer data to a Non-EU Controller or a Non-EU Processor.

Now, the SCCs allow for a broader scope and provide four modules for parties to adopt, depending on the circumstances:

  • Module 1: governs transfers between a controller and another controller (controller to controller)

  • Module 2: governs transfers between a controller and a processor (controller to processor)

  • Module 3: governs transfers between a processor and another processor (processor to processor)

  • Module 4: governs transfers between a processor and a controller (processor to controller)

The most important innovation with these new SCCs, apart from the obvious one, the long-awaited clauses governing transfers between two processors, is that the data exporter no longer needs to be established in Europe in order to use these transfer mechanisms, as long as it is subject to the GDPR by means of art. 3/2 (extraterritorial scope).

From a scientific research perspective, this means that Sponsors established in third countries that run clinical trials in Europe can now be data exporters of EU patients’ data to third-party providers located outside the EU.

However, to reach this conclusion, we have to read together not only recital 7 of the Implementing Decision (EU) 2021/914, but also the EDPB Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, as well as the discussion and clarifications provided by Isabelle Vereecken, Head of the EDPB Secretariat, about what a data transfer is under the GDPR.

To better understand the developments in question, let’s take a step back to recital 7 of the Implementing Decision (EU) 2021/914, which states the following:

A controller or processor may use the standard contractual clauses set out in the Annex to this Decision to provide appropriate safeguards within the meaning of Article 46(1) of Regulation (EU) 2016/679 for the transfer of personal data to a processor or controller established in a third country, without prejudice to the interpretation of the notion of international transfer in Regulation (EU) 2016/679. The standard contractual clauses may be used for such transfers only to the extent that the processing by the importer does not fall within the scope of Regulation (EU) 2016/679. This also includes the transfer of personal data by a controller or processor not established in the Union, to the extent that the processing is subject to Regulation (EU) 2016/679 (pursuant to Article 3(2) thereof), because it relates to the offering of goods or services to data subjects in the Union or the monitoring of their behaviour as far as it takes place within the Union.

Here, we see two concepts articulated: on the one hand, the EU Commission is saying that SCCs only apply to transfers of data to third countries to the extent the importer is not subject to the GDPR; on the other hand, it is saying that an exporter not established in the Union but subject to the GDPR by means of art. 3/2 (extraterritorial approach) can use SCCs to transfer data to importers located in a third country.

This position created some certainty in the scientific research industry that Non-EU Sponsors could now send data collected from EU clinical trial participants to processors located in third countries, using SCCs to provide adequate safeguards as per art. 46 of the GDPR.

But it also raised the question of whether or not there is a need to rely on adequate safeguards to receive such data in the Sponsor’s country of origin.

Would we need to rely on Module 4 (processor to controller) SCCs to adduce adequate safeguards in order to protect the personal data of EU clinical trial participants in the Sponsor’s country, or, because the Sponsor is directly subject to the GDPR by means of art. 3/2, would this already provide enough guarantees for the protection of personal data abroad?

What about the Schrems II Decision and the need to provide additional measures to compensate for lacunae in the protection of third-country legal systems?

In order to answer all those questions, the EDPB issued the Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, which are currently open for public consultation, so they are not final yet, but which intend to provide some clarification on whether or not adequate safeguards are needed when the processing by the importer is within the scope of the GDPR.

To start, the EDPB clarified the criteria for qualifying a processing as a transfer of personal data to a third country. In this regard, the EDPB has identified three cumulative circumstances that would qualify a processing as a transfer:

  1. A controller or a processor is subject to the GDPR for the given processing - either by means of art. 3/1 or 3/2;

  2. The controller or processor (“exporter”) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).

  3. The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Article 3.

And exactly there, on point 3, was where everything got more confusing!

What exactly was the EDPB implying by saying that a processing activity is a transfer even when the data importer in the third country is subject to the GDPR by means of art. 3/2?

The EDPB even stated that:

the controller or processor in a “transfer” situation (according to the criteria described above) needs to comply with the conditions of Chapter V and frame the transfer by using the instruments which aim at protecting personal data after they have been transferred to a third country or an international organisation.

These instruments include the recognition of the existence of an adequate level of protection in the third country or international organisation to which the data is transferred (Article 45) or, in the absence of such adequate level of protection, the implementation by the exporter (controller or processor) of appropriate safeguards as provided for in Article 46.

At this point, the question was: what to do regarding EU trial participants’ data that is received by the Sponsor in the third country? And what is the appropriate transfer mechanism to use in such cases, considering the SCCs clearly state they are not applicable in situations where the data importer is directly subject to the GDPR by means of art. 3/2? Should we still use the new SCCs on a voluntary basis? At some point, it seemed the right approach, simply because the other adequate safeguards as per art. 46 GDPR were more difficult to apply and couldn’t be implemented immediately, as they required the approval of the competent supervisory authorities (e.g. ad hoc clauses, BCRs, codes of conduct).

But the idea of relying on the new SCCs to cover transfers from the EU to an importer subject to the GDPR rapidly disappeared from my mind when Isabelle Vereecken, Head of the EDPB Secretariat, European Data Protection Board, clearly stated that, legally speaking, relying on these SCCs would be a risk, simply because the EU Commission has expressly excluded their applicability in such specific circumstances.

And right there, she made a remarkable point, alerting us to be sure that all three criteria, especially the second one, apply to the processing activity.

So I went back to the second criterion and realized that I was missing one very important aspect of the processing activity of a Non-EU Sponsor, which is how the disclosure happens.

In a clinical trial, as per the Guideline for good clinical practice (GCP), informed consent is:

A process by which a subject voluntarily confirms his or her willingness to participate in a particular trial, after having been informed of all aspects of the trial that are relevant to the subject's decision to participate. Informed consent is documented by means of a written, signed and dated informed consent form.

and even though the responsibility for collecting the informed consent form from the data subjects lies with the Investigator, it is the Sponsor who needs to draft the informed consent form and provide all relevant information about the trial to the participant, so that she/he is able to decide, taking into account all the information provided, whether or not to participate considering the risks, including the risks of processing personal data in third countries.

With this in mind, let’s go back to the clarification provided by the EDPB on criterion 2, especially where the EDPB says that:

This second criterion cannot be considered as fulfilled where the data are disclosed directly and on his/her own initiative by the data subject to the recipient. In such case, there is no controller or processor sending or making the data available (“exporter”).

To add to this point, it’s important to mention that when providing information to the trial participants through the informed consent form (ICF), Sponsors need to ensure compliance with art. 13 of the GDPR, “Information to be provided where personal data are collected from the data subject”, instead of art. 14, which covers situations where personal data have not been obtained from the data subject.

Here, it’s relevant to understand that even though the trial participant interacts with the principal investigator, he/she knows that they are providing their data to the Sponsor for the purposes of conducting the research, so there is no disclosure by transmission from the Principal Investigator to the Sponsor, but rather a direct collection of the trial participant’s personal data by the Sponsor, through a variety of service providers, subject to informed consent.

With this in mind, it’s important to say that, regardless of the fact that SCCs don’t apply to Non-EU Controllers subject to the GDPR by means of art. 3/2, and that when controllers collect data directly from the data subjects such processing activity does not qualify as a data transfer under Chapter V of the GDPR, this does not mean that controllers located in third countries do not need to ensure an essentially equivalent level of protection, as confirmed in the Schrems II Decision, and hence perform an assessment and apply relevant security measures to guarantee such a level of protection in the third country.

In this regard, the EDPB clarified the following:

Although a certain data flow may not qualify as a “transfer” to a third country in accordance with Chapter V of the GDPR, including example 5, such processing can still be associated with risks, for example due to conflicting national laws or government access in a third country as well as difficulties to enforce and obtain redress against entities outside the EU. The controller is accountable for its processing activities, regardless of where they take place, and must comply with the GDPR, including Article 24 (“Responsibility of the controller”), 32 (“Security of processing”), 33 (“Notification of a personal data breach”), 35 (“Data Protection Impact Assessment”), 48 (“Transfers or disclosures not authorised by Union law”), etc. Following from its obligation to implement technical and organisational measures taking into account, inter alia, the risks with respect to the processing under Article 32 of the GDPR, a controller may very well conclude that extensive security measures are needed – or even that it would not be lawful – to conduct or proceed with a specific processing operation in a third country although there is no “transfer” situation. For example, a controller may conclude that employees cannot bring their laptops, etc. to certain third countries.

To conclude, I am of the opinion that, in the scope of clinical trials, we do not need to raise SCCs with Institutions/Principal Investigators to transfer data from the EU to the Sponsor located in a third country, because the processing activities of the Non-EU Sponsor do not qualify as a data transfer but instead as a direct collection by a Sponsor subject to the GDPR, because it’s offering services and monitoring the behavior of subjects located in the EU. However, such a Sponsor would be required not only to ensure that the data processed in the third country is adequately safeguarded by applying the necessary security measures to the processing, including supplementary measures if necessary to ensure an essentially equivalent level of protection, but also to adduce adequate safeguards with data importers located in a third country that, regardless of being subject to the GDPR by means of art. 3/2, would receive the data for processing through a disclosure by transmission from the Controller.

Such an approach is consistent not only with recital 7 of the Implementing Decision (EU) 2021/914 but also with the EDPB Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, and it closes the loop on data transfers in the scope of clinical research, as the big question mark for a long time was how to regulate transfers of EU personal data to and from a Non-EU Sponsor. Now, it’s clear that the first disclosure to the Sponsor is not a transfer as per Chapter V of the GDPR and that transfers from the Non-EU Sponsor to third countries will rely on the recently approved SCCs.

DCA.
