At this year’s European Society for Vascular Surgery (ESVS) annual meeting (ESVS Month; 29 September–29 October, virtual), the Vascular Low Frequency Disease Consortium (VLFDC) was a topic of discussion. Based on a presentation given at the meeting, Christian-Alexander Behrendt, Maarit Venermo, and Kevin Mani detail the challenges in Europe with participation in the VLFDC, and outline some possible solutions.
Over the last few decades, both health services research and the legal framework of the European Union (EU) have changed rapidly. Driven by comprehensive welfare reforms in the 1980s, various national registries have been established to improve the quality of care in vascular surgery.1 In 1997, the VASCUNET collaboration was founded to create a network of quality improvement programmes in European and Australasian countries.2 Although less than 3% of information at that time was stored digitally and only 1% of European inhabitants used the internet, the founding members soon realised that a cross-border exchange of data can prove advantageous to our patients.3,4
As we know, times have changed since then. Widespread use of social media, popular search engines, smartphones, wearables, and internet usage led to rapidly growing data with significant implications for the right to informational self-determination. The rise of commercially available anonymised health data led to public awareness when Sweeney et al used matching methods and different data to reidentify a public character.5 Patients became data subjects. Notably, the Treaties and Charter of Fundamental Rights of the European Union highlight the protection of personal data in several articles emphasising its central importance. Back then, the legal framework of the EU in regard of data protection and individual privacy was a potpourri of inconsistent national law, directives (e.g., 96/46/EC), and additional council decisions (e.g., 2008/977/JHA). To align Union law to an ongoing digital transition and developments in commercial and scientific data utilisation (Big Data, Smart Data), common data protection rules were developed as a pillar of citizens´ empowerment. 6–8
The General Data Protection Regulation (GDPR), which came into effect on 25 May 2018, created a uniform set of rules across the EU fit for the digital era. Within the first year of the GDPR, more than 200,000 complaints were filed and fines totalling more than €56 million were issued.3 Most recently, the US–EU Privacy Shield framework collapsed over a decision of the EU Court of Justice. For more than four years, the Privacy Shield regulated transatlantic data sharing under the GDPR. These recent developments created certain challenges for research projects that aim to send personal data to the USA, and are especially relevant to research on low frequency or even rare diseases.
The VLFDC, a long-standing collaboration of more than 75 institutions and 135 investigators in the USA and overseas, aims to collect large multicentric cohorts to provide sufficient power for drawing meaningful conclusions on rare diseases. To date, patients with orphan diseases are known to be underprivileged due to the paucity of evidence for obvious reasons. To improve this situation, the EU commission founded the first European Reference Networks to support cross-border healthcare and research on patients affected by rare, low prevalence, and complex diseases.
According to the GDPR, no personal data shall be processed outside Union law. Until August 2020, the Privacy Shield framework was the only exception under the assumption that the processing of personal data is lawful. Since any information relating to an identified or identifiable natural person including the combination of one or more factors “specific” to the physical, physiological, or genetic identity is considered as personal data, it appears challenging to anonymise health data gathered from patients with rare diseases. Moreover, the GDPR states that even the process of erasure or destruction (including the process of anonymisation) should be considered as processing what underlines the absolute necessity to obtain an explicite informed consent by the data subjects.
Adequate measures are necessary in order to not withhold a good cause from Europeans. The VASCUNET currently aims to implement a data privacy compliant and secured registry platform, the EUROVASC to lawfully collect health data from registries connected to the member states. Together with experts in data protection, security in distributed systems, and biostatistics, this interprofessional consortium will apply robust mechanisms to anonymise research data before sharing with institutions outside Union law. This includes concepts such as k-anonymity, differential privacy, l-diversity, and t-closeness in a “privacy by design” manner to address the risk of growing data in this field. The question arises what research collaborations can do until such a technical solution is available. For instance, previous transatlantic efforts switched to the comparison of aggregated results rather than patient- or procedure-related data. Another solution may be the development of distributed analyses what introduces additional challenges and technical requirements.
- Sigvant B, Mani K, Björck M. The Swedish vascular registry Swedvasc 1987–2018. Gefässchirurgie. 2019;24:21–26.
- Behrendt CA, Venermo M, Cronenwett JL, et al. VASCUNET, VQI and the International Consortium of Vascular Registries – unique collaborations for quality improvement in vascular surgery. Eur J Vasc Endovasc Surg. 2019;58:1–2.
- Behrendt CA, Müller T, Venermo M, et al. The VASCUNET manifesto on data privacy compliant real-world-evidence. Eur J Vasc Endovasc Surg. 2020;In Press.
- Hilbert M, López P. The World’s Technological Capacity to Store, Communicate, and Compute Information. Science. 2011;332:60–65.
- Sweeney L. k-anonymity: A model for protecting privacy. Int J Uncertain. 2002;10:557–570.
- Doctorow C. Big data: Welcome to the petacentre. Nature. 2008;455:16–21.
- Davenport TH, Patil DJ. Data scientist: the sexiest job of the 21st century. Harv Bus Rev. 2012;90(70–6):128.
- Behrendt CA, Joassart A, Debus ES, Kolh P. The Challenge of Data Privacy Compliant Registry-based Research. Eur J Vasc Endovasc Surg. 2018;55:601–602.
Christian-Alexander Behrendt is a consultant vascular surgeon and head of the research group GermanVasc at the University Medical Center Hamburg-Eppendorf in Hamburg, Germany.
Maarit Venermo is professor of vascular surgery at the University of Helsinki and and head of the Department of Vascular Surgery at Helsinki University Hospital in Helsinki, Finland.
Kevin Mani is professor of vascular surgery at Uppsala University in Uppsala, Sweden.
The authors have no disclosures.