On April 10, 2019, the European Commission Directorate-General for Health and Food Safety (the “EU Commission”) issued new guidance (the “Q&A”) on the interaction between the Clinical Trials Regulation (EU) 536/2014 (“CTR”) and the General Data Protection Regulation (EU) 2016/679 (“GDPR”). The Q&A discusses, among other topics, appropriate bases for processing of personal data in the context of clinical trials. The Q&A builds upon recommendations of the European Data Protection Board (the “EDPB”) that were issued on January 23, 2019 in response to an earlier EU Commission document (the “EDPB Opinion”). We previously discussed the EDPB Opinion in an article for Bloomberg Law, available here.
Under GDPR Article 6, a data controller requires a legal basis for each activity involving the processing of personal data. Moreover, if the personal data involve “special categories” of personal data, such as data concerning health, genetic data, and data concerning race/ethnicity, the processing must also satisfy an exception under GDPR Article 9. Because clinical trials typically involve health data or other special categories of data, processing of personal data in connection with a clinical trial typically requires that a controller demonstrate both a basis under GDPR Article 6 and an exception under GDPR Article 9.
Processing for Prospective Research
Following the approach of the EDPB Opinion, the Q&A proposes different bases for processing when conducting prospective clinical trials, depending on whether the controller is processing personal data for purposes of (1) reliability and safety, as required by CTR, or (2) research activities.
The Q&A follows the recommendations of the EDPB Opinion and states that processing for reliability and safety purposes should be pursuant to legal obligation of the controller under GDPR Article 6(1)(c) and “processing necessary for reasons of public interest in the area of public health . . . such as ensuring high standards of quality and safety of health care and of medicinal products” under GDPR Article 9(2)(i). The relevant legal obligations are those found under CTR. The guidance suggests that CTR might provide a basis for processing other than safety reporting, including for purposes of archiving of the clinical trial master file and the medical files of the subjects, as well as disclosure in the context of inspection in accordance with member state requirements. This reading of legal obligations imposed by CTR, broader than that found in the EDPB Opinion, appears beneficial for sponsors seeking to ensure that they maintain data necessary for compliance with CTR and member state equivalents.
On the other hand, when a controller is processing personal data for purposes of research in connection with the clinical trial protocol, the Q&A proposes that controllers can rely on either (1) consent (for purposes of GDPR Articles 6 and 9) or (2) a task carried out in the public interest or legitimate interest of the controller under GDPR Article 6(1)(e) or (f), respectively, and either “processing necessary for reasons of public interest in the area of public health . . .” (GDPR Article 9(2)(i)) or “scientific . . . research . . . purposes in accordance with Article 89(1) . . . .” (GDPR Article 9(2)(j)). Similar to the EDPB Opinion, the Q&A advocates against the use of consent due to concerns that participants could withdraw consent, as well as the imbalance of power between sponsors/investigators and participants.
Processing for Secondary Research
When processing personal data as part of secondary research, the Q&A recognizes the possibility that secondary research could be considered compatible with the initial purposes of processing under GDPR Article 5(1)(b), but it does not provide much color on when this test would be satisfied. Instead, the Q&A merely states that any such processing would need to be in compliance with the relevant legal basis and other obligations under GDPR and CTR, including the requirement of CTR Article 28(2) that sponsors obtain consent from research subjects to use data collected in the clinical trial for secondary research.
Processing for Emergency Clinical Trials
The Q&A additionally contains a discussion of processing of personal data in the context of emergency clinical trials conducted pursuant to CTR Article 35, in which subjects may be enrolled without first providing informed consent. According to the Q&A, the basis for processing personal data in such a trial is the public interest or legitimate interest of the controller under GDPR Article 6(1)(e) or (f), respectively. Notably, the Q&A also provides that processing in the context of emergency clinical trials could also be justified on the ground of vital interest of the data subject, which provides both a basis for processing personal data under GDPR Article 6(1)(d) and an exception for processing special categories of personal data under GDPR Article 9(2)(c).
The Q&A is helpful in providing additional guidance regarding the interplay between GDPR and clinical research, though it largely reiterates the recommendations of the EDPB Opinion rather than extending the existing guidance. As the Q&A discusses, “it is the data protection authorities (DPAs) of the Member States who are competent for monitoring and enforcing the application of the GDPR. . . . The data protection authorities’ role includes informing controllers and processors of their obligations and raising the general public’s awareness and understanding of the risks, rules, safeguards and rights in relation to data processing.” Thus far, data protection authorities have expressed varying preferences for bases for processing of research data for prospective and secondary use. It therefore remains to be seen whether the Q&A, coupled with the EDPB Opinion before it, will lead to greater uniformity in approach to this topic across member states.