Latham & Watkins operates worldwide as a limited liability partnership organized under the laws of the State of Delaware (USA) with affiliated limited liability partnerships conducting the practice in France, Hong Kong, Italy, Singapore, and the United Kingdom and as an affiliated partnership conducting the practice in Japan. Latham & Watkins operates in South Korea as a Foreign Legal Consultant Office. Latham & Watkins works in cooperation with the Law Office of Salman M. Al-Sudairi in the Kingdom of Saudi Arabia. Under New York’s Code of Professional Responsibility, portions of this communication contain attorney advertising. Prior results do not guarantee a similar outcome. Results depend upon a variety of factors unique to each representation. Please direct all inquiries regarding our conduct under New York’s Disciplinary Rules to Latham & Watkins LLP, 885 Third Avenue, New York, NY 10022-4834, Phone: +1.212.906.1200. © Copyright 2019 Latham & Watkins. All Rights Reserved.
Latham & Watkins Data Privacy & Security Practice 22 March 2019 | Number 2473
EDPB Clarifies Use of Consent and Other Legal Grounds for Clinical Trials, but Challenges Remain European regulators are expected to align their processes and guidance to accommodate the EDPB’s recommended approach to processing special categories of personal data.
In January, the European Data Protection Board (EDPB) issued an opinion (Opinion) on the interplay between the General Data Protection Regulation (GDPR) and the Clinical Trials Regulation (CTR), which: (1) confirms that consent under the GDPR and CTR are different concepts; and (2) sets out the EDPB’s recommendations on the appropriate legal basis required for processing personal data in connection with clinical trials conducted in the EEA (which is unlikely to be consent). This Client Alert outlines the background to the Opinion, before delving into the most important guidance and takeaways.
Background
Legal Grounds for Processing Personal Data Under the GDPR, sponsors of clinical trials in the EEA (Sponsors) may legally process the personal data of trial subjects only if they have a legal basis to do so. Furthermore, as health information is considered a “special category†of personal data, processing that information requires both an Article 6 GDPR (Article 6) legal basis and an Article 9 GDPR (Article 9) condition.
Article 6 lists a limited number of permitted legal bases for processing special category data, including the following:
• The data subject has given consent. • The processing is necessary for compliance with a legal obligation to which the Sponsor is subject. • The processing is necessary for the purposes of the legitimate interest of the Sponsor or a third party
(but only if such interests are not overridden by the rights of the data subject). For consent to be valid under the GDPR, it must be freely given, informed, and capable of withdrawal. These conditions for validity set a high bar, which some argue may never be met in the context of clinical trials, given the imbalance of power between Sponsors and trial participants, who likely will not be in good health. Furthermore, should a data subject withdraw their consent, stopping all future processing of that subject’s data by the Sponsor may not be feasible, given the Sponsor’s legal obligations in connection with the conduct of the trial, the reporting of safety information, and the filing of subsequent applications for regulatory approvals for medicinal products.
Article 9 lists a limited number of conditions for processing special category data, such as health or genetic information, including the following:
• The data subject has given explicit consent. • Processing personal data is necessary for scientific research purposes in accordance with Article
89(1), based on EU or Member State law. Determining whether a Sponsor can rely on the “scientific research purposes†condition requires an analysis of the relevant EU or Member State law. The law varies among Member States in this regard, so the position is not harmonised across the EU.
Informed Consent for Clinical Trial Purposes The distinction between consent for GDPR purposes and consent required under EU clinical trials legislation is important to note. Prior to the GDPR, it was customary for Sponsors to rely on consent as their legal basis for processing personal data in connection with the clinical trial as well as for the data subject’s participation in the clinical trial, and it can now be challenging for organisations to untangle the connection between the two.
The CTR mandates that a clinical trial may be conducted only if each trial participant has given their informed consent to participate in the trial, with consent defined as the participant’s free and voluntary expression of their willingness to participate after being informed of all aspects of the trial that are relevant to their decision to participate1. A similar concept exists in the CTR’s predecessor legislation, the Clinical Trials Directive, which will continue to apply until the CTR becomes effective (six months after the successful completion and audit of the EU clinical trials portal, currently expected to take place in 2020).
Thus, while consent may not be an appropriate Article 6 legal basis or Article 9 condition for special category data for the purposes of the Sponsor’s ability to process personal data resulting from the clinical trial, the Sponsor’s legal obligation to obtain informed consent for the purposes of clinical trials legislation does not change.
Post-GDPR Inconsistency The GDPR entered into force before definitive guidance on its applicability to clinical trials and its interaction with EU clinical trials legislation was in place, leading to inconsistencies in how European regulators have approached the processing of personal data, in particular as to whether consent constitutes a valid ground for processing special category data.
Certain regulators, such as the UK’s Health Research Authority (HRA), which consulted with the UK’s Information Commissioner’s Office, have taken the view that under the GDPR consent is not an appropriate legal basis for processing clinical trial personal data and should be avoided. Regulators in other jurisdictions, such as the Spanish Agency of Medicines and Medical Devices, published guidance indicating that, notwithstanding the GDPR, consent continues to be the correct Article 6 legal basis and Article 9 condition for processing personal data in connection with clinical trials.
This divergence among Member States has created confusion and difficulty for Sponsors, who have in many cases adopted a different Article 6 legal basis and Article 9 condition from country to country in the EEA, depending on the guidance issued locally. For countries in which no guidance has been issued, Sponsors have been forced to make a judgment call based on their interpretation of the GDPR and often- conflicting local statements. That risk-based approach may now need to be updated as a result of the Opinion.
Latham & Watkins 22 March 2019 | Number 2473 | Page 3
Towards Clarity: Three Purposes for Processing Personal Data The Opinion provides commentary on a Q&A prepared by the European Commission’s Directorate General for Health to seek clarity on the perceived contradictions between the GDPR and the CTR. The EDPB has made certain recommendations and has requested that the European Commission update the Q&A to reduce its focus on consent as an appropriate Article 6 legal basis. The European Commission should now take on board these recommendations and update and publish the Q&A, and local regulators should issue updated guidance at the national level, in particular given the fact that scientific research is one of the areas in which the GDPR permits local derogations.
In its Opinion, the EDPB distinguishes between three purposes a Sponsor might have in the context of a clinical trial and confirms that each of these can (and often, should) have a different legal basis. Consent may be considered an appropriate legal basis for only one of the three purposes.
1. Processing for Reliability and Safety Purposes The Clinical Trials Directive and the CTR, once in force, impose a number of obligations on Sponsors connected with ensuring that clinical trials are reliable and safe. These obligations include safety reporting, maintaining and archiving a clinical trial master file, maintaining a copy of the medical files of subjects, and providing information to national authorities in the context of inspections.
The EDPB has confirmed that if a Sponsor can demonstrate that processing personal data is necessary to comply with a legal obligation, the Sponsor can use Article 6(1)(c) GDPR as its Article 6 legal basis, together with Article 9(2)(i) GDPR, which permits processing special personal data when “necessary for the reasons of public interest in the area of public health, such as [...] ensuring high standards of quality and safety of health care and of medicinal products or medical devices […]â€. The EDPB considers that the obligations set forth in the CTR relating to safety reporting and archiving the clinical trial master file (or in relevant national laws) will satisfy this legal basis.
2. Processing for Primary Research Purposes The EDPB distinguishes between processing tasks related to the reliability and safety of the trial and processing tasks that are “purely related to research activitiesâ€. The latter category includes any tasks the Sponsor undertakes in connection with the design and manufacture of its products, rather than in response to a specific legal obligation. Therefore, a different Article 6 legal basis is required for processing personal data in connection with research activities.
Prior to the GDPR, consent has traditionally been considered appropriate for research purposes, but the EDPB has warned against using consent as a default ground because:
• Consent needs to be freely given and there are many circumstances in which this is not the case, e.g., when the data subject is “not in good health conditions,†or when the data subject “belongs to an economically or socially disadvantaged groupâ€. While the EDPB does not go so far as to draw a red line, these statements throw significant doubt on the availability of consent as a legal basis for the conduct of clinical trials with unhealthy as opposed to healthy volunteers. Local regulators, such as the HRA, have gone further and expressly ruled out consent as a valid Article 6 legal basis in these circumstances.
• A data subject must be able to withdraw consent and obtain the deletion of their personal data by the data controller, unless another legal basis also applies to the processing of the relevant personal
Latham & Watkins 22 March 2019 | Number 2473 | Page 4
data. However, consent withdrawal is problematic in the context of a clinical trial, which relies on the robustness and integrity of statistical data collected from subjects.
The Opinion therefore suggests one of the following legal bases instead:
• Task in the Public Interest: The processing may be “necessary for the performance of a task carried out in the public interest†pursuant to Article 6(1)(e) GDPR. According to the Opinion, the conduct of clinical trials should “directly fall within the mandate, missions, and tasks vested in a public or private body by national lawâ€. While this may apply to public or academic institutions, this legal basis is unlikely to be available to commercial Sponsors. Furthermore, the scope of processing permitted will depend on the scope of the provision of EU or Member State law relied on by the Sponsor.
• Legitimate Interests: Sponsors that are unable to point to such a mandate, mission, or task should be able to argue that the processing is “necessary for the purposes of the legitimate interests pursued by the controller†under Article 6(1)(f) GDPR. The Article 9 condition can then be either “reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care and of medicinal products or medical devices†(Article 9(2)(i) GDPR) or “scientific […] research purposes†(Article 9(2)(j) GDPR). Each of these Article 9 conditions, however, needs to be available under applicable EU or Member State law, such as the UK Data Protection Act 2018. Furthermore, trial subjects whose data is processed based on legitimate interests have the right to object to such processing under Article 21 GDPR and Sponsors may face a problem in the event that a trial subject objects to the processing of data already collected for the purposes of the trial. A Sponsor should therefore check to see whether national law disapplies the right to object if the exercise of that right would prejudice the integrity of the trial. For example, the UK Data Protection Act 2018 disapplies the right to object if an objection would “prevent or seriously impair the achievement of the [research] purposes in questionâ€.
3. Processing for Secondary Purposes Outside of the Protocol Sponsors may also wish to use data collected in the course of a clinical trial for follow-up scientific research that is not directly covered by the protocol for the original trial. Under the CTR, consent to this secondary use should be sought from the data subject at the time informed consent to participate in the original trial is sought.
Article 5(1)(b) GDPR states that further processing for scientific research purposes, conducted in accordance with Article 89(1) GDPR (which sets out adequate safeguards and derogations) should be presumed not to be incompatible with the initial purposes for which it was collected, meaning that no additional Article 6 legal basis will be required for such processing. However, a condition under Article 9 is still required, and Article 9(2)(i) or (j) GDPR may apply, provided there is such permission in EU or Member State law. The Opinion does not definitively confirm when the presumption of compatibility would apply in this context and states that the EDPB intends to revisit these matters in the future, given their complex nature.
Practical Takeaways While the Opinion brings some much-needed certainty to the area of consent and other legal grounds for clinical trials, challenges remain. Outlined below are the key challenges to bear in mind and the steps Sponsors should take when designing their research activities:
Latham & Watkins 22 March 2019 | Number 2473 | Page 5
• National laws are not entirely uniform in their implementation of the GDPR. National laws may pose additional hurdles before a particular ground can apply or may not even permit the use of some of the grounds mentioned above. Sponsors must consult national law when relying on the scientific research condition, in particular to confirm whether the trial subjects’ right to object can be disapplied if it would prejudice the trial’s research findings. National law may also limit the scope of processing, as permitted by the GDPR. Sponsors should therefore carefully consider local laws when planning clinical trial activities. The discrepancies among national laws present a particular challenge for trials that include a number of European jurisdictions simultaneously. In such cases, Sponsors should consider the regime in each candidate country at the earliest opportunity and plan their trial accordingly.
• It may take a while for all regulators to fall in line. European regulators are expected to follow the Opinion and align their processes and guidance to accommodate the approach set out above. However, it remains to be seen how quickly this will happen and whether there will be a further period of uncertainty as national regulators and ethics committees reconsider and potentially revise their guidance. National laws may need to be passed or amended, which can take a considerable amount of time. In addition, a Sponsor’s processing activities in the context of a clinical trial are subject to the scrutiny of the national health research bodies in each European country, such as the HRA. There may therefore be a further delay while national health research bodies reconsider and potentially revise their GDPR-compliance guidance. Before national regulators produce updated guidance, Sponsors must form a view as to whether they will follow the Opinion or national guidance that may not yet be in line with the Opinion.
• Distinguishing between legal obligations and research purposes may be challenging. In practice, it may be difficult to distinguish between processing tasks that are undertaken in order to comply with legal safety and quality requirements and processing tasks that are undertaken for research purposes. For example, testing samples collected from trial subjects may fall under both categories. Sponsors should carefully consider their processing activities and take advantage of the legal obligations basis wherever possible.
• Informed-consent forms may need to be updated. Sponsors should consider updating their informed-consent forms and other data subject-facing documentation, such as supplementary fair processing notices, to refer to one or more legal grounds in place of consent. Different language may be required in different jurisdictions to comply with national guidance and practice. For example, the HRA has published standard GDPR-compliant language to be used in informed-consent forms and patient information leaflets, which would not necessarily be appropriate in other jurisdictions.
Latham & Watkins will continue to monitor and report on developments concerning the area of consent and other legal grounds for clinical trials.
Latham & Watkins 22 March 2019 | Number 2473 | Page 6
If you have questions about this Client Alert, please contact one of the authors listed below or the Latham lawyer with whom you normally consult:
Gail E. Crawford gail.crawford@lw.com +44.20.7710.3001 London Mihail Krepchev mihail.krepchev@lw.com +44.20.7710.1184 London Frances Stocks Allen frances.stocks.allen@lw.com +44.20.7710.4668 London
You Might Also Be Interested In
Clinical Trials Under the GDPR: What Should Sponsors Consider?
What a ‘No Deal’ Brexit Means for UK Data Privacy
EDPB Publishes Regulatory Guidance on Territorial Scope of GDPR
Client Alert is published by Latham & Watkins as a news reporting service to clients and other friends. The information contained in this publication should not be construed as legal advice. Should further analysis or explanation of the subject matter be required, please contact the lawyer with whom you normally consult. The invitation to contact is not a solicitation for legal work under the laws of any jurisdiction in which Latham lawyers are not authorized to practice. A complete list of Latham’s Client Alerts can be found at www.lw.com. If you wish to update your contact details or customize the information you receive from Latham & Watkins, visit https://www.sites.lwcommunicate.com/5/178/forms- english/subscribe.asp to subscribe to the firm’s global client mailings program.
Endnotes
1 Article 2(21) CTR.
