There has been a lot of confusion in the past months on applying the General Data Protection Regulation (GDPR) to clinical trials. For example, the GDPR requires honoring specific individual rights such as notice, access and deletion. However, that seems to be at odds with a clinical trial sponsor’s desire not to interact directly with participants or know who they are because the sponsor only gets coded data from investigators or because the study is blinded. The European Commission has recognized the need for clarifications, and is preparing a Q&A on the interplay between the GDPR and Clinical Trials Regulation 536/2014 (CTR). Prior to releasing its Q&A (which has not yet been made public), the Commission has requested the European Data Protection Board (EDPB) to advise on the Q&A. The EDPB issued its opinion in that respect on January 23, 2019 (“Opinion”), which we analyze below.
Key Findings of the EDPB Opinion
The EDPB’s Opinion focuses only on the topic of the legal justification for and secondary use of personal data (while the Q&A will contain explanations of a range of other topics which are not yet all known).
1. On legal justification – The EDPB cautions against using consent as a legal justification under the GDPR in clinical trials, arguing that such consent is different from informed consent under clinical trial rules, and that other legal justifications are more suitable, such as legal obligation, public interest or legitimate interest (see the table further below).
2. On secondary use – The EDPB highlights the existence of a “presumption of compatibility” according to which “scientific research” outside the clinical trial protocol may still be deemed a compatible secondary use of the primary clinical trial research, thus not requiring its own legal justification.
These are useful clarifications, for example, for sponsors and investigators drafting clinical trial privacy documentation or considering retention practices and privacy assessments. However, selecting the appropriate legal justification will still require a fact-based assessment considering the conditions and implications of each legal basis laid out in the GDPR. Also, it is unclear to what extent the EDPB’s Opinion will lead to alignment within the EU, given the different approaches that have been taken at EU Member State level on the legal basis to use under the GDPR in the context of clinical trials so far.
We provide more explanation on each key finding of the Opinion below.
Legal Justification (Legal Basis/Derogation)
The Issue – Under the GDPR, the use of personal data is subject to one of the legal bases listed in the GDPR (GDPR Art. 6). Where sensitive personal data are at stake, such as health data, a stricter regime applies, i.e., processing sensitive data is prohibited unless specific derogations apply (GDPR Art. 9). One of these derogations is the explicit consent of individuals.
In parallel, EU clinical trial rules generally require that participants provide their informed consent to participate in a clinical trial. The purpose of this informed consent is essentially to safeguard human dignity and integrity (by explaining the risks and benefits of the clinical trial to individuals, for example). Given that informed consent is required from participants under clinical trial rules, there has been intense debate as to whether consent should also be used under the GDPR.
This has been a particularly thorny issue because the GDPR includes very strict conditions for consent (see GDPR Art. 7), and sets out that individuals may be entitled to have their personal data deleted if they withdraw their consent. Furthermore, an opinion of the Article 29 Working Party on consent, which the EDPB endorsed, took a very broad stance on the right to delete data. This created concern in the market as it clashed with the understanding in clinical trials that, even if a participant withdraws from the clinical trial, data collected prior to withdrawal may (and in many circumstances must) generally still be used. Also, it could threaten the quality and credibility of clinical trials if the data associated with individuals who withdraw from a clinical trial are not used to assess the clinical processes or the adverse reactions to a drug or device.
Finally, the CTR essentially cross-references to the Data Protection Directive, now GDPR, and vice versa, without making any clarifications. This simply creates self-referential documentation with no explanation.
The EDPB’s Answer – The EDPB distinguishes two main sets of activities in a clinical trial, namely (i) reliability and safety, and (ii) research activities. Each set falls under different legal justifications (see the table further below for the GDPR article references).
(i) Reliability and Safety
The EDPB believes that reliability and safety duties deriving from the CTR and relevant national provisions can be viewed as tied to the performance of a legal obligation and, where sensitive data are involved, of a public interest in the area of health. Those activities include notably:
1. safety reporting by the investigator to the sponsor, and by the sponsor to the European Medicines Agency
2. disclosures of clinical trial data to the national authorities responsible for inspecting the clinical trial
3. archiving of the clinical trial master file (25 years under the CTR) and participants’ medical files (as determined by national law)
(ii) Research Activities
The EDPB states that operations purely related to research activities in the context of a clinical trial cannot be derived from a legal obligation, and it identifies three alternative legal justifications:
1. individual (explicit) consent
2. a task carried out in the public interest, in conjunction (where sensitive data are involved) with public interest in the area of health or scientific research
3. where the clinical trial cannot be considered necessary for a public interest, legitimate interest in conjunction (where sensitive data are involved) with scientific research
Regarding consent, the EDPB seemed very skeptical as to the use of consent for research activities. In particular, the EDPB stressed that:
- consent under the CTR should not be confused with consent under the GDPR as they pursue different objectives (one relates to human dignity and integrity, the other to privacy)
- reliance on GDPR consent assumes that all of the conditions for valid consent under the GDPR are met. Particular attention should be given to ensuring “freely given” consent, which would not be the case where there is an imbalance of power between the participant and sponsor/investigator. According to the EDPB, “when a participant is not in good health condition, when participants belong to an economically or socially disadvantaged group or in any situation of institutional or hierarchical dependency,” then there is an imbalance of power. This suggests that a privacy consent would be very difficult to procure in the clinical trial context.
The EDPB concluded that “consent will not be the appropriate legal basis in most cases, and other legal bases than consent must be relied upon.”
The options other than consent as put forward by the EDPB appear to be consistent with guidance provided at the local level in France, Belgium and the UK, for example. However, it does seem to contradict guidance/rules in other countries which relied more on the use of consent, such as the Netherlands. It should also be noted that the “scientific research” exemption often comes with specific further restrictions (such as pseudonymization/anonymization) and must also be based on an EU or EU Member State law. This means that organizations will still need to check what specific conditions apply to scientific research locally.
Below is a table summarizing the justifications put forth by the EDPB.
The Issue – Within clinical trials, a “protocol” must be drafted to describe the clinical trial objectives among other details. Those objectives are then built into clinical trial documentation which is provided to participants. That said, clinical trials may last many years and discoveries may prompt the need for research beyond the protocol. However, according to the EDPB Opinion, the European Commission’s Q&A indicates that where the clinical trial sponsor/investigator wants to use personal data for any scientific purposes other than the ones defined in the protocol, that use would require another legal basis. This could create practical challenges, for example, where it would entail finding participants after a trial has ended to notify them of the new use and new legal basis or having to delete personal data after the primary use for the data has ended.
The EDPB’s Answer – The EDPB indicated that the GDPR contains a “presumption of compatibility” for certain types of secondary uses, namely those relating to archiving in the public interest, historical research, scientific research and statistical purposes performed in accordance with GDPR Art. 89.1. Where this is the case, the controller is able to process data for a secondary purpose without the need for a new legal justification. However, the EDPB also stressed that, given the complex nature of the issue, further guidance will be required. The EDPB does not indicate when to expect such guidance or how it will align with Member State rules.
The EDPB’s Opinion will be sent back to the European Commission. It is unclear, however, whether the European Commission will follow the EDPB’s Opinion, what the timing is for the Commission to revise the Q&A or when the Q&A will be made public.
Conclusion and Tips
The EDPB’s Opinion differentiates between consent under the GDPR and the CTR, identifies specific legal bases/justifications for personal data use in clinical trials, and provides that secondary use would not necessarily require a different legal basis. It remains to be seen, however, how the Opinion will play out in practice. In the past few months, EU Member States have taken different approaches to relying on GDPR consent in clinical trials, and it is unclear if or how rapidly all EU Member States will align, particularly because the EDPB opinions are not binding on the Member States. Until there is a harmonized approach, selecting the appropriate legal justification – and relying on the “presumption of compatibility” – in the clinical trial context will require an assessment at EU Member State level.
Also, there are a host of other issues that remain unclear in the clinical trial context, such as the role as controller or processor of investigators and sponsors, or whether the appointment of a representative under the CTR triggers the application of the GDPR, for example. It remains to be seen whether the European Commission’s Q&A will provide explanations on those topics as well.
Organizations involved in clinical trials should for the time being consider the following steps:
- Review clinical trial documentation templates against the EDPB’s Opinion.
- Check if consents for privacy and clinical trials are combined, and how to dissociate those consents.
- Consider whether to rely on consent at all under the GDPR in clinical trials given the EDPB’s views and, if not, what alternative legal bases are appropriate.
- Analyze the local conditions and implications of relying on “scientific research” for the processing of sensitive data and for secondary use (and impact on retention practices/policies).
- Map out key reliability and safety duties at the EU Member State level.