Since the European Union (EU) General Data Protection Regulation (GDPR) became applicable on May 25, 2018, data protection regulators from the EU member states — gathered in the European Data Protection Board (EDPB) — have issued GDPR-focused opinions and recommendations at an increasing rate. With the GDPR being general in scope and industry-neutral, the EDPB quickly recognized that businesses require hands-on guidance on how to apply the new rules. Also, the ambiguity surrounding many provisions of the GDPR has triggered public demand for regulatory clarification, not in the least from life sciences companies.
On the short list of “hot topics” that has drawn the EDPB’s attention is the question whether consent should be used to justify the processing of personal data when conducting clinical trials in the EU.
One of the key requirements under EU data protection law is that the sponsor of a clinical trial must have a valid legal basis for processing a trial participant’s personal data. In the pre-GDPR era, most sponsors relied on (explicit) consent to cover the processing of trial participants’ data, often in combination with consent to participate in the trial. An opinion adopted by the EDPB last January suggests that sponsors may need to reconsider this consent-based approach.
According to the EDPB, in many trials a consent-based approach to processing personal data may no longer work, considering the strict conditions for valid consent and trial participants’ enhanced rights under the GDPR. Notably, the EDPB considers that the condition under the GDPR that consent be “freely given” will not be met if, for example, trial participants are not in good health condition or they belong to an economically or socially disadvantaged group. In those cases, the EDPB recommends using other legal bases in the GDPR.
As an alternative to consent, some sponsors may be able to justify the processing on a public interest ground if conducting clinical trials directly falls within the mandate, missions and tasks vested in them by national law. In other cases, the processing of personal data may be justified based on the sponsor’s “legitimate interests”. In addition, the EDPB takes the view that sponsors could rely on scientific research or public health derogations under the GDPR to justify the processing of “sensitive” personal data, such as health data. Processing of personal data relating to trial participants that is needed to comply with reliability and safety requirements (e.g., safety reporting by the investigator to the sponsor) is arguably covered by a “legal obligation” justification.
The EDPB also addressed the question how sponsors/investigators can justify “secondary” use of personal data collected in the context of a clinical trial, for purposes other than those identified in the initial protocol. Here the EDPB favors a pragmatic approach, based on the GDPR’s presumption of “compatibility”. This enables sponsors/investigators to further process data, under certain conditions, without the need for a new legal justification.
In a recent Q&A on the interplay between the GDPR and Clinical Trial Regulation 536/2014, the European Commission follows the views of the EDPB while emphasizing the need for a harmonized approach across the EU on how to justify the use of personal data in clinical trials. However, it remains to be seen if health and data protection regulators in all EU member states will apply these views in practice.