The GDPR Impact on Specimen Management in Clinical Trial Labs in the U.S.
phelps.com

THE GDPR DILEMMA FOR CRO & CLINICAL TRIAL LABORATORIES

THE ISSUE

What happens when the GDPR's data minimization rules run headlong into U.S. law mandating protracted data storage? This issue is more than a theoretical head-scratcher for U.S. laboratories and Contract Research Organizations (CROs) subject to both laws in the clinical trial context. The dilemma comes into particularly sharp focus when the GDPR's rules relating to personal data destruction clash with rote domestic law mandating protracted, inflexible holding times for study and lab data.

CROs and laboratories with global operations, and those that service clinical trials for multinational pharmaceutical companies, are on the front line of entities that must sort out the conflicting data minimization concepts of the GDPR and the data retention approach of U.S. law when they are subject to both GDPR and U.S. privacy and data management regulations. The competing laws can often be reconciled through strategic application of exceptions in GDPR.

In analyzing this issue, this commentary addresses:
• GDPR's policy of data minimization.
• The general policy of warehousing laboratory data advanced by U.S. law.
• The impact on CRO and clinical trial labs caused by the tension between U.S. law and GDPR.
• A proposed approach to reconciling GDPR's data minimization values with the policy of data retention advanced by U.S. law applicable to CROs and support labs.
• Identification of pitfalls in analyzing relevant GDPR provisions.

EU GENERAL DATA PRIVACY REGULATION (GDPR)

GDPR - ADVANCING A POLICY OF DATA MINIMIZATION

On May 25, 2018 the General Data Protection Regulation (GDPR) was enacted by the European Parliament to secure the privacy of personal data of persons located in the European Union (EU). It sets forth requirements that are binding on entities that possess or process the personal data of EU residents. As such, the GDPR generally applies to companies located in the EU. The Regulation can also apply to "controllers" or "processors" of data not located in the EU when they engage in activity that relates to EU-based organizations, to organizations that offer goods or services to EU residents, or to the monitoring or collection of data from persons in the EU.

Perhaps the most fundamental premise of GDPR is that the retention and use of personal data, once collected, should be restricted qualitatively and chronologically to the greatest degree possible. This concept of data minimization is advanced through rules that require data processors to purge data once the reason for having it no longer exists.[1] GDPR further empowers "data subjects" with the right of erasure,* which allows them to direct data processors to destroy their personal data without undue delay under certain circumstances and subject to exceptions.[2] The right to erasure promotes GDPR's overarching policy of minimizing unnecessary data storage. "Undue delay" generally means that personal data must be destroyed within 30 days of the request to destroy the personal data.[3]

*The right to erasure dovetails with the GDPR's general requirement that data "processing," which includes storage, is only lawful if:
• The subject consents.
• It is necessary for the performance of a contract.
• It is necessary for compliance with a legal obligation.
• It is necessary to protect the vital interests of the data subject.
• It is in the public interest.
• It falls within a legitimate interest of the controller or a related third party.

CURRENT CLIA REQUIREMENTS

In contrast to GDPR, both state and federal U.S. law relating to the retention of personal data by labs tends not to be circumstantial or based on an assessment of whether it is necessary to maintain the data to advance the purposes for which it was collected. Rather, it is typically rote and categorical. The Clinical Laboratory Improvement Amendments (CLIA) is the best example of this approach, but state laboratory regulations may impose more stringent retention standards.[4]

[Graphic: CLIA retention times of 2 years, 5 years, or 10 years (*time for pathology tissue remnants is contingent on completion of diagnosis) for the following record and specimen categories:]
• TEST REQUISITIONS & AUTHORIZATIONS
• TEST REPORTS (ALL OTHERS)
• LABORATORY QUALITY SYSTEMS
• SPECIMEN BLOCKS: PATHOLOGY
• ANALYTIC SYSTEMS & RECORDS (ALL OTHERS)
• CYTOLOGY SLIDES
• TISSUE REMNANTS: PATHOLOGY*
• ANALYTIC SYSTEMS & RECORDS: IMMUNOHEMATOLOGY & INFUSION RELATED
• HISTOPATHOLOGY SLIDES
• TEST REPORTS: PATHOLOGY, SUBSPECIALTIES, IMMUNOHEMATOLOGY, TRANSFUSION RELATED

INDUSTRY IMPACT

THE IMPACT FOR CRO & CLINICAL TRIAL LABS IN THE U.S.

The conflict between GDPR data minimization rules and U.S. law on data retention can be a significant compliance issue for clinical laboratories supporting clinical trials that are subject to both sets of regulations. Specifically, GDPR's data minimization rules, including the right of erasure, prohibit the protracted retention of personal data, which includes human tissue, when it is no longer necessary to advance the purposes for which it was collected. To achieve data minimization, GDPR imposes fluctuating, case-specific data retention ceilings on "processors." This approach contrasts with U.S. law, which typically imposes strict, categorical holding times for trial data and related laboratory testing results, including the underlying tissue and cellular specimens.

The impact arising from the conflict between GDPR and U.S. law can be particularly acute for U.S.-based labs because most routinize data and specimen holding times based on applicable domestic law and write them into lab policies and procedures that are followed by multiple layers of technicians and compliance personnel in multiple locations. As such, when a data subject invokes GDPR's right to erasure relative to lab-based information subject to U.S. law, efforts to comply with the request can impose substantial uncertainty, increased management costs and a heightened possibility of failure to adhere either to U.S. law, to GDPR, or possibly both.

RESOLVING THE DILEMMA

THE LEGITIMATE INTEREST EXCEPTION

Labs may be able to effectively reconcile GDPR's data minimization rules and U.S. data retention laws by invoking GDPR's legitimate interest exception to opt out of the Regulation's data minimization rules, including responding to right to erasure requests.

Under Article 6(1)(f) ("Legitimate Interest of Controller"), controllers and third parties can process or store data where it is necessary to pursue a legitimate interest. Labs subject to both the GDPR and categorical U.S. retention laws such as CLIA can argue that they have a legitimate interest in complying with applicable law because it is a condition to the continued operation and licensure of the controller and the laws advance an interest in patient protection. Article 6(1)(f)'s balancing test is passed because the extended retention may ultimately benefit the data subject by providing her access to critical health information when the need for it is discovered later.

To rely on this exception, CROs/labs must:
• Reply to any request for erasure by informing the subject that it is rejecting the request and why;
• Not use the retained data for any purpose extraneous to the study; and
• Dispose of the data securely at the end of the holding period mandated by U.S. law.

CROs/labs should also:
• Explain the retention protocol as part of the subject consent process at the beginning of the trial;
• Maintain pseudonymization relating to the specimen during the retention period.

TEMPTING BUT INAPPLICABLE EXCEPTIONS

OTHER EXCEPTIONS TO THE GDPR'S DATA MINIMIZATION RULES ARE SUPERFICIALLY TEMPTING GROUNDS FOR RETAINING DATA BUT ARE ULTIMATELY UNAVAILING:
• GDPR Article 89's exception for data that is processed for "scientific or historical research purposes" does not shield data processors working in the clinical trial context because (a) it does not authorize an exception to Article 17's right to erasure, and (b) it is dependent on the Union or an EU "member state" passing a law providing an explicit exception to other rights held by data subjects. Conflicting U.S. law is insufficient grounds to invoke the exception.[5]
• Consent to protracted retention as part of the study recruiting process likely will not suffice because the retention requirements of U.S. law must be obeyed by the processor regardless of whether the data subject consents or not. Thus, consent is arguably not "freely given" consistent with GDPR Article 9 and Recital 43 and, therefore, not effective.[6]
• GDPR's exception for holding data "necessary for performing a contract" may not be effectual because the exception has been narrowly construed to mean essential to the actual ability to perform the agreement, as opposed to merely related to the performance of an agreement.[7]
• Likewise, the "legal obligation" exception is inapplicable because the obligation must arise under Union or Member State law.[8]

As we step into a new world of data privacy, Phelps remains committed to building defensible compliance programs for CROs and clinical labs.

ABOUT US

Phelps Dunbar is able to meet the needs of clients in health care and life sciences due to extensive experience with health care providers and life sciences companies. We provide our health care clientele with counsel and advice regarding regulatory compliance, corporate transactions, and dispute resolution. We offer particular expertise in labor and employment, antitrust, employee benefits, intellectual property, financing and securities, and litigation.

Bob Hearn, Partner - Tampa | Raleigh
Bob Hearn has a long history of performing wide-ranging legal work in the clinical laboratory industry. Bob's practice focuses on representing health care providers and other highly regulated enterprises in litigation and with regard to regulatory, compliance and other business and operational matters. For the last 15 years, he has represented a national laboratory in an array of litigation matters, including claims arising from cytology and histology interpretations, prenatal genetic testing, result reporting discrepancies, blood coagulation studies, FDA-regulated tissue transplant testing, microbiology cultures, and phlebotomy and specimen collection injuries. He focuses extensively on defending misdiagnoses of cancer cases, particularly those arising from Pap smear screening and the diagnosis of dermatological and breast pathology. Bob's litigation work in the laboratory industry has fostered a strong skill set in cultivating and challenging specialized expert opinion testimony and a heightened ability to present technical issues to lay audiences.
Contact Information: 813-472-7579 | firstname.lastname@example.org

Nate Huff, Associate - Raleigh
A former federal prosecutor with nearly fifteen years of litigation experience, Nate concentrates his practice on federal and business litigation and white collar defense. He applies the insight of a prosecutor in leading internal investigations and preventing and responding to government enforcement actions.
Contact Information: 919-789-5307 | email@example.com

Jason Pill, Partner - Tampa
Jason Pill plays a leading role in litigating multiple state and federal data breach class action lawsuits. He has a deep knowledge of workplace and employment issues and helps companies train employees to reduce cybersecurity risks and respond appropriately when a breach occurs. Jason is the author of "You've Been Hacked, and Now You're Being Sued," The Florida Bar Journal, July/August 2016 (with Mike Hooker), and serves as a member of the University of South Florida's Cybersecurity for Executives Advisory Committee.
Contact Information: 813-222-7664 | firstname.lastname@example.org

Citations
[1] See Article 5, EU GDPR; see also Recital 39, EU GDPR.
[2] Article 17(1), EU GDPR.
[3] Article 12(3), EU GDPR.
[4] 42 CFR § 493.1105.
[5] Article 89(2), EU GDPR.
[6] Article 9(2), EU GDPR; Recital 43, EU GDPR.
[7] Article 6(1)(b), EU GDPR; Working Party Opinion 06/2014 (April 9, 2014), interpreting Article 7 of former Directive 95/46/EC.
[8] Article 6(3), EU GDPR; Recitals 40, 41, and 45, EU GDPR.