This article by Ropes & Gray partner Mark Barnes, associates Michael DiMaio and David Peloquin and Harvard Medical School professor Barbara Bierer, M.D. was published by Bloomberg Law on June 15, 2018.
The European General Data Protection Regulation (“GDPR”), which took effect on May 25, 2018, requires that all processing of personal data subject to the GDPR must have a legal basis under the GDPR’s Article 6. To process special categories of personal data, which includes health and genetic data, data controllers must demonstrate an additional basis under Article 9. There has been concern that various European Union Member State research and/or data protection authorities may determine that they disfavor consent as the basis for processing data in the research context. Such an approach disfavoring consent may, however, present inconsistencies in the obligations faced by sponsors of clinical research both under U.S. law as well as potentially the law of various EU Member States.
If consent is not relied upon as the GDPR legal basis for processing (Art. 6), then the alternative bases presumably would be, for universities and public authorities, the “task carried out in the public interest” basis (Art. 6(1)(g)), and for commercial sponsors and charitable research organizations, the “legitimate interests” basis (Art. 6(1)(f)). Similarly, if consent is not the basis for processing special categories of personal data (often called “sensitive personal data” (Art. 9)) in clinical research, then research sponsors presumably would be forced to rely upon the processing “necessary for scientific purposes” basis under Article 9(2)(j). At least one EU Member State human research authority—the U.K. National Health Service’s Health Research Administration (“NHS-HRA”)—previously issued a guidance document suggesting that it disfavors consent as a basis for processing data in research. However, this NHS-HRA view would appear fundamentally inconsistent with previous guidance from the EU’s Article 29 Working Party on Data Protection and Privacy, which recognized that gaining consent from subjects in clinical research has been the traditional approach, should continue, and could be reconciled with and incorporate consent for data processing. (Article 29 Working Party, Guidelines on Consent under Regulation 2016/679, pp. 27-28 (last modified April 10, 2018)). Similarly, the U.K. Information Commissioner’s Office (“ICO”) guide to consent as a basis for processing discusses rules on consent for scientific research purposes. Although the ICO does not require reliance upon consent as the basis for processing, it assumes that entities may rely upon consent as a basis for processing for scientific research, and identifies considerations for entities when doing so. (ICO, Lawful Basis for Processing: Consent). Furthermore, relying on consent for processing personal data in research has been an historical practice in the EU, as in other jurisdictions: since 1995, under the EU Data Protection Directive 95/46/EC, consent has been widely used for clinical research purposes as a basis for processing data and as a basis for transfer of personal data to jurisdictions that have not been found by the European Commission to have adequate data protection legislation.
A primary and understandable concern regarding using consent as a basis for processing personal data is the potential effect of data subjects’ withdrawal of consent. Yet each data subject right carries with it appropriate exceptions to that right, and such exceptions ought to apply in the research context. For example, if a data subject withdraws consent on which the processing of the subject’s personal data has been based, the data subject’s ability to seek erasure of the data is available only when there is no other legal ground for the processing. (Art. 17(1)(b)). In the event of a data subject’s withdrawal of consent, this would allow, for example, continued processing as necessary for scientific purposes, or if required for legal obligations, such as regulatory reporting to the U.S. Food and Drug Administration or European Medicines Agency. Indeed, the Article 29 Working Party Guidelines on Consent indicate that, “Controllers have an obligation to delete data that was processed on the basis of consent once that consent is withdrawn, assuming that there is no other purpose justifying the continued retention.… In that case, the other purpose justifying the processing must have its own separate legal basis. This does not mean the controller can swap from consent to another lawful basis.” (p. 22, f.n. 54) (emphasis added). One reasonable argument here would be that although a controller cannot “swap” one legal basis for processing for another, nevertheless, when a data subject enrolled in clinical research withdraws his or her consent for processing, then the data subject has fundamentally changed his or her legal relationship to the trial site and the trial sponsor. In that case, the data subject has moved from the status of research participant to that of a person not participating in research but whose data are, from a regulatory and scientific viewpoint, required to be retained and processed for regulatory and scientific purposes. Therefore, processing their data could be based on “legitimate interest” (Art. 6(1)(f)). Additionally, processing their “special categories” of personal data can be based on necessity in the “area of public health, such as … ensuring high standards of quality and safety of health care and of medicinal products or medical devices.” (Art. 9(2)(i)). This is not the controller “swapping” bases for data processing, but rather, the data subject, through his or her voluntary choice to withdraw from the research, fundamentally altering his or her own legal relationships to the site and sponsor.
Unfortunately, EU Member State law related to processing personal data for research remains unsettled and ambiguous. Article 9(2)(j) allows processing of special categories of data when necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) based on EU or Member State law. Article 89(1) in turn authorizes individual EU Member States to introduce technical and organizational safeguards for scientific research, and Article 89(2) authorizes derogations related to certain data subject rights. (Art. 89(1)-(2); Recital 156). However, because many EU Member States have not yet further specified these derogations, and because even those that have specified some derogations may not have done so comprehensively in regard to clinical research, reliance on Article 9(2)(j) presents problems for both industry and academic research sponsors.
In addition, a position that rejects consent as a basis for data processing in research potentially conflicts with U.S. and EU Member State law. In the U.S., Common Rule and FDA regulations require that informed consent forms contain a statement describing the extent, if any, to which confidentiality of records identifying the subject will be maintained. (45 C.F.R. § 46.116(5); 21 C.F.R. § 50.25(5)). Thus, research subjects already must consent to the processing of their personal data, and sponsors and researchers are required to include related operative language in the informed consent forms. Yet if consent is rejected as a basis for personal data processing in research, this required research consent would not be coterminous with consent to personal data processing for purposes of the GDPR. This presents a confusing situation for sponsors, researchers, and research subjects. Moreover, individual EU Member States are still developing national laws and regulations implementing the GDPR. To the extent that one or more EU Member States may disallow consent to be used under the GDPR as a basis for personal data processing, trial sponsors will be required to rely upon different bases for processing depending on the country of collection, presenting administrative hurdles and high transaction costs for clinical research in the EU—the situation that the GDPR was intended to prevent through standardization of approaches across the EU Member States.
It remains to be seen whether regulatory hostility toward the consent process as a basis for personal data processing will be adopted by research and data protection authorities in EU Member States. Industry and academic sponsors of research should carefully monitor further guidance on consent to processing under the GDPR and adjust their practices and legal documents accordingly.