Ronan Tigner and Miriam H. Wugmeister
Privacy + Data Security
There has been a lot of confusion in the past months on applying the General Data Protection Regulation (GDPR) to clinical trials. For example, the GDPR requires honoring specific individual rights such as notice, access and deletion. However, that seems to be at odds with a clinical trial sponsor’s desire not to interact directly with participants or know who they are because the sponsor only gets coded data from investigators or because the study is blinded. The European Commission has recognized the need for clarifications, and is preparing a Q&A on the interplay between the GDPR and Clinical Trials Regulation 536/2014 (CTR). Prior to releasing its Q&A (which has not yet been made public), the Commission has requested the European Data Protection Board (EDPB) to advise on the Q&A. The EDPB issued its opinion in that respect on January 23, 2019 (“Opinion”), which we analyze below.
Key Findings of the EDPB Opinion
The EDPB’s Opinion focuses only on the topic of the legal justification for and secondary use of personal data (while the Q&A will contain explanations of a range of other topics which are not yet all known).
1. On legal justification – The EDPB cautions against using consent as a legal justification under the GDPR in clinical trials, arguing that such consent is different from informed consent under clinical trial rules, and that other legal justifications are more suitable, such as legal obligation, public interest or legitimate interest (see the table further below).
2. On secondary use – The EDPB highlights the existence of a “presumption of compatibility” according to which “scientific research” outside the clinical trial protocol may still be deemed a compatible secondary use of the primary clinical trial research, thus not requiring its own legal justification.
These are useful clarifications, for example, for sponsors and investigators drafting clinical trial privacy documentation or considering retention practices and privacy assessments. However, selecting the appropriate legal justification will still require a fact-based assessment considering the conditions and implications of each legal basis laid out in the GDPR. Also, it is unclear to what extent the EDPB’s Opinion will lead to alignment within the EU, given the different approaches that have been taken at EU Member State level on the legal basis to use under the GDPR in the context of clinical trials so far.
We provide more explanation on each key finding of the Opinion below.
Legal Justification (Legal Basis/Derogation)
The Issue – Under the GDPR, any use of personal data must rest on one of the legal bases listed in the GDPR (GDPR Art. 6). Where sensitive personal data are at stake, such as health data, a stricter regime applies, i.e., processing sensitive data is prohibited unless specific derogations apply (GDPR Art. 9). One of these derogations is the explicit consent of individuals.
In parallel, EU clinical trial rules generally require that participants provide their informed consent to participate in a clinical trial. The purpose of this informed consent is essentially to safeguard human dignity and integrity (by explaining the risks and benefits of the clinical trial to individuals, for example). Given that informed consent is required from participants under clinical trial rules, there has been intense debate as to whether consent should also be used under the GDPR.
This has been a particularly thorny issue because the GDPR attaches very strict conditions to consent (see GDPR Art. 7), and provides that individuals may be entitled to have their personal data deleted if they withdraw their consent. Furthermore, an opinion of the Article 29 Working Party on consent, which the EDPB endorsed, took a very broad stance on the right to delete data. This created concern in the market because it clashed with the understanding in clinical trials that, even if a participant withdraws from the clinical trial, data collected prior to withdrawal may (and in many circumstances must) generally still be used. It could also threaten the quality and credibility of clinical trials if the data associated with individuals who withdraw from a clinical trial are not used to assess the clinical processes or the adverse reactions to a drug or device.
Finally, the CTR essentially cross-references to the Data Protection Directive, now GDPR, and vice versa, without making any clarifications. This simply creates self-referential documentation with no explanation.
The EDPB’s Answer – The EDPB distinguishes two main sets of activities in a clinical trial, namely (i) reliability and safety, and (ii) research activities. Each set falls under different legal justifications (see the table further below for the GDPR article references).
(i) Reliability and Safety
The EDPB believes that reliability and safety duties deriving from the CTR and relevant national provisions can be viewed as tied to the performance of a legal obligation and, where sensitive data are involved, of a public interest in the area of health. Those activities include notably:
1. safety reporting by the investigator to the sponsor, and by the sponsor to the European Medicines Agency
2. disclosures of clinical trial data to the national authorities responsible for inspecting the clinical trial
3. archiving of the clinical trial master file (25 years under the CTR) and participants’ medical files (as determined by national law)
(ii) Research Activities
The EDPB states that operations purely related to research activities in the context of a clinical trial cannot be derived from a legal obligation, and it identifies three alternative legal justifications:
1. individual (explicit) consent
2. a task carried out in the public interest, in conjunction (where sensitive data are involved) with public interest in the area of health or scientific research
3. where the clinical trial cannot be considered necessary for a public interest, legitimate interest in conjunction (where sensitive data are involved) with scientific research
Regarding consent, the EDPB seemed very skeptical as to the use of consent for research activities. In particular, the EDPB stressed that:
The EDPB concluded that “consent will not be the appropriate legal basis in most cases, and other legal bases than consent must be relied upon.”
The options other than consent put forward by the EDPB appear to be consistent with guidance provided at the local level in France, Belgium and the UK, for example. However, the EDPB’s position does seem to contradict guidance/rules in other countries which relied more on the use of consent, such as the Netherlands. It should also be noted that the “scientific research” exemption often comes with specific further restrictions (such as pseudonymization/anonymization) and must also be based on an EU or EU Member State law. This means that organizations will still need to check what specific conditions apply to scientific research locally.
Below is a table summarizing the justifications put forth by the EDPB.
| Activity | Legal Basis (GDPR Art. 6) | Derogation (GDPR Art. 9) |
| --- | --- | --- |
| Reliability and Safety (safety, disclosures, archiving) | Legal obligation (6.1(c)) | Public interest in the area of health (9.2(i)) |
| Research Activities | Consent (under specific circumstances) | Explicit consent (9.2(a)) (under specific circumstances) |
| Research Activities | Public interest (6.1(e)) | Scientific research (9.2(j)) |
| Research Activities | Legitimate interest (6.1(f)) (if public interest does not work) | Scientific research (9.2(j)) |
Secondary Use
The Issue – Within clinical trials, a “protocol” must be drafted to describe the clinical trial objectives, among other details. Those objectives are then built into the clinical trial documentation which is provided to participants. That said, clinical trials may last many years and discoveries may prompt the need for research beyond the protocol. However, according to the EDPB Opinion, the European Commission’s Q&A indicates that where the clinical trial sponsor/investigator wants to use personal data for any scientific purposes other than the ones defined in the protocol, that use would require another legal basis. This could create practical challenges, for example, where it would entail finding participants after a trial has ended to notify them of the new use and new legal basis, or having to delete personal data after the primary use for the data has ended.
The EDPB’s Answer – The EDPB indicated that the GDPR contains a “presumption of compatibility” for certain types of secondary uses, namely those relating to archiving in the public interest, historical research, scientific research and statistical purposes performed in accordance with GDPR Art. 89.1. Where this is the case, the controller is able to process data for a secondary purpose without the need for a new legal justification. However, the EDPB also stressed that, given the complex nature of the issue, further guidance will be required. The EDPB does not indicate when to expect such guidance or how it will align with Member State rules.
The EDPB’s Opinion will be sent back to the European Commission. It is unclear, however, whether the European Commission will follow the EDPB’s Opinion, what the timing is for the Commission to revise the Q&A or when the Q&A will be made public.
Conclusion and Tips
The EDPB’s Opinion differentiates between consent under the GDPR and the CTR, identifies specific legal bases/justifications for personal data use in clinical trials, and provides that secondary use would not necessarily require a different legal basis. It remains to be seen, however, how the Opinion will play out in practice. In the past few months, EU Member States have taken different approaches to relying on GDPR consent in clinical trials, and it is unclear if or how rapidly all EU Member States will align, particularly because the EDPB opinions are not binding on the Member States. Until there is a harmonized approach, selecting the appropriate legal justification – and relying on the “presumption of compatibility” – in the clinical trial context will require an assessment at EU Member State level.
Also, there are a host of other issues that remain unclear in the clinical trial context, such as the role as controller or processor of investigators and sponsors, or whether the appointment of a representative under the CTR triggers the application of the GDPR, for example. It remains to be seen whether the European Commission’s Q&A will provide explanations on those topics as well.
Organizations involved in clinical trials should for the time being consider the following steps:
Notes
The GDPR is the key legislation in the EU for the protection of privacy and personal data, which came into effect on May 25, 2018 (link).
The CTR is the new legislation in the EU for clinical trials. It was enacted in 2014, but its application is currently expected in 2020 (depending on the launch of an EU portal and EU database for clinical trial data) (link).
Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR) (Art. 70.1.b), January 23, 2019 (link).
In clinical trials, the “investigator” is the person, such as a doctor, who interacts directly with the clinical trial participant at a site (e.g., a clinic), conducts exams, provides clinical trial documentation to participants, etc. The “sponsor” is an organization on the back-end that, for example, funds or manages the clinical trial. However, pursuant to Good Clinical Practice, the sponsor generally does not interact directly with the participant and only receives from the investigator coded data about the participant (so that the sponsor cannot identify that participant by name). For more information, see, e.g., https://www.ipmpc.org/dpa-workshop (Role of the Parties in Clinical Trials).
Article 29 Working Party (“WP29”) guidelines on consent under Regulation 2016/679, November 28, 2017, WP259 (link): “if consent is withdrawn, (…) the controller must stop the processing actions concerned. If there is no other lawful basis justifying the processing (e.g. further storage) of the data, they should be deleted by the controller.”
To be clear, the EDPB is not stating that consent is an absolute no-go. However, given how onerous consent is under the GDPR as interpreted by the WP29/EDPB, relying on consent would have to be carefully assessed for specific cases. Also, consent requires multiple practical steps and encumbrances, such as operationalizing consent and being granular, recording consent, managing withdrawals back to the sponsor and deletion risks, etc.
CNIL, Recherches dans le domaine de la santé: ce qui change avec les nouvelles méthodologies de référence (Health research: what changes with the new reference methodologies), July 16, 2018 (link).
Belgian preparatory works for the GDPR (link), June 11, 2018, page 211.
Information Governance Alliance, The General Data Protection Regulation: Guidance on Consent, February 2018 (link). The core members of this alliance include the UK Department of Health and NHS. See also Medical Research Council, General Data Protection Regulation (GDPR): Consent in Research and Confidentiality (link); and Health Research Authority, Legal basis for processing data (link), May 8, 2018.
See statements by the Central Committee on Research Involving Human Subjects (link).
Supervisory authorities (data protection authorities) or the European Commission may request that the EDPB make a binding decision towards a supervisory authority that would not follow an opinion of the EDPB (GDPR Art. 65). This mechanism has not been used so far. Also, such a binding decision might not apply as such against a health authority or an ethics committee (to the extent that they are not a “supervisory authority” within the meaning of the GDPR).
Also, some cases will be difficult to fit under the EDPB’s combination of legal bases and justifications. For example, where a sponsor would need to comply with a foreign reliability and safety requirement, it may not be able to rely on a “legal obligation” as put forth by the EDPB (as that legal basis only applies to compliance with EU/EU Member State laws). Likewise, research purposes that would not meet the threshold for “scientific research” under the relevant EU Member State law would have to be based on another justification.
©1996-2019 Morrison & Foerster LLP. All rights reserved.