European Data Protection Board Clarifies the Interplay Between the EU Clinical Trials Regulation and the General Data Protection Regulation

On January 23, 2019, the EU Data Protection Board (“EDPB” - the gathering of all European Union (EU) data protection authorities) adopted opinion no. 3/2019 (the “Opinion”) on the interplay between the Clinical Trials Regulation no. 536/2014 “CTR”) and the General Data Protection Regulation (“GDPR”). Anticipating the application of CTR (currently expected to occur in 2020) following the implementation of the EU portal and the EU database of the European Medicines Agency, the Opinion provides clarification on (i) the different legal bases for the processing of personal data operations related to a specific clinical trial, from commencement of the clinical trial until the deletion of personal data collected during the clinical trial (“Primary Use”); and (ii) the further use of the same personal data set for any other scientific purposes (“Secondary Use”). Without establishing a legal basis, no one can process the personal data needed to run a clinical trial or to use the personal data for other research.

1. Legal basis for Primary Uses of clinical trial data

• Notion of legal obligation: With regard to data processing relating to reliability and safety purposes, the EDPB determined that the legal basis for the processing operations related to a specific clinical protocol can be considered as falling within the “legal obligation(s) to which the controller is subject” under Article 6(1)(C) of the GDPR. The EDPB provides several conditions under which such legal basis would effectively be applicable and, in particular, the binding and valid nature of such obligation. The main conditions relate to the requirement for such obligation to originate at European or Member State level (as opposed to non-Member-State national legislation), and for such obligation to comply with the key tenets of GDPR (i.e., necessity, proportionality, and purpose limitation, as well as transparency as to the categories of personal data required for the trials).
• Consent as a legal basis: For operations purely related to research activities, consent can be a proper legal basis. Nevertheless, the Opinion highlighted the differences between “informed consent” under CTR and “explicit consent” under GDPR. On the one hand, consent under CTR aims at ensuring the protection of the right to integrity and human dignity; however, on the other hand, consent under GDPR is one of several legal bases allowing the processing of personal data. As a result, organizations involved in clinical trials have to reconsider their current procedures around consent and ensure that, where required, they obtain the participant’s consent in a way that would satisfy both CTR and GDPR. For example, the EDPB is of the opinion that data controllers should examine whether or not there may be an imbalance of power between the sponsor and the participant – should this be the case, an alternative lawful basis would be required in order to ensure that the clinical trial is compliant with both regulations. This is especially important considering that, while consent, once given, may be freely withdrawn, the consequences of withdrawing consent greatly differ between the requirements of CTR and those of GDPR. While the withdrawal of a participant’s informed consent under CTR would not affect the use of data obtained based on the previously given consent, the withdrawal of a participant’s consent under GDPR would prevent the sponsor from any further use of the same data.
• Public interest or legitimate interest: Public interest can be considered as a relevant legal basis when the conduct of clinical trials falls within the mandate, missions and tasks in a public or private body by national law. For all other situations, the EDPB considers that the legitimate interest of the data controller or third party can be an appropriate legal basis. In that regard, the Opinion refers to the accountability framework set by GDPR, which places the burden on the stakeholders to document and demonstrate their legitimate interest, as well as safeguarding that such legitimate interest will not override the interests or fundamental rights and freedoms of the participants. Consequently, documentation of the decision-making process will be of utmost importance.

2. Legal basis for Secondary Uses of clinical trial data

While the Opinion finds that Secondary Uses of data from clinical trials for other specific purposes could be permitted without the need for a new legal basis, the EDPB remains wary of providing sponsors with a carte blanche for all downstream usage of clinical trial data.

Indeed, GDPR provides for a so-called “presumption of compatibility” with the original purposes whenever a data controller implements subsequent data processing operations. Such presumption would, in theory, not require another specific legal ground for Secondary Uses. However, once again, the EDPB highlights that the forthcoming CTR accountability framework will mandate that stakeholders demonstrate such compatibility between the original purpose and subsequent purposes.

Consequently, documentation of the decision-making process will need to take those aspects into consideration and balance the interests at stake prior to initiate such Secondary Uses.

The Opinion has been provided to the European Commission for further consideration.

K&L Gates data protection team remains at your disposal to assist you in the assessment of your current clinical trial process and preparation of compliance with CTR and GDPR.