On January 23, 2019, the European Data Protection Board (EDPB) issued an opinion (Opinion) on the interplay between the Clinical Trial Regulation (CTR) and the General Data Protection Regulation (GDPR), an issue that has been the subject of intense debate and that resulted in a draft, still non-public, FAQ prepared by the EU Commission. The Opinion comments on the draft FAQ and provides some insight into data protection regulators’ view on how the GDPR applies to patient data collected as part of a clinical trial.
In short, the EDPB takes the position that consent under the GDPR, and informed consent under the CTR, are different concepts, and that various legal grounds, including consent, are available under the GDPR to process patient personal data in the clinical trial context. Practically speaking, organizations will have to conduct a case-by-case assessment of the various options available.
The GDPR requires organizations involved in clinical trials (such as sponsors, sites, and contract research organizations—CRO—in some cases) to rely on a legal ground to process patient personal data. The GDPR provides a limited number of legal grounds, including a patient’s unambiguous consent, compliance with a legal obligation, relying on an organization’s legitimate interest, and the necessity to perform a task in the public interest. The GDPR further restricts the legal grounds available for the processing of sensitive data (such as health or genetic data); in those instances, an organization can rely on a patient’s consent only if that consent is explicit, and can rely on public interest only if it involves public health or a scientific purpose as provided under applicable law.
In parallel to the GDPR, the CTR requires patients’ informed consent to participate in clinical trials. This requirement is central to the World Medical Association Declaration of Helsinki, and reflects respect for patients’ dignity and, in certain cases, their physical integrity. Such informed consent could be confused with the (explicit) consent required to collect patient data, especially because the CTR contains some cross-references to data protection.
The main takeaway from the EDPB opinion is that informed consent under the CTR must be dissociated from consent under the GDPR. This means that consent is not the only available legal ground to process personal data in the clinical trial context, and that even though the legal ground for processing patient data may not be GDPR consent, patients should still be asked to sign an informed consent form (ICF) based on the CTR.
In addition, the EDPB analyzes the GDPR legal grounds as follows:
- Consent. Consent remains a valid legal ground (and the “default”, especially in case of sensitive data processing), but before relying on consent, organizations should assess whether the GDPR’s consent requirements are effectively met. The EDPB advises ensuring that consent is in all cases freely given, which may, according to the Opinion, require specific effort where trial patients are “economically or socially disadvantaged” or are in a “situation of institutional or hierarchical dependency”. Furthermore, patients can withdraw their consent at any time, which means that all processing activities must be stopped if a patient withdraws his/her consent unless the organization can rely on another legal ground.
- Compliance with a legal obligation. Compliance with an EU or member state legal obligation is a valid legal ground if personal data are processed for purposes such as safety reporting, archiving of the clinical trial master file and disclosure to relevant authorities. The EDPB further recalls that sensitive data may be processed for “reasons of public interest in the area of public health […] on the basis of Member State law” (Article 9(2)(i) GDPR).
- Other legal grounds. Organizations can rely on other legal grounds such as the public interest legal ground or an organization’s legitimate interest to process personal data. However, these legal grounds cannot be relied on when an organization is processing sensitive data. When such data are processed, the EDPB considers that organizations should assess whether they can rely on specific GDPR derogations, in particular if the processing could be completed for “reasons of public interest in the area of public health […] on the basis of Member State law” (Article 9(2)(i) GDPR), or “scientific … purposes in accordance with Article 89(1) GDPR based on Union or Member State law” (Article 9(2)(j) GDPR).
- Secondary uses. If an organization wants to use the personal data for scientific purposes other than those defined in the clinical trial protocol, it should rely on a legal ground other than the one used for the primary purpose. However, if the secondary use is for archiving purposes in the public interest, or for scientific, historical research or statistical purposes, the organization may proceed without a new legal ground.
The EDPB opinion comments on the draft FAQ prepared by the EU Commission and intends to clarify the interplay between the GDPR and the CTR. It now remains to be seen whether and how the EU Commission FAQs will incorporate these comments. In addition, the Opinion does not account for the fact that many clinical trials are conducted by organizations located outside of the EU, thus practically preventing them from relying on compliance with a legal obligation or on the public interest legal ground. According to the EDPB, consent under the GDPR and the CTR are different, and GDPR consent is not the panacea, but it can be relied on after a careful factual assessment. It will be interesting to see if and how market practices will evolve in light of this EDPB Opinion.