On 23 January 2019, the European Data Protection Board (EDPB) adopted an Opinion on the interplay between the Clinical Trials Regulation (CTR), which is likely to become applicable in 2020 (if not later), and the European General Data Protection Regulation (GDPR). The Opinion focusses on an area provoking much discussion since the GDPR came into force; that is, as we discussed in our previous blog, which legal bases under the GDPR are appropriate for processing personal data in the context of clinical trials?
The Consent Overlap
While focussing on the CTR, the principles in the Opinion would apply equally to the Clinical Trials Directive. In all cases, the sponsor must obtain the explicit, unambiguous and freely given consent of subjects before commencing the trial. This consent requirement is distinct from any consent provided under the GDPR as a legal basis for processing personal data.
Before processing special category personal data under the GDPR, companies must have a basis for processing those data under Article 6 GDPR, and an exception to the general prohibition on processing special category data under Article 9 GDPR. One such basis is consent.
However, as previously discussed, consent is unlikely to be the most appropriate basis in the clinical trials context. If consent is used, and special category personal data are being processed, an individuals’ explicit consent is required. However, the Opinion reiterates that consent must be “freely given” to be valid, which may not be possible where there is an imbalance of power between the participant and the sponsor/investigator in a clinical trial. Additionally, if consent is withdrawn, the data processing operations should be stopped and the data deleted unless there is another lawful basis for retaining it. With this being difficult to achieve in clinical trials, the EDPB considers other bases under the GDPR to be more appropriate.
Which Bases Should Be Used?
Where personal data are processed in clinical trials, the Opinion suggests “compliance with a legal obligation” as the most appropriate basis under Article 6(1)(c). If health data are processed, the corresponding exception is Article 9(2)(i) (i.e., the processing is “necessary for reasons of public interest in the area of public health…”).
For research activities, the Opinion states that a valid basis for processing may be that it is necessary for “the performance of a task carried out in the public interest” (Article 6(1)(e)). This may not apply to commercial companies, as the conduct of a clinical trial would need to fall within the mandate, missions and tasks vested in a public or private body by national law. Alternatively, Article 6(1)(f) could be relied upon (i.e., the processing is necessary for the purposes of the legitimate interests pursued by the controller (e.g., a sponsor) or a third party, and these interests do not override the rights and freedoms of the data subjects). The corresponding exception for special category data is that the processing is necessary (a) “for reasons of public interest in the area of public health…” (Article 9(2)(i)); or (b) “for scientific… research purposes”, provided appropriate safeguards are used.
For secondary uses of clinical trial data for scientific purposes (i.e., uses that are outside of the original clinical trial protocol), the Opinion suggests that further processing may be considered compatible with the initial purposes of the clinical trial. Therefore, a new legal basis and exception may not be required. It’s worth noting that the EDPB may issue further guidance on this, and that separate consent/approval may be required under the clinical trial rules (e.g., ethics committee approval).
The Opinion provides some welcome insight on this much-discussed area. It remains to be seen whether regulatory bodies across the EU follow the approach of the EDPB, particularly with regard to consent. Up to now, we are aware that authorities across the EU are taking different approaches, and are fixed in their views of which basis to use.
Parties processing such data may want to consider the GDPR bases they are relying on in light of the Opinion and should be aware of the limitations of using consent. Information provided to clinical trial participants should distinguish between the informed consent as required under the clinical trials rules and the bases/exceptions relied upon to process personal data under the GDPR.