On April 10, 2019, European Commission Directorate-General for Health and Food Safety issued a revised Q&A analyzing the interplay between the EU Clinical Trials Regulation (“CTR”) and the EU General Data Protection Regulation (“GDPR”). The revised Q&A takes into account the opinion of the European Data Protection Board (“EDPB”) issued on January 23, 2019, on the same topic (which we discuss in our blog post here). Below, we summarize the main takeaways of the Commission’s updated Q&A.
Legal basis for processing health data
Helpfully, the Q&A addresses the appropriate legal basis under the GDPR for the processing of clinical trial data, an issue which Member States appear to be adopting divergent approaches to in recent months. The Q&A, like the EDPB opinion, distinguishes between two different processing purposes associated with clinical trials and attributes different legal bases to each:
- processing for patient safety purposes, such as safety reporting, archiving and inspections, which is required by the CTR (and thus can be based on Articles 6(1)(c) and 9(2)(i) of the GDPR), and for which no consent is required.
- processing for scientific research purposes, which “cannot be derived from a legal obligation,” such as one arising under the CTR. In this case, data controllers may consider a number of different legal bases, depending on the nature of the clinical trial. The Commission notes that the processing can potentially serve a public interest, be based on a legitimate interest or be based on participant consent (each time in combination with a legal basis in Article 9 when special data, such as health or genetic data, are processed).
While generally helpful, the Commission noticeably refrains from endorsing any particular legal basis when processing data for scientific research purposes, leaving it up to the sponsor and research institutions to decide. The Q&A also fails to highlight that, with the exception of consent, the remaining legal bases under Article 9 of the GDPR mentioned in the Q&A must be grounded in Union or Member State law (with the CTR apparently excluded as a possibility – see (2.) above). In practice, consent is likely to be the only available option in many cases, owing to an absence of such laws.
As regards consent, the Commission’s Q&A provides that a trial subject’s consent to participate in a trial must be distinguished from consent to the processing his or her personal data, a theme that also appears in the EDPB guidance. Thus, a trial participant could, in theory, withdraw consent to the former, but not the latter. However, if the processing of data is based on a trial subject’s consent and he or she later withdraws that consent, the controller is expected to stop processing the data and delete it, unless it has another legal basis to continue processing the data (e.g., for safety purposes). Curiously, the Q&A fails to discuss the GDPR’s scientific research exemption to the deletion right under Article 17(3)(d) – i.e., the right to erasure does not apply if the data are used for scientific research and complying with the erasure request would render impossible or seriously impair the research aims.
Further use of research data
In relation to further use of clinical trial data, the Commission Q&A appears to acknowledge that the CTR’s limitations on further use of such data (requiring consent for data used outside the scope of the trial protocol – see here) are waived where one of the alternative legal bases in the GDPR applies. In short, consent would not appear to serve as the sole legal basis for the further use of clinical trial data.
Further, the Q&A highlights the fact that secondary use of clinical trial data for scientific research purposes is by default compatible with its original use, in accordance with Article 5(1)(b) of the GDPR. As a result, it should not be necessary to obtain a new consent in order to engage in additional secondary research. In the event that the secondary research is nevertheless based on consent, the Q&A repeats the EDPB’s cautionary language about reliance upon overly broad consent (notwithstanding GDPR recital text supporting broad consent in the research context). This restrictive interpretation of the consent doctrine, which we discuss in more detail here, limits its utility and conflicts with the GDPR’s other research-friendly provisions.
Ultimately, readers may be forgiven for being confused by references to broad consent in the GDPR, when the Commission states in the Q&A that “the obligations with regard to the requirement of specific consent still apply.” In fact, the Q&A explains that consent for further, secondary use must be separated from the original consent, likely involving a “separate sheet” for the collection of the consent, effectively ensuring that the original consent could not be a “broad” consent. The Commission’s suggestion, however, begs the question of why anyone would seek to rely upon consent, in light of the Commission’s earlier concession that the further use of clinical trial data for scientific research is compatible with its original use.
Finally, the Q&A also contains some additional notable remarks, including that research sponsors established outside the EU and performing clinical trials in the EU are subject to the GDPR, on the basis that they are “monitoring” EU data subjects (i.e., trial participants) or offering services in the EU, and that the GDPR’s transfer restrictions also apply to transfers of clinical trial data. The Commission document also makes clear that pre-GDPR informed consent forms used in ongoing trials should be updated and furnished to trial subjects in order to meet the GDPR’s augmented transparency requirements, but leaves it open as to when obtaining fresh consent from trial subjects would be necessary. In this respect, the Q&A does not provide any more insights than appear in the EDPB’s existing guidance.