Many U.S.-based life sciences companies outsource their clinical trial needs to laboratories outside of the U.S., including labs located in the European Union (EU). Others conducting clinical trials in the U.S. may be involved with the collection and processing of EU patients’ data in some other capacity. Despite the benefits of such international cooperation, these arrangements trigger an array of compliance obligations for U.S. companies under a number of EU laws[1], including the General Data Protection Regulation (GDPR) and its rules pertaining to data processing activities.
The GDPR regulates the processing of the personal data of EU residents by companies of all sizes, irrespective of whether or not they have a physical presence within the EU. Within the context of clinical trials, the data at issue fall under the GDPR’s definition of “special categories of data,” which includes “genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health[2] and data concerning a natural person’s sex life or sexual orientation.” As a general rule, the GDPR prohibits the collection and processing of “special categories” of personal data unless one of the GDPR’s exceptions to that prohibition applies.
Bypassing the GDPR’s Prohibition with Consent
One exception (or legal basis for processing clinical trial data under the GDPR) is consent by the data subject to the processing of their personal data. For years, most sponsors of clinical trials have required consent from participants in their trials. However, the notion of consent under the GDPR is quite different from what is required for purposes of securing “informed consent” for clinical trial participation[3], which can create added compliance challenges for organizations in this space.
For consent to be valid under the GDPR, it must be given in a clear, intelligible, and easily accessible form, and only after a patient/participant has been given a clear and explicit description of the purpose of the data processing. Consent cannot be based on a catch-all or vague statement as to the use of the data. If, for example, the purpose of the trial’s processing evolves after consent has been obtained, the sponsor would need to clearly and intelligibly inform the patient of the change in purpose(s), and give the patient an opportunity to consent to the new purpose(s) of the processing, in order for the consent to remain valid under the GDPR. Similarly, if a patient requests to withdraw consent, the data can no longer be processed as planned. Finally, use of consent as the lawful basis for the processing under the GDPR necessitates record keeping by the sponsor, which tracks all consents received, the date any consent was received/withdrawn, and the purpose(s) for which the consent was given.
In addition to presenting administrative burdens, consent as a lawful basis for processing data under GDPR can be vulnerable to challenges questioning whether consent was given freely by clinical trial participants, particularly in situations where there may be an imbalance in power between the participant and the sponsor/investigator. For instance, when a participant is not in good health, belongs to an economically or socially disadvantaged group, or is in a situation of institutional or hierarchical dependency, his or her consent may be deemed invalid under the GDPR’s strict rules.
A recent opinion issued by the European Data Protection Board (EDPB), which brings together representatives of the 28 EU Member States’ national data protection regulators, actually concluded that companies engaged in clinical trials may be better served by relying upon a different GDPR exception[4].
Alternatives to Consent
The GDPR offers other legal bases upon which to validate the collection and/or processing of personal data in the EU. For example, under the “compliance with a legal obligation” basis, data processing in the clinical trial space would be allowable when it is required for purposes of complying with the Clinical Trials Directive or EU Member State law. Other exceptions include situations where the processing of clinical trial data is either in the public interest in the area of public health, such as processing data for reliability and safety purposes[5]; justifiable on the grounds that it is “a task carried out in the public interest,” such as to ensure high standards of quality and safety of health care, medicinal products or medical devices; or “in the legitimate interests of the sponsor or a 3rd party” (such as processing being done for research purposes).
National Laws of Member States
Finally, it is important to highlight the role of Member State national laws in the EU legal landscape. Each EU Member State has adopted its own set of laws regulating the processing of personal data within its own country. These national laws (also known as the national derogations) add further compliance obligations. Although it remains to be seen, it is quite possible that the EU Member States will follow the EDPB’s 2019 opinion and amend their respective data processing laws to require the use of other legal bases for the processing of special categories of personal data.
It will be important for any organization that collects the data of EU-based patients in a clinical trial to closely watch how national legislation evolves on this issue, especially in those countries where it is presently collecting data. Appointing a data protection manager and/or engaging EU privacy counsel can also help companies ensure continued compliance with the GDPR and applicable EU Member State laws and regulations, particularly with respect to the collection and processing of EU patients’ data for clinical trial purposes. Finally, U.S.-based sponsors of clinical trials, as well as companies acting as CROs or service providers to sponsors or CROs, should consider appointing an internal or external resource to advise on complying with the GDPR and other data protection laws in connection with their business activity. If you have questions about data collection or processing in the EU within the context of clinical trials, or about the GDPR in general, please contact Stephan Grynwajc at firstname.lastname@example.org or 347-543-3035.
[1] Including the Clinical Trials Directive (CTD, as supplemented by the GCP and GMP Directives), set to be itself replaced by the upcoming Clinical Trials Regulation (CTR); the Pharmacovigilance Regulation; the Good Pharmacovigilance Practice Guidelines; the ICH GCP Guidelines; and various EU Member State national laws.
[2] The GDPR defines “data concerning health” as including “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.”
[3] For purposes of the GDPR, consent seeks to ensure a lawful collection and processing of personal data for any purposes disclosed at the time of collection of the data, whereas consent under the CTD/CTR refers to a patient’s willing participation in the clinical trial. The requirements of “informed consent” for CTD/CTR purposes are beyond the scope of this blog.
[4] Specifically, the EDPB indicated on January 23, 2019 that “consent will not be the appropriate legal basis in most cases (involving the processing of personal data for clinical trial purposes),” and further that “other legal bases must be relied upon.”
[5] For instance, safety reporting under Articles 41 to 43 of the Clinical Trials Regulation; archiving of the clinical trial master file and of the medical files of patients; and disclosures to national competent authorities as part of inspections are all examples of data being processed for reliability and safety.
Stephan Grynwajc served as a senior in-house attorney for several blue-chip technology corporations (e.g., Intel and Symantec) in France, the U.K. and the U.S., and today focuses his practice on advising U.S.-based clients on navigating the EU privacy landscape. email@example.com