In response to the opinion of the European Data Protection Board (EDPB), the European Commission has issued its Question and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR) (Q&A). The non-binding Q&A offers some additional clarifications for data processing within clinical trials. However, the Q&A also falls short in other respects. In particular, it omits some core issues, deferring to national data protection authorities instead.
Key takeaways
The Q&A aligns with the opinion that the EDPB issued on the Q&A ahead of its publication on:
- The legal justification within clinical trials and deterrent on using consent – Under the GDPR, the processing of personal data must be tied to one of the legal justifications/derogations (for sensitive data such as health data) listed in the GDPR. One of those justifications/derogations is consent, but there are also others, such as public interest or scientific research. In parallel, EU clinical trial rules generally require that clinical trial participants provide their informed consent to participate in a clinical trial. The Q&A confirms that consent under the GDPR (protecting privacy) should be distinguished from clinical trial informed consent (protecting ethics), and that consent is generally not the appropriate justification under the GDPR.
- This is the case in particular because of the potential imbalance of power between participants and clinical trial investigators (so that consent would not be freely given) and because, if a participant withdraws consent, personal data collected prior to the withdrawal may have to be deleted, which can lead to a host of issues and threaten the quality and credibility of the clinical trial.
- As a result, the Q&A recommends legal justifications other than consent, which it allocates depending on some core activities identified within clinical trials, namely “reliability and safety purposes” and “research activities” as the EDPB had suggested (see the table below). As we identified in our previous alert, while clarifying the absence of the need for consent under the GDPR is helpful, it can also cause tension where local privacy laws prescribe consent for reliance on scientific research, as in Ireland or the Netherlands.
- Secondary use – The Q&A also confirms the existence of a “presumption of compatibility” under the GDPR for further scientific research outside the study protocol. Within clinical trials, a “protocol” must be drafted to describe the clinical trial objectives among other details. Those objectives are then built into clinical trial documentation that is provided to the participants. That said, clinical trials may last several years and discoveries may prompt the need for research beyond the protocol. Under clinical trial rules, such prolonged use is allowed (CTR Art. 28.2) under certain conditions. The question therefore arises as to whether such prolonged use is also possible under the GDPR without having to obtain a new legal justification (or whether, conversely, a separate justification is required, which may require taking additional steps, such as re-notice/re-consent with individuals). The EDPB confirms that it is possible to rely on the initial justification for the scientific research also for the prolonged use. It should be noted, however, that secondary use is a complex issue under the GDPR, and that the EDPB already announced, in its opinion, that it will devote further attention and guidance to it in the future. There will, therefore, be additional considerations to look out for in the future.