On January 23, 2019, the European Data Protection Board ("EDPB") issued an interesting opinion about personal data processed in relation to clinical trials.
The main role of the EDPB – which succeeded the Article 29 Working Party – is to contribute to the consistent application of the GDPR throughout the European Union. Its tasks include providing general guidance to clarify the law and advising the European Commission on data protection issues and new legislations.
The interplay between European rules on clinical trials and the GDPR is certainly a complicated topic worthy of EDPB clarifications, as we mentioned in a previous blog post. This is probably why the DG Health of the European Commission drafted a "Q&A on the interplay between the Clinical Trials Regulation (the "CTR") and the GDPR" and submitted it to the EDPB last October. It turns out that it was a good call, considering the EDPB actually disagreed with several of the European Commission's answers in its Q&A, and that the rules treat reliability and safety uses quite differently than research uses.
Various topics were included on the Q&A, however the EDPB said that it will first focus on one issue: the appropriate legal basis for the processing of personal data either in the context of clinical trials or for further uses. Indeed, one of the fundamental rules set out in the GDPR (which already existed in the 1995 Directive) is that all data processing activities must have a legal basis. These legal bases are listed in Article 6 of the GDPR, e.g., consent or necessary for compliance with a legal obligation. In addition, processing of sensitive data such as health data must also comply with one of the conditions listed in Article 9, e.g., ensuring the "reliability and safety" of products.
1. Legal basis for the processing of personal data in the course of a clinical trial protocol (primary use)
What legal basis is there for activities whose purpose is reliability and safety?
Product reliability and safety relate directly to the protection of human health. Medicinal products come to market based on data generated through clinical trials; once in the market, medicinal products are subject to high standards of quality and safety. Processing activities that fall under this "reliability and safety" category include ?the archiving of the clinical trial master file or the medical files of subjects, safety reporting, and any disclosure to national competent authorities in the course of an inspection.
For those activities, the EDPB considers that the appropriate legal basis is:
- "legal obligation(s) to which the controller is subject" under Article 6(1)(c) of the GDPR,
- in conjunction with Article 9(2)(i) "processing is necessary for reasons of public interest in the area of public health, such as [...] ensuring high standard of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law".
Which legal basis is there for activities related to research?
The use of personal data for "research" faces a more stringent analysis than "reliability and safety". According to the EDPB, processing operations purely related to research activities in the context of a clinical trial cannot be derived from a legal obligation of the CTR. Therefore, another legal basis must be relied upon, and it may be, depending on the circumstances:
- a task carried out in the public interest (Article 6(1)(e)) in conjunction with reasons of public health on the basis of EU or national law (Article 9(2)(i)) or scientific research (Article 9(2)(j));
- the legitimate interests of the controller (Article 6(1)(f) in conjunction with reasons of public health on the basis of EU or national law (Article 9(2)(i)) or scientific research (Article 9(2)(j)); or
- the explicit consent of the data subject (Article 6(1)(a) in conjunction with Article 9 (2)(a)).
As regards consent, the EDPB makes it clear that the patient's informed consent to the clinical trial under the CTR is different from the data subject's consent ?under the GDPR. Consent is required under the CTR for reasons related to human dignity and the right to integrity of individuals under the Charter of Fundamental Rights, it is not an instrument for data protection compliance.
As a consequence, the EDPB refers to the Guidelines about consent that were previously issued by the Working Party and says that it applies to clinical trials. In particular, consent will be deemed not to be freely given if participants are not in good health conditions, or belong to an economically or socially disadvantaged group or in a situation of institutional or hierarchical dependency. It seems reasonable to assume that the good health condition must be understood not to mean that all patients have to be perfectly healthy but the condition of the patient must not be so bad as to impair his/her free will.
2. Secondary uses of clinical trial data for scientific purposes
For secondary uses of clinical trial data, the EDPB insists once more that the consent required in the CTR for sponsors in such cases has nothing to do with the legal ground for processing personal data under the GDPR.
Therefore, if a sponsor or an investigator would like to further use the personal data gathered for any other scientific purposes, other than the ones defined by the clinical trial protocol, it would require another specific legal ground than the one used for the primary purposes. It may end up being the same legal ground, most probably "scientific research" (Article 9(ii)(j)), but the GDPR reasoning must be conducted separately for primary uses and secondary uses.
* * *
This EDPB opinion shows the high degree of scrutiny the EDPB demands when assessing the legal basis of each processing activity conducted in the context of clinical trials. This opinion brings some light on the interplay between the CTR and the GDPR but the EDPB itself recognizes that there are other issues which would deserve to be clarified and further commented by the EDPB. In particular, the EDPB decided not to comment in this Opinion on the "presumption of compatibility" for further use under Article 5(1)(b) of the GDPR, according to which a new legal basis is not always necessary for further processing for scientific research purposes. However, this "presumption of compatibility" may apply in some cases on secondary use of clinical trials data.
To view Foley Hoag's Security, Privacy and The Law Blog please click here
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
