GDPR and the EU Clinical Trials Regulation

Dechert LLP

On 23 January 2019, the European Data Protection Board (“EDPB”) issued an opinion on the interplay between the EU General Data Protection Regulation (“GDPR”) and the EU Clinical Trials Regulation (“CTR”). The CTR is not yet applicable (it is expected to enter into application in 2020) but the guidance given by the EDPB should also prove useful under the current regime. The opinion seeks to address a lack of consensus regarding the appropriate legal basis for processing of personal data in clinical trials. In doing so, the opinion distinguishes between: (i) processing during the course of the clinical trial protocol (“primary use”), and (ii) processing outside of the relevant clinical trial protocol for scientific purposes (“secondary use”).

Legal Bases for Processing

Under the GDPR, processing of personal data is only lawful to the extent one of six legal bases applies to the processing. These bases are:

  • consent;
  • necessary for performance of contract;
  • necessary for compliance with a legal obligation;
  • necessary for protecting vital interests;
  • necessary for performance of a task in the public interest or in the exercise of official authority;
  • necessary for the purposes of legitimate interests, except where overridden by the data subject’s rights and freedoms.

Data controllers therefore need to identify the purposes for which they are processing personal data in order to establish the most appropriate legal basis.

For special categories of data (which include health data), data controllers must identify a further legal basis for processing, the most relevant of which are:

  • (a) explicit consent
  • (b) – (h) […]
  • (i) necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law, which provides for suitable and specific measures to safeguard the rights and freedoms of the data subjects, in particular professional secrecy;
  • (j) necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Primary Use

The EDPB says that all processing operations relating to a specific clinical trial protocol are primary uses of clinical trial data, but processing operations may be for different purposes. Consequently, the legal basis for primary use may differ. The EDPB outlined two particular categories of processing activities: (1) processing for "reliability and safety" related purposes, and (2) processing for "research activities."

Reliability and Safety Purposes

Most processing operations for reliability and safety purposes (such as archiving of the clinical trial master file and safety reporting) are dictated by the CTR and other relevant national provisions. As such, they are necessary for compliance with a legal obligation to which the controller is subject (Article 6(1)(c) GDPR).

Where special categories of data are processed, the EDPB states that the corresponding lawful basis is that “processing is necessary for reasons of public interest in the area of public health, such as […] ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law, which provides for suitable and specific measures to safeguard the rights and freedoms of the data subjects, in particular professional secrecy” (Article 9(2)(i) GDPR).

Research Activities

Depending on the processing, the EDPB indicates that one of three legal grounds under Article 6 GDPR could be applicable.

The first possible ground is consent under Article 6(1)(a) (and, for special categories of data, explicit consent under Article 9(1)(a) GDPR). The EDPB emphasized that consent as a legal ground under the GDPR is distinct from the "informed consent" required under the CTR, meaning two layers of consent would need to be obtained. The GDPR sets a high standard for consent; the EDPB focused particularly on the requirement for such consent to be “freely given” which may not be the case where there is an imbalance of power, such as where the data subject is not healthy or suitably fit to give consent. This was a significant factor in the EDPB’s determination that consent will not, in most instances, be the appropriate legal basis for processing of personal data for research activities.

Difficulties also arise with withdrawal of consent. Under the GDPR, individuals may withdraw their consent to processing at any time, at which point the controller must cease all processing actions which are based on consent (although this does not affect the lawfulness of the processing carried out to that point). This would present problems with the continued use of clinical trial data relating to the particular individual for research activities.

Accordingly, the second and third possible grounds – “task carried out in the public interest,” and “legitimate interests of the controller” under Articles 6(1)(e) and (f) respectively – would appear to be more appropriate legal bases. The former would only be relevant for a narrow range of clinical trials – those carried out by a public or private body in the exercise of official authority vested in them by national law. For all other circumstances, the EDPB considered that the “legitimate interests” of the data controller could be grounds for data processing, as long as the fundamental freedoms and rights of the data subject do not override these legitimate interests.

For special categories of data, the EDPB pointed to Article 9(2)(i) GDPR (reasons of public interest in the area of public health) or Article 9(2)(j) (scientific purposes).

Secondary Use

The EDPB considered that where personal data is further processed for scientific purposes outside those defined in the clinical trial protocol, there should be a presumption that such purposes are compatible with the initial purpose (of conducting the clinical trial), provided that appropriate safeguards are in place (in accordance with the GDPR), such that a new legal basis is not required.

However, the EDPB did indicate that it would need to give further consideration to, and guidance on, the safeguards in the future.

Comment

Currently, data controllers looking to conduct multi-site clinical trials need to grapple with conflicting guidance from regulators across Europe. In particular, we understand that some European regulators generally expect sponsors to obtain consent for processing of personal data in clinical trials; in contrast, the UK Health Research Authority points to legitimate interests as being the appropriate legal basis for processing.

Given the difficulties with obtaining GDPR-standard consent (and the consequences of withdrawal of consent), the EDPB’s opinion is welcome, and helpful in clarifying its view as to the appropriate legal bases for processing of personal data in clinical trials. However, it remains to be seen whether supervisory authorities across the EU will follow this approach.

Data controllers in clinical trials are reminded of the importance of undertaking data mapping and planning for clinical trials and, where appropriate, legitimate interest assessments so that they are clear on exactly what legal basis they are relying on for the relevant processing purpose.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising
