On January 23, 2019, the European Data Protection Board (“EDPB”), which is composed of representatives of the national data protection authorities and the European Data Protection Supervisor, adopted an Advisory Opinion (“Opinion”) on the interplay between the EU Clinical Trials Regulation (“CTR”) and the General Data Protection Regulation (“GDPR”). The Opinion was provided in response to a European Commission (“EC”) request to comment on a draft Q&A document on this issue. We already highlighted in a previous blog post the serious impediments that this Opinion creates for commercial pharma organizations’ clinical trials in Europe, due to its very restrictive approach to consent absent any other readily available justifications for processing clinical trials data. This blog post provides a more detailed analysis of the Opinion, including its significance beyond clinical trials, as it contains highly-relevant guidance on the authorities’ approach to interpreting key provisions of the GDPR generally.
The CTR aims at ensuring a greater level of harmonization of the rules for conducting clinical trials throughout the EU. To that end, it introduces, among other things, an authorization procedure based on a single submission through an EU portal, an assessment procedure leading to a single decision, and rules on individuals’ protection, informed consent, and transparency requirements. The CTR is currently expected to enter into application in 2020, when the required EU portal has full functionality.
The Opinion extensively discusses the possible legal bases for the processing of personal data in the context of clinical trials.
The EDPB distinguishes “primary use” and “further processing” of personal data. The EDPB does not follow the approach in the Article 29 Working Party’s Opinion 3/2013 on purposes limitation of April 3, 2013 (WP203), which had considered any processing following the initial collection to be “further processing”. Rather, the EDPB broadly interprets “primary use” as all processing of personal data related to a specific clinical trial protocol during its entire lifecycle – from the starting of the trial to deletion at the end of the archiving period. It is not clear from the Opinion whether this is a general change in interpretation, or specific to the clinical trials situation. At the same time, the EDPB takes the view that not all processing operations relating to such “primary use” of clinical trial data pursue the same purposes and fall within the same legal basis, so further differentiation is required (see below).
The EDPB also discusses “secondary uses” of personal data, meaning situations where the organization responsible for the management, setting up and funding of the clinical trial processes an individual’s data for scientific purposes outside the scope of the protocol.
B. Primary Use of Clinical Trial Data
The EDPB distinguishes processing operations purely related to research activities from those related to the setting of standards of quality and safety for medicinal products based on reliable and robust data. The EDPB considers that these two categories fall under different legal bases.
1. Processing Operations Related to Reliability and Safety Purposes
Processing to comply with legal obligations. Under the GDPR, organizations may rely on a legal obligation to which they are subject under EU law or under the laws of an EU country to justify their processing operations, Art. 6(1)(c) GDPR. The CTR imposes upon organizations that perform clinical trials to process personal data for reliability and safety purposes. Consequently, the EDPB confirms that this “legal obligation” ground permits the processing of personal data in this context. This particularly applies where organizations are required to process personal data to comply with their obligations to prepare reports for safety purposes, to archive the content of a clinical trial master file and the medical files of the individuals concerned after the end of the trial, as well as their obligation to disclose clinical trial data to national authorities in the context of an inspection. However, organizations subject to non-European laws that require them to process personal data (e.g. for safety purposes or inspections by non-EU authorities) will need to identify another legal basis to justify their processing activities, Art. 6(3) GDPR.
Processing of sensitive data. The EDPB considers that the processing of sensitive data for reliability and safety purposes in the context of clinical trials could rely on the fact that the processing is necessary for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of EU law or an EU country law, Art. 9(2)(i) GDPR. According to the EDPB, this would be the Art. 9 GDPR provision corresponding to the necessity to comply with a legal obligation under Art. 6 GDPR, as explained above.
2. Processing Operations Purely Related to Research Activities
For processing activities relating to research – the actual purpose of clinical studies – the EDPB discusses the conceivable legal bases in detail, without providing clear answers.
Consent. The CTR requires organizations to obtain individuals’ consent for participating in clinical trials, but the EDPB rejects the view that this CTR requirement can at the same time be the legal basis for the processing of personal data associated with the trial. As commented in our previous blog, the EDPB’s restrictive approach towards consent is a key aspect of its Opinion.
Under the GDPR, consent must be freely given, specific, informed, and unambiguous. Explicit consent is required for processing sensitive data. The EDPB insists that free consent means that individuals should have a real choice and control, and that there could not be free consent where there is a “clear imbalance” between the individual concerned and the organization processing his or her personal data. According to the EDPB, there will be such an imbalance of powers when participants are not in good health conditions, when they belong to an economically or socially disadvantaged group, or in any situation of institutional or hierarchical dependency. For these reasons, in the view of the EDPB, consent will not be the appropriate legal basis in most cases.
Public Interest. As an alternative to consent, organizations may be able to invoke that the processing is necessary for the performance of a task carried out in the public interest to justify processing operations, Art. 6(1)(e) GDPR. The GDPR limits this to public interests of the EU or an EU country. Furthermore, according to the EDPB, processing operations in the context of clinical trials are only necessary for the performance of a task carried out in the public interest when the conduct of clinical trials falls within the mandate, missions and tasks vested in a public or private body by an EU country law.
Legitimate Interests. Alternatively, organizations may be able invoke their legitimate interests, Art. 6(1)(f) GDPR. This requires organizations to ensure that their legitimate interests are not overridden by the interests or fundamental rights and freedoms of the individual concerned. We recall that legitimate interests cannot, on their own, be relied upon for processing sensitive data pursuant to Art. 9 GDPR.
Contractual Necessity. The EDPB does not even mention contractual necessity, Art. 6(1)(b) GDPR, as a possible basis for the processing.
Sensitive Data. The EDPB also discusses the legal basis for processing sensitive data when conducting clinical trials for research purposes. The EDPB explains that the legal basis identified under Art. 6 GDPR shall be applied only if Art. 9 GDPR provides for a specific derogation from the general prohibition to process sensitive data. Therefore, organizations should both determine whether the GDPR provides for a specific derogation from the general prohibition to process sensitive data under Art. 9(2) and identify an appropriate legal basis for the processing under Art. 6 GDPR. In this light, Art. 9 GDPR does not provide a legal basis for data processing but is an additional requirement when the data being processed is sensitive. In such cases, Art. 6 GDPR and Art. 9 GDPR should be applied cumulatively. This interpretation echoes the Article 29 Working Party’s Guidelines on Automated individual decision-making and Profiling (WP251rev.01), which the EDPB has formally endorsed, where the authorities considered that organizations “can only process [sensitive] data if they can meet one of the conditions set out in Article 9(2), as well as a condition from Article 6”. This reading of the GDPR might be somewhat surprising as one could have also assumed that Art. 6 and Art. 9 GDPR provide distinct legal grounds for processing personal and sensitive data respectively. Still, this is unlikely to have much practical consequence, if any, since the conditions for processing sensitive data under Art. 9 GDPR are stricter than their corresponding conditions under Art. 6 GDPR. In this light, organizations that can rely on an exemption under Art. 9 should be able to rely on a condition under Art. 6 GDPR.
In the specific circumstances, the EDPB considers that the processing of sensitive data for purely research purposes could be justified by the public interest in the area of public health or the necessity of the processing for scientific purposes, both being based on EU law or an EU country law. According to the EDPB, these legal grounds under Art. 9(2)(i) and Art. 9(2)(j) GDPR should be applied in conjunction with the respective provisions under Art. 6 GDPR, i.e. the necessity to perform a task carried out in the public interest, or the organization’s legitimate interests.
C. Secondary Uses of Clinical Trial Data
The EDPB also briefly discusses the issue of secondary use of clinical trial data, i.e. the use of such data for scientific purposes outside the clinical trial protocol. Consistent with its hostility towards consent, the EDPB does not even mention the discussions regarding possibilities for “broad consent” in this context.
The EDPB’s view is as follows: (1) if the responsible organization for the management, setting up and funding of the clinical trial would like to further use the personal data gathered for any other scientific purposes than those defined by the clinical trial protocol, it would require another specific legal ground than the one used for the primary purpose; (2) however, it is possible, that the presumption of compatibility provided under Art. 5(1)(b) GDPR applies. This provision provides that where data is further processed for archiving purposes in the public interest or for scientific purposes, these shall not be considered as incompatible with the initial purpose, provided that it occurs in accordance with the provisions of Article 89 GDPR, which foresees specific adequate safeguards and derogations in these cases. Where that is the case, organizations could be able, under certain conditions, to further process the data without the need for a new legal basis; (3) all other obligations under data protection law also apply. This interpretation of the EDPB is different from the EC’s interpretation in the draft Q&A, which excluded the presumption of compatibility provided under Art. 5(1)(b) GDPR in all circumstances.
The Opinion confirms the EDPB’s hostility to organizations relying on consent for data processing operations. This approach has the potential to seriously impede commercial pharma organizations’ clinical trials in Europe absent any other readily available justification for processing sensitive personal data in that context, but it also has an impact far beyond clinical trials. Unfortunately, the EDPB does not provide any kind of clarification regarding topics like pseudonymization/key-coded data and international transfers of personal data in the context of clinical trials.
Organizations conducting clinical trials should start reviewing their GDPR compliance documentation, and in particular their notification and consent forms, in light of the EDPB’s view that consent will not be appropriate in most cases. Where organizations decide to rely on consent, they must allow individuals to withdraw consent at any time. If consent is withdrawn, data processing operations based on consent until that point in time remain lawful, but all research activities relating to the individual who withdraws his or her consent must cease if there is no other lawful basis justifying the retention for further processing. The EDPB clarifies that the withdrawal of consent does not affect the processing operations that are based on other lawful grounds, such as legal obligations, as explained above. The review of existing templates should therefore also include notification language to comply with the GDPR transparency requirements.
We assume the EC will finalize its Q&A document on the interplay between the CTR and the GDPR, taking into consideration the EDPB’s input.
Given the remaining uncertainties, we expect additional interest to update EU countries’ laws to provide a reliable and robust framework for data processing activities conducted in the context of clinical trials. Otherwise, the remaining uncertainties and a misconceived focus on absolutist protection of personal data may end up endangering the health of the very people it purports to protect.