On April 10, 2019, the European Commission's Directorate-General for Health and Food Safety issued a revised Q&A analyzing the interplay between the EU Clinical Trials Regulation (“CTR”) and the EU General Data Protection Regulation (“GDPR”). The revised Q&A takes into account the opinion of the European Data Protection Board (“EDPB”) issued on January 23, 2019, on the same topic (which we discuss in our blog post here). Below, we summarize the main takeaways of the Commission’s updated Q&A.

Legal basis for processing health data

Helpfully, the Q&A addresses the appropriate legal basis under the GDPR for the processing of clinical trial data, an issue on which Member States appear to have been adopting divergent approaches in recent months. The Q&A, like the EDPB opinion, distinguishes between two different processing purposes associated with clinical trials and attributes different legal bases to each:

  1. processing for patient safety purposes, such as safety reporting, archiving and inspections, which is required by the CTR (and thus can be based on Articles 6(1)(c) and 9(2)(i) of the GDPR), and for which no consent is required.
  2. processing for scientific research purposes, which “cannot be derived from a legal obligation,” such as one arising under the CTR. In this case, data controllers may consider a number of different legal bases, depending on the nature of the clinical trial.  The Commission notes that the processing can potentially serve a public interest, be based on a legitimate interest or be based on participant consent (each time in combination with a legal basis in Article 9 when special data, such as health or genetic data, are processed).

While generally helpful, the Commission noticeably refrains from endorsing any particular legal basis when processing data for scientific research purposes, leaving it up to the sponsor and research institutions to decide.  The Q&A also fails to highlight that, with the exception of consent, the remaining legal bases under Article 9 of the GDPR mentioned in the Q&A must be grounded in Union or Member State law (with the CTR apparently excluded as a possibility – see (2.) above).  In practice, consent is likely to be the only available option in many cases, owing to an absence of such laws.

As regards consent, the Commission’s Q&A provides that a trial subject’s consent to participate in a trial must be distinguished from consent to the processing of his or her personal data, a theme that also appears in the EDPB guidance. Thus, a trial participant could, in theory, withdraw consent to the former, but not the latter. However, if the processing of data is based on a trial subject’s consent and he or she later withdraws that consent, the controller is expected to stop processing the data and delete it, unless it has another legal basis to continue processing the data (e.g., for safety purposes). Curiously, the Q&A fails to discuss the GDPR’s scientific research exemption to the deletion right under Article 17(3)(d) – i.e., the right to erasure does not apply if the data are used for scientific research and complying with the erasure request would render impossible or seriously impair the research aims.

Further use of research data

In relation to further use of clinical trial data, the Commission Q&A appears to acknowledge that the CTR’s limitations on further use of such data (requiring consent for data used outside the scope of the trial protocol – see here) are waived where one of the alternative legal bases in the GDPR applies.  In short, consent would not appear to serve as the sole legal basis for the further use of clinical trial data.

Further, the Q&A highlights the fact that secondary use of clinical trial data for scientific research purposes is by default compatible with its original use, in accordance with Article 5(1)(b) of the GDPR.  As a result, it should not be necessary to obtain a new consent in order to engage in additional secondary research.  In the event that the secondary research is nevertheless based on consent, the Q&A repeats the EDPB’s cautionary language about reliance upon overly broad consent (notwithstanding GDPR recital text supporting broad consent in the research context).  This restrictive interpretation of the consent doctrine, which we discuss in more detail here, limits its utility and conflicts with the GDPR’s other research-friendly provisions.

Ultimately, readers may be forgiven for being confused by references to broad consent in the GDPR, when the Commission states in the Q&A that “the obligations with regard to the requirement of specific consent still apply.”  In fact, the Q&A explains that consent for further, secondary use must be separated from the original consent, likely involving a “separate sheet” for the collection of the consent, effectively ensuring that the original consent could not be a “broad” consent.  The Commission’s suggestion, however, begs the question of why anyone would seek to rely upon consent, in light of the Commission’s earlier concession that the further use of clinical trial data for scientific research is compatible with its original use.

Miscellaneous observations

Finally, the Q&A also contains some additional notable remarks, including that research sponsors established outside the EU and performing clinical trials in the EU are subject to the GDPR, on the basis that they are “monitoring” EU data subjects (i.e., trial participants) or offering services in the EU, and that the GDPR’s transfer restrictions also apply to transfers of clinical trial data.  The Commission document also makes clear that pre-GDPR informed consent forms used in ongoing trials should be updated and furnished to trial subjects in order to meet the GDPR’s augmented transparency requirements, but leaves it open as to when obtaining fresh consent from trial subjects would be necessary.  In this respect, the Q&A does not provide any more insights than appear in the EDPB’s existing guidance.

Kristof Van Quathem

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sectors. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum, from advising clients on government affairs strategies concerning lawmaking, to compliance advice on the adopted laws, regulations and guidelines, and the representation of clients in non-contentious and contentious matters before data protection authorities.

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.