The European Data Protection Board (“Board”) released an opinion on January 23, 2019, on the intersection between the EU General Data Protection Regulation (“GDPR”) and the Clinical Trials Regulation (“CTR”). The opinion considers a Q&A on this topic prepared by the European Commission’s Directorate General for Health. The Directorate General decided to create this Q&A because of perceived contradictions between the GDPR and the CTR, in particular in relation to the legal basis (e.g., the use of consent) and the further use of clinical trial data.
The opinion provides some helpful clarifications. It starts out by making a logical distinction between the primary and the secondary use of clinical trial data.
The Board defines primary use of clinical trial data as all processing operations related to a specific clinical trial protocol, from the collection of the data to the deletion at the end of the archiving period. However, the Board correctly observes that this does not mean that all processing has the same legal basis. It distinguishes between two main processing purposes: protection of health (safety) and scientific research.
According to the Board, the processing of clinical trial data for “safety” purposes can be based on a legal obligation (Art. 6(1)(c) and Art. 9(2)(i) GDPR), so no consent is required. As for the notion of a “safety” purpose, the Board refers to safety reporting (i.e., pharmacovigilance), inspections by competent bodies, and retention of clinical trial data in line with the CTR’s archiving obligations. While this clarification is helpful, it probably warrants some further reflection and elaboration. After all, the purpose of clinical trials and the CTR fundamentally involves assessing the safety of the medicinal product being investigated, not just the safe performance of a trial.
The Board notes that performing purely scientific research using clinical trial data cannot be based on a legal obligation (at least not a legal obligation in the CTR). For this reason, an alternative legal basis must be found. The Board considers two possibilities.
The Board rightly points out that consent to participate in a clinical trial (a CTR consent) must be distinguished from consent to the processing of clinical trial data (a GDPR consent). The Board then specifically accepts that scientific research can be performed on the basis of consent, while focusing on the freely given nature of the GDPR consent, in particular in relation to vulnerable trial participants.
In relation to the withdrawal of consent, the Board repeats its guidelines on consent of April 2018. Withdrawal of consent means that no further research can be performed on the trial data and that the data should be deleted in the absence of another legal basis, such as the safety purposes mentioned above. For example, the safety processing discussed above would have another legal basis. Surprisingly, the Board does not consider the possibility of applying Art. 17(3)(d) GDPR, which contains a derogation to the deletion obligation specifically for scientific research.
(2) Alternatives to consent?
The Board highlights two alternatives to consent for the processing of sensitive health data: Art. 9(2)(i) GDPR (processing in the interest of public health) or Art. 9(2)(j) GDPR (processing for scientific research). However, both legal bases require an underpinning in a European Union or Member State law. Unhelpfully, such laws remain rare in the EU at the present time.
In relation to secondary use of clinical trial data (i.e., uses outside the scope of the trial protocol), the CTR requires that consent be procured for such use. The Board again points out that this is not a consent in the GDPR sense of the word, indicating that the CTR consent does not have to rise to the more exacting GDPR standard.
From a GDPR perspective, the Board now specifically recognizes that the secondary use of clinical trial data should not always require a fresh consent. Instead, such use could also rely on the presumption of compatibility in Art. 5(1)(b) GDPR. The application of this presumption means that no new legal basis (and thus no new GDPR consent) is required for the secondary use of clinical trial data for scientific research. This is a helpful clarification, as this specific provision in the GDPR intended to encourage scientific research is often ignored. The Board, less helpfully, does not explain when the presumption of compatibility can apply and states that it requires specific attention and future guidance.
On the basis of its opinion, the Board requests that the European Commission change its Q&A to reduce its focus on consent and to better reflect alternative legal bases in the GDPR. It is now up to the European Commission to consider the Board’s recommendations and, hopefully, continue the dialogue with the Board and other stakeholders to ensure a seamless and harmonized application of the rules.
While the Board acknowledges that the CTR also addresses this ethical consideration, it points out that: “[…] even though conditions for an informed consent under the CTR are gathered, a clear situation of imbalance of powers between the participant and the sponsor/investigator will imply that the consent is not ‘freely given’ in the meaning of the GDPR.” This statement controversially implies that the standard for assessing coercion when someone agrees to the processing of personal data in a clinical trial is different from, and higher than, the standard used for assessing coercion when someone agrees to participate in a clinical trial.