Earlier this year, the European Data Protection Board (“EDPB”) issued additional guidance on the application of the General Data Protection Regulation (“GDPR”) in the area of scientific health research.
Among the key takeaways from the guidance, the EDPB:
- Confirmed that the informed consent that individuals must provide under ethical standards to participate in scientific research (including clinical trials) is to be distinguished from explicit consent under Art. 9(2)(a) GDPR (and, therefore, legal grounds other than consent, provided under Articles 6 and 9, may be relied upon for processing health data);
- Confirmed that the processing of personal data for scientific research may rely on Member State law that specifically authorizes such processing, under Art. 9(2)(j);
- Acknowledged that harmonization of the requirements that underpin Art. 9(2)(j) is unlikely at this stage because Member States have enacted local requirements that controllers must meet to process personal data under Art. 9(2)(j). As a result, a single research project involving multiple Member States may need to rely on different legal bases for processing health data in different Member States (although the controller should make an effort to limit the consequences of these divergent legal regimes);
- Confirmed that controllers may obtain individuals’ consent for future secondary research without specifically defining the research, so long as the purposes of the research are compatible with the purposes of the original data processing and adequate safeguards are implemented;
- Confirmed the need to conduct Data Protection Impact Assessments (“DPIAs”) for high-risk processing; and
- Reserved a number of key points for future consideration, including the issue of whether legitimate interests can serve as the basis for transfer of health data for research purposes outside of Europe.
GDPR Upended Scientific Research Approval Process in Europe
Over the past several years, the EDPB has made various efforts to clarify GDPR guidance for scientific research purposes. While this is a welcome effort, clarity remains elusive.
In the clinical trial space, the GDPR has presented a unique and sometimes intractable challenge to sponsors that conduct clinical trials in Europe. It is not a challenge to the sponsors’ substantive data processing practices, as they have been handling clinical trial data in accordance with a globally accepted set of standards – Good Clinical Practices (“GCPs”) – for decades. Instead, the GDPR introduced “process” barriers to the approval and conduct of scientific research.
These challenges arose because – as the GDPR took the world by storm – Europe’s data protection authorities did not provide guidance to Ethics Committees (“ECs”) and Independent Review Boards (“IRBs”) on reconciling the GDPR with the then-current approval processes, including the requirement for participants to consent to participation in scientific research. In the absence of guidance, ECs and IRBs in each Member State were left to their own devices, leading to dozens of divergent applications of the GDPR in the scientific research space. Indeed, in the early days of the GDPR, one of the most critical areas of divergence among Member States was the different positions adopted by ECs and IRBs on whether patient consent was a valid legal ground for processing personal data in scientific research projects. This EDPB guidance confirms that this issue has been resolved.
While there has been uncertainty, it is important to acknowledge that the GDPR has also brought about significant benefits to the industry. Specifically, the GDPR exposed the low levels of data protection maturity – including non-compliance with GCPs and information security lapses – among clinical trial sites and vendors that support scientific research in Europe. This exposure has resulted in a significant push by the industry to adopt more robust data security practices.
This new EDPB guidance provides controllers with a path forward (i) where scientific research projects are being rolled out across multiple Member States; (ii) where not all intended scientific research purposes are known at the point the participant is asked to provide their consent; and (iii) where the research changes direction, or the controller changes, in the course of the research.
This is Final -- “Consent” under GCPs is NOT Art. 9(2)(a) GDPR Consent.
The EDPB emphatically reiterates the point that informed consent to participate in a scientific research project is not the same as consent for purposes of processing special categories of personal data under GDPR Art. 9(2)(a). The EDPB stressed that the principles embedded in the Oviedo Convention and the Declaration of Helsinki (i.e., the requirement of informed consent for scientific research) are distinct from explicit consent under the GDPR. The EDPB has confirmed in previous guidance that the legal bases available to controllers to process data for these purposes are legitimate interest (Art. 6(1)(f)) and – for special category data – scientific research purposes based on Union or Member State law (Art. 9(2)(j)).
Because Member State law is the basis for data processing under Art. 9(2)(j), controllers that conduct scientific research projects across multiple Member States will either need to satisfy the requirements of each local Member State law when relying on Art. 9(2)(j), or identify another legal basis for processing personal data.
Consent CAN Cover Further Research
The EDPB confirmed that controllers continue to have flexibility to include further research purposes in the Informed Consent Form (“ICF”) without detailing the research at the outset. For such broad consent to be valid, however, the EDPB requires the further research to be closely related to the original research purpose for which the data was collected. The guidance also stresses that this flexibility cannot be used to undermine key GDPR principles, and that the implementation of adequate safeguards under Art. 89(1) is a condition of any further processing on the basis of compatibility. The EDPB contemplates more detailed guidance on this topic later this year. Until that further guidance is delivered, controllers will need to determine whether the secondary research purposes for which they intend to use personal data meet the criteria for closely related purposes, and whether they have adopted sufficient safeguards.
Controllers have several avenues to mitigate the EDPB’s concerns where the research is not “closely related.” For example, controllers may put processes in place to use only anonymized data for secondary research. To that end, key-coded data provided to scientists for investigator-initiated research is not viewed as personal data in the scientists’ hands where the scientists cannot, under any circumstances, access the reference table that connects the key codes to the identities of the participants. The EDPB reiterated that key-coded data in other circumstances may be merely pseudonymized and, unlike anonymized data, remains personal data subject to the GDPR. Anonymization is also more difficult to achieve with respect to biospecimens.
Even where the research is not “closely related,” controllers should be able to process the data and specimen without obtaining additional consent where the processing is authorized under Member State law – under Art. 9(2)(j).
For personal data that was not obtained directly from individuals, the EDPB left open the possibility that the controller may rely on the Art. 14(5) exemption (which removes the notice requirement where the provision of notice is impossible, would involve a disproportionate effort, or is likely to render impossible or seriously impair the achievement of the scientific research purposes). Noting that this area will be the subject of further guidance this year, the EDPB also made clear that this exemption is not available to controllers who collect data directly from individuals. Those controllers should consider “dynamic ways” of informing individuals of any future processing.
In practice, it is extremely burdensome and may not be practical for controllers to obtain additional consents from individuals who have participated in earlier scientific research, or to segregate data and specimens in accordance with the scope of the consent the controller obtained under an ICF. For this reason, the use of scientific research data and biospecimens for secondary research is likely to require careful structuring and consideration to avoid requiring additional consents or otherwise running afoul of GDPR.
Data Protection Impact Assessments
The EDPB confirmed that “high risk” processing will require controllers to conduct DPIAs. While guidance on when to conduct a DPIA may be ambiguous and varies among Member States, it is already standard practice for clinical trial sponsors to perform and document DPIAs in connection with scientific research.
Cross-Border Data Transfers
The EDPB did not answer the question of whether controllers can rely on legitimate interest for transfers of health data outside of Europe for research purposes. The EDPB expects to issue guidance on this in the future. In the meantime, U.S.-based controllers working with CROs, EU site investigators and other third parties in the scientific research chain should continue to consider cross-border data transfer issues, as we have discussed in our previous publications on the topic. We will be providing further insights in the coming months given the developing regulatory guidance in this area.
If life sciences companies and scientific research organisations were hoping for certainty from the EDPB and closer alignment with long-standing industry practices, the guidance does not provide it. The guidance does show some reflection on the part of the EDPB with respect to the complex issues faced by the industry and the complications its previous guidance has created. Nevertheless, the uncertainty and lack of harmonization across Member States will continue to challenge the industry. The EDPB dangled the promise of further guidance this year on some critical issues. We will of course be keeping a close eye on future clarifications from the EDPB in the area of health research, particularly in connection with transfers of personal data outside Europe.