This post relates to Cooley’s Privacy Talks series – a webinar program featuring Cooley practitioners discussing practical guidance and best practices around managing data protection-related issues. Sessions range from the European General Data Protection Regulation (GDPR) to the California Consumer Privacy Act (CCPA) – and all the other new data protection frameworks arising in the US, Asia and Latin America. Sessions will occur on a monthly basis in 2022.
Life sciences companies and other organizations conducting clinical trials in the European Economic Area (EEA) are required to comply with extensive regulatory requirements, particularly the General Data Protection Regulation and, from January 31, 2022, the Clinical Trial Regulation (CTR). Because these regulations impose obligations that are potentially contradictory, they can be hard to apply together in practice. Below, we’ve provided answers to some of the most challenging questions about reconciling the GDPR and the CTR.
#1. What steps are necessary when preparing to conduct a clinical trial in the European Union?
The CTR imposes obligations related to the establishment and conduct of a clinical trial and, in parallel, the GDPR imposes obligations related to the processing of personal data while conducting a clinical trial.
CTR clinical trial obligations
Although the CTR entered into force on June 16, 2014, it will only enter into application on January 31, 2022, and related transition provisions will delay application of some of its provisions. Thus, two different regimes may apply:
- For ongoing clinical trials, the CTR’s transitional provisions dictate how long the Clinical Trial Directive will apply and when the CTR will begin to apply.
- For future clinical trials, the CTR’s transitional provisions provide for an 18-month transition period, which allows for the Clinical Trial Directive’s further applicability during this period in defined circumstances.
The CTR imposes many obligations, including the need to obtain informed consent from clinical trial participants to participate in the trial. The regulation also introduced the possibility for a trial sponsor to request the consent of patients to the future processing of their data for purposes falling outside the trial protocol.
GDPR clinical trial obligations
Under the GDPR, the following requirements must be addressed before or in conjunction with an application to ethics committees:
- Local jurisdictional requirements: Although the GDPR intends to provide a single set of rules for all EU member states, it allows the states to adopt local deviations from certain provisions, such as the legal basis for processing personal data, which are particularly important in the context of clinical trials. It is therefore critical to check whether any local deviations apply.
- Transparency requirements: The GDPR obligates controllers, including clinical trial sponsors, to provide certain disclosures to trial participants. Sponsors can satisfy this obligation either as part of an informed consent form (ICF) or in a separate privacy notice.
- Data protection officer: Early in the process of preparing a clinical trial, organizations need to assess whether it is necessary to appoint a DPO and, if so, to appoint one. The DPO’s contact details must be included in the ICF or GDPR notice submitted to ethics committees.
- EU and UK representatives: Organizations that are not established within the EEA and/or the UK must appoint EU and/or UK GDPR representatives, as applicable, and include the representatives’ contact details in the ICF or GDPR notice.
- Contractual frameworks with third parties: Organizations must ensure that the contracts required by the GDPR are concluded. These include a data processing agreement with the sites and, where relevant, with the contract research organization (CRO). Contracts compliant with the GDPR must also be concluded with any other vendor that may have access to the clinical trial data.
- Technical and organizational measures: The GDPR obligates parties processing personal data to implement and maintain appropriate technical and organizational measures.
- Data protection impact assessment: Organizations must assess whether it is necessary to conduct a DPIA and, if so, complete the DPIA before collecting personal data.
#2. What are the main points of friction between the CTR and the GDPR?
As we explain in further detail below, the scope and consequences of patient consent differ between the GDPR and the CTR. These can be difficult to reconcile in practice.
#3. Can the CTR’s informed consent requirements be reconciled with those provided in the GDPR?
Consent requirements under the CTR and the GDPR are often believed to mean the same thing, but such an understanding is misguided.
Consent in the CTR
The CTR imposes a legal obligation to obtain informed written consent of the trial participants prior to the clinical trial for the purpose of participating in the clinical trial and receiving any potential treatment.
Consent in the GDPR
In the GDPR, consent relates to the processing of personal data. However, legal bases other than consent can be used for the processing of personal data, including within the context of a clinical trial. The European Data Protection Board (EDPB) and the UK Information Commissioner’s Office (ICO) advise organizations against using consent as a legal basis for processing trial participants’ personal data and recommend using an alternative legal basis, such as legitimate interests. Under the GDPR, consent must be freely given, and the aforementioned data protection authorities contend that, in the context of a clinical trial, participants have no free choice because of an imbalance of power. However, in some EEA countries, such as the Netherlands, ethics committees still require the use of patient consent as a legal basis for both participation in clinical trials and the processing of personal data of trial participants.
#4. Do the CTR representative and the GDPR representative have the same role?
No. These are two different roles with different responsibilities.
- CTR representative: Trial sponsors not established within the EEA are required by the CTR to appoint an EU legal representative, who represents the trial sponsor in interactions with the competent authorities and, if necessary, the courts in the EEA countries.
- GDPR representative: The EU representative required by the GDPR acts as the point of contact for data subjects (including for trial participants) and data protection authorities in the EEA and the UK. The GDPR representative also maintains records of processing activities and makes these records available to the data protection authorities upon their request.
There is, in principle, no prohibition on appointing one person or organization to fulfill both roles. In practice, however, to avoid any actual or inferred conflict of interest, most clinical trial sponsors appoint a separate representative for each role, and ensure that each representative has a sufficient level of expertise to fulfill the specific obligations under the CTR and the GDPR, respectively.
#5. What are the roles and obligations of clinical trial sites in the GDPR?
- Roles: Depending on the EU member state concerned, clinical trial sites may take different positions and act as controller, joint controller or processor. In most cases, the role depends on guidance from national authorities or national ethics committees. For instance, sites in the Netherlands are always considered joint controllers with the sponsor, while in France and Belgium, they are usually qualified as processors.
- Obligations: Depending on the role, different obligations apply under the GDPR, which also will have an impact on liability. In case of joint controllership between the sites and the sponsor, different contractual obligations need to be agreed upon, as opposed to where the sites act as processors. Having the right contractual agreement in place and ensuring that all parties comply with the GDPR are crucial to help mitigate risks. This becomes particularly relevant for joint controllers, as the sponsor and sites are jointly liable under the GDPR.
Thus, roles and obligations of clinical trial sites should be evaluated in detail with the CRO, if it oversees the negotiations, to ensure that the correct contractual agreements are implemented and risks are mitigated from the outset.
#6. How can data protection obligations imposed on sponsors and sites most effectively be integrated into the clinical trial agreement?
Data protection obligations can be integrated into the clinical trial agreement mainly in three ways:
- In the body of the clinical trial agreement: This is often not considered the best approach, because the parties’ processing activities or legal obligations may change over time. Any such changes could require burdensome revisions to the body of the clinical trial agreement.
- In an annex: Market practice is to address data protection provisions in an annex to the clinical trial agreement, which is arguably a more efficient approach that makes any necessary revisions easier to agree and execute.
- In a stand-alone agreement: In France, an obligatory template must be used when negotiating clinical trial agreements with sites, so the options discussed in the two previous bullet points cannot be used. We therefore commonly recommend that a stand-alone data protection agreement be concluded between the parties.
#7. Could the qualification of sites in the GDPR have an impact on the ownership of data generated in a clinical trial?
The GDPR does not regulate ownership of personal data.
A common misconception is the belief that where the sponsor and the site are considered joint controllers under the GDPR, there is co-ownership of the clinical trial data. A site doesn’t become a co-owner of the clinical trial data because it is a joint controller under the GDPR, but we have seen organizations claiming “ownership” of data generated in clinical trials – and even using it with competitors. For this reason, parties to clinical trial agreements should include clear wording regarding ownership of the clinical trial data.
#8. How important is compliance with the GDPR for assessment of a clinical trial from a CTR perspective?
EU data protection authorities can impose administrative fines of up to 20 million euros or 4% of global annual turnover, whichever is higher. Class actions and criminal sanctions can also be applied under the GDPR. Since the entry into force of the GDPR, the enforcement risk has significantly increased.
Furthermore, the “reputational” perspective shouldn’t be neglected. GDPR compliance is more often being scrutinized in the context of M&A transactions and IPOs, so organizations should consider not only enforcement risks, but also growth perspectives and business reputation in the market.
Finally, we are seeing that GDPR compliance is an increasingly important part of good clinical practice (GCP) inspections at both trial sites and the trial sponsor’s facilities, with inspectors expecting both to demonstrate compliance with their related obligations.
#9. How can CTR provisions governing patient consent to secondary processing be reconciled with related GDPR obligations?
The CTR introduces the possibility for trial sponsors to address with trial participants the issue of secondary use of their personal data. Article 28(2) of the CTR permits sponsors to request such consent, limited to circumstances in which the sponsor wishes to process the data exclusively for scientific purposes, even though those purposes fall outside the scope of the protocol.
The GDPR generally prohibits further processing of personal data. Under the GDPR, data subjects (trial participants) must be informed upfront about the purposes for which their personal data will be processed, in order to be able to make an informed decision. However, the EDPB adopted a flexible approach in its guidance on the interplay between the GDPR and the CTR, and stated that the presumption of compatibility provided under Article 5(1)(b) GDPR could be used for future research involving personal data collected in the context of a clinical trial. This article provides that further processing for scientific research purposes isn’t considered to be incompatible with the initial purpose for processing, provided it occurs in accordance with Article 89 GDPR, which requires specific adequate safeguards. Where that is the case, organizations may be able, under certain conditions, to further process the data without the need for a new legal basis.
These conditions, due to their horizontal and complex nature, will require specific attention and guidance from the EDPB in the future. In the absence of such guidance, we recommend conducting a case-by-case analysis to assess whether the data subjects concerned could reasonably consider that the contemplated further processing activities have a link with the initial purposes for processing their personal data.
#10. Is it possible for a trial sponsor to create a single worldwide compliance strategy that governs data protection obligations and clinical trial obligations?
Because there are differences in regulatory frameworks globally, it is extremely difficult to create a single worldwide compliance strategy for data protection and clinical trial regulatory obligations. Furthermore, market practice in terms of approaches and priorities suggests that it is most appropriate to tailor an organization’s compliance strategy to the relevant jurisdiction.
However, clinical trial sponsors may be able to address certain data privacy and protection efforts globally, such as implementing and maintaining appropriate technical and security measures to cover all mission-critical data (including personal data) in the same manner. This baseline approach provides for greater flexibility in terms of managing personal data and promotes a culture of strong security across the organization.