Clinical Trials in the EU: Ongoing Uncertainty Around Data Protection Compliance for Sponsors
It has been more than a year since the European Data Protection Board (EDPB) published its opinion in January 2019 on the interplay between the EU Clinical Trials Regulation (CTR) and the EU General Data Protection Regulation (GDPR). Unfortunately, harmonization is still lacking across the EU, with different countries taking different approaches to the lawful basis for processing study subject personal data. This has resulted in a fragmented and confusing picture for sponsors — including Swiss-based sponsors running clinical trials in multiple EU countries.
The EDPB’s opinion — which the European Commission largely reiterated in its document, Questions and Answers on the Interplay Between the CTR and the GDPR — advocated a radical shift away from reliance on consent of the study subject as the lawful basis for the processing of personal data for primary research. Instead, the EDPB recommended reliance on (i) compliance with a legal obligation where processing personal data for safety and reliability purposes (e.g., vigilance reporting) and (ii) the legitimate interests of the sponsor (or a third party) where processing for all other primary research purposes.
However, not all EU countries have followed these recommendations due either to conflicting national legislation that mandates reliance on consent (e.g., Germany) or to a reluctance to change from the traditional approach of relying on consent. Therefore, for Swiss-based sponsors running clinical trials in multiple EU countries, the appropriate lawful basis for processing will likely vary. In practice, this means potentially multiple variants of the Patient Information Sheet/Informed Consent Form, as well as supporting documentation (e.g., legitimate interest assessments).
Interestingly, this lack of consistency and continued uncertainty extends beyond the lawful basis for primary research to other key data protection concepts, including the role of the study site (i.e., as controller, processor or joint controller). This determination is important for sponsors as it will affect the wording to be included in the clinical trial agreement (CTA) and the statutory liability of the site. Historically (i.e., pre-GDPR), sites were typically viewed as controllers or, in some cases, joint controllers — that is, two or more controllers that jointly determine the purposes and means of the processing. Indeed, this is the approach that certain regulators continue to take: for example, in Italy where the Model CTA identifies the site and the sponsor as independent controllers, and in the Netherlands where the Model CTA includes joint controller provisions. However, there are also countries where the sites are typically viewed as processors. In practice, there is a varied approach taken by sponsors and a lack of consensus from sites (even within a country).
In response to these developments, we are aware that many clinical legal teams are actively exploring or are in the process of transitioning their lawful basis for processing personal data in the context of EU clinical trials. Specifically, we are seeing a shift away from reliance on consent from a GDPR/data protection perspective. However, to manage the lack of harmonization, sponsors are having to consider the position at a national level in each of the EU countries in which they are running trials. We have been working with a large number of sponsors to review and amend existing clinical trials documentation and to develop practical guidance for the business to handle the ongoing uncertainty in what is a rapidly developing area.