The European Data Protection Board (EDSA) issued new guidance on January 23, 2019, on the interaction between the GDPR and the Regulation (EU) No. 536/2014 on clinical trials published (Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation and the General Data Protection Regulation). The guideline is based on a request for advice from the Commission’s Directorate-General for Health and Food Safety (GD SANTE) of October 8, 2018, in the form of a list of questions on which the EDSA should take a stand.
It should be noted in advance that although the Clinical Trials Regulation is in force, it will not apply until the envisaged IT infrastructure, namely the common EU portal and the EU database pursuant to Articles 80 and 81, are operational. This is expected to be the case in the course of 2020. Nevertheless, the EDSA’s opinion is not premature, because it also serves to clarify the relationship between the GDPR and clinical studies conducted under the regime of the currently valid Directive 2001/20/EC on clinical trials be carried out.
The EDSA notes that the GDPR and the Ordinance on Clinical Trials do not have a hierarchical relationship to each other, but apply in parallel and serve different purposes. In particular, the “informed consent” pursuant to Art. 29 of the Clinical Trials Regulation pursues a different thrust than consent as a conceivable authorization basis for the data processing associated with the clinical trial: the former serves to comply with ethical principles and has no significance from the perspective of data protection law. This applies to the consents both to the primary processing within the framework of the trial plan and to the further use of the data for further scientific research.
In order for the patient’s consent to the processing of his or her health-related information to be effective under data protection law, all the requirements for explicit consent pursuant to Art. 9 (2) lit. a GDPR be met, using the criteria of the relevant working document of the Article 29 Working Party (Guidelines on consent) are to be taken to heart. Particular attention must be paid to the criterion of voluntariness. In the context of clinical trials, there is often a power and information imbalance between the investigator and the person concerned, which is why, from the point of view of the EDSA only rarely can effective consent be assumed. This leads the panel to the following conclusion:
Consequently, the EDPB considers that data controllers should conduct a particularly thorough assessment of the circumstances of the clinical trial before relying on individuals’ consent as a legal basis for the processing of personal data for the purposes of the research activities of that trial.
Alternative authorization bases for the processing of personal data in the context of clinical trials are set out in the GDPR quickly found:
- For the primary processing purposes, reference may be made to Art. 9(1)(i) (processing for reasons of public interest in the field of public health) and to Art. 9(1)(j) in conjunction with Art. 89(1) GDPR (processing for research purposes, taking into account appropriate technical and organizational measures).
- In the case of further use of the data collected within the scope of the protocol for other research purposes (secondary use), according to Art. 5 para. 1 lit. b GDPR In principle, the principle of purpose limitation can be deviated from (presumption of compatibility), so that no new authorization basis is required for further processing.
With regard to facilitated reuse, it appears that the EDSA however, to be shocked by his own and the EU regulator’s courage and does not want to make a definite commitment yet:
These conditions, due to their horizontal and complex nature, will require specific attention and guidance from the EDPB in the future. For the time being, the presumption of compatibility, subject to the conditions set forth in Article 89, should not be excluded, in all circumstances, for the secondary use of clinical trial data outside the clinical trial protocol for other scientific purposes.
The guideline of the EDSA leads to two key findings:
- Consent is not a reliable basis for authorization. It is a “last resort” and should only be considered if no other basis for authorization is available. Somewhat surprisingly, this applies to the EDSA even in the context of clinical studies (cf. e.g. the contrary view in the “Handout” of the Working Group of Medical Ethics Committees in the Federal Republic of Germany). Patients are thus expected to understand the nature, objectives, benefits, consequences, risks and disadvantages of a clinical trial and to give their consent to an investigative medical intervention in the knowledge of these circumstances, but not to freely agree to the associated data processing. This shows once again that data protection takes itself too seriously. Not only would patient consent be a more reliable basis for sponsors and investigators than a vague weighing of interests, relying solely on public health and research interests to justify the processing of data derived from medical interventions also stirs uneasy feelings: The individual is deprived of the capacity for self-determination, and the state with its own value system takes its place. No answer is provided by the EDSA The report also addresses the burning question of whether it is still possible to invoke alternative grounds for authorization in the event of invalid consent. Clarification would be desirable, particularly in view of the uncertain continued validity of old-law consent.
- As strict as the requirements of the GDPR to the effectiveness of consent, the exceptions in favor of research are so liberal and numerous, e.g., with regard to purpose limitation, data economy, the obligation to provide information and the right to erasure (cf. Art. 5 para. 1 lit. b and e, Art. 14 para. 5 lit. b and Art. 17 para. 3 lit. d GDPR). However, the contours have yet to be found, and it is to be hoped that supervisory authorities and ethics committees will find a balance that is practicable and free of value contradictions. It might be more purposeful to recognize the similarities rather than differences between privacy and human research regulation.