The EU Clinical Trials Regulation (CTR) will likely become applicable in 2020, upon confirmation of the full functionality of the Clinical Trials Information System (plus an additional six months). With the implementation date approaching, in April 2019 the EU Commission published a list of 11 ‘FAQs’ on how the requirements of the CTR interact with those of the EU’s General Data Protection Regulation (GDPR). Given the critical significance of personal data in any clinical trial, it is hardly surprising that questions were frequently being asked. Neither legislation takes precedence over the other, and so those conducting clinical trials must ensure they achieve compliance with both regimes.
The FAQs were preceded by an Opinion, issued in January 2019, by the European Data Protection Board (EDPB). Both the Opinion and the FAQs provide a useful insight into the regulators’ position, particularly as regards the appropriate lawful bases to process personal data relating to clinical trials.
The need for a lawful basis
For those less familiar with EU data protection law, any collection or use of personal data must satisfy one of the six ‘lawful bases’ set out in Article 6 of the GDPR. Where ‘special category data’ is processed, an additional lawful basis is needed, from the more restrictive list set out in Article 9. Since special category data includes health information (as well as ethnicity, sexual orientation, genetic and biometric data), it is to be assumed that at least some personal data collected in the context of all EU clinical trials will need a lawful basis under both Article 6 and Article 9.
Conducting a clinical trial in accordance with the CTR will require the processing of personal data for numerous purposes, including: to conduct the research itself; perform safety reporting; archive the trial master file for 25 years as well as medical files of subjects for a period set by national law; and allow auditing, including of individual patient records, by national inspectors. All of these activities will involve a consideration of the ‘lawful basis’ relied upon, for the purposes of GDPR, by the sponsor/investigator institution (as the “data controller”).
When considering the various uses of personal data in this context, the FAQs and the EDPB distinguish between, on the one hand, processing relating solely to the research itself and, on the other hand, processing relating to the safety and reliability of the clinical trial.
What lawful bases to rely on?
The processing of personal data to ensure the safety and reliability of the clinical trial is a requirement of the CTR. Therefore the processing is necessary to comply with a legal obligation imposed on the data controller, and so the controller can rely on Article 6(1)(c). For an Article 9 condition, the GDPR legislators clearly envisaged these precise circumstances – providing the specific basis in Article 9(2)(i) of processing “necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…”
The research itself, however, is not derived from a legal obligation, and so will need a different lawful basis. The recommendation of the Commission and EDPB, for public authorities or those with a public mandate, is to rely on “processing necessary for the performance of a task carried out in the public interest” (Article 6(1)(e)). For those without a public mandate, the Commission and EDPB suggest ‘legitimate interests’, in Article 6(1)(f), as the most appropriate basis. To rely on the legitimate interests basis, the controller will need to conduct a balancing test between the legitimate interests identified (which could include wider societal benefits, as well as commercial interests) and those of the data subjects, to ensure its legitimate interests prevail. Again, the controller will also need an Article 9 basis – and the most logical will usually be that the processing is necessary for scientific research purposes.
A notable absence from the above is any discussion of consent as a lawful basis. It may come as a surprise to those not thoroughly immersed in the tangles of data protection law to learn that a controller can – and in many cases should – process personal data in clinical trials without obtaining the participant’s consent.
When is a consent not a consent?
The question of consent is, without doubt, one of the thorniest legal issues presented by the interplay between the GDPR and the CTR. The CTR requires the informed consent of the individual, as a fundamental condition for their participation in a clinical trial. However, both the Commission and the EDPB are keen to emphasise that this ‘consent’ is entirely distinct from a consent to processing of personal data: it is in place to ensure the protection of two EU Charter rights, the protection of human dignity and the integrity of the individual. It is not an instrument for data protection.
In fact, quite the opposite is true. The Commission and the EDPB agree that ‘consent’, as understood in a GDPR context, will generally not be the appropriate lawful basis under which to process personal data in a clinical trial.
This is because of the stringent requirement, under GDPR, that any data protection consent must be “freely given”. In order to be freely given, there cannot be an imbalance of power between the data subject and the controller, or exist any other circumstance which might limit the data subject’s ability to exercise a genuine choice. The EDPB warns that where the participant is not in good health, belongs to a disadvantaged group, or is in a situation of hierarchical dependency, consent will be presumed to not have been freely given, and will therefore be invalid. An indigent cancer patient would not, realistically, be exercising a ‘free choice’ when deciding whether their personal data can be processed as a necessary condition to their receiving treatment.
The fact that a GDPR consent can be withdrawn also makes it a less attractive lawful basis for the controller: if a participant drops out of the trial and withdraws their consent to data processing, it would be very frustrating for the investigator to have to cease processing any of the data already collected for the purposes of the research (although the data could still be retained to comply with legal obligations).
Since the distinction between a CTR consent and GDPR consent can be confusing enough to lawyers, controllers must work especially hard to avoid passing on this confusion to data subjects. The GDPR requires controllers to specify their lawful basis to data subjects, and so careful thought must be given when drafting informed consent forms and notices to ensure that they don’t mislead or confuse participants as to what they are ‘consenting’ to.
A Brexit Epilogue
A brief and unavoidable word on Brexit, since both the CTR and GDPR are EU laws. The UK has confirmed that the GDPR will remain in UK law, termed the “UK GDPR”. As regards the CTR, if implemented during the transition period introduced under the amended Withdrawal Agreement concluded between the EU and the UK (which is to end on 31 December 2020 unless extended), it will apply in the UK in its entirety. In any event, however, the UK Government has confirmed their intention that UK law will remain aligned with the CTR.
 Following the General Election of 12 December 2019, the new UK Government has pledged not to request any extension to the initial transition period