On May 25, 2018 the new and far-reaching General Data Protection Regulation (GDPR) went into effect in the European Union. The key goals of GDPR are to strengthen transparency and accountability in data security. The rights afforded to individuals to control their personal data are unprecedented in scope and extend beyond companies headquartered in the EU and its citizens to cover all residents of any EU member country. The changes affect every industry and every company doing business within the EU, including US-based life science companies that are conducting clinical trials in the EU.
Clinical research has long been governed by strict consent rules and therefore many of the requirements of the GDPR are not new to companies in the clinical research sector. However, there are some important changes that sponsors of clinical trials and CROs need to keep in mind. The most important ones related to clinical trials are:
Extra-Territorial Effect of the Law
Going forward, one of the first questions to ask and answer before undertaking a clinical trial that touches one of the EU member states is: “Does GDPR apply?” The answer is not as clear-cut as one might hope. Let’s look at the easy case first: if the sponsor of a clinical trial is located in the EU, GDPR automatically applies. However, if the sponsor is not based in the EU, GDPR may still apply depending on the specific circumstances. If the sponsor has an office in the EU that is involved in any aspect of the clinical trial, GDPR likely still applies. In addition, clinical trials that include data subjects located in the EU fall under GDPR regardless of where the sponsor and/or CRO are located, where the clinical data is processed, and where the sponsor plans regulatory submission. This applies even if the trial participants are not EU citizens but are simply in the EU while their data is collected.
Accountability Extends to Data Processors
GDPR makes it easier for individuals to hold not only data controllers (sponsors) but also data processors, e.g. CROs, investigators or statisticians, responsible for any breach of privacy and to obtain compensation even for infringements that lead to non-material damages. The ramifications for data controllers include that they might have to hire a data protection officer and maintain documentation proving compliance with GDPR.
New Rights for “Data Subjects”
One of the phrases one hears frequently in connection with GDPR is the “right to be forgotten”. This is one of a number of new rights given to individuals under GDPR. Also known as the Right to Erasure, this provision enables the “data subject”, in this case the clinical trial participant, to have their personal data deleted without undue delay, which is defined as within one month of receipt of the request. A helpful exception for clinical trials is that the right to be forgotten does not apply if processing of the data is necessary for scientific research. It will be interesting to see whether this exception will be used as a loophole that could open the door to fairly creative interpretations of what scientific research might entail.
Other rights of the data subject include the right of access, i.e. the right to know whether or not personal data are being processed and, if so, to obtain access to that data. In addition, the right to rectification gives the individual the right to have inaccurate data corrected within a month, and the right to data portability gives the individual the right to receive their data and to transfer those data to another data controller.
Changes to Consent and the Definition of Sensitive Data
The conditions for consent, already a cornerstone of privacy in clinical trials, have been further strengthened through GDPR. The regulation requires consent to be stated in clear, unambiguous terms, to be distinguishable from other matters, and the purpose for collecting the data must be made clear in the consent. Withdrawing consent has to be just as easy as giving it.
In addition, the definition of “sensitive data” has been broadened compared to HIPAA to include genetic and biometric data.
Where Things Get Tricky
While GDPR mentions clinical trials specifically only twice, the provisions of Regulation (EU) No 536/2014 apply and regulate the specifics. This interface between 536/2014 and GDPR is where it can get tricky, specifically with regard to clinical studies done outside the EU but referenced in a clinical trial application within the EU. These trials must now comply with regulatory requirements that are at least equivalent to those in the EU – and that now means GDPR. Consequently, even clinical trials that are conducted entirely outside the EU but which the sponsor might want to include as background for an EU trial need to be carefully evaluated for compliance with GDPR.
For pharma and biopharma companies as well as CROs it is critically important to carefully review whether they need to comply with GDPR. Running afoul of the new European Data Protection Regulation can be very expensive – fines of up to 4% of worldwide revenue or €20 million, whichever is higher, apply.
BioPharma Law Blog posts updates and analyses on IP topics, FDA regulatory issues, emerging legal developments, and other news in the constantly evolving world of biotech, pharma, and medical devices.