New European Data Protection Board (EDPB) Guidance Highlights – but Leaves Unresolved – Several GDPR Compliance Issues Facing Clinical Researchers
Last week, the European Data Protection Board (the “EDPB”) released new guidance on the application of the European Union General Data Protection Regulation (“GDPR”) to health research. The guidance was issued in the form of answers to questions posed by the European Commission, the executive branch of the European Union. The EDPB did not substantively answer many of the questions posed, instead noting that additional guidance would be forthcoming later this year regarding processing personal data for scientific research purposes. Nevertheless, the guidance acknowledged several issues important to researchers, including:
- the effect of divergent laws across European Union Member States (“Member States”) on research projects that take place in multiple Member States;
- a lack of clarity on what “additional safeguards” allow for processing data for scientific research purposes and for using data previously collected, especially when research goals change during the course of a study;
- how researchers can obtain “broad consent” to data processing; and
- whether genetic data can be anonymized.
This Alert provides summaries of key issues the guidance addresses, as well as some key questions left unanswered by the document.
Trials Across Member States: The EDPB acknowledged the problems with, but provided limited guidance on, GDPR compliance when conducting clinical trials across multiple Member States. The GDPR only allows a controller to “process” personal data under one of a limited set of legal bases listed in Article 6, and controllers must further satisfy one of the exemptions listed in Article 9 if the data include special categories of personal data, such as health data. Several of these legal bases and exemptions, such as “processing necessary for . . . scientific or historical research purposes” in Article 9(2)(j), are only available where they are based on Member State or E.U. law.
The guidance states that the only E.U. law that has been identified to date as providing a uniform basis to process personal data in the context of research is the E.U. Clinical Trial Regulation (“CTR”), which provides a basis for processing personal data in clinical trials for reliability and safety purposes. The CTR does not, however, provide a basis for processing personal data for other purposes in clinical trials, such as for conducting analysis for research purposes, and does not provide a basis for processing personal data in the context of other research. Further, Member States may limit the processing of genetic, biometric, and other health data.
The EDPB recognized that researchers may need to rely on different legal bases and exemptions to process personal data in the same clinical trial across different Member States. However, the EDPB expressed a strong preference that researchers maintain consistent rights for data subjects across all Member States when possible. While the EDPB acknowledged the inherent tension between relying on different legal bases in different Member States and maintaining consistent rights for data subjects across Member States, it provided no further guidance and suggested that the European Commission resolve these issues in upcoming lawmaking related to the creation of a European Health Data Space.
Explicit Consent: One legal basis for processing health data is explicit consent, under GDPR Article 9(2)(a). The guidance clarifies that “explicit consent” and “informed consent” are different concepts—while a clinical researcher must obtain a study participant’s informed consent under principles of research ethics, such as the Declaration of Helsinki, the researcher may process that participant’s health data using any of the permitted bases and exemptions in Articles 6 and 9. Because consent under the GDPR must be freely given, the guidance clarifies that explicit consent is a permissible basis to process clinical research data only if “a particularly thorough assessment of the circumstances of the clinical trial” reveals that there is not a “clear imbalance of power” between the study participant and the investigator or institution. Such an imbalance may occur, for example, when a study participant is “not in a good health condition and there is no therapeutic treatment outside the clinical trial”; in that circumstance, the guidance states that using explicit consent would be impermissible under the GDPR. The EDPB fails to explain how consent to participate in the trial and receive an investigational product of unknown safety and efficacy can be valid despite any imbalance of power, whereas consent to the processing of personal data is invalid if there exists an imbalance of power.
Processing Previously Collected Health Data: The EDPB also provided limited additional guidance on processing previously collected health data for research purposes, instead stating that its upcoming guidance will provide further elaboration. Researchers wishing to further process previously collected health data must satisfy several GDPR requirements. First, under GDPR Article 5(1)(b), the data must be processed either for the same “specified, explicit and legitimate purposes” for which the data were initially collected or for scientific research purposes with adequate safeguards in place. The EDPB said it would provide more information regarding what “adequate safeguards” entail in its upcoming guidance.
Second, if the exemption and/or basis used initially to collect the data, such as providing medical care to a patient under GDPR Article 9(2)(h), does not apply to the researcher’s further processing, the researcher must find a different basis and/or exemption. Additional questions arise when the data come from social media platforms or activity trackers, rather than directly from patients. Further, the EDPB noted that there are unique rules for when researchers seek to reprocess personal data originally processed based on consent of the data subject. The EDPB said its upcoming guidance would provide more information on these topics.
Broad Consent: The EDPB said it would also provide more information on processing personal data for research purposes under a broad consent. “Broad consent” comes from the idea, in Recital 33 of the GDPR, that, when a researcher cannot “fully identify the purpose of personal data processing for scientific research purposes at the time of data collection,” the researcher may obtain consent to certain areas of scientific research, rather than consent to a specific research project. The EDPB said that researchers using a broad consent should obtain specific consent to known stages of the research and uses of the data up front; permit data subjects to later withdraw their consent; “narrow down” the research areas that the broad consent covers; “carefully evaluate the rights of the data subject, the sensitivity of the data, the nature and purpose of the research and the relevant ethical standards”; and apply other “additional safeguards” on which the EDPB will elaborate in future guidance. The EDPB’s comment that it will evaluate broad consent in future guidance potentially shows more openness to the concept than the EDPB has shown in its previous, non-research-specific guidance on consent.
Notifying Data Subjects of a Change in Data Processing Purposes: The EDPB affirmed that researchers must generally inform data subjects when using their data for a purpose different from that for which the data were collected or when changing the legal basis under which the data are processed. However, it may become difficult or impossible to locate data subjects following the initial collection in order to inform them of the new uses of their data. The EDPB said that the exception to this notification requirement in GDPR Article 14(5)(b) – an exception targeted at researchers – is narrow and applies only to data that researchers did not collect themselves from the data subjects. The EDPB said it would provide more information on this topic in its upcoming guidance.
Anonymization and Genetic Data: The EDPB explained that data anonymization is “difficult to achieve” and “should be approached with caution in the context of scientific research,” especially for research involving genetic data. To determine whether data are anonymous, researchers must consider “all the means reasonably likely to be used” to re-identify the data, which may change as technology advances. Moreover, the EDPB said that it remains “unresolved” whether “any combination” of measures could make genetic data anonymous, though its upcoming guidance will address this issue.
“Appropriate Safeguards”: The upcoming guidance will elaborate further on what “appropriate safeguards” are required when processing data for clinical research purposes. GDPR Article 89(1) requires that researchers put in place “appropriate safeguards” when processing personal data for “scientific or historical research purposes.” Researchers retaining data in an identifiable form for “longer than is necessary for the purposes for which the personal data are processed” must, under GDPR Article 5(1)(e), also implement such safeguards. While the EDPB acknowledged that the lack of information available on what constitutes acceptable safeguards makes GDPR compliance more difficult for researchers, the EDPB generally declined to offer any additional information in this document and instead pointed to its upcoming guidance. One additional safeguard the EDPB did recognize is the pseudonymization or coding of personal data.
Other Issues: Finally, the EDPB said it would provide more information on both (1) the transfer of data to third countries for scientific research purposes and (2) what constitutes “processing [health and other special categories of data] on a large scale,” a threshold relevant to determining whether to conduct a data protection impact assessment (DPIA), whether to appoint a representative for a controller or processor not established in the E.U., and whether to appoint a data protection officer. The EDPB noted that any “high likelihood of risk to the rights and freedoms of the data subjects” could trigger the DPIA requirement, even if the processing does not meet the “large scale” threshold.
Conclusion: While the guidance highlights many of the complications that researchers face under the GDPR when conducting studies that span multiple Member States, it does not provide many solutions. It remains to be seen whether the EDPB’s guidance on processing personal data for scientific research purposes, which is expected to be published later this year, will provide further clarity.
If you have questions, please do not hesitate to contact one of the authors or your usual Ropes & Gray advisor.