When conducting a clinical trial in the EU, actors from the pharmaceutical sector need to comply with the data protection requirements arising from the General Data Protection Regulation (GDPR) and the specific requirements under the national laws of each EU Member State. This article also analyses the specific requirements that arise under the French Data Protection Law (FDPL).
Legal framework under GDPR
In January 2019, the European Data Protection Board (EDPB) adopted its Opinion 3/2019 on the interplay between the Clinical Trials Regulation and the GDPR. Last Tuesday, the EDPB published its Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak. The EDPB announced that it is working this year on further and more detailed guidance on this issue, the scope of which will not be limited to the COVID-19 outbreak.
Legal grounds for processing
The EDPB suggests various combinations of legal bases (art. 6 GDPR) together with the conditions for processing health-related data (art. 9 GDPR) for processing operations purely related to research activities. One of these combinations is the possibility for sponsors to rely on their legitimate interests as controllers (art. 6(1)(f) GDPR) to provide a lawful ground for these processing operations. Where this is the case, sponsors can rely on either article 9(2)(i) [public interest in the area of public health] or 9(2)(j) [scientific research purposes] of the GDPR as the exception allowing them to process data concerning health.
For clinical trials in general, and scientific research on Covid-19 in particular, the combination of consent (art. 6(1)(a) GDPR) and explicit consent (art. 9(2)(a) GDPR) is not recommended, given the burdensome regime for collection and withdrawal of consent.
International data transfers
As a general rule, personal data should be transferred on the basis of an adequacy decision (article 45 of the GDPR) or on one of the appropriate safeguards listed in article 46.2 of the GDPR. The legal derogations under article 49 are normally limited to specific transfers and must be relied upon in limited cases only.
That being said, given the exceptional health crisis of an unprecedented nature and scale caused by Covid-19, the EDPB considers that private and public entities may rely on the legal derogations of article 49 for transferring personal data outside the EU, in particular where the transfer is necessary for important reasons of public interest.
Indeed, the EDPB considers in its Guidelines 03/2020 that "the fight against covid-19 has been recognised by the EU and most of its Member States as an important public interest, which may require urgent action in the field of scientific research (for example to identify treatments and/or develop vaccines), and may also involve transfers to third countries or international organisations".
Therefore, the EDPB confirms that public authorities and private entities playing a role in pursuing such public interest can rely on this derogation, as a temporary measure due to the urgency of the medical situation globally. However, appropriate safeguards should frame the transfers, where possible.
In addition to these developments, it is worth recalling that the GDPR authorises Member States to introduce further conditions, including limitations, with regard to the processing of data concerning health. This "margin of manoeuvre" has been the key for the development of a highly regulated regime that applies in France with respect to scientific research.
Legal framework under French law
The FDPL contains provisions on the processing of personal data for the purposes of research, study or evaluation in the health sector. In this respect, the French data protection authority (CNIL) has issued several Reference Methodologies ("Méthodologies de Référence"), each of them having a different scope. The scope of each CNIL Reference Methodology depends on the type of scientific research or study at issue.
Compliance with the Reference Methodologies: a self-certification process
Where the contemplated processing operations meet the requirements contained in the relevant Reference Methodology (MR-001, MR-002, MR-003,…), the clinical trial sponsor must self-certify its compliance with this Reference Methodology on the CNIL's website, which results in a declaration of compliance acknowledged by the CNIL.
For example, if a clinical trial sponsor relies on MR-001 (one of the most common Reference Methodologies used for clinical trials), it is responsible as a data controller to ensure that the processing operations are carried out in compliance with the conditions that are set out under this MR-001. In this respect, it must ensure that all the necessary documentation and technical and organisational measures are implemented in accordance with this Reference Methodology.
The CNIL has identified the security of health data as one of the top priorities of its enforcement strategy in 2020. It is worth highlighting that the Reference Methodologies contain a section on "implementation and security", on which clinical trial sponsors will need to focus this year.
Non-compliance with the Reference Methodologies: request for CNIL's authorisation
Where the sponsor does not meet the requirements set out in a Reference Methodology, it must request authorisation from the CNIL, which is a lengthier process by which the CNIL scrutinises and reviews the contemplated processing activities in detail. At the end of the process, the CNIL decides whether to grant an authorisation and can recommend measures to the sponsor in order to obtain such authorisation.
In a statement made on its website on 26th March 2020, the CNIL announced its commitment to giving priority to authorisation requests relating to scientific research in the context of the Covid-19 crisis, and to shortening the timeframe for giving its approval in the event that the planned data processing does not comply with one of the Reference Methodologies.