Pharmaceutical and biotech companies sponsoring clinical research have traditionally relied on patient consent as the legal basis for processing personal data, sensitive personal data and biologic material for current and future research. The EU General Data Protection Regulation (GDPR) has opened up the possibility of applying a new approach that may eliminate or limit the need to obtain patient consent for the processing of patient data for such purposes – an approach that carries significant benefits to the pharma and biotech entities sponsoring clinical trials. However, guidance published by the Article 29 Working Party (WP29) has left researchers around the world questioning whether the new approach will be recognized and accepted and whether consent might remain the best approach going forward.
Legal Bases for Processing Patient Data in EU Clinical Trials
As pharmaceutical and biotech companies work to adapt to new requirements and opportunities under GDPR, clarity is required to find optimal solutions that will enable the processing of patient data for current and future scientific research.
Consent for Current and Compatible Future Research
Perhaps the most straightforward approach to meeting current requirements in the context of EU clinical research, and future research in particular, is to apply the plain language contained within GDPR. Specifically, GDPR Article 6(4) allows processing for a purpose other than that for which personal data were originally collected where the subsequent processing is “compatible” with the original purpose.
In the context of clinical research, patient data, including biological samples applied to future research for medical purposes, are likely to meet a compatibility test, given general clinical research objectives of discovering and verifying the efficacy of new and innovative treatments for often life-threatening diseases. Additionally, GDPR Recital 33 indicates that researchers may obtain a general consent from clinical trial patients that can be used for future processing in connection with “areas of scientific research,” regardless of whether detailed study plans have been finalized for such research at the time consent is obtained. The recital states:
It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research.
In Article 6(4) and Recital 33, GDPR provides a framework by which researchers can give a general description of the purposes of current and potential future research in their initial informed consent forms (“ICFs”) and rely on the original patient consent in order to further process patients’ personal data, sensitive personal data and biological samples for purposes of compatible future research.
In the immediate aftermath of GDPR being fully effective and enforceable, it appears that this is the approach most pharmaceuticals and biotechs are taking as clinical trial sponsors. In addition, many European Ethics Committees seem to favor this approach and apply it where they publish templates of guidance for ICFs. This is not, however, the only valid legal basis and it is not without its drawbacks. For example, clinical trial sponsors relying on consent must have mechanisms in place to address withdrawal of consent (subject to other applicable legal requirements such as the EU Clinical Trials Regulation). In addition, there is some risk that Data Protection Authorities (“DPAs”) could favor the WP29 approach and apply that approach if they receive data subject complaints.
The WP29 Approach
WP29 takes a more restrictive approach to patient consent for purposes of identified current and unidentified future research in its Guidelines on Consent Under GDPR. That guidance limits the possibility of reliance on a patient’s general consent for future research activities. While acknowledging that “Recital 33 seems to bring some flexibility to the degree of specification and granularity of consent in the context of scientific research”, the WP29 guidance states that “Recital 33 does not disapply the obligations with regard to the requirement of specific consent”. Thus, WP29 appears to significantly limit the possibility of reliance on a patient’s general consent for future research activities.
According to the guidance, a “well-described purpose” for each stage of research or other safeguards must be included in the original consent form to comply with the GDPR consent requirements. This makes it highly impractical for clinical research sponsors to rely on a patient’s initial general consent for future research activities because, as Recital 33 states, “[i]t is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection.”
Thus, in cases where a trial sponsor chooses to rely on the WP29 guidance, new specific consents may need to be obtained from patients each time the sponsor plans to process patient data for a new clinical research purpose that was not described in the original ICF.
A More Progressive Approach – Legitimate Interest and Article 9(2)(j)
GDPR provides a more progressive approach – one that does not require patient consent for the processing of personal and sensitive personal data for purposes of scientific research – that researchers may adopt in order to lawfully process patient data in a clinical trial and for purposes of future scientific research.
By now, most privacy professionals are familiar with the legitimate interest provisions contained in GDPR Article 6(1)(f). Under that provision, controllers may process personal data without consent when the “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject”.
In the context of clinical trials, a sponsor (the controller) can readily take the position that the research is necessary for the purposes of its legitimate interest in developing new therapeutic treatments to meet the needs of individuals suffering from a particular disease. GDPR appears to support this approach, identifying the benefits associated with scientific clinical research in Recital 157, which references its potential for new knowledge about “widespread medical conditions such as cardiovascular disease, cancer and depression.” Recital 159 further supports this, citing the Treaty on the Functioning of the European Union, which promotes “the objective of strengthening its scientific and technological bases by achieving a European research area in which researchers, scientific knowledge and technology circulate freely.”
While Article 6(1)(f) provides a legal basis for the processing of personal data, patient data in clinical trials will, by the nature of the processing activity alone, almost always comprise sensitive personal data. Article 9(2)(j) provides a solution, allowing the processing of sensitive personal data where necessary for purposes of scientific research. Such processing must be proportionate to the purposes for which the patient data was originally collected – a standard which should generally be considered to have been met when processing for purposes of further medical research – and adequately safeguard the patients’ fundamental rights and interests. Article 89(1) provides further guidelines, specifying pseudonymization, commonly accomplished in clinical trials via key coding of patient identifiable data, as an appropriate safeguard. Researchers should also note that Article 89(2) limits some data subject rights (access, rectification, restriction and objection) where processing is taking place for purposes of scientific research, if the fulfilment of those data subject rights would impact the achievement of the purposes of the research.
Combined, Articles 6(1)(f), 9(2)(j) and Article 89 provide clinical trial sponsors a manner by which to process personal and sensitive personal data for purposes of the trial without obtaining consent to the processing from patients. This approach is specifically accepted by organizations such as the UK Medical Research Council and the UK Information Commissioner’s Office (https://mrc.ukri.org/documents/pdf/gdpr-preparation-guidance-note-2/).
While the approach is attractive to pharmaceutical and biotech companies, hurdles remain. One considerable impediment is that many European Ethics Committees and some Member State laws still require patient consent in clinical trials. Sponsors might also be required to obtain separate consents from clinical trial patients in some circumstances, for example, for some ex-EU transfers of sensitive patient data to third parties in “non-adequate” countries.
GDPR has opened up a variety of options for clinical trial sponsors to establish a legal basis for processing of personal and sensitive personal data of trial patients. The general lack of alignment that remains between GDPR requirements, Ethics Committee expectations and demands, and country-specific requirements has resulted, at least in the early days of GDPR enforceability, in many pharmaceutical and biotech companies sticking with a traditional consent-based approach. And while there appears to be a desire amongst trial sponsors to rely on the legitimate interest/Article 9(2)(j) approach, many companies appear to be awaiting the efforts of a pharmaceutical giant to really press this approach and blaze the trail for smaller entities that remain more concerned with Ethics Committee approvals and maintaining momentum in key trials than they are with implementing an incrementally better solution than patient consent.
WP29 Guideline on Consent under GDPR (wp259rev.01)