The recently issued European Data Protection Board Opinion 3/2019 stipulates that “informed consent” from clinical trial participants for life science research purposes typically does not satisfy requirements for consent as a legal basis for processing personal data under the EU General Data Protection Regulation. There has been strong disappointment voiced within the life sciences community by those who believe that “informed consent” necessary to comply with EU member state clinical trial laws and the EU Clinical Trials Regulation for life science purposes should satisfy the GDPR Article 6(1)(a) legal basis requirements for consent. However, for reasons highlighted in this article and as further explained in the paper "Science and Privacy: Data Protection Laws and Their Impact on Research," the position in the EDPB opinion should not come as a surprise.
As a result of the EDPB opinion, life science research organizations should take steps to comply with both regimes by satisfying “informed consent” requirements under the Clinical Trials Regulation and member state clinical trial laws and also supporting a non-consent legal basis under the GDPR. After all, acting otherwise involves risk of interrupting business operations, reputational damage, GDPR enforcement actions and penalties.
The EDPB opinion is consistent with earlier interpretations by the Article 29 Working Party and its successor, the European Data Protection Board. For example, in the context of iterative analytics, artificial intelligence and machine learning, relying on consent is problematic because the processing cannot be described in advance with required specificity. Obtaining valid consent can also be challenging in the context behavioral advertising, marketing, product improvement or profiling. In all these instances, the opinion of the WP29/EDPB has been that organizations are prohibited from performing data processing activities that they may have relied upon for years if they do not satisfy legal basis and other new requirements under the GDPR. To lawfully continue such processing, alternate legal bases and other compliance measures may be required, necessitating new technical capabilities not supported by security and privacy technologies developed prior to the regulation.
The GDPR sets a very high bar for consent — it must be “freely given, specific, informed and unambiguous” and manifested through “a statement or by a clear affirmative action” indicating the data subject’s agreement. And consent must be “explicit” where the processing involves “special categories” of personal data, which includes health data. The EDPB opinion highlights that these requirements likely are not satisfied in the context of clinical studies for a number of reasons, including a power imbalance between data subjects and researchers that calls into question whether the consent is “freely given.”
Moreover, as the "Science and Privacy" paper explains, obtaining explicit consent from data subjects is sometimes impractical and can undermine the statistical validity of clinical study outcomes.
There is strong evidence that seeking and obtaining consent to have personal data included in a research study can result in a non-representative or biased data sample and affect the outcome of the research. Further, where the legal basis for the data processing is consent, data subjects have a right to withdraw consent, which, if exercised, could dramatically sidetrack and undermine ongoing research projects.
Separate from the concerns regarding consent-induced bias, researchers have also raised concerns that requirements to obtain consent for accessing data for research purposes can lead to inadequate sample sizes, delays and other costs that can interfere with efforts to produce timely and useful research results. Thus, the potential for consent requirements to negatively affect life science research is quite high.
However, the GDPR provides practical alternatives to consent. As explained below, data controllers conducting life science research have a strong case under the GDPR for relying on a legal basis other than consent, such as “legitimate interests.”
'Controlled linkable data'
Prior to the GDPR, traditional privacy programs relied largely on written rules that were incapable of preventing unauthorized data use before it occurs. But as the GDPR significantly expands the rights of data subjects and the penalties for noncompliance, it requires organizations to implement technologies and solutions capable of enforcing policies by leveraging technology that can prevent misuse before it can transpire. The regulation specifically recognizes benefits from using GDPR-compliant pseudonymization to reduce the risk of unauthorized data linkages to protect data on a per-use basis by limiting access to authorized data.
Controlled linkable data can leverage GDPR-compliant pseudonymization to enable organizations to accomplish desired data processing objectives in compliance with the GDPR and unlock data value by enabling the “dialing-up” or “dialing-down” of the linkability (identifiability) of data.
This approach supports reliance on legitimate interests as an appropriate and valid legal basis for life sciences research. This legal basis applies where the “legitimate interests” pursued by the data controller or a third party are not outweighed by the interests or rights of the data subject. Clinical trials and life sciences research inherently involve compelling interests, including the preservation and improvement of human life. But the legal basis involves a balancing test between those legitimate interests pursued by the controller or by a third party and the risks to the interests or rights of the data subject. Controlled linkable data effectively addresses and minimizes those risks, enabling the outcome of that balancing test to clearly favor the legitimate interests in pursuing such research.
Further, given that clinical trials will typically involve health data, which is a special category of data under the GDPR, in addition to establishing a legal basis under Article 6, researchers must also establish that a derogation from the general prohibition on the processing of special categories of data under Article 9 applies. But here, too, the EDPB opinion provides helpful guidance.
“The EDPB considers that depending on the specific circumstances of a clinical trial, the appropriate Article 9 condition for all processing operations of sensitive data for purely research purposes could either be “reasons of public interest in the area of public health [...] on the basis of Member State law” (Article 9(2)(i)), or “scientific ... purposes in accordance with Article 89(1) based on Union or Member State law”(Article 9(2)(j)).”
Article 89(1) requires the use of “appropriate safeguards” consisting of “technical and organizational measures” that may include pseudonymization. Thus, the use of controlled linkable data enables researchers to meet the conditions set out by Article 9, as well.
Organizations around the globe are looking for a way to continue lawfully using their data under the GDPR. The EDPB Opinion highlights this challenge in the context of clinical trials, where individual consent is unlikely to satisfy the GDPR legal basis requirement. Controlled linkable data supports legitimate interests as a valid legal basis under Article 6, as well as helping to establish an applicable derogation under Article 9. In addition, it extends beyond GDPR compliance for life sciences research to enable controls necessary for lawful secondary uses of data underlying the new global digital economy for more general purposes, as well.