What Europe’s New Privacy Regulations Mean For US Trials

By Allison Proffitt

October 24, 2017 | In less than eight months, the European Union’s General Data Protection Regulation goes into effect. The GDPR applies to all types of data, but it will have a special impact on clinical trials, even ones run by US companies.

The GDPR was adopted in April 2016 by the European Parliament. The regulation replaces an earlier directive and includes provisions on a right to be forgotten; "clear and affirmative consent" to the processing of private data by the person concerned; a right to transfer your data to another service provider; the right to know when your data has been hacked; ensuring that privacy policies are explained in clear and understandable language; and stronger enforcement as a deterrent to breaking the rules.

But importantly, the GDPR doesn’t apply just to those in the European Union. “The key is, it is not geographical,” Peter Alterman, COO at SAFE-BioPharma Association, told Clinical Informatics News. The GDPR applies to any group or company with goods or services for whom EU data subjects are the envisaged audience. And the definition of sensitive data now includes genetic and biometric data. “Let me just give you a quick comparison, that is a broader set of data than is covered by HIPAA,” said Debra Diener, an attorney and Certified Information Privacy Professional.

Diener and Alterman believe the regulation will have a special impact on clinical trials, and on groups conducting trials within the EU, both now and years into the future.

Consent & Sensitive Data

Clinical trials are only mentioned specifically in GDPR twice, and the Regulation refers readers to another, older, EU regulation: “For the purpose of consenting to the participation in scientific research activities in clinical trials, the relevant provisions of Regulation (EU) No 536/2014 of the European Parliament and of the Council should apply.”

Consent, itself, has a section in GDPR and Diener says the consent terminology is an important departure from how some other countries, including the United States, may handle consent. Consent “has got to be unambiguous” and given in writing, Diener says. “That's a very high standard: unambiguous, affirmative action by the individual.”

The regulation is broad, she adds. “This regulation applies to paper documents and paper processing. Although the new emerging technology is what was the really motivating consideration… a lot of clinical trial data is still paper based, a substantial portion of it,” Diener notes.

The regulation also forbids pre-checked boxes. Forms must allow individuals to actively opt into something, instead of only giving the option to opt out, or uncheck a box. “Those cannot be used by companies that fall within this regulation, that are governed by this regulation,” Diener emphasizes.

The GDPR doesn’t only raise the bar for consent; the regulation also paints a broader definition of sensitive health data. “Sensitive data now includes, under this regulation, genetic data, biometric data,” Diener says. “That is a broader set of data than is covered by HIPAA.”

A clinical trial group in the United States seeks to be compliant with HIPAA privacy rules, or the expanded HITECH Act. But if the group is conducting trials within the European Union, that’s just not enough, Diener warns.

Implications for Clinical Applications

While meeting the requirements for consent going forward should be fairly straightforward, studies or trials consented in the past could bring challenges. The GDPR requires data protection impact assessments for big projects and clinical trials, assessments meant to evaluate the origin, nature, particularity, and severity of risk to the rights and freedoms of natural persons.

Regulation 536/2014 says that clinical trials conducted outside of the EU, but that are referred to in a clinical trial's application within the EU, must comply with regulatory requirements that are at least equivalent to those applicable in the EU, which now includes the GDPR. In short, any clinical trials mentioned in trial applications within the EU must comply with the GDPR.

“So you're sitting at university or a hospital. You've done a clinical trial, you're partnering with a company or a hospital or a university in one of the EU countries,” posits Diener. “In your application to the relevant authority within that EU country, everyone wants to make reference to this prior clinical trial done outside of the EU. If that clinical trial has not been done at least in compliance with the GDPR and perhaps other regulatory requirements, that application will not be deemed acceptable.”

How far back does this apply? “Let's just say the regulation does not specify a time limit,” Diener says, though individual countries may clarify this.

This point will have significant ramifications for trial sponsors and CROs worldwide, Alterman and Diener believe. It's not enough to say, “We didn't do this trial in the EU, but we're just including it as background or as justification in this application to the EU,” Diener said.

And conversely, sponsors will need to consider trials today that are not taking place in the EU, and think about how they may be used years into the future.

“Even if you look at the GDPR, you can't look at it in isolation without thinking: What is our group doing? What is our company doing? What is our hospital doing? What is our university research doing? Are we trying to do clinical trials that have extraterritorial application? Or do we want to use it to apply to a clinical trial elsewhere?”

Game Plan

It’s complicated for sure; Diener and Alterman didn’t deny that. But the repercussions for ignoring the GDPR could be staggering. The fines that can be imposed for noncompliance are up to 4% of a company’s total worldwide annual profits for the preceding year or up to 10 million Euros, whichever amount is higher, Diener says.

She and Alterman suggested that trial sponsors, CROs, and other groups do at least an internal mapping. “They have to be aware of what the GDPR does at a high level, and the way their business model could map to it, the way their data flows could map to it,” Diener said.

The implications for clinical trials are broad—reaching back to old trials and to ones not yet conceived. But the work of preparation is far less painful than having to defend against an international investigation or inquiry in an EU country, Diener pointed out. “The head in the sand approach is going to be the most disastrous.”