GDPR in the scope of clinical research and secondary use of data: EMA discussion paper

By Anastassia Negrouk, Head of International Policy and DPO

Prior to and since its coming into force, on 25 May 2018, the European General Data Protection Regulation (GDPR) has been causing significant concerns among the scientific community. This have been related to the diverging national implementation, the uncertainty regarding the correct compliance with its provisions. Perceived barriers for longer storage and re-use of already collected data as well as for the sharing of data with other researchers has also caused concern.  In addition, GDPR interplay with other pieces of European legislation applicable to health research, such as the upcoming Clinical Trials Regulation, In Vitro Diagnostic Medical Devices Regulation, and Medical Devices Regulation. Unfortunately, the authoritative EU bodies have not focused on GPDR to a sufficient extent, if at all. Last, but not the least, the overall picture is further made complex through application of national highly heterogeneous legislation in relation to other matters, such as biobanks, registries and genetic testing.

Further to the opinion of the research community, the lack of harmonisation and practical solutions in the area of scientific, and more specifically, clinical research was noted in the commission’s first GDPR report and it proposed several actions aiming to facilitate innovation, such as codes of conduct and guidelines specific to the field. This is further aligned with the commission strategy in the health data space.

Within this general context, EMA has issued for consultation a Discussion Paper concerning the Secondary Use of Data for Medicines and Public Health Purposes in the scope of GDPR. This document is the contribution of EORTC to this consultation.

EORTC’s contribution to this paper puts forward the position that not only emphasises existing barriers and zones of uncertainty, but also provides possible ways to find a balance between GDPR requirements and needs of science while respecting rights of researchers and patients.

Among other elements, EORTC introduces the innovative term of chain of controllers helpful to understand in terms of responsibilities of various stakeholders and complex data flows, which are one of key characteristics in clinical research. EORTC also emphases the differences between consent to research and consent in the sense of GDPR and attracts a specific attention to the fact that the choice of the legal basis is key for the feasibility of cross-border research projects as not all legal grounds are fit for international undertakings. Last, but not the least, EORTC briefly touches to the respective responsibilities of data controller and the Ethical committees in the scope of clinical research.