EU: Cross-border dilemmas for clinical trial sponsors
With the entry into force of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), the life sciences sector, particularly in the framework of clinical research, had to deal with a significant variance of approaches and opinions expressed across Europe by all interested stakeholders. Arianna Sekeri, Junior Partner at ALG Manousakis Law Firm, discusses this issue, the additional challenges brought about by the Court of Justice of the European Union's ('CJEU') ruling in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('Schrems II') in July 2020, and what the subsequent regulatory response means for the industry going forward.
One would expect that the apparent confusion and variance of approaches rests only on the side of the clinical trial stakeholders (mainly the sponsors, the study sites and the clinical vendors); however, this is not the case. In a recent survey conducted by VeraSafe, in which data protection authorities ('DPAs') from 34 EEA Member State jurisdictions participated, 16 of the DPAs confirmed that the GDPR does apply to the processing of EEA personal data by a clinical trial sponsor situated outside the EEA, while eight DPAs advised that this would need to be assessed by a factual analysis (i.e. on a case-by-case basis) [1]. It should come as no surprise that the majority of the DPAs consider that the GDPR requirements would be directly applicable to the processing of EEA patient data by clinical sponsors inside and outside the EEA, and tailoring one's privacy compliance program on a Member-State-by-Member-State or country-by-country basis would of course not be a viable solution, particularly for multinationals in the life sciences sector conducting clinical trials across multiple jurisdictions. Adherence to the highest standard of data protection, namely to the GDPR, horizontally across all jurisdictions would seem the prudent strategy to follow.
Even more important is the variance of approaches and opinions expressed in relation to the data processing roles of the parties. Although there can be no doubt that a clinical trial sponsor is a data controller for study-related purposes, the role of the study centre and the investigator may vary from country to country, so that the investigator and the site could be seen as independent controllers, joint controllers, or even processors. The one thing that is clear is that the controllership of the parties involved in any given trial cannot be pre-determined but should be assessed taking into account the factual circumstances of the clinical research in question.
In a similar way, transferring personal data across different jurisdictions in a GDPR-compliant way has turned into an everyday struggle for clinical sponsors, and particularly so following the Schrems II ruling in July 2020, despite the attempts of the European Data Protection Board ('EDPB') to force a harmonised approach to dealing with such cross-border transfers.
Following the invalidation of the EU-US Privacy Shield by the CJEU in its Schrems II ruling, it was made clear for controllers and processors exporting data outside the EEA that the mere execution of the EU Standard Contractual Clauses ('SCCs') or the adoption of Binding Corporate Rules ('BCRs') by the data exporters (controllers and processors) would not be enough without the adoption of supplementary measures to ensure that an adequate or essentially equivalent level of data protection is afforded to the personal data being transferred, and that the privacy rights of the individuals are respected, taking into account the factual circumstances of the transfer in question.
Furthermore, the necessity to perform a Transfer Impact Assessment ('TIA') was confirmed in November 2020 by the EDPB in its Recommendations 01/2020 on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data ('the EDPB Recommendations on Supplementary Measures') [2]. These Recommendations, together with Recommendations 02/2020 on the European Essential Guarantees for Surveillance Measures [3], seem to offer data exporters practical guidance and a clear six-step process to be followed, to enable international data transfers and to ensure compliance with the Schrems II ruling, by assessing the level of data protection in third countries and by implementing supplementary measures where such level of data protection appears to fall short of European expectations.
In reality, conducting TIAs remains even today a difficult puzzle to solve for many data exporters and privacy professionals. The difficulty lies in the fact that a significant level of local expertise is required to successfully assess a third country's legal and regulatory framework; on the other hand, implementing appropriate controls to mitigate the privacy risk inherent in international data transfers is a 'best-case-scenario' assessment, to the extent that compliance with the chosen safeguards (be they SCCs or BCRs) is heavily dependent on external factors such as the actions or inactions of local governments in performing their tasks within the scope of their powers.
Solving the puzzle of privacy compliance necessarily requires clinical trial sponsors, study sites and clinical vendors to cooperate with each other at a global, regional and local level to ensure that they put in place policies and processes for ongoing monitoring of third country laws and practices, that they are in a position to re-evaluate their international data transfers on a regular basis, and that they are ready to account for and demonstrate on demand their compliance with the EU international transfer requirements. If they fail to meet these requirements, they may have to either refrain from transferring any data or, if the data has already been transferred, they may be instructed to have it returned or destroyed by the data importer.
Although the SCCs offer a viable, GDPR-compliant mechanism to transfer data to a third country, the draft modernised set of SCCs proposed by the European Commission on 12 November 2020 [4] does not seem to be fully aligned with the EDPB Recommendations on Supplementary Measures. This discrepancy was recently confirmed in the EDPB and EDPS Joint Opinions on the Draft Implementing Decision and the Draft SCCs (Joint Opinion 1/2021 [5] and Joint Opinion 2/2021 [6] respectively) issued on 14 January 2021; to fix this gap, the EDPB and the EDPS have already proposed amendments to be made to the SCCs by the European Commission.
As stated by EDPB Chair Andrea Jelinek [7], the new SCCs are not a catch-all solution for data transfers post-Schrems II; while they remain an important piece of the puzzle, data exporters should still make the puzzle complete by following the step-by-step approach of the EDPB Recommendations on Supplementary Measures to bring the level of protection of the data being transferred up to the EU standard of essential equivalence.
A possible alternative to the new SCCs, and one that some Ethics Committees in certain jurisdictions (e.g. Belgium) seem to favour, is the use of derogations pursuant to Article 49 GDPR in the context of clinical trials, and in particular the explicit consent of the data subjects pursuant to Article 49(1)(a) of the GDPR. On this point, data exporters should take due account of the EDPB's Guidelines 2/2018 on Derogations of Article 49 under Regulation 2016/679 [8], according to which derogations, being exceptions from the rule, should be interpreted strictly, and could be appropriate to use for data transfers that are occasional and do not take place repeatedly. In a clinical trial context it should be critically evaluated to what extent, if any, consent of the data subject could be a feasible long-term solution for data transfers to third countries, especially as it can be easily withdrawn without providing reasons and could potentially jeopardise the integrity of the trial and the trial results. In addition, to the extent that the sponsor of the trial is based outside the EEA, it is questionable whether consent could be freely given, as there would be no real choice for the data subject other than not to participate in clinical trials sponsored by non-EEA based controllers.
With all the complexity involved when data exporters choose to use the adoption of appropriate safeguards as a transfer mechanism, adequacy findings from the EU Commission have become more and more significant for international data transfers. It is for this reason that the long-awaited draft adequacy decision for the United Kingdom was so loudly celebrated with a sigh of relief by the privacy industry.
With more and more data localisation laws emerging in third countries, it has become increasingly important to ensure that practical, easy-to-use solutions are offered to controllers and processors with a global data processing footprint. It is very much welcomed that the EDPB has recognised the Commission's (and of course the life sciences industry's) request for further clarifications on the consistent application of the GDPR, especially in the context of clinical research [9]. As noted by the EDPB, further analysis and discussion will be required before it will be able to finalise its Guidelines on the Processing of Personal Data for Scientific Research Purposes (currently under preparation, and due later within 2021).
In addition to the EDPB Guidelines, the European Federation of Pharmaceutical Industries and Associations ('EFPIA') is also working to develop its own EU GDPR-approved Code of Conduct that would help address some of the concerns raised in the Commission's report [10], at least in the area of clinical trials and pharmacovigilance, with the possibility of later expanding the code into other areas, such as real-world data.
These tools will provide clinical sponsors and other clinical trial stakeholders the clarity they so very much need to fully comply with the European rules of data protection.
ALG Manousakis Law Firm
1. See: https://iapp.org/news/a/how-does-the-gdpr-apply-to-clinical-trial-sponsors-outside-the-eea-views-of-eea-dpas/
2. Available at: https://edpb.europa.eu/sites/edpb/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf
3. Available at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_recommendations_202002_europeanessentialguaranteessurveillance_en.pdf
4. Available at: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12741-Commission-Implementing-Decision-on-standard-contractual-clauses-for-the-transfer-of-personal-data-to-third-countries
5. Available at: https://edpb.europa.eu/our-work-tools/our-documents/edpbedps-joint-opinion/edpb-edps-joint-opinion-12021-standard_en
6. Available at: https://edpb.europa.eu/our-work-tools/our-documents/edpbedps-joint-opinion/edpb-edps-joint-opinion-22021-standard_en
7. See: https://edpb.europa.eu/news/news/2020/european-data-protection-board-42nd-plenary-session-presentation-two-new-sets-sccs_en
8. Available at: https://edpb.europa.eu/our-work-tools/our-documents/directrices/guidelines-22018-derogations-article-49-under-regulation_en
9. See: https://edpb.europa.eu/our-work-tools/our-documents/other/edpb-document-response-request-european-commission-clarifications_en
10. Available at: https://ec.europa.eu/health/sites/health/files/ehealth/docs/ms_rules_health-data_en.pdf