EU: EDPS opinion may encourage "innovative forms of consent in research activities"
The European Data Protection Supervisor ('EDPS') published, on 6 January 2020, its preliminary opinion on data protection and scientific research ('the Preliminary Opinion').
The Preliminary Opinion addresses the governance framework for data protection and research in the EU, with specific reference to clinical trials. In addition, the Preliminary Opinion distinguishes between consent under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and informed consent of human participants when they are involved in research projects involving humans, highlighting that informed consent can still act as a safeguard in cases where consent might not be appropriate as a legal basis for processing data.
Alexandros Manousakis, Senior Partner at ALG Manousakis Law Firm, told OneTrust DataGuidance, "Consent can only be valid if data subjects are able to exercise a real choice and are given sufficient information in order to be able to make the unrestricted choice of whether or not to participate […] Blanket consent without any specification of the exact purpose(s) of the processing is not valid […] To that end, if consent is to be used for processing personal data in a clinical research context, it needs to be clearly defined as such and separated from the consent obtained for participation in the clinical trial itself. This means, in practice, separate tick boxes and consent statements for the processing of personal data for each purpose of processing. [Companies] should also examine the possibility of using innovative forms of consent in research activities, like tiered and dynamic consent."
“Currently there is a lot of uncertainty for pharmaceutical and other industries”
Furthermore, the Preliminary Opinion analyses key principles of the special regime for data processing for the purposes of scientific research, as set down in the GDPR. The Preliminary Opinion notes that it is possible for companies to derogate from data subject rights and controller obligations if the access to data and the data processing are based on the public interest. In addition, the Preliminary Opinion states that some derogations from controller obligations are permitted, and that processing for scientific research purposes of data collected in commercial and other contexts for scientific research can be presumed to be compatible with Article 9(2)(j) of the GDPR, provided appropriate safeguards are in place. Moreover, the Preliminary Opinion highlights that there is no universally agreed definition of 'scientific research.'
Manousakis concluded, "From the standpoint of research within the pharma sector, scientific research could mean any activity intended to discover, verify, or enhance the clinical, pharmacological, or other pharmacodynamic effects of a medicinal product […] We believe that a uniform standard in order to assess what activity constitutes an activity 'for the public interest' should be established to clarify what the term 'public interest' means […] Some examples of activities that could be related to 'public interest' are the provision of healthcare, safeguarding and improving public health, addressing the climate crisis, the promotion of academism, science, and technology, safeguarding national security […] Currently, there is a lot of uncertainty for pharmaceutical and other industries, which may have business activities which could classify as [in the public interest]."
Suzanna Georgopoulou Privacy Analyst