EDPB Clarifies Scientific Research GDPR Compliance; Key Questions for US Sponsors Remain

Last month, the European Data Protection Board (“EDPB”) issued additional guidance on the application of the General Data Protection Regulation (“GDPR”) in the area of scientific health research. You can read our summary of the key takeaways here. While the EDPB’s responses offer some clarifications, many obstacles and complications remain for controllers located in the US in a post-Schrems-II world. Fundamental principles that are well settled in the US, including what is and what is not considered human subjects research, and what future uses require consent under US regulations, may be at odds with the approach in the EU under the GDPR. US-based controllers should consider the following when planning trials in the EU or UK:

  • Further processing of previously collected data: The EDPB confirmed that controllers may obtain individuals’ consent for future secondary research without specifically defining the research, so long as the purposes of the research are compatible with the purposes of the original data processing and adequate safeguards are implemented. Accordingly, while US-based sponsors might be accustomed to freely using de-identified data for research purposes unrelated to the original purpose for which the data was collected, these broad unrelated uses may be subject to restrictions under GDPR.
  • Broad consent: In the US, sponsors can rely on broad consent for storage, maintenance, and secondary research use of identifiable private information or identifiable biospecimens. However, the EDPB confirmed that broad consent “cannot be asked and relied on for processing health data for any kind of – unspecified – future research purposes” where the scope of the secondary research is not closely related to the original research purpose for which it was collected.[1] These broad consent limitations can cause complications for US sponsors who are accustomed to relying on broad consent for future unspecified research. Broad consent limitations under GDPR may further restrict the downstream use or sale of de-identified biospecimens and data for future unrelated research.
  • Anonymized versus pseudonymized data: US sponsors commonly assume that because health research data has been key-coded and de-identified in accordance with HIPAA standards (if applicable), and they do not maintain the key (but a third party does), the data has been “anonymized” and is not subject to regulation. On that assumption, the key-coded data can be used for any purpose. However, the GDPR regulates even pseudonymized data, which can be a surprise for US sponsors accustomed to the HIPAA regime. The EDPB has reiterated that where key-codes exist, and are maintained by a site, investigator, or other third-party processor, it is reasonably likely that the individual could be re-identified. As a result, the key-coded data is still subject to GDPR protections. The EDPB plans to issue future guidance as to whether further downstream recipients of key-coded data, who are not permitted to access the key, can consider that data to be anonymized. This guidance will be crucial for research collaborators or specialized research labs who may receive key-coded data for which they have no intent, need, or ability to re-identify the data.
  • Transfer of research data and biospecimens: The transfer of research data and biospecimens into the US for processing remains an ongoing and unsettled concern. Transfers of personal data are restricted unless a US-based controller can demonstrate that adequate safeguards have been implemented to ensure the rights of the data subjects are protected. Most of those specific safeguards are either inapplicable to US controllers or unduly burdensome for smaller entities to comply with. The EDPB is expected to release future guidance addressing whether US or other controllers can rely on the legitimate interest derogation for the transfer of special categories of data for research purposes.

Conducting scientific health research in the EU raises specific and difficult considerations for US sponsors, including assessing legal bases for processing sensitive data and transfer mechanisms to ensure data is processed in accordance with GDPR. This is not helped by the lack of clarity in the EU around some of the key issues discussed in this blog. Until the EDPB issues further clarifications, US controllers and trial sponsors are encouraged to consult with counsel to navigate the complexities of EU scientific health research.

___________________________________________________________________________________________

[1] EDPB Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research, 2 Feb. 2021, response 31.