Healthcare research and the GDPR – which legal basis is appropriate?

Healthcare
October 4, 2021

Establishing the correct legal basis under the GDPR is essential for any project involving use of personal data from individuals in the EEA. Organisations involved in healthcare research, such as universities, pharmaceutical companies and medical charities, will need to consider what legal basis applies to their research project or clinical trial.

Under the EU’s General Data Protection Regulation (“GDPR”), and the corresponding law, the use of personal data is only permitted where there is a “lawful basis” for doing so. Each different use of data, known as a processing purpose, requires a corresponding lawful basis. The GDPR sets out in Article 6(1) a list of lawful bases available, and controllers must ensure they have a valid legal basis to rely on for all purposes for which they process personal data.

Even where there is a lawful basis for processing under Article 6, the processing of sensitive personal data, such as health data, is not possible unless one of the conditions in Article 9 is also satisfied. The conditions set out in Article 9 are essentially additional lawful bases. A controller processing personal data must ensure it has a valid lawful basis for doing so under Article 6 and if it also processes sensitive personal data it will need to fulfil a condition under Article 9.

In addition to the above, other national conditions may apply, as EEA countries can introduce specific conditions which must be met in order to rely on certain legal bases under Articles 6 and 9. This has resulted in legislative variation across the EEA. However, this point will not be discussed in this article.

Relevant lawful basis & condition for processing – summary table

Article 6 of the GDPR          | Article 9 of the GDPR   | Paragraph reference
Consent 6(1)(a)                | Consent 9(2)(a)         | 1.1 Consent
Legal obligation 6(1)(c)       | Public health 9(2)(i)   | 1.2 Quality and safety monitoring
Public interest 6(1)(e)        | Research 9(2)(j)        | 1.3 Research
Legitimate interest 6(1)(f)    | Research 9(2)(j)        | 1.3 Research

1.1 Consent

Personal data may be processed where the individual has consented to this. Consent is a lawful basis under Article 6(1)(a) and is also one of the permitted conditions for processing sensitive personal data under Article 9(2)(a). The GDPR sets out the requirements for consent: it should be “freely given, specific, informed and unambiguous” (Art 4(11) GDPR). Briefly, these requirements have the following practical implications:

  • Freely given: the individual must have a real choice in deciding whether or not to consent. As the WP29 guidance explains, if the individual “feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid”.[1] Where there is an imbalance of power between the individual and the party asking for consent, it is unlikely that consent will be valid, as the individual may feel pressured to consent.
  • Specific: this requires consent to be sought for specific processing activities, rather than a single consent for multiple processing purposes. Individuals should not be asked to consent as part of a wider acceptance of terms.

The GDPR notes that “it is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research” (Recital 33).

  • Informed: closely linked to the principle of transparency, this requires information to be provided to individuals as to what they are consenting to by providing information about the envisaged processing activity. Individuals must be told who is processing their data and why and what data will be processed, as well as their right to withdraw consent. Additional information must be provided where certain international data transfers take place or automated decisions are made.[2]
  • Unambiguous: consent must be a clear, affirmative act. Pre-ticked boxes or implied consent are not valid methods, and accepting wider terms of use containing a requirement to consent will also not meet this threshold.

1.1.1 Consent in clinical trials

Any clinical trial in the EEA requires individuals/participants to provide their informed consent. This is provided for in the EU Clinical Trials Directive 2001/20/EC and its successor, the Clinical Trial Regulation (Regulation (EU) No 536/2014) (“CTR”).

Having obtained participants’ CTR consent to take part in a trial, the question arises whether this same consent can be relied on as the legal basis for processing their data under the GDPR.

Prior to the GDPR coming into force, it was common to rely on consent for both clinical trial and data protection purposes. This approach is no longer straightforward, as the conditions required for consent under the GDPR may not be met – in particular the requirement for consent to be freely given. There could be an imbalance of power between the sponsor of the trial and the participant, making consent an inappropriate legal basis to rely on. The EDPB gives as examples of such situations “when a participant is not in good health conditions, when participants belong to an economically or socially disadvantaged group or in any situation of institutional hierarchy or dependency”.[3]

As a result, relying on consent as a GDPR legal basis for a clinical trial will require careful analysis of the circumstances, and sponsors and investigators should bear in mind that consent obtained for CTR purposes is distinct from the consent required under the GDPR. Therefore, even where informed consent is collected for CTR purposes, a GDPR legal basis other than consent remains available and will generally be preferable.

1.1.2 Withdrawing consent

Article 7(3) GDPR gives individuals the right to withdraw their consent at any time. If consent is used as a legal basis for processing the data, and the individual withdraws their consent, there is no longer a lawful basis for processing the data and the processing must stop.

The Article 29 Working Party (“WP29”), the predecessor of the EDPB, notes that there is “no exemption to this requirement for scientific research. If a controller receives a withdrawal request, it must in principle delete the personal data straight away”.[4] If the withdrawal of consent is not possible or would significantly undermine the processing, consent will not be the right legal basis to rely on.

The withdrawal of other types of consent (e.g. informed consent for CTR purposes or consent to waiving confidentiality of medical records) does not affect the GDPR legal basis for processing the data.

Therefore, where participants revoke their consent to participate in a clinical trial but the legal basis for processing their data is legitimate interest, their existing data can continue to be processed under the GDPR but no further data can be collected after withdrawal as they no longer participate in the trial. By contrast, where the legal basis for processing is consent, and such consent is withdrawn, the processing of their existing data must cease (though the legality of the processing prior to the withdrawal of the consent will not be affected).

There are some limited circumstances in which it might be possible for the sponsor to continue to process personal data following the withdrawal of consent from a participant. However, this is only possible where the sponsor has another condition for the processing under Article 9 of the GDPR.

For example, the investigator and sponsor will have legal obligations to keep trial records, potentially allowing them to invoke Articles 9(2)(g) and (i) (discussed below) instead of consent (which falls under GDPR Article 9(2)(a)). The sponsor could also continue to process the personal data to defend a legal claim brought by the participant (invoking Article 9(2)(c)).

In relation to ongoing clinical trials, the WP29 guidance makes clear that “this does not mean the controller can swap from consent to another lawful basis”. In particular, the guidance notes that “if a controller chooses to rely on consent for any part of the processing, they must be prepared to respect that choice and stop that part of the processing if an individual withdraws consent”. If the sponsor is relying on consent as the lawful basis of processing and that consent is withdrawn, it is not possible to have a ‘back-up’ lawful basis to which the sponsor can swap in order to continue processing the personal data for the same purpose.

1.2 Quality and safety monitoring

In order to avoid a scenario where participant consent can be withdrawn, or may not be valid (requiring research using such data to cease), it is possible and in most cases preferable to rely on an alternative legal basis under Articles 6 and 9 of the GDPR.

In recent guidance on the interplay between the GDPR and the Clinical Trial Regulations, the European Commission[5] and the EDPB[6] distinguished two types of processing relevant to clinical trials: research activities and activities related to quality and safety monitoring.

Under the GDPR, sensitive personal data can be processed where “necessary for reasons of public interest in the area of public health such as (…) ensuring high standards of quality and safety of health care and of medical products or medical devices on the basis of Union or Member State law” (Article 9(2)(i) GDPR). Where the controller is required by law to monitor the medical safety, the processing can rely on this legal basis.

In the EU, marketing authorisation holders are required to carry out pharmacovigilance activities both under EU law (Regulation No 726/2004, Directive 2001/83/EC and Implementing Regulation (EU) No 520/2012) and under member state legislation at national level. Accordingly, pharmacovigilance activities carried out in compliance with this requirement can rely on Article 9(2)(i) and Article 6(1)(c) (“compliance with a legal obligation to which the controller is subject”).

1.3 Research

The GDPR provides a privileged regime for research purposes, with numerous exemptions for historical and scientific research and archival and statistical purposes. The obligations relating to data purpose limitations are more flexible and there are designated legal grounds for processing data for research purposes.

1.3.1 Article 9 research exemption

As set out in the last two rows of the table above, Article 9(2)(j) sets out a ground for processing sensitive personal data for research purposes. This is addressed first, before turning to the corresponding Article 6 lawful bases that can be relied on in conjunction with Article 9(2)(j).

Article 9(2)(j) of the GDPR provides that processing of sensitive personal data such as health data is permitted where the processing is “necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”.

Recital 159 of the GDPR states that “the processing of personal data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research”.

Article 9(2)(j) of the GDPR is worded so as to legitimise processing only if “based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”, and controllers wishing to rely on this ground will also need to implement suitable “safeguards” for the data as required by Article 89(1).

The GDPR specifically refers to pseudonymisation and data minimisation as appropriate safeguards for protecting sensitive personal data used for research purposes. It also envisages national laws specifying additional rules on the handling of data for scientific research purposes. For multi-country clinical trials or health research projects, this means that an analysis of local laws is essential in order to rely on Article 9(2)(j).

1.3.2 Corresponding Article 6 lawful basis

The EDPB envisages two lawful bases relevant to the use of sensitive personal data for research purposes: public interest (Article 6(1)(e)) and legitimate interest (Article 6(1)(f)).

In order to rely on public interest as a lawful basis for processing personal data, the controller must be able to point to a public interest based on EEA law. The EDPB described this as being the case where the research being carried out “directly falls within the mandate, missions and tasks vested in a public or private body by national law”,[7] such as state-run research institutes, health ministries, local government associations, and in some countries, public universities or health care providers.

Where the controller carrying out the research does not have a legal mandate to do so, legitimate interest should be considered. Legitimate interest cannot be relied on by public authorities, who would generally rely on Article 6(1)(e) instead. Article 6(1)(f) can be relied on where the legitimate interests of the controller (or a third party) are not overridden by the “fundamental rights and freedoms of the data subject”. This requires the interests to be balanced against each other.

Research purposes are recognised as being a legitimate interest,[8] but the existence of such a legitimate interest does not in itself mean that Article 6(1)(f) can be relied on – the ground is only available if the balancing test is cleared. Balancing the legitimate interests of the researching organisation against the rights and freedoms of the study’s participants requires weighing the importance of the research interest against the severity of the impact on the individuals.

In the context of healthcare research, the scales of the test are tipped in favour of the controller where the interest benefits the wider community (e.g. the development of a new drug or a better understanding of a pathology) rather than being solely the controller’s business interest. Where the proposed processing will have a significant impact on the individuals, the outcome of the balancing test can be improved by implementing safeguards to reduce this impact, such as pseudonymising data, improving security, and reducing retention periods and volumes of data.


[1] Article 29 Working Party, Guidelines on Consent under Regulation 2016/679 (WP259 rev.01)

[2] See section 3.3.1 of WP259 rev.01 and Article 49(1)(a) GDPR.

[3] EDPB, Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR) (art. 70.1.b)

[4] Article 29 Working Party, Guidelines on Consent under Regulation 2016/679 (WP259 rev.01)

[5] European Commission Directorate-General for Health and Food Safety, Questions and Answers on the interplay between the Clinical Trials Regulation and the General Data Protection Regulation

[6] EDPB, Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR)

[7] EDPB, Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR)

[8] Article 29 Working Party, Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC (WP 217)

Written by
Clara Clark Nevola
As an associate in our International Privacy & Data Protection Group, I advise UK and international clients on a range of data protection issues. I have worked in our Privacy and Data Protection Group in both London and Paris, which has given me an insight into the different approaches to compliance and enforcement in two jurisdictions with particularly active data protection regulators. I have been involved in drafting privacy documents, carrying out data protection compliance projects, negotiating data sharing and data processing agreements, and advising on ePrivacy and marketing law.
