GDPR and clinical research: time for a rethink?

Although it’s become an increasingly common occurrence, I can’t help but feeling excited whenever the Financial Times reports on data protection.  This shouldn’t be a surprise, given the extent to which much of global business now runs on data, but it’s still heartening to see the issues that many of us grapple with on a daily basis brought to and synthesised for a wider audience. 

It happened again yesterday, when an email notification came through that Robert Eiss, a preeminent figure in U.S. medical research at the National Institutes of Health, had written an opinion piece for the Financial Times calling for a rethink of how the GDPR applies to scientific data sharing.

In particular, Eiss describes the challenges of lawfully exporting personal data — data that are often pseudonymised, or key-coded — to U.S. government agencies that fund research around the world and publicly-supported research universities, and suggests that building on the EU-U.S. Data Privacy Framework “to restore legal certainty for commercial data flows is a chance to forge a compact that both keeps GDPR’s robust privacy safeguards, and allows science to deliver vital medicines and preventive care”.  Remedies could, he says, “take the form of an international agreement, amendments to the GDPR to recognise scientific data sharing as a public interest or expanded guidelines on GDPR transfer mechanisms”.

Eiss is not alone in confronting these challenges.  Last month, I spoke at a conference in Boston organised by Ropes & Gray and the Multi-Regional Clinical Trials Center of Brigham and Women’s Hospital and Harvard, titled “The Impact of International Privacy Laws on Research”, in which panellists and attendees from industry, academia and government (including Eiss) debated many of the issues that he describes in the FT article.

Ahead of the conference, David Peloquin, a partner in Ropes & Gray’s healthcare practice in Boston, and I prepared a Discussion Paper and Guide describing the topics to be addressed as well as points for discussion by the panellists and audience alike.  The Paper can be accessed here.  We will in due course be formalising the Paper for publication, but in the meantime would welcome any comments, suggestions or feedback that you may have.

In a stroke of good timing, the European Commission’s draft adequacy decision on the EU-U.S. Data Privacy Framework was publicised five minutes before the start of David’s panel on cross-border data transfers at the December conference.  The adequacy document is long and complex, and is still in the first stages of a potentially lengthy review and approval process.

However, unlike the previous transatlantic data pact that was invalidated by the European Court of Justice in July 2020, EU-U.S. Data Privacy Framework Principles apply to the key-coded data that are typically shared with medical research sponsors located outside the EU.

Even if the finalised version of the EU-U.S. Data Privacy Framework retains the application to key-coded data, it likely does not address all of Eiss’s concerns.  A number of the other challenges faced by stakeholders across the clinical trials supply chain also remain.  The United Kingdom has sought to address some of these challenges by easing the restrictions on health-related research and offering a path that the European Union could, but seems unlikely to, follow — at least for now. 

In the meantime, the EU-U.S. Data Privacy Framework represents an attempt to lower the barriers — but not the protections — to data sharing that Eiss identifies, which may prove to be an important first step in achieving those aims.