The way clinical trials have been conducted in the European Union is actually undergoing two major challenges: the coming into effect of Regulation (EU) no. 536/2014 (so-called Clinical Trial Regulation) and the application of the General Data Protection Regulation or GDPR.

On the one hand, the Clinical Trial Regulation will create a consistent framework of rules applicable to clinical trials at the European level, which will then require implementation from all member states. On the other, GDPR is the much talked about piece of legislation concerning the protection and free movement of personal data in the EU, whose specific impact on clinical trials is yet to be seen.

The crossroad between GDPR and the Clinical Trial Regulation is an important one. This because the wide use of internet, electronic records and new technologies enabling the collection of massive amounts of data is becoming increasingly important in clinical, pharmaceutical and biomedical research. In fact, this is posing new challenges to data security as well as to the protection of privacy of individuals.

New GDPR rules apply to nearly every sector and industry, as they have strengthened data subjects' rights and controller / processor obligations in the processing, sharing and transfer of personal data. However, such new rules do not necessarily fit with other sector specific legislation where the collection and use of large quantities of data is vital and sometimes imperative to achieve some goals, such as developing a new drug, medicine or service.

To this extent, GDPR raises some important questions for clinical trials, a fundamental aspect of which is the collection and analysis of the so-called special categories of personal data (e.g., health related data, genetic data, biometric data, etc.). The GDPR strongly protects these special categories of data, as they are also at the very centre of each clinical trial performed for scientific, statistical or research purposes.

For instance, for the processing of genetic or health related data, new privacy rules imposes that those entities processing such data must collect consent according to clarity, intelligibility, transparency and substantial burden of proof requirements. Furthermore, every collection and use of personal data or special categories of data shall comply with data minimization and privacy by design and by default principles, as well as adequate security standards. In addition, the vast use of special categories of personal data may impose on controllers the obligations to perform a so-called Data Protection Impact Assessment (DPIA) pursuant to art. 35 GDPR. In fact, the duty to comply with these obligations shall be specifically included in detailed agreements regulating the relationship and goals between the owner of the data (controller) and its operational arm (processor).

Despite the above, many of the responsibilities and obligations defined by GDPR are not new to companies operating in the clinical research sector, thus including that of informed consent. In fact, clinical research operators have long been subject to very stringent rules in various jurisdictions around the world concerning data security and the use of health related information for different purposes – think of, among others, the US HIPAA, Regulation (EU) no. 726/2004 and the European Pharmacovigilance Package of 2010-12.

So what is the big deal between GDPR and the Clinical Trial Regulation?

The issue is the possibility to collect and use personal data and special categories of personal data for clinical and research purposes under a particular regime of exception from general data protection rules, on the basis of which research becomes a legal basis for the processing.

As of today, there are some openings in the GDPR pointing in that direction (e.g., Recital 47, 50 and 157 or Art. 6(1)(f), 5(1)(e) and 89), although their interaction with the new provisions of the Clinical Trial Regulation are yet to be assessed. What is clear, though, is that the GDPR adopts a broad definition of research that encompasses all the activities of both public and private entities and finds its common denominator in big data analytics technologies and legitimate interest of clinical research providers, acting as controller.

In the eyes of the GDPR, determining the existence of a solid legitimate interest requires a "careful prior assessment" at the time and in the context of the collection of personal data. However, on the other hand, the use and secondary processing of vast amount of data for clinical and biomedical research purposes is already there and cannot be stopped.

According to the European Medicine Agency (EMA), the use of big data in medicines development and regulatory science will boom in the coming years. To this extent, the Clinical Trial Regulation will bring significant innovation in relation to the procedures to gather and make available the data necessary to conduct a clinical trial and obtain all the required authorization to initiate it.

In effect, the Clinical Trial Regulation also addresses the "over bureaucratization" of authorization procedures at the European level with the aim to speed up trial tests by introducing a common and harmonized procedure applicable in all member states. In this view, the Clinical Trial Regulation will also set the basis for the construction of a freely accessible EU clinical trial portal and database containing information on all ongoing clinical trials in the EU.

In theory, such database should not contain personal data or special categories of personal data referring to individuals undertaking clinical and biomedical trials. However, any other information concerning trials will be publicly available and freely accessible by interested healthcare and clinical research providers. This will indeed create new economic opportunities in the life sciences sector, although it may also affect data protection and privacy.

In fact, the Clinical Trial Regulation states that information contained in the clinical trial database should be public, unless specific reasons require that a piece of information should not be published, in order to protect the right of the individual to private life and the right to the protection of personal data as per the EU Charter of Fundamental Rights – whose core principles have been included in all European data protection laws and regulations.

The GDPR is very clear about the protection of special categories of personal data, and it provides for member states to set out rules that are more stringent in order to do it properly and in coordination with other more sector-specific rules (i.e., art. 9(4) GDPR). For instance, the recently reformed Italian Data Protection Code (DPC), as amended by Legislative Decree no. 101/2018, provided that the Italian Data Protection Authority (the Garante) shall issue biannual guidance / specific authorization on the processing of certain categories of personal data, thus including health-related, genetic and biometric data. This guidance is still a work in progress, as the Garante did not release any official statement on the timing for its future publication and implementation.

In addition to this, we note that the DPC also goes in a slightly different direction than the GDPR when it comes to processing activities for research purposes, thus including clinical trials. In fact, the issue of secondary processing is subject to a provision of the DPC stating that the Garante shall authorize each re-use of personal data for medical and scientific research purposes prior to the start of such processing (i.e., art. 110-bis of the DPC).

Indeed, it is unclear what will be the interplay between this provision and the future guidance of the Garante on the processing of special categories of personal data, nor it is foreseeable how these rules will affect the implementation of the Clinical Trials Regulation in Italy. In fact, we expect more indications and guidelines on this topic to be issued and published in the coming months, hopefully alongside a coordinated effort of regulators active in different areas such as data protection, life sciences and healthcare services.

Do you have more questions or you want to share your thoughts on this article? Contact our Dentons Italy TMT Team.

This article was co-authored by Francesco Armaroli and Fabiola Moretta

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.