Why 'consent' is not always 'consent' in clinical trials.
In Europe, both the General Data Protection Regulation (EU) 2016/6792 (GDPR) and the Clinical Trials Regulation (EU) 536/2014 (CRT) cast a spotlight on 'informed consent', the former as a legal basis for data processing and the latter as a cornerstone to safeguarding data subjects' rights.
But the meaning and legal weight of the 'consent' notion is very different in both contexts. Specifically, the requirement of informed consent by the CTR must not be confused with consent as a legal ground for processing personal data set out in Article 6(1) (a) of the GDPR.
It serves sponsors and investigators (bot to mention lawyers) to understand the difference.
Informed Consent in the CTR - a safeguard, not a basis
Informed consent, in the context of CTR, is a safeguard not a legal basis for data processing. Therefore, it is important to distinguish between the requirement for consent for a subject to participate in a CT and the requirements for a lawful processing of personal data under the GDPR.
The CTR contains several provisions that specify certain aspects on how the processing of personal data should take place. Informed consent required by that Regulation serves as an ethical standard and procedural obligation. The informed consent under CTR is the fundamental condition under which a person can be included into a clinical trial. It is not conceived as an instrument for data processing compliance.
Consent for participation in CTs must be distinguished from the consent for processing personal data. The withdrawal of consent to participate in a CT under the CTR may not necessarily affect the processing of personal data gathered in the context of that trial. The personal data may continue to be processed, in particular for legal obligations to which the sponsor / investigator are subject such as the ones related to safety purposes.
Informed Consent in the GDPR - a legal basis...
CTR compliance does not get an investigator off the hook from a GDPR perspective, though. Indeed, the CTR constitutes a sectoral law containing specific provisions relevant from a data protection viewpoint but no derogations to the GDPR. I.e., the GDPR applies to the processing of personal data carried out under the CTR.
It is the obligation of the data controller(sponsor / clinic-institution of the investigator) to implement the appropriate technical and organizational measures to ensure and be able to demonstrate that the personal data are processed in accordance with the GDPR.
All processing operations related to a specific CT protocol during its whole lifecycle (from the beginning of the trial until the end of the archiving period), shall be understood as primary use of CT data. However, processing operations purely related to research activities must be distinguished from processing operations related to the purposes of protection of health and safety; these two main categories activities fall under different legal bases:
Processing activities expressly provided by the CTR (or similar national provisions) that relate to reliability and safety purposes can fall within the processing ground “legal obligation(s) to which the investigator/sponsor is subject”. This is especially the case for (i) obligations relating to the performance of safety reporting, (ii) obligations concerning the archiving of the clinical trial master files and the medical files of the test subjects, and (iii) obligations to disclose clinical trial data to national authorities during inspections.
Processing activities purely related to research activities, however, cannot be derived from a legal obligation. For these processing activities, the investigators/sponsors will need to invoke another processing ground: controller's legitimate interest, public interest or ... informed consent.
... but not necessarily the right one
So the informed consent obtained as part of the CTR obligation covers it, right? Not necessarily.
As stated before, the ‘informed consent’ set out by the CTR is not the same as the processing ground ‘consent’ set out by the GDPR. Moreover, the EDPB (European Data Protection Board) believes that even if you meet the conditions for obtaining an informed consent under the CTR, this does not mean that you will have a valid consent under the GDPR. The EDPB believes that consent will often not be “given freely” within the meaning of the GDPR:
"Consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller. Depending on the circumstances of the clinical trial, situations of imbalance of power between the sponsor/investigator and participants may occur."
(Question and Answers (Q&A) paper on the interplay between CTR and GDPR)
As a result, the data subject’s consent will mostly not be the most appropriate processing ground. A controller must conduct a thorough assessment of the circumstances of the clinical trial before relying on consent as a processing ground. According to the EDPB, controllers should investigate whether the other processing grounds are more appropriate.
In summary - check those consent forms
When conducting clinical trials, sponsors and investigators should rethink whether they really need to rely on the trial subject’s consent to process personal data, as there are other (possibly more appropriate) processing grounds available. Consequently, they should also review their consent forms.