Life sciences organizations have a host of reasons to want to expand their clinical trial efforts outside of the US to Europe. Expansion into Europe means access to diverse patient populations, and therefore more robust and representative clinical trials, as well as the opportunity to collaborate with some of the world’s most prestigious research institutions and academic centers. Europe enjoys very well-developed national healthcare systems, which can be a huge boost to participant recruitment and data collection at scale, alongside well-established regulatory frameworks giving further practical assistance.
On the commercial side, ambitious life sciences companies will also know that successful European clinical trials pave the way to accessing the world’s largest market, the 27 Member States of the European Union with a combined population of 450 million.
The blockbuster pharmaceutical products which have recently come out of Europe, and the volume of exciting life sciences and healthtech spin-outs from universities in the EU, UK, and Switzerland underscore the continent’s potential for innovation and reputation for cutting-edge research. Why then are many life sciences companies not expanding their US clinical trials into Europe at the pace and scale we might expect? Much of the reason, from the conversations we are having with clients, are concerns over navigating compliance with data protection and clinical trials regulations simultaneously.
Properly administered informed consent has rightly been enshrined in law and ethical practice for many decades, and so the requirements of the EU’s Clinical Trials Regulation, the UK’s Medicines for Human Use (Clinical Trials) Regulations, or the Swiss Federal Human Research Act around actually taking part in studies are readily understood. Where things get more complex is the interplay between the clinical trials regulations and the lawful bases for processing, purpose limitations and information requirements, which must be applied for the underlying personal data itself, as governed by the sprawling general data protection regulations Europe has pioneered.
At some 88 pages of text, 99 articles and 173 recitals, it is easy to see why the mere mention of GDPR might strike fear into the hearts of those unused to working within its framework. However, as with many fabled “bogeymen,” fears that GDPR poses a barrier to clinical research are unfounded, with the right approach. The all-encompassing, general nature of GDPR and its sister regimes (Member State laws enacting regulations) mean that the facilitation of research has been baked right in.
In their initial framing and subsequent guidelines, legislators and data protection supervisors in Europe have actually created a very favorable environment for all stakeholders in the research ecosystem. Organizations involved in research simply have to understand and correctly apply the carveouts which have been created for them.
Take for instance the issue of consent. Informed consent may be non-negotiable for participation in the clinical trial itself (including for any necessary tokenization of patient data) but in this research context, it’s unlikely to be the correct lawful basis for processing the personal data beyond that. To be valid under GDPR and its equivalents, consent must be for a specified processing purpose and may be revoked at any time, which closes down further study potential and opens up the risk of losing valuable data – potentially at great trouble and expense. Far preferable are the legal pathways provided for research, projects which serve the public interest or an organization’s legitimate interests in carrying out a study (for an in-depth discussion of this issue see our recent piece, ‘Looking beyond consent for research under GDPR’).
And the ability to find alternative, very much more liberal lawful bases for processing the personal data volunteered for and generated by clinical trials is just the start of the accommodations European data regulation has to offer the research ecosystem. Life sciences organizations will also find numerous exceptions and exemptions they can leverage too. They simply have to ascertain and document their applicability, and take any mandated steps required to qualify, which might include additional information security measures, anonymising data, and carrying out Data Protection Impact Assessments (which can be thought of as an enhanced version of US-style Privacy Impact Assessment, in simple terms). Careful consideration of compliance requirements and a “Privacy by Design” approach can actually open up opportunities, rather than in any way shutting research potential down.
While the EU GDPR and the associated national/state implementing legislation and regulations are primarily intended to protect individuals’ data rights, these rules were not meant to stymie the use of personal data for business and the betterment of society at all (and they in fact say exactly this throughout their texts). Pragmatic, and in many ways highly encouraging pathways were included to help all manner of organizations pursue their interests while also giving individuals a finely judged degree of control. And, although the GDPR framers had the wisdom to be technology neutral in their original legislation, the European authorities are still furiously working to keep up with the pace of change in areas like anonymization, genomics, and machine learning, and aim to position the continent at the forefront of research innovation.
The latest developments include the European Health Data Space (EHDS), a framework designed to facilitate efficient sharing of health data across the EU; the UK’s Data (Use and Access) Bill, intended to ease access to data and collaboration in research; and Germany’s Health Data Act (Gesundheitsdatennutzungsgesetz or GDNG), which will open up new frontiers in the secondary use of state-gathered data. In fact, we can happily say that recent moves in Europe to liberalize data use for research are too numerous to enumerate here.
The takeaway is that although European data protection compliance can seem daunting, GDPR and its related rules need not be a barrier to expanding clinical trials at all, with the right privacy partner and a strategic approach to the legal pathway. In fact, read correctly and with an expert eye, there is actually a lot for research organizations to like.
Please get in touch to discuss developments relevant to the projects and countries you have under consideration.
Datavant’s European Privacy Solutions team offers a full suite of end-to-end privacy governance solutions to help life sciences companies, clinical research organizations and their partners achieve compliance confidence in all their research efforts. Read our case studies to see how we have helped organizations maximize the value of health data, including with the UK’s National Health Service, or get in touch to discuss which strands of our consultancy and wider data logistics offering could best facilitate your projects.
This article should not be taken as legal advice.
Explore how Datavant can be your health data logistics partner.
Contact us
.svg)
