New Draft Guidelines on GDPR Consent Requirement’s Application to Scientific Research

The Article 29 Data Protection Working Party (the “Working Party”), a European Union (“EU”) advisory body that issues non-binding guidance on EU data protection law, recently provided draft guidelines on applying the consent requirements under the EU’s General Data Protection Regulation (the “GDPR”). See Guidelines on Consent under Regulation 2016/679 (WP259) (Nov. 28, 2017) (hereinafter the “Guidelines”). In the Guidelines, the Working Party addressed, among other issues, the use of consent as a basis for processing personal data in connection with scientific (including medical or clinical) research. Comments on these draft Guidelines may be submitted until Jan. 23, 2018.

Understanding the GDPR’s requirements for consent is critical to the research community because consent of the data subject is the most typically used basis for processing personal data of research subjects. A previous Bloomberg Law article by the present authors provided a more general overview of issues regarding consent as a basis for processing personal data in connection with scientific research under the GDPR. (Barnes, et al., Reconciling Personal Data Consent Practices in Clinical Trials with the EU General Data Protection Regulation, Bloomberg BNA Med. Res. L. & Pol’y Rep. (Sept. 20, 2017)).

This article provides an overview of the Guidelines’ treatment of subjects’ consent in scientific research and identifies certain problems posed by the Guidelines for scientific research.

I. Overview of New Guidelines

While the Guidelines address the topic of consent generally with respect to the GDPR, a few pages of the Guidelines focus specifically on the topic of consent in scientific research. We focus on this portion of the Guidelines, as certain statements made therein may be very problematic for the research community’s practical implementation of GDPR requirements.

The Guidelines begin their discussion of scientific research by addressing the types of activities that may be considered “scientific research” under the GDPR. The Guidelines note that the GDPR contains two recitals in which processing personal data for scientific research is discussed, although the term “scientific research” is not itself defined in the GDPR. See Guidelines at 27. While the GDPR’s recitals provide that “the processing of personal data for scientific research purposes should be interpreted in a broad manner,” the Guidelines note that the Working Party considers that scientific research “may not be stretched beyond its common meaning” and thus for purposes of the GDPR should be taken to mean “a research project set up in accordance with relevant sector-related methodological and ethical standards.” GDPR Recital 159; Guidelines at 27. This language suggests a fairly flexible definition of “scientific research” and also that activities meeting the definition of “research” found in the Health Insurance Portability and Accountability Act (“HIPAA”) and the Common Rule, i.e., a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge, will qualify as “scientific research” for purposes of the GDPR. See 45 C.F.R. §§ 164.501, 46.102.

Unfortunately, the remainder of the Guidelines’ discussion of scientific research potentially is more problematic to the research community. The GDPR’s Recital 33 could be read on its face to allow researchers to obtain a general consent for future processing in connection with “areas of scientific research,” regardless of whether detailed plans have been finalized for such research. Specifically, Recital 33 states:

“It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.”

However, the Guidelines take the position that “Recital 33 does not disapply the obligations with regard to the requirement of specific consent” and note that a “well-described purpose” must be included in the consent to comply with the GDPR’s consent requirements. Guidelines at 27. Confusingly, the Guidelines then state that, “[R]ecital 33 allows as an exception that the purpose may be described at a more general level.” Id. at 28. The Guidelines propose that, in such circumstances, data subjects should be asked to consent for the research in more general terms at the outset and to consent to specific stages of research that are already known at the outset of the primary study. Id. Subsequently, the Guidelines suggest, additional consent must be sought from the subject when additional stages of research (unknown at the outset of the primary study) are identified and proposed. Id.

The Guidelines also specify that further safeguards should be put in place when research purposes cannot be fully specified at the time of initial consent. These common safeguards include data minimization, anonymization, and data security. The Guidelines further suggest that “transparency” should be incorporated into the consent process when circumstances do not allow for specific consent. Id. The approach to transparency contemplated by the Guidelines involves a series of continued contacts between researchers and subjects designed to inform the subjects of evolving purposes: “[a] lack of purpose specification may be offset by information on the development of the purpose being provided regularly by controllers as the research project progresses so that, over time, the consent will be as specific as possible.” Id. As discussed more fully below, this approach of a “rolling consent” process, with the data subject offered new consent for each separate stage of the study, fundamentally is different than the way in which medical research typically has been conducted and poses enormous implementation problems. Further, the Guidelines recommend “having a comprehensive research plan available for data subjects,” with the research plan “specify[ing] the research questions and working methods envisaged as clearly as possible.” Id. at 28-29. Transparency, the Guidelines indicate, is desirable because it allows data subjects to have “at least a basic understanding of the state of play, allowing [subjects] to assess whether or not to use, for example, the right to withdraw consent.” Id. at 28.

Perhaps most problematic for the research community, the Guidelines emphasize the importance of subjects’ ability to withdraw their consent, if consent has been relied upon as the basis for processing. The Working Party “notes that withdrawal of consent could undermine types [of] scientific research that require data that can be linked to individuals, however the GDPR is clear that consent can be withdrawn and controllers must act upon this [because] there is no exemption to this requirement for scientific research.” Id. at 29. If a researcher receives a notice that the data subject has withdrawn consent to data processing, the Guidelines conclude that the controller “should delete or anonymise the personal data straight away.” Id. The Guidelines, however, fail to address the difficulties in meeting the standards for both deletion or anonymization under the GDPR, especially with respect to the sensitive categories of data that often are used in research.

II. Problems Posed for the Research Community

Breadth of Consent

When the GDPR initially was proposed, one concern of the research community was that its requirement for specific consent for processing of personal data would stifle the ability of researchers to obtain broad consent for future research purposes. This possibility was especially problematic for U.S.-based researchers, whose research activities in the U.S. are allowed, under revisions in the 2013 HIPAA Omnibus Rule and the revisions announced to the Common Rule in early 2017, to solicit from research subjects a broad authorization for data use and a broad consent to future research, respectively. Many in the research community were pleased to see that the GDPR drafters appeared at least to acknowledge the needs of the research community for some level of broad consent, as the GDPR recitals recognize that “[i]t is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection.” GDPR Recital 33. The Recital further recognizes that consent is possible for “certain areas of research” – i.e., it is possible under the GDPR to obtain from research subjects consent for “areas” of research, as opposed to specific research activities. It is troubling for scientific research that the Guidelines appear to narrow the scope of this Recital.

The solutions proposed by the Guidelines for obtaining consent for future research are unlikely to be feasible in many circumstances. For example, the suggestion that “[a]s the research advances, consent for subsequent steps in the project can be obtained before that next stage begins” would impose a burden on researchers (including researchers who are direct employees of sponsors) continually to re-contact research subjects to obtain additional consent. This could prove infeasible in multi-year biobanking studies in which research subjects’ biological specimens and associated phenotypic data (which are likely to be considered “personal data” under the GDPR) are stored and used for many different research projects over the course of several years. Researchers often lose contact with subjects who participate in such studies, making it impossible to re-contact such subjects to obtain additional consent as additional research uses of the specimens and data are carried out. Moreover, even if feasible logistically, subjects could become fatigued by repeated requests for additional consent and cease responding to such requests. Further, these requirements also would mean that researchers employed by sponsors would need to contact subjects and request consent for additional research conducted by sponsor staff using identifiable biospecimens and personal data, even though subjects would not ever have had any previous contact with sponsor staff. Being contacted directly by industry sponsors could prove disturbing and seem intrusive to some subjects, and would mark a radical departure from research norms that long have regarded the research relationship as between the institution-based researcher and the subject, rather than between the industry sponsor and the subject.

The Guidelines also are unclear regarding the nature of the obligation imposed on researchers to re-contact research subjects as a research project further develops: is the researcher required to obtain additional consent from the research subject, or could the provision of an informational notice to the research subject suffice? As noted above, the Guidelines state at one point that, when the purposes of research are not known with specificity at the outset, the researcher can obtain consent for subsequent steps in the project as the research advances. Guidelines at 28. This language suggests an obligation on the part of the researcher to obtain additional affirmative consent from the research subject before advancing to the next stage of a research project. The Guidelines also state, however, that a lack of purpose specification can be offset by providing “information on the development of the purposes” at regular intervals as the research project progresses, noting that providing this information will permit the consent to be as specific as possible while providing subjects with the information they need to determine whether or not to exercise their right to withdraw consent. Id. at 28. This statement suggests that providing regular notice could suffice rather than obtaining a fresh affirmative consent as the research project advances. Providing periodic informational notices to research subjects also would be a departure from current research practices and would be significantly burdensome, though somewhat less so than obtaining additional affirmative consents during the course of research. In any event, as described above, even such a requirement for additional informational notices to subjects would fall most often on the sponsor, not research site staff, which would be inconsistent with current practices in which sponsors have no direct relationship or contact with subjects.

In addition, a requirement to obtain additional consent for future research appears contrary to the policy announced by the European Medicines Agency (EMA) in its Policy 0070 on “Publication of Clinical Data for Medicinal Products for Human Use,” which will require sponsors of clinical trials from which data are used in support of a marketing authorization before the EMA to make available publicly individual subject-level data collected in such studies to permit, among other things, future research use of such data. While the EMA policy states that all data submitted should be anonymized, in the case of pediatric or rare disease studies it may not be feasible to anonymize data to the strict standards set forth in the GDPR. Thus, consent may be the only basis on which data could be made available for future research under the policy. The consent practices advocated by the Working Party in the Guidelines (as discussed above) limit the ability to obtain general consent for future research purposes, and thus may frustrate the ability of researchers and sponsors to obtain such consent and thereby prevent sponsor compliance with Policy 0070.

Withdrawal of Consent

Equally problematic to the Guidelines’ narrow interpretation of consent for future research are the Guidelines’ requirements for the deletion or anonymization of personal data upon a subject’s withdrawal of consent. The research community, in many instances, faces a conflict between (i) the Guidelines’ strict interpretation of the research subject’s right to withdraw consent to personal data processing under the GDPR and (ii) independent legal and ethical obligations to maintain personal data for the integrity of a clinical trial and/or adverse event reporting. Because mere storage of data is considered “processing” of data under Article 4 of the GDPR, researchers and sponsors cannot, under the Guidelines, continue even to “store” personal data after a subject has withdrawn consent – even though data retention is required for regulatory purposes.

Researchers may be able to maintain copies of the data for clinical trial integrity and/or adverse event monitoring when a subject withdraws consent on the basis that “processing is necessary for reasons of public interest in the area of public health, such as . . . ensuring high standards of quality and safety of health care and of medicinal products or medical devices . . .” GDPR Article 9(2)(i). The Guidelines appear to support reliance on this as a second, alternate basis for processing after consent is withdrawn because “it is possible to rely on more than one lawful basis to legitimize processing if the data [are] used for several purposes, as each purpose must be connected to a lawful basis.” Guidelines at 22. “However,” the Guidelines note, “the controller must have identified these purposes and their appropriate lawful bases in advance.” Guidelines at 22.

Thus, there is a colorable argument that (i) processing of personal data for the conduct of research and (ii) maintenance of data collected in research to meet legal obligations are separate purposes and may, under the GDPR, have distinct lawful bases. To rely on separate bases for such distinct processing purposes, the controller should identify the dual purposes and their respective bases for processing to the subjects at the time of consent. Incorporating such information into the consent form both provides the subject a full view of the potential uses of their data and creates documentation that would help to refute potential concerns that reliance on a second basis for processing could call into question the validity of the subject’s consent.

Conclusion

The Guidelines do not clearly define how and under what circumstances researchers will be unable to obtain full consent to future uses of data at the time of initial consent and fail to identify when additional communications with subjects may be required to alert them of, and seek their new consent for, procedures and areas of research that were not specified in adequate detail at the outset. Further, the Guidelines do not directly address how a researcher and sponsor can retain copies of a subject’s personal data after withdrawal of consent, to satisfy ongoing independent legal obligations, which require the retention, maintenance, and in some cases (such as adverse event causation analysis) use, of subject-level personal data.

The Guidelines’ failure to contemplate and appreciate these various problems suggests that the Working Party lacks a clear understanding of how and by whom medical research is conducted, how personal data are necessary for regulatory and research integrity purposes, and how the GDPR itself poses challenges to the use of personal data in scientific research. The Guidelines are open for comment through Jan. 23, 2018, with instructions for submitting comments found on the Working Party website, located at http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611232. Members of the research community may wish to submit comments to the Working Party in advance of that date, to highlight the challenges that the Guidelines may pose to research.