Addendum to Approved SACHRP Recommendation (March 2018)
Regarding the European Union’s General Data Protection Regulation
and its Impact on Human Subjects Protection Regulations
In March 2018, the Secretary’s Advisory Committee on Human Research Protections (SACHRP) respectfully submitted for your consideration recommendations relevant to the implications of the European Union’s General Data Protection Regulation (GDPR) on the Department of Health and Human Services (HHS) human subjects protection regulations at 45 CFR part 46. The recommendations transmitted to you in March 2018 had been presented to SACHRP by the co-chairs of SACHRP’s two subcommittees, the Subcommittee on Harmonization and the Subpart A Subcommittee, and were approved by SACHRP on March 14, 2018.
At this time, some of the matters discussed and analyzed in SACHRP’s March 2018 recommendations have become more urgent. Specifically, it has come to SACHRP’s attention that some research authorities in the European Union (EU), as well as a number of private entities, have taken the position that consent for use of personal data should no longer the sought as a basis for processing sensitive personal data in trials and studies in which GDPR jurisdiction attaches to the trial’s or study’s data collection and data uses. Instead, these agencies and entities have indicated that “scientific research” under GDPR Article 9(2)(j) should be relied upon as the basis for processing these study data, in order, among other things, to ensure that the individuals participating cannot withdraw their consent for the processing of their personal data. Meanwhile, other EU authorities and private entities have taken the position that subjects’ consent for processing of personal data is appropriate and indicated as a basis for processing their personal data and assert that the possibility of subject withdrawal of consent for processing of their personal data can be accommodated under the GDPR framework.
In one sense, this is a regulatory interpretation matter for the EU and EU member state authorities and institutions. However, at this point in time, many studies have sites and subjects located in both the U.S. and the EU, and the consent forms and protocols for these studies must accommodate and comply with GDPR, HIPAA and the Common Rule. Many U.S.-based research entities, such as universities and academic medical centers, maintain study sites in the EU, and because some or many of these U.S. lead sites are HIPAA-covered entities and comply with the Common Rule, then the template consents must comply with all three regulatory regimes. If, however, consent for use of personal data is not appropriately included in an informed consent form used in the EU, then there will be great confusion in the regulated community as to how to construct a consent form, including HIPAA authorization, that would include consent for data use under U.S. law, but simultaneously say that under the GDPR, no consent for use of personal data is required. The same consent form would therefore say both that the subject has the right to withdraw consent for research use of their personal data, and that the subject’s data can be used without consent anyway, under GDPR. There is a great risk here of formulating consent forms that comply with all these applicable requirements but that are fundamentally internally inconsistent and are incomprehensible to potential subjects.
Even more importantly, an interpretation of the GDPR that eliminates consent for use of personal data, cleaving off personal data rights from other subject rights, challenges fundamental assumptions and requirements under the Common Rule, FDA regulations and HIPAA, all of which recognize subjects’ consent for use of their personal data as foundational element of ethical research. There are real and imminent issues confronting IRBs and researchers as to how to approve research that falls under all applicable regulatory regimes, including the GDPR, in this confused legal context.
For all these reasons, SACHRP commends this issue to your attention, consistent with SACHRP’s previous March 2108 recommendations regarding GDPR’s effect on human subjects research.