SACHRP recommendations approved March 13, 2018

Implementation of the European Union’s General Data Protection Regulation and its Impact on Human Subjects Research

The Secretary’s Advisory Committee on Human Research Protections (“SACHRP”) has taken note of the impending implementation of the European Union (“EU”) General Data Protection Regulation (“GDPR”) as it relates to human subjects research activities conducted in the United States, or in association with entities and researchers located in the United States. This memorandum describes certain challenges the GDPR creates for the research community generally and how U.S.-based researchers who participate in multi-site, trans-national research are likely to be affected by the GDPR’s obligations, which in general exceed those under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

The application of GDPR requirements to human subjects research has alarmed many in our national research community, as the GDPR appears not to have taken into account adequately the nature, process and demands of scientific and medical research. This letter focuses on (i) issues with the GDPR’s potential application to U.S.-based research and (ii) two problem areas resulting from EU officials’ interpretations of consent as a basis for data processing under the GDPR: (a) the ability to obtain, at the time personal data are collected, consent to future research uses and (b) the need for continued use of personal data to satisfy legal obligations following subjects’ withdrawal of consent for the processing of their data, such as those imposed by the U.S. Food and Drug Administration (“FDA”). These topics are critically important to the research community, as consent is the basis most typically relied upon for processing personal data in research.

Moreover, because federal research dollars, including those of the National Institutes of Health (“NIH”) and other constituent parts of the U.S. Department of Health and Human Services (“HHS”), are increasingly awarded to support multi-site, trans-national research projects that include sites in Europe and thus necessitate the unimpeded flow of personal data of research subjects between Europe and the United States, advancing interpretations of the GDPR that are workable for the research community is of critical importance to the mission of HHS. We urge that HHS coordinate with other U.S. officials and your European counterparts to seek to mitigate the difficulties described in this letter. Harmony amongst national bodies of law would ease the regulatory burden on U.S.-based researchers and would facilitate the conduct of multi-national scientific and medical research, which benefits society at large, both in the U.S. and the EU member states.

I. Background

The GDPR becomes effective May 25, 2018, superseding the EU Data Protection Directive (the “Directive”), which was adopted in 1995. As a regulation of the EU, the GDPR will apply directly to data controllers and data processors in the 28 member states of the EU and in the three additional countries (Iceland, Liechtenstein, and Norway) that, together with the EU, make up the European Economic Area (“EEA”). In contrast, the Directive applied indirectly, requiring that the member states of the EEA transpose its principles into their national bodies of law, which had created legal divergences across the EEA.

The GDPR will apply extraterritorially in a broader range of circumstances than the Directive. Unlike the Directive, the GDPR applies to the processing of personal data by a controller or processor not established in the EEA, i.e., that lacks a physical presence in the EEA, when the processing is related to (a) offering goods or services to data subjects in the EEA or (b) the monitoring of behavior of data subjects who are in the EEA. See GDPR, Art. 3. This means that the GDPR will apply directly to, and will directly regulate, much of the U.S.-based use and processing of personal data that have been collected in the EEA for clinical and other research purposes. The problems described in this letter, therefore, will soon confront U.S.-based researchers, institutions, research funders (such as the NIH), and industry sponsors of research, including private pharmaceutical, biotechnology and medical device companies, as they seek to use personal data collected at research sites based in the EEA and transferred to the U.S.

Further, the category of “personal data” to which the GDPR applies is much more broadly defined than “protected health information” covered by HIPAA or “identifiable private information” as defined in the Common Rule. See 45 C.F.R. § 46.102. Under the GDPR, “personal data” are defined broadly to include:

    [A]ny information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

GDPR, Art. 4(1) (emphasis added). Notably, coded data, referred to as “pseudonymised data” in the GDPR, are considered to be “personal data” subject to the protections of the GDPR. This is in contrast to the Common Rule, which generally does not protect such information as “identifiable private information” provided that certain steps are taken to prevent the investigator from obtaining the means to link the code to the subject’s identity.

While this letter focuses on a select jurisdictional issue and on the particular issues of consent that arise for the research community under the GDPR, it is worth noting that there are many additional ways in which the GDPR diverges from HIPAA, including extensive enforcement penalties that exceed those imposed for HIPAA violations.

II. Problems and Recommendations

A. Jurisdictional Issues

The GDPR’s sweeping jurisdictional scope, which does not take into account data subjects’ residency, could prove disruptive to the conduct of U.S.-based research with U.S.-based human subjects. The implications of the GDPR’s application in these circumstances have not been considered adequately in the drafting of the GDPR and in the guidance provided by EU regulators.

As described above, the GDPR applies to data controllers or processors not established in the EU when related to monitoring data subjects’ behavior in the EU. A U.S.-based clinical study could be subject to the GDPR if it uses digital technology, such as wearables, mobile phones, or other personal electronic devices, to track subjects’ heart rate, blood pressure, levels of physical activity, or other data points. Although such a study may be initiated in the U.S. and enroll only U.S. residents, some of these subjects may travel to EU destinations for vacation or work while enrolled in the study. If their personal electronic devices continue to transmit their data back to the U.S. study site from their EU location, then those data, alarmingly, could be subject to the GDPR under the jurisdictional hook regarding the monitoring of behavior. In such a scenario, the GDPR would apply to the data collected while the subject was in the EU even after the data subject returns to the U.S. and has no further contact with the EU. Such a result and its effects on research appear unforeseen and increase regulatory and related compliance costs on U.S.-based studies, without any increase in meaningful protections of these data subjects.

1. SACHRP recommends that HHS encourage its EU, EEA, and EU member state counterparts to exclude, under their interpretations of the GDPR, this category of U.S.-based research from the GDPR’s jurisdiction.

B. Consent to Future Research Uses

The Article 29 Data Protection Working Party (the “Working Party”), an EU body constituted to provide non-binding guidance on EU data protection law, recently issued draft guidance on processing personal data on the basis of the data subject’s consent. As described in more detail below, this draft guidance advances positions that will be, if adopted by the EU regulatory authorities, highly problematic for the U.S.-based research community, including research institutions, industry sponsors of research, and researchers themselves. See Guidelines on Consent under Regulation 2016/679, WP259, Article 29 Data Protection Working Party (Nov. 28, 2017) (the “Working Party Draft Guidelines”).

i. Level of Generality in Description of Future Research Purposes

Guidance from U.S. and EU regulators has diverged with respect to obtaining consent for the use of data in future research studies. Often, personal data collected in one research project may prove useful, or even critical, to future research endeavors that were not contemplated at the time the data were collected, and for which specific purposes the data subjects’ consent could not therefore be obtained. At the time of initial data collection, researchers are often aware of the general purposes for which the data may be used, but they frequently cannot foresee the particular studies for which the data may be useful. For example, a dataset containing information on persons with a particular disease or condition will predictably be useful for the study of that disease or condition, but all of the specific hypotheses that could be tested with the data in the future are unlikely to be known.

U.S. regulatory interpretations have recognized the importance of gathered data to future scientific research. In recent years, regulatory interpretations have allowed researchers to obtain authorization for future research generally, rather than requiring specific authorization for specific studies. For example, as originally interpreted, HIPAA had required that an individual’s authorization to use and disclose PHI for research be study specific. In 2013, the HHS Office for Civil Rights (“OCR”), in line with recommendations made by SACHRP, modified its interpretation of HIPAA in the Omnibus HIPAA Final Rule, allowing that authorizations may permit future research, provided the future research is described adequately in the authorization so that an individual reasonably could expect that PHI could be used or disclosed for the future research. See 78 Fed. Reg. 5566, 5611-13 (Jan. 25, 2013). Similarly, the revisions to the Common Rule announced through the issuance of a final rule in January 2017 formalized the concept of “broad consent” through which research subjects can provide consent to future research described in such a fashion that a reasonable person giving the consent for future research would have expected the broad consent to permit the types of research conducted. See 82 Fed. Reg. 7149, 7219-7223 (Jan. 19, 2017).

In contrast, the Working Party Draft Guidelines could seriously restrict the availability of broad consent to future research as a basis for processing personal data under the GDPR, and by extension in HHS-supported research that includes sites located in the EEA. The Working Party’s interpretations are advanced notwithstanding Recital 33 to the GDPR itself, which recognizes that, “it is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection.” GDPR, Recital 33. Recital 33 further provides that data subjects may be asked to consent to “areas of scientific research,” apparently contemplating the availability of broad consent to future research:

    [D]ata subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognized ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.

GDPR, Recital 33. Confusingly, the Working Party Draft Guidelines assert that the GDPR’s “Recital 33 does not disapply the obligations with regard to the requirement of specific consent” and note that a “well-described purpose” must be included in the consent to comply with the GDPR’s requirements. Working Party Draft Guidelines at 27. The Working Party Draft Guidelines could therefore be read to suggest that providing data subjects a description of the general areas of future research, which would be permissible under both HIPAA and the Common Rule, might not satisfy the GDPR’s requirement that consent be specific. On the other hand, also confusingly, the Working Party Draft Guidelines note that, “[R]ecital 33 allows as an exception that the purpose may be described at a more general level.” Id. at 28. This statement seems to be consistent with the text of the GDPR Recital 33, but does not help delineate what level of generality in describing future research may be considered acceptable.

2. In order to ensure that HHS-supported investigators are able to perform valuable future research using personal data collected in the EEA, SACHRP recommends that HHS acknowledge these regulatory difficulties and, in turn, encourage its EU, EEA, and EU member state counterparts to issue additional guidance to clarify the level of generality at which future research uses of personal data may be described. Such guidance should permit researchers conducting research at sites located in the EEA to obtain a broad consent along the lines permitted by HIPAA and the Common Rule.

ii. Repeated Contact with Data Subjects to Provide Subjects with Additional Notices or to Secure Additional Consent

The solution the Working Party Draft Guidelines purport to offer for obtaining consent to future research uses—ongoing, repeated contact by researchers with data subjects—will be unworkable and would, if adopted, impede valuable future research using already-collected personal data. The Working Party Draft Guidelines propose that, when future scientific uses of personal data are not known with particularity at the time of initial consent, data subjects should be asked to consent for the research in more general terms and to consent to any specific stages of future research that are already known. The Working Party Draft Guidelines suggest re-contacting research subjects when additional stages of future research (unknown at the outset) are identified and proposed. See id. However, the Working Party Draft Guidelines are unclear regarding what the nature of additional contact should be.

On the one hand, the Working Party Draft Guidelines suggest that the researcher may be permitted simply to provide additional information to the data subjects, stating that “[a] lack of purpose specification may be offset by information on the development of the purpose being provided regularly by controllers as the research project progresses so that, over time, the consent will be as specific as possible.” Id. On the other hand, the Working Party Draft Guidelines could be read to suggest that the researcher may be required to seek additional consents from the research subjects, noting that “[a]s the research advances, consent for subsequent steps in the project can be obtained before that next stage begins.” Id.

In either case, for researchers, research institutions or industry sponsors of research repeatedly to contact and re-contact data subjects with notices of additional research uses of their data, or to obtain additional consents for those research uses, fundamentally differs from the way medical research is generally conducted and poses implementation problems that could impede and stifle scientific progress. Some examples of problems include:

• Obtaining such consent or establishing such contact could prove infeasible in multi-year biobanking studies in which research subjects’ biological specimens and associated phenotypic data (which will likely be considered “personal data” under the GDPR) are stored and used for many different research projects over the course of several years. Researchers often lose contact with subjects who participate in such studies, which can make it impossible to re-contact the subjects as additional research uses of the specimens and phenotypic data are carried out.

• Data subjects may become fatigued by repeated requests for additional consent and cease responding to such requests, making it impossible to obtain sufficient additional consents to allow the additional research to be carried out.

• A requirement to obtain consent from, or to provide additional information to, subjects would fall most often on a clinical trial sponsor, such as a U.S. academic medical center, university or a U.S.-based pharmaceutical or medical device company, that designed the clinical trial, or in the case of HHS-supported research, served as the lead site. This would be inconsistent with current practices in which sponsors and research institutions typically have no direct relationship or contact with research subjects. For these sponsors and institutions repeatedly to contact and re-contact research subjects would mark a radical departure from research norms that long have regarded the research relationship as between the researcher and the subject, rather than between the sponsor or research institution and the subject. Being contacted directly by industry sponsors or research institutions could prove disturbing and seem intrusive to some subjects, who likely have never been contacted by such entities regarding their participation in a clinical trial or other medical research.

3. SACHRP recommends that HHS encourage its EU, EEA, and EU member state counterparts to amend their guidance so that it is not required that data subjects be re-contacted or re-consented before additional research is conducted using existing personal data for which an appropriate consent for that future research use already has been obtained.

iii. GDPR’s Conflict with EMA Policies and Regulations

A requirement to obtain additional consent for future research would also appear contrary to a policy announced by the European Medicines Agency (the “EMA”), which would apply to trials conducted in the United States whose results are submitted to the EMA to support marketing applications for medicinal products in the EU. The EMA’s policy will require sponsors of clinical trials from which data are used in support of an EMA marketing authorization to make publicly available the individual subject-level data collected in such studies to permit, among other things, future research use of such data, and this will apply regardless of the national site of these trials. See EMA Policy on Publication of Clinical Data for Medicinal Products for Human Use (EMA/240810/2013) (Oct. 2, 2014). While the EMA policy states that all data submitted should be anonymized, in the case of pediatric or rare disease studies, or for phase I or phase II trials (for which there are generally very few subjects), it may not be feasible to anonymize data to the strict standards set forth in the GDPR. Thus, research subject consent to the use of personal data for these EMA transparency policy purposes may be the only basis on which personal data could be used. By limiting a researcher’s, research institution’s or sponsor’s ability to obtain general consent for future research use of personal data, the data consent practices detailed in the Working Party Draft Guidelines would frustrate compliance with the EMA policy.

4. SACHRP recommends that HHS encourage its EU, EEA, and EU member state counterparts to interpret GDPR requirements so that compliance with EMA data transparency regulations does not conflict with data subjects’ rights under the GDPR.

C. Working Party Draft Guidelines Regarding Withdrawal of Consent and Ancillary EU Legal Requirements

The research community, in many instances, faces a conflict between (i) the Working Party Draft Guidelines’ strict interpretation of the research subject’s right to withdraw consent to personal data processing under the GDPR and (ii) independent legal and ethical obligations to maintain personal data for the integrity of a clinical trial and/or adverse event reporting.

HIPAA does not create such a conflict, as recent OCR guidance reaffirmed earlier OCR interpretations that permit both HIPAA covered entities and non-covered entities, following an individual’s revocation of authorization, to maintain, use and disclose data as needed to preserve the integrity of the research. See Guidance on HIPAA and Individual Authorization of Uses and Disclosures of Protected Health Information for Research, OCR (Dec. 13, 2017). Therefore, under these interpretations of the U.S. regulations, a covered entity may continue to use and disclose PHI obtained prior to an individual’s revocation to the extent the covered entity has acted in reliance on that authorization (e.g., to maintain the integrity of the research) or for purposes that do not require authorization (e.g., treatment, payment or health care operations). See id. A non-covered entity enjoys still greater latitude and is unaffected by revocation of authorization if it received the PHI pursuant to an authorization prior to a patient’s revocation of the authorization. See id.

In contrast with HIPAA, the Working Party Draft Guidelines observe that, “withdrawal of consent could undermine types [of] scientific research that require data that can be linked to individuals, however the GDPR is clear that consent can be withdrawn and controllers must act upon this [because] there is no exemption to this requirement for scientific research.” Working Party Draft Guidelines at 29. If a researcher receives a notice that the data subject has withdrawn consent to data processing, the Working Party Draft Guidelines conclude that the data controller “should delete or anonymise the personal data straight away.” Id. Such deletion, however, could seriously imperil the integrity of the research, thereby undermining the investment made by HHS in multi-site, trans-national studies with sites located in the EEA. It could also imperil the ability of U.S.-based research institutions, industry sponsors and researchers to respond to requests from FDA and/or from cognizant IRBs, as they would be hindered from using for their responses the personal data of the individual who has withdrawn consent.

5. SACHRP recommends that HHS encourage its EU, EEA, and EU member state counterparts to issue guidance that researchers may maintain copies of the data for regulatory, research integrity and/or adverse event monitoring purposes after a subject has withdrawn his or her data consent. We believe that the text of the GDPR permits such an interpretation, as it permits personal data to be processed when “processing is necessary for reasons of public interest in the area of public health, such as . . . ensuring high standards of quality and safety of health care and of medicinal products or medical devices . . . .” GDPR Article 9(2)(i).

III. Conclusion

As outlined above, the GDPR’s jurisdictional scope and current draft interpretations of the GDPR offered by the Working Party threaten to hinder important HHS-supported multi-site, trans-national research that includes sites located in the EEA, as well as clinical trials sponsored by U.S.-based industry entities. To forestall these looming problems, HHS should encourage its EU, EEA, and EU member state counterparts to promulgate guidance clarifying that the GDPR should be interpreted not to apply to the incidental collection and transmission of personal data from those enrolled in research studies at U.S. sites when they happen to be traveling in EU member states.

Further, HHS should encourage its EU, EEA, and EU member state counterparts to issue additional guidance clarifying that, consistent with (i) the text of GDPR Recital 33, (ii) customary practice in the scientific community, and (iii) the requirements of the EMA, data subjects’ consent may be obtained under the GDPR based on a description of the “areas of scientific research” for which personal data will be processed. Additionally, EU, EEA, and EU member state officials should be encouraged to issue guidance clarifying that, if a data subject withdraws his or her consent to processing, another basis may be relied upon for storing and posting personal data to preserve the integrity of the research and to fulfill regulatory obligations. These clarifications would align the GDPR more closely with requirements of HIPAA, the Common Rule and FDA, thereby promoting an EU privacy framework that is workable for multi-site, trans-national clinical research while respecting individuals’ privacy rights.