With sponsors looking for more ways to increase patient numbers and patient diversity, multi-country clinical trials can be a vital part of that puzzle.

Of course, when a patient consents to participate in a clinical trial, they do so knowing and agreeing that data will be shared amongst parties for that purpose. There are, however, laws in place that protect each patient’s data.

The sponsor or biotech holds the responsibility of ensuring compliance with any data protection laws in the areas where they are operating trials. When sponsors are planning multi-country trials, they will want to collect the same data on every patient enrolled, but this may not be possible. As a result, this can make it difficult to conduct global trials, especially for biotech startups who may not fully grasp global laws.

Individual country laws may supersede wider laws

Although the General Data Protection Regulation (GDPR) exists in the EU, this can be superseded by laws set by individual countries, making it even more of a minefield as to what regulation sponsors should abide by.

Dr Tim Schwarz, a digital health lawyer for Taylor Wessing in Germany, says this is when difficulties arise.


“This is the tricky thing. The GDPR has general rules but you have to look into national laws too. The approaches across Europe are quite different in terms of how they’re interpreted and applied. Some countries rely on research privilege,” he explains.

“In Germany, for example, the law requires that you have obtained informed consent when you have processed personal health data in the context of clinical trials. There are also different requirements for the informed consent form between patients.”

Even within the US, different states have passed varying data privacy laws, with a total of 13 states passing comprehensive data privacy legislation by the end of last year. These states are California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Texas, Florida, Montana, Oregon, and Delaware.


Chief clinical trial officer at Florence Healthcare, Catherine Gregor says lack of consistency, even within the US, makes it difficult for sponsors to scale trials. According to Gregor, Florence Healthcare advises sponsors and biotechs about what they can and cannot do on a country-by-country and state-by-state basis due to how confusing it can be.

“In the absence of a federal position, we go state by state, which makes it hard to run a trial and scale across multiple states in the US. This makes it similar to the EU,” Gregor says. “It’s not always consistent so you still have to look at each location as to what you can and cannot do.”

Foley & Lardner’s LLP Medical Device and Equipment group co-chair Kyle Faget says that for US biotech startups, it can be difficult enough to understand the US legal frameworks, let alone being able to understand how this differs in the EU.

“It becomes a question of whether these biotech companies want to conduct clinical trials in these jurisdictions as the risk is significant and the penalties are large,” Faget says. “This is a huge undertaking for companies to take on all these additional laws, particularly when they’re more aggressive than in the US.”

Planning is key

Patient data is anonymised before being provided to a sponsor, but that does not mean that a sponsor can collect any data they want, especially with EU patients where the laws are generally stricter. 

Heather Delgado, a partner for the healthcare department at US law company Barnes & Thornburg, says that because of how stringent GDPR laws are, it is potentially easier for an EU sponsor to ensure compliance in global trials than it is for US sponsors.

“Most of those forms are fairly uniform. If you are US-based and running trials in the UK, which has its own laws, or France, where GDPR applies, that’s probably where you would see more issues rather than the other way around,” Delgado explains.

Delgado adds that sites in the US are bound by HIPAA privacy protections that include the personal health information (PHI) that can be disclosed, even in a clinical trial setting, which needs to be considered by sponsors when planning trials and compiling patient consent forms.

“When a patient consents, the sponsors need to realise that there needs to be verbiage in there that allows that PHI to be disclosed to the sponsors for research purposes and verbiage that the PHI will be protected,” Delgado says.


Rohit Nambisan, CEO of Lokavant, a clinical trial intelligence platform that supports data collection, says that due to different laws which govern what data can be collected, considerations must be made early on in the planning process to ensure a smooth study start-up.

“It affects more from a planning side than an execution because pseudo anonymisation of patient data has been in place for quite some time,” Nambisan says. “It can affect trial launch timelines, especially study start-up, because it can be very hard to target and identify sites with eligible patients.”

According to Faget, it can sometimes be easier to consider the strictest legislation in the planning process, but it is not always the best plan. “You have to think of scalability so when you’re trying to build and scale a clinical trial, the easiest thing to do is to take the most conservative standard and adhere to it across the board, that operationally makes it easier but can also be much more expensive and can tie your hands in some jurisdictions where your hands wouldn’t normally be tied,” Faget explains.

“So you have to do an analysis whether you take the easiest approach and comply with the most rigorous standard across the board but then question, are you cutting your nose off to spite your face in some jurisdictions? You need to ask – what are the outputs that you’re looking for? And how do you best get them?”

However, Gregor says that adopting the one-size-fits-all approach may not be well received by some sites that are not under such stringent laws.

“When GDPR first came out, the regulations were much more stringent than the US and I was at a site when that happened,” Gregor recalls. “The sponsor was trying to get us in the US to adhere to GDPR requirements and our position was we were not subject to these so did not need to.”

Pain points with remote monitoring and decentralised global trials

As decentralisation is widely incorporated in clinical trials, it is adding more complexity due to the number of parties involved.

Nambisan says decentralising does not always allow physicians to fully review and monitor data being sent about their patients.

“The challenge comes when a physician becomes an investigator in a study and is asked to work with multiple different remote companies and professionals like a remote phlebotomist, remote nurse services, home care,” Nambisan comments. “Now the physician is working with a variety of new data sources which they can’t always easily review and monitor.”


Faget explains that there is more risk as data is not coming from just one source like in traditional trial models. “The decentralised clinical trial model is asking us to rethink privacy and security because now you have data inputs coming from all different places and PHI coming from all different places,” says Faget.

Another relatively new development in the clinical trial landscape is remote monitoring, which adds the possibility that data held by a site in the EU is monitored by someone in the US.

“One of the biggest pain points is not so much the data privacy but the data localisation, where data is collected and who can review that data. That becomes an issue when you’re talking about monitoring, especially remote monitoring,” says Gregor.

“If the monitor is based somewhere outside of the country where the site is located then you’ve got data crossing country borders, which is even more complex.”

Consistency may appear in the future

With time and experience, it will become easier for sponsors and biotechs to know what data laws they must abide by. Nambisan says that as more data laws are introduced in the US, consistency will appear.

In the US, Nambisan says: “Some similarity is taking shape with the California privacy laws and I think we’re going to see more similarity over time.”

In the EU, Schwarz says that there is a need to lobby for consistency. “The aim is to make the data more accessible all over Europe, for research purposes and treatment purposes. Laws have changed fundamentally – in particular in Germany, and are under interpretation by data protection authorities.”


“I feel that it’s the right time to lobby now to streamline data protection laws across Europe that actually allow the data processing in a harmonised way, which was the intention by the GDPR but currently, it’s not like that,” Schwarz concludes.

Data laws will likely never be identical across the world, but Faget says the easiest method for sponsors is to just ensure that patients in all jurisdictions know exactly where their data is going and allow patients to make an informed decision.

“There has to be some meaningful consent and that the patient has to consent to exactly where their information is going, whether it’s to CROs, sites, sponsors, a local lab, that has to be disclosed in the informed consent,” Faget concludes.