Data Protection regulation – The need to have clear frameworks in the EU

3rd September 2015 (Last Updated August 23rd, 2018 09:22)

CTA interviews Anastassia Negrouk, Head of International Regulatory and Intergroup Unit, EORTC about data protection laws

Anastassia Negrouk, Head of International Regulatory and Intergroup Unit at EORTC in Belgium, explores how unclear laws related to data protection can cause penalties and delays in trial activation. She suggests that companies and academic partners should closely monitor the implementation of coming regulations.

Clinical Trials Arena: What are the problems related to data protection?

Anastassia Negrouk: Data protection frameworks are poorly adapted to the needs of research and have a lot of problems. I will just mention two of them. One of the problems is that it is not easy to understand which law should be applied to a given project. Data protection originated from a data protection directive, which has been implemented in different states in a slightly different way. There is actually an ongoing debate around the question of who is the controller of the data in the scope of clinical trials. It is unclear whether the sponsor is actually the controller or whether there is some kind of co-responsibility with investigators who actually treat patients, receive patient data and then pass it to the sponsors in a pseudo-anonymous (or coded) form. So why is this debate important? Because it relates to understanding what, when and whom the law is applicable to. If it were clear that the controller is the sponsor, it would be easy. In the case of a company in Belgium, for example, this would mean that the company would have to comply under the Belgian law. However, for international trials, there is ambiguity with the law related to investigators who could be based in any European country. This means you may potentially be obliged to comply with the law of different EU countries.

Also, in some countries data protection authorities have a much stronger role and in some others the data protection authorities are not necessarily directly involved. In these cases, it is quite a challenge to understand what formalities are applicable to a given project and even harder to determine who is supposed to comply (sponsor or investigator). This means you would have to use a significant amount of your time to talk to ethical committees (as they may have different interpretations from your own).

CTA: What are the consequences of this problem?

AN: It is a waste of time and it can be dangerous when it is unclear what obligations the sponsor needs to comply with in terms of processes and tasks to be performed. Some countries may put penalties in place or sponsors might have delays in trial activation. This problem can also decrease the attractiveness of Europe as a research area for external investors.

CTA: How could this be solved?

AN: There should be more clarity about the law applicable as well as clear coordination processes, all of which should have a clear timeline. There has been a data protection regulation under discussion since 2012, which might end by the end of this year. However, I am not very optimistic that this problem of having only one law applicable will be solved, specifically in regards to clinical trials, as they refer to specific rules for scientific research where member state autonomy in the capacity to set-up national rules is reinforced. Various stakeholders are lobbying but it is not easy.

Maybe a way out is to put a mechanism in place for stakeholders, which would include companies and academic partners, to carefully monitor the implementation of this regulation for the first few years, advise regulators about the best way to proceed and suggest the necessary adjustments to avoid delays and having projects blocked. To have an ongoing mechanism to monitor the implementation of the regulation to come is essential. Otherwise, important research could be stopped.

CTA: Are there any other problems related to data protection?

AN: The other problem is related to data transfers. Health and clinical research is done with pseudo-anonymous data, which is not recognised in the given framework even though it is valuable data. This data cannot be transferred to third countries like the US, which is very active in research, unless patients give a specific consent or we put in place specific, very cumbersome and lengthy clauses, or we do both. These clauses use many pages and ¾ of them are not applicable to the reality of clinical studies nor are they possible to implement with some partners (such as governmental bodies, e.g. US National Cancer Institute).

Europe has been debating about transparency and the need to share data results for the last few years. To share anonymous data has no use, linked data is needed. So, if ethical committees or data protection authorities are prohibiting sharing data (and we have already had first warning signs of this trend) that would be the full stop of the fight. Sharing data is easier and cheaper than exposing new patients to risk in order to confirm results.