8 February 2021
Clinical trials often involve the transfer of large amounts of personal data across borders. For example, in multi-country trials, laboratories processing samples, trial sites, contract research organisations and the sponsor of the trial may all be in different jurisdictions.
Where this personal data is flowing from the EEA or the UK, the GDPR and the UK GDPR (the post-Brexit version of the GDPR) will apply respectively.
Under the GDPR, personal data may not be transferred outside the EEA (including to the UK) unless there are protections in place to guarantee individuals equivalent rights and protections to those they enjoy in the EU.
Countries considered to have a data protection regime which provides an adequate level of protection, equivalent to that in the EU, may benefit from a Commission Adequacy Decision which allows the free flow of personal data from the EU. To date, 12 jurisdictions (including the Channel Islands) have full Adequacy Decisions and South Korea and the UK are currently in the final stages of the adequacy process.
The partial (and controversial) Adequacy Decision in relation to transfers under the EU-US Privacy Shield was struck down by the CJEU in July 2020, in the Schrems II decision, which cast doubt on the future of data transfers between the EEA and the US, and, potentially, to other jurisdictions.
In the absence of an Adequacy Decision, a number of other data transfer mechanisms can be used: principally, the European Commission’s standard contractual clauses (SCCs) – a pre-approved set of clauses to be included in the contract to help protect the personal data; or Binding Corporate Rules (BCRs) – regulator-approved rules which can be used for intra-group transfers. There are also other limited options which may be available.
The Commission recently published drafts of revised and additional sets of SCCs to allow for greater flexibility including with regard to roles (for example, they now cover processor to processor situations) and in terms of the number of parties who can sign up to them. The fact that more than two parties will be able to sign up to a single set of SCCs will be extremely helpful to controllers and processors dealing with cross-border clinical trial data and they will also welcome greater flexibility in what is currently a rigid system.
Following the Schrems II decision, both importers and exporters of personal clinical trial data need to make an assessment as to whether the importing country provides an adequate level of protection (ie one essentially equivalent to that in the EEA) and take steps to add on to SCCs or BCRs if they decide that it does not.
While the European Data Protection Board and some Member State regulators have published guidance, it remains unclear as to what these additional steps may be and when they might be effective, so advice should be taken as this is an evolving area.
Following the end of the Brexit transition period the UK GDPR has replaced the GDPR. It replicates the majority of the GDPR and contains restrictions on exporting personal data from the UK to third countries (including the EEA) which mirror the GDPR restrictions. Data transfer solutions also follow the same principles as those under the GDPR, and the effect of Schrems II applies.
The UK has committed to preserving the free flow of data to the EEA and to countries with existing EU Adequacy Decisions, and it has also negotiated agreements with all the countries benefitting from EU Adequacy Decisions, so that data flows from them to the UK will not be interrupted as a result of Brexit.
The UK is now a 'third country' for GDPR purposes. This creates a potential problem in relation to data flows from the EEA to the UK. It had been hoped that the EU would give the UK adequacy before the end of the Brexit transition period. The European Commission has issued draft UK adequacy decisions, a major step in the right direction, but we are still waiting for the assessment to be completed.
In the meantime, the Trade and Cooperation Agreement which set out the foundations of the post-Brexit relationship between the EU and UK allowed for personal data to continue to be transferred from the EU (and by extension the EEA) to the UK, as if the UK were still a Member State, for at least four months from 1 January 2021 and potentially for a further two months, provided neither party objects. This also assumes that the UK does not amend aspects of its current data protection regime during that period.
The purpose of the data bridge is to allow the EU to complete its adequacy assessment of the UK. The response from the UK's regulator, the ICO, was to urge businesses reliant on EEA data imports to put transfer mechanisms in place to avoid future disruption. This suggests adequacy is far from assured although the UK government remains confident, at least publicly.
UK organisations involved in clinical trials which are reliant on receiving EEA personal data need to put mechanisms in place (most likely, SCCs) to avoid interruption. However, in the relatively unlikely event that the UK is not granted adequacy, then even when relying on SCCs, EEA businesses will need to make their own assessments of the adequacy of the UK regime and put in supplementary measures if required.
UK-based controllers and processors of clinical trial data without an EEA presence offering EEA individuals goods or services or monitoring their behaviour may have to appoint a representative in the EEA. Similarly, controllers and processors with no UK presence offering goods or services to UK individuals or monitoring their behaviour may have to appoint a UK representative, even where they already have an EEA presence. This means organisations outside both the EU and UK could end up having to appoint representatives in both territories.
In addition to GDPR considerations, it may also be necessary, in the context of cross-border clinical trials, to consider other separate local country legal or regulatory obligations relevant to the processing or third-party hosting of health data.
The exit of the UK from the EU has not made things easier for cross-border clinical data flows. While at the moment, the situation is not very different from before the end of the transition period, if the UK is not granted an Adequacy Decision, the picture becomes complex, at least with regard to data flows from the EEA to the UK.
The fact that the European Commission has now said that the UK does provide an essentially equivalent level of data protection to the EU and has issued draft adequacy decisions paves the path for resolution. However, the adequacy decisions have not yet been finalised. The draft decisions will now be scrutinised by the EDPB (whose opinion the Commission must take into account), and the Commission then needs to request the 'green light' from Member States' representatives under the comitology procedure. The European Parliament and Council can also ask to scrutinise the decisions and request the EC to maintain, amend or withdraw them.
The EU will be keen to avoid approving Adequacy Decisions which could be challenged in the CJEU and the various bodies involved in the approval process could still take issue with the UK's surveillance and law enforcement powers leading to the amendment or even withdrawal of the draft decisions. In the unlikely event the Adequacy Decisions are not approved before the expiry of the data bridge, or even at all, EEA organisations exporting clinical trial personal data to the UK will need to assess whether the data they are transferring can be accessed under those laws, and then take additional steps to protect it. They should already be doing this with respect to third countries without an EU adequacy decision.
Another issue comes if the UK diverges significantly from the EU on data protection, particularly with regard to onward transfers, as the Commission reserves the right to amend or withdraw the Adequacy Decisions in those circumstances.
As this is a largely untested area, it will be important to follow ongoing developments.