On 31 January 2022, the EU Clinical Trial Regulation (CTR) will come into application, almost 8 years after its adoption by the European Parliament and the Council of the EU. The CTR will radically change the regulatory framework for conducting clinical trials in the EU Member States as well as European Economic Area (EEA) countries Iceland, Liechtenstein, and Norway.
The new framework aims to harmonize the submission, assessment and supervision processes for clinical trials conducted in any of the EU/EEA Member States. Its objective is to strengthen Europe’s position as an attractive location for clinical research, by obviating the need to comply with different regulatory requirements at country level. In the past, companies and organizations acting as clinical trial sponsors had to submit applications to national competent authorities and ethics committee in each country where they wanted to conduct a clinical trial, with a view to obtaining regulatory approval. Registration and posting of clinical trial results also involved separate processes in each of the relevant countries.
Under the CTR, sponsors can now apply for authorizations in up to 30 EU/EEA countries at the same time, using the same documentation. The backbone of this centralized registration approach is a new Clinical Trials Information System (CTIS), which provides a single entry point for the submission and assessment of clinical trial data, and which also includes a public searchable database for healthcare professionals, patients and the general public.
From a privacy and data protection perspective, the CTR provides that all clinical trial information must be recorded, processed, handled, and stored in accordance with the applicable law on personal data protection, which includes the EU General Data Protection Regulation (GDPR). To that effect, sponsors submitting a clinical trial application will have to include proof that data will be processed in compliance with EU data protection law, by means of a statement by the sponsor (or its representative in the EU/EEA) that data will be collected and processed in accordance with the GDPR.
To further foster compliance with data protection law, the European Commission, the European Medicines Agency (EMA), as well as the EU Member States have agreed on a joint controllership arrangement with regard to the processing of personal data in CTIS. Various actors may need to enter personal data into CTIS as part of the clinical trial authorization and supervision process, including clinical trial sponsors and marketing authorization applicants/holders, in addition to the European Commission, EMA, and EU/EEA countries. The CTIS joint controllership arrangement sets out the different roles and responsibilities of these actors, explains for which data processing activities they are considered joint controllers, and in which cases they are acting as controllers in their own right. The CTIS joint controllership arrangement also includes detailed provisions on how to handle data subject requests and how to manage security incidents (including personal data breaches), as well as a data protection notice (for clinical trial participants) regarding personal data processing in CTIS.
It is noteworthy that, since the CTR was adopted prior to GDPR, some of the CTR’s provisions relating to privacy and data protection are not fully aligned with the provisions of the GDPR and, in particular, the data protection authorities’ interpretation of how those provisions should be applied in practice. A prime example is the reliance on consent to process a clinical trial participant’s data. According to the CTR, sponsors may ask clinical trial participants to consent to the use of their data outside’s the protocol of the clinical trial exclusively for scientific purposes. In several EU/EEA countries, however, data protection authorities are taking the view that generally consent is not an appropriate legal basis for collecting and processing clinical trial participants’ personal data (as they are not in a position to consent ‘freely’).
With the CTR finally becoming applicable, the harmonization of clinical trial rules across the EU/EEA countries will hopefully inspire the European Data Protection Board (EDPB) to issue consistent guidance on critical topics, such as the controller/processor qualification of sponsors and sites, the legal bases for processing clinical trial data, and the use of clinical trial data for secondary purposes.