Privacy & Information Security Law Blog

On October 22, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP co-hosted a workshop in Brussels on “Can GDPR Work for Health Scientific Research?” (the “Workshop”) with the European Federation of Pharmaceutical Industries and Associations (“EFPIA”) and the Future of Privacy Forum (“FPF”) to address the challenges raised by the EU General Data Protection Regulation (“GDPR”) in conducting scientific health research.

Over 100 EFPIA members, policymakers, regulators and representatives from companies participated in the full day workshop.

Cecilia Álvarez, European Data Protection Officer Lead at Pfizer, and Brendan Barnes, Director of Data Protection at EFPIA set the scene for the day’s discussions by emphasizing the importance of health research in advancing science, patient welfare and public good, as well as opportunities for digital health activities in Europe. Challenges to such advancement, including the consistent application of the GDPR in the medical research sector, were also highlighted.

Two extensive sessions followed these opening remarks. The first session focused on clinical trials and featured several presentations by industry experts and a panel discussion, moderated by CIPL President Bojana Bellamy. The panel discussed, in particular, the complex regulatory framework surrounding clinical trials, the interaction between the GDPR and the Clinical Trial Regulation (“CTR”), the role of consent under both regulations and operational challenges.

The second session addressed the secondary use of data which is indispensable and of significant value for scientific research. The presentations and panel discussions underlined the current legal uncertainty surrounding the reuse of health data, including the lack of consistent interpretation around which legal processing bases are most appropriate for such reuse of data. In addition, the restrictive interpretation of the concept of scientific research by the Article 29 Working Party in its guidelines on consent under the GDPR and the need to rely on a risk-based approach where data already benefits from extensive safeguards were subjects of much discussion.

The lack of consistency between EU Member States regarding possible legal bases for scientific research and diverging views between national data protection authorities, health authorities and ethical committees were key recurring themes throughout the Workshop. Participants called for the EDPB to clarify the situation as well as for further multi-stakeholder dialogue on the topic to ensure the legal certainty necessary to foster scientific health research in Europe.

If you would like to read more about the Workshop and the key findings from the discussions, please see the Workshop report.