Privacy is Global

Doug Fridsma
Aug 13, 2022

Multinational clinical trials with different privacy rules complicate data sharing and regulatory oversight

A brief but very interesting report from the FDA dropped this week that highlights how different privacy rules in the US and EU affect clinical trials and the work of the FDA. I’ve always been fascinated by the patchwork of privacy rules for data in the US and the more comprehensive rules that exist in the EU. But I had never really thought about the implications of these different privacy rules for the important functions of organizations like the FDA.

The GDPR is a comprehensive regulation that applies to how organizations handle personal information (including health data) of EU data subjects — regardless of where those organizations are located. The GDPR is not limited to health data, but includes all data classified as personal. The GDPR empowers EU residents with rights to know what that data is, requires consent from individuals for many cases of data collection, and gives individuals “the right to be forgotten” and their digital data deleted.

In the U.S., HIPAA rules allow health data to be used for research purposes without patient consent, as long as the data is either limited to specific non-identifiable data elements or the data sets have been certified through expert determination to have a negligible risk of re-identification. For clinical trials and data that is to be used for regulatory decision making, the FDA has no such exclusion. It requires investigators to submit patient-level data (which is considered identifiable) to ensure the integrity of the data and the safety of the participants.

However, the GDPR limits the sharing of personal data with third parties — including the FDA. According to the FDA report, this restriction can complicate or delay the ability of the FDA to assess the results of multi-national studies. In an effort to increase the diversity of clinical trial participants, the FDA requires many clinical trials to collect race, ethnicity and other demographic data. However, the GDPR prohibits the collection and processing of race or ethnicity data except in specific cases for scientific or research purposes — and this again can delay or complicate the FDA review of clinical studies if that information is not routinely collected. Even critical factory inspections (like those of facilities that produce monkeypox vaccines) can be delayed, with significant impacts on the public.

And because GDPR applies to all entities that collect or hold data from EU data subjects, even US companies are subject to the rules. In a previous life, I worked to convert our entire US-based membership organization to be compliant with GDPR because it was easier to update our information systems for everyone, than it was to try to single out EU residents for separate treatment.

For the FDA, the requirement to accommodate EU data subjects affects their adverse event reporting systems — while there is implicit consent when a patient enters information on their own, adverse events on EU data subjects reported by a third party are subject to the GDPR rules.

Finally, these rules are not static — and within the EU, even privacy rules are evolving. For example, in addition to the GDPR, the European Health Data Space specifies how both primary and secondary use of health data are governed:

1) empowering individuals through increased digital access to and control of their electronic personal health data, at national level and EU-wide, and support to their free movement, as well as fostering a genuine single market for electronic health record systems, relevant medical devices and high risk AI systems (primary use of data)

2) providing a consistent, trustworthy and efficient set-up for the use of health data for research, innovation, policy-making and regulatory activities (secondary use of data)

A “single market for electronic health record systems, relevant medical devices and high risk AI systems” could have remarkable effects on EU-US collaborations or data sharing.

As more clinical trials become multi-national, and we increase the diversity of populations (and geographies) that we study, we can expect that privacy rules will continue to impact the work of US organizations like the FDA and NIH. We should continue to monitor these changes and work to create frameworks that reduce the barriers to multi-national clinical research, preserve patient privacy, and reduce data fragmentation.

Doug Fridsma

Doug is currently the Chief Medical Informatics Officer at Health Universe and a senior advisor for Datavant Inc. Previously he was the Chief Science Officer for ONC.