FROM A GLOBAL PERSPECTIVE
By Heather Messick, J.D.
August 9, 2022
In 2018, the European Union (EU) enacted a law requiring that organizations put in place certain measures if they collect, use, or store personal data originating from persons in the European Economic Area (the 27 EU member states plus Iceland, Norway and Liechtenstein) to ensure that the data is protected, even if transferred out of the area.
The General Data Protection Regulation (GDPR) defines “personal data” as: “[A]ny information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.” In addition, coded data, referred to as “pseudonymised data,” is considered to be “personal data” subject to the protections of the GDPR. These protections also apply for any data transferred outside the EEA.
FDA’s Europe Office has been closely following the potential impact of the GDPR on the agency’s public health activities. So far, FDA’s bioresearch monitoring program (BIMO), which oversees the conduct and reporting of FDA-regulated research, has been most impacted by the law.
Under BIMO, FDA investigators conduct inspections and remote regulatory assessments (RRAs), a tool often used when onsite inspection is not possible, in countries where patients have been enrolled in clinical trials supporting marketing applications. Some of those countries involved in FDA-regulated research include the nations of the EEA. The purpose of this inspectional oversight is to help ensure the quality and integrity of the study data and to protect the rights and welfare of the human subjects. These operations involve review and photocopying of patients’ clinical health data (e.g., medical records, laboratory test results, etc.) as well as review and copying of consent forms. There have been instances in which FDA investigators have been unable to complete either in-person BIMO inspections or conduct virtual reviews of study data (i.e., RRAs) due to technology challenges, resource constraints, or data sharing policies, such as GDPR. While EU data sharing policies are only one challenge in conducting inspections or RRAs, lack of clarity around GDPR has impeded our ability to review data remotely during the pandemic.
The GDPR poses other potential concerns for the FDA:
- Clinical trial data: The FDA’s regulatory process requires companies to submit participant-level data from clinical trials to support the safety and effectiveness of investigational medical products. The data often come from multi-national clinical trial sites, and any sites in the EU would include clinical trial participants who are EU citizens. Inability to transfer such data from the EU could negatively impact the robustness of data submitted to the FDA and impact investigational product reviews and approvals.
- New Drug Applications/Biologics License Applications (NDAs/BLAs): As part of its review of NDAs and BLAs, the FDA requires certain information (e.g., demographic information) from industry which may be protected under the GDPR. Inability to receive, or delays in receiving, this information may impact FDA’s ability to complete reviews.
- Adverse event reporting: The FDA has several adverse event and safety reporting systems for different FDA-regulated products, including MedWatch, the FDA Adverse Event Reporting System (FAERS), the Safety Reporting Portal (SRP), and the Vaccine Adverse Event Reporting System (VAERS). These reporting systems involve “personal data” as broadly defined by the GDPR.
The GDPR also poses substantial implications for medical research. The National Institutes of Health has been working directly with its counterparts in the EU member states to address any GDPR impediments to specific research collaborations. There is also strong interest in this topic across other U.S. agencies. The U.S. Mission to the EU is conducting outreach at the EU-level because GDPR has significant implications for data sharing in security, defense, transportation, and commerce. This concern has been heightened since the 2020 European Court of Justice decision invalidating the EU-U.S. Privacy Shield, which was an agreement that had functioned as the primary mechanism allowing companies to transfer personal data from the EU to the U.S. for commercial purposes.
In March 2022, the EU and the U.S. agreed “in principle” on a new data agreement for cross-border transfers of personal data for commercial purposes.
The overall EU data protection landscape is also evolving. As part of its 2020 European Strategy for Data, the EU has sought to create a ‘single market for data’ through the creation of EU-wide common, interoperable data spaces in strategic sectors. This effort has resulted in several new legislative proposals, including the EU Health Data Space, the Data Governance Act, and the Data Act. All these proposals are intended to form a coherent EU data framework which works in concert with, and even strengthens, the GDPR.
The impact of these new developments on the FDA’s future ability to receive non-public health information from the EU is still unknown.
GDPR is an ongoing area of concern, and the situation will no doubt continue to change as the U.S. and EU continue negotiations on a new data agreement, and as the overall legal and policy landscape in the EU continues to evolve. The Europe Office will be closely tracking developments in the months and years ahead.
Heather Messick, J.D., was the lead on the GDPR as an international policy analyst in FDA’s Europe Office. She recently left the EO to serve as a regulatory counsel in the Center for Drug Evaluation’s Office of Compounding Quality and Compliance.