Clinical Trial Data Transfer In The Aftermath Of No Deal Brexit

Quick Refresher: As established by the EU GDPR when it first took effect in May 2018, any company that handles the data of any EU citizens – whether or not that company is based in the EU – must adhere to stringent GDPR regulations regarding data privacy and protection.  Data can include anything from name, email address, medical information or biospecimens. But now that the UK is withdrawing from the EU and no longer covered by the GDPR as an EU Member State, what does that mean for data privacy and the flow of clinical study data, such as adverse events reports, samples and central lab data?

What Happens to Data Protection Services and Appointment of UK Entities as Sponsor Representatives under GDPR?

Amidst the many uncertainties raised by a hard Brexit, questions exist as to what steps US sponsors should take to ensure their study data continues to move across borders without interruption – in particular, whether the current data representative services agreements with their CROs will be, well, moot or functional after Brexit. We at CA have noticed that many of the CROs party to our client’s data representative services agreements (agreements by which one engages a CRO to perform a sponsor’s EU data controller obligations and appoints the CRO to be its EU DPR under the GDPR) enter into them using their UK entities. Questions about the validity of these agreements will not be definitively answered until after the UK strikes a deal with the EU, or, alternatively, the UK crashes out of the EU with no deal. For now, the sponsor can only attempt to prepare and plan for any possible Brexit outcome as the future is unknown.  It is clear that no US sponsor study data can be processed in the EU without a validly appointed data protection representative (again, this appointment is a longstanding EU and now a GDPR requirement for US sponsors with no EU presence), but it is not clear whether or not the remaining EU member states will accept or recognize the appointment of a UK CRO.

Remember, the UK will still need to comply with GDPR, even though it’s no longer a member state of the EU due to GDPR’s extraterritorial reach. However, in the absence of a Brexit deal, the UK will become a “third country” and will be tasked with proving to the EU that its data protection laws (the UK Data Protection Act, more below) are “adequate”, or compliant with GDPR standards to allow for seamless data transfers to the UK from the EU.

A best practice for companies would be to carefully track the impact of Brexit on processing data of EU citizens in the next 50 or so days. The UK Information Commissioner’s office has published some helpful information. If it seems like the company’s data flows might be negatively impacted by a no-deal Brexit or the UK’s status as a third country with no adequacy rating, then the company should consider implementing contract-based mechanisms that would help mitigate any interruptions in data sharing. In some instances – but not all – certain contractual clauses could be drafted to allow data transfers from the EU to the UK. The EU model contact clauses, which can be used to amend existing agreements to ensure adequate, can be found on the European Commission website.

How does the UK Data Protection Act Differ from the EU GDPR?

The EU GDPR expressly allowed/encouraged the member states to pass local data protection legislation that augmented and worked in tandem with GDPR standards. Germany and the UK were two of the member states that had their local legislation at the ready and right away, the UK Data Protection Act of 2018 was passed. The UK DPA of 2018 Chapter 2 expressly adopts all GDPR definitions and supplements it, and Chapter 3 applies to certain types of “…personal data to which the GDPR does not apply (see Section 21), and makes provision for a regime broadly equivalent to the GDPR for such processing.”

Is the UK ready to amend its legislation to allow uninterrupted transfer of personal data after March 29, 2019?

Yes. The UK government has an existing Department for Digital, Culture, Media and Sport (we have nothing like this in the US, but we should!) and they have a legislative amendment ready to go. It seems as if the UK domestic law will preserve GDPR standards, by amending the UK DPA of 2018 so that “obligations and rights that organisations and data subjects have become familiar with will stay the same”.  It also appears likely that the UK will deem all EU Member States and EEA countries as “adequate” – a rating meaning that the territory employs an appropriate or “adequate” level of data protection safeguards – with the hope that the data flows between the UK and the EU and EEA countries will continue with minimal disruption.

The new legislation is called the “EU (Withdrawal) Act of 2018 (EUWA) and it will retain the GDPR in UK law and make changes necessary to ensure that the UK obtains the “adequacy decisions” its businesses and its government (law enforcement and security agencies need to transfer data too) will need to continue to function after March 29, 2018. EUWA is not final but the technical notice it filed in September 2018 was encouraging in that it anticipates “no deal” and therefore could actually be functioning on Day 1. See, “Data Protection if there’s no Brexit deal”.

Contracts Associates is prepared to help your company successfully navigate the possibility of a no deal Brexit. Our team of attorneys will work to help your company uphold its legal duties and obligations to EU sites and vendors by drafting new contract template terms as needed. We encourage you to contact our office with any questions at 781-598-8000 or by emailing our CEO, Colleen Sproul, at cms@contractsassociates.com

 

No Successor Yet Named For Head of UK Medicines Agency

As the deadline date for the UK withdrawal from the EU rapidly approaches, no successor has yet been named to take the place of the head of the UK Medicines and Healthcare Regulatory Agency (MHRA).

Late last fall, Dr. Ian Hudson announced that he will resign his position as CEO of the MHRA. Dr. Hudson has served as CEO of the watchdog agency since 2013 with much of his current role including serving as the UK delegate to the Committee on Human Medicinal Products (CHMP) at the European Medicines Agency (EMA). Indeed, Dr. Hudson has been the Vice-Chairman of CHMP since October 2012.

Dr. Hudson does not appear to be leaving for a particular employment alternative, rather, he stated, “I feel the time is right for a new person to guide the agency and our work through its next phase, following the UK’s departure from the European Union next year.” The resignation will take effect in September 2019, about six months after the UK leaves the EU.

With only two months to go before the March 29, 2019 Brexit date, there remains no deal in sight. According to its long-term Brexit plan, MHRA is moving forward with preparing for the possibility of a hard Brexit.

MHRA Post-Brexit

If the UK exits the EU without a deal which includes provisions for a relationship with the European Medicines Agency, the MHRA will lose access to all EU regulatory networks and will serve as a standalone drug regulator – handling all responsibilities that are currently overseen by the EMA, such as drug approvals, general oversight of medicines, and clinical trials. The MHRA has released some proposed arrangements for regulation in the case of a no-deal scenario.

The resignation of Dr. Hudson and the search for a successor to guide the agency adds a yet another layer of uncertainty as to the future of the MHRA in the aftermath of Brexit.

As the March 2019 UK withdrawal date approaches, we at Contracts Associates will continue to provide updates on our blog in relation to the impact of Brexit on existing appointments of UK entities as EU legal representatives as well as recommended revisions to UK informed consents, once the UK is no longer subject to the EU GDPR.

How EU GDPR Affects Collection of Biometric and Genetic Data

As we look toward the new European Union General Data Protection Regulation (GDPR) which takes effect this week, we expect some of its provisions to affect U.S-based life sciences companies conducting clinical trials at EU sites, particularly related to the collection of genetic and biometric data.

GDPR governs how data controllers and processors are permitted to engage with the personal data of EU citizens.  The new legislation differs from the former controlling legislation, the Data Protection Act, in some key ways. GDPR is broader in scope than the previous directive meaning that, as of May 25, 2018, even non-EU based companies will be subject to more extensive regulation.

GDPR implements a new extra-territorial rule, so that no matter if a company is based in the EU or not, it is still bound by GDPR if certain criteria are met. For example, even if a data controller (i.e., a sponsor) or processor is not established in EU, they will be bound by GDPR if they’re processing the data of individuals within the EU. Sponsors in the U.S. may now find themselves obligated by the GDPR privacy protections where they were not bound before. Member States are also free to impose further restrictions on the processing of health-related data.

The life sciences industry and clinical studies are clearly reliant upon the data that are collected from participants within clinical trials. GDPR introduces new, explicit privacy protections for such health-related data.

GDPR specifically categorizes genetic and biometric data—which is the type of health data upon which clinical trials largely rely—as “sensitive personal data”. Under GDPR, the processing of genetic or biometric data is prohibited unless an exception applies. In the clinical trials context, an exception that might commonly apply is gaining the consent of the data subject.

In an effort to protect the interests of individuals where an imbalance of power could occur or the possibility of serious data protection risks exist, GDPR has heightened the standard of consent to mean “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or clear affirmative action, signifies agreement to the processing of personal data related to him or her.”

This definition will provide the framework for sponsors gaining the necessary explicit consent from individuals who are considering joining a clinical study, such as via a written statement or informed consent contract.

As we approach May 25, 2018, sponsors must ensure that all informed consent contracts are compliant with GDPR and meet explicit consent standards as well as all other contractual obligations so that all prospective participants are protected and the sponsor is in compliance.

Contracts Associates has been working to help our clients navigate this new regulatory framework. Our team of attorneys has the deep experience and expertise necessary ensure that all of your informed consent agreements meet the higher bar that GDPR has introduced. We help our clients minimize the risk of penalties by updating contracts and providing reviews to ensure that all informed consent language is GDPR-compliant. If you haven’t yet contemplated how GDPR might change affect your study, please contact our CEO, Colleen Sproul, at cms@contractsassociates.com or call 781-598-8000 so that we can help guide you.