Clinical Trial Data Transfer In The Aftermath Of No Deal Brexit

Quick Refresher: As established by the EU GDPR when it first took effect in May 2018, any company that handles the data of any EU citizens – whether or not that company is based in the EU – must adhere to stringent GDPR regulations regarding data privacy and protection.  Data can include anything from name, email address, medical information or biospecimens. But now that the UK is withdrawing from the EU and no longer covered by the GDPR as an EU Member State, what does that mean for data privacy and the flow of clinical study data, such as adverse events reports, samples and central lab data?

What Happens to Data Protection Services and Appointment of UK Entities as Sponsor Representatives under GDPR?

Amidst the many uncertainties raised by a hard Brexit, questions exist as to what steps US sponsors should take to ensure their study data continues to move across borders without interruption – in particular, whether the current data representative services agreements with their CROs will be, well, moot or functional after Brexit. We at CA have noticed that many of the CROs party to our clients’ data representative services agreements (agreements by which one engages a CRO to perform a sponsor’s EU data controller obligations and appoints the CRO to be its EU DPR under the GDPR) enter into them using their UK entities. Questions about the validity of these agreements will not be definitively answered until after the UK strikes a deal with the EU, or, alternatively, the UK crashes out of the EU with no deal. For now, the sponsor can only attempt to prepare and plan for any possible Brexit outcome as the future is unknown. It is clear that no US sponsor study data can be processed in the EU without a validly appointed data protection representative (again, this appointment is a longstanding EU and now a GDPR requirement for US sponsors with no EU presence), but it is not clear whether or not the remaining EU member states will accept or recognize the appointment of a UK CRO.

Remember, because of GDPR’s extraterritorial reach, the UK will still need to comply with GDPR even though it is no longer a member state of the EU. However, in the absence of a Brexit deal, the UK will become a “third country” and will be tasked with proving to the EU that its data protection laws (the UK Data Protection Act, more below) are “adequate”, or compliant with GDPR standards, to allow for seamless data transfers to the UK from the EU.

A best practice for companies would be to carefully track the impact of Brexit on processing data of EU citizens in the next 50 or so days. The UK Information Commissioner’s Office has published some helpful information. If it seems like the company’s data flows might be negatively impacted by a no-deal Brexit or the UK’s status as a third country with no adequacy rating, then the company should consider implementing contract-based mechanisms that would help mitigate any interruptions in data sharing. In some instances – but not all – certain contractual clauses could be drafted to allow data transfers from the EU to the UK. The EU model contract clauses, which can be used to amend existing agreements to ensure adequacy, can be found on the European Commission website.

How does the UK Data Protection Act Differ from the EU GDPR?

The EU GDPR expressly allowed/encouraged the member states to pass local data protection legislation that augmented and worked in tandem with GDPR standards. Germany and the UK were two of the member states that had their local legislation at the ready, and the UK Data Protection Act of 2018 was passed right away. The UK DPA of 2018 Chapter 2 expressly adopts all GDPR definitions and supplements them, and Chapter 3 applies to certain types of “…personal data to which the GDPR does not apply (see Section 21), and makes provision for a regime broadly equivalent to the GDPR for such processing.”

Is the UK ready to amend its legislation to allow uninterrupted transfer of personal data after March 29, 2019?

Yes. The UK government has an existing Department for Digital, Culture, Media and Sport (we have nothing like this in the US, but we should!) and they have a legislative amendment ready to go. It seems as if the UK domestic law will preserve GDPR standards, by amending the UK DPA of 2018 so that “obligations and rights that organisations and data subjects have become familiar with will stay the same”.  It also appears likely that the UK will deem all EU Member States and EEA countries as “adequate” – a rating meaning that the territory employs an appropriate or “adequate” level of data protection safeguards – with the hope that the data flows between the UK and the EU and EEA countries will continue with minimal disruption.

The new legislation is called the “EU (Withdrawal) Act of 2018” (EUWA), and it will retain the GDPR in UK law and make the changes necessary to ensure that the UK obtains the “adequacy decisions” its businesses and its government (law enforcement and security agencies need to transfer data too) will need to continue to function after March 29, 2018. EUWA is not final, but the technical notice it filed in September 2018 was encouraging in that it anticipates “no deal” and therefore could actually be functioning on Day 1. See “Data Protection if there’s no Brexit deal”.

Contracts Associates is prepared to help your company successfully navigate the possibility of a no deal Brexit. Our team of attorneys will work to help your company uphold its legal duties and obligations to EU sites and vendors by drafting new contract template terms as needed. We encourage you to contact our office with any questions at 781-598-8000 or by emailing our CEO, Colleen Sproul, at cms@contractsassociates.com

 

No Successor Yet Named For Head of UK Medicines Agency

As the deadline date for the UK withdrawal from the EU rapidly approaches, no successor has yet been named to take the place of the head of the UK Medicines and Healthcare Regulatory Agency (MHRA).

Late last fall, Dr. Ian Hudson announced that he will resign his position as CEO of the MHRA. Dr. Hudson has served as CEO of the watchdog agency since 2013 with much of his current role including serving as the UK delegate to the Committee on Human Medicinal Products (CHMP) at the European Medicines Agency (EMA). Indeed, Dr. Hudson has been the Vice-Chairman of CHMP since October 2012.

Dr. Hudson does not appear to be leaving for a particular employment alternative, rather, he stated, “I feel the time is right for a new person to guide the agency and our work through its next phase, following the UK’s departure from the European Union next year.” The resignation will take effect in September 2019, about six months after the UK leaves the EU.

With only two months to go before the March 29, 2019 Brexit date, there remains no deal in sight. According to its long-term Brexit plan, MHRA is moving forward with preparing for the possibility of a hard Brexit.

MHRA Post-Brexit

If the UK exits the EU without a deal which includes provisions for a relationship with the European Medicines Agency, the MHRA will lose access to all EU regulatory networks and will serve as a standalone drug regulator – handling all responsibilities that are currently overseen by the EMA, such as drug approvals, general oversight of medicines, and clinical trials. The MHRA has released some proposed arrangements for regulation in the case of a no-deal scenario.

The resignation of Dr. Hudson and the search for a successor to guide the agency add yet another layer of uncertainty as to the future of the MHRA in the aftermath of Brexit.

As the March 2019 UK withdrawal date approaches, we at Contracts Associates will continue to provide updates on our blog in relation to the impact of Brexit on existing appointments of UK entities as EU legal representatives as well as recommended revisions to UK informed consents, once the UK is no longer subject to the EU GDPR.

U.S. Clinical Trial Sponsors Are Unprepared for New EU GDPR Regulation

As of May 25, 2018, U.S. sponsors of clinical studies conducted in the European Union must be in compliance with the EU’s new General Data Protection Regulation (“GDPR”) or risk the possibility of significant fines.

U.S. sponsor companies must contend with this new EU regulation and the learning curve will likely be steep—especially as the GDPR requirements contrast sharply with the U.S.’s lack of any meaningful privacy regulation.

Companies found to be in non-compliance with the GDPR risk significant fines – possibly up to 4% of total worldwide annual turnover of the preceding financial year or 20 000 000 EUR, whichever is larger. The GDPR applies to the processing of personal data which includes subjects’ names, addresses, medical information, and more—regardless of whether the processing takes place in the EU or not.

We expect that our clients will be particularly impacted by the provisions related to the stringent new contractual Informed Consent requirements for terms concerning use of biospecimens.

The GDPR also mandates the appointment of a senior-level Data Protection Officer with expertise in data protection law. This DPO will report directly to a C-suite executive. The law also requires companies to comply with certain processes for data protection and data management.

Contracts Associates is prepared to help your company successfully navigate this new regulatory framework. Our team of attorneys can help minimize the risk of penalties by updating your contracts to ensure that all informed consent language is GDPR-compliant with regard to sample and data usage. We will help your company uphold its legal duties and obligations to EU sites and vendors by drafting new contract template terms as needed. We encourage you to start your GDPR-compliance planning by contacting our office at 781-598-8000 or emailing our CEO, Colleen Sproul, at cms@contractsassociates.com