Cross-Border Considerations for Privacy in Clinical Trials

Following the recent publication of DLA Piper’s Cross-border Guide to Clinical Trials and Privacy, James Clark, Paula Gonzalez de Castejón and David Kopans of DLA Piper discuss ongoing and developing EU and US perspectives on privacy considerations with respect to cross-border clinical trials.

Published on 15 February 2023
Paula Gonzalez, DLA Piper, Chambers Expert Focus contributor
Paula Gonzalez de Castejón
Ranked in 2 practice areas in Chambers Europe
View profile
James Clark, DLA Piper, Chambers Expert Focus contributor
James Clark
David Kopans, DLA Piper, Chambers Expert Focus contributor
David Kopans

Privacy matters in relation to clinical trials have become a hot topic, especially with the EU’s General Data Protection Regulation (GDPR) and US regulation such as the California Consumer Privacy Act (CCPA).

To what extent does the GDPR offer a truly harmonised regulatory regime?

While Europe has a theoretically harmonised data privacy regime, in practice, the way it is applied to clinical trials varies greatly. This is partly a result of local laws but also due to historical and cultural differences between countries leading to different interpretations of the GDPR.

As a result, when conducting a multi-site clinical trial across several European countries, the privacy requirements and the rules and regulations that need to be complied with vary significantly – something that clients often struggle with.

US state data protection laws

The United States lacks a comprehensive, national data protection law similar to the GDPR. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) largely  remains the primary law governing clinical research but it has limited application; especially if the trial is not conducted by a HIPPA-covered entity or the records being used do not belong to a HIPPA-covered entity.

“The law applying to a specific trial must be carefully assessed.”

A number of states have passed comprehensive data protection laws, but most specifically exclude data covered by HIPPA or clinical trial data.

Cross-border data protection and deidentifed data

Extraterritorial application of privacy laws is another big issue facing life sciences companies operating internationally. HIPPA and other data protection laws continue to protect data transferred overseas.

A US pharma company conducting a trial in Europe will have to comply with the GDPR, which has extraterritorial effect both where products or services are offered in the EU and where the behaviour of EU citizens is being monitored.

Laws applicable to clinical trials in the US tend not to distinguish between deidentified data, key-coded data or other pseudonymous data. The GDPR distinguishes between personal data (information linked to an identifiable individual), fully anonymised data and pseudonymised data (information that can only be linked to an individual with the use of additional information kept separately). This has important implications for transferring data across borders.

DLA Piper

DLA Piper, Chambers Expert Focus contributor
188 ranked departments and 147 ranked lawyers
Learn more about the firm’s ranking in Chambers Global
View firm profile

Chambers Global Practice Guides Data Protection & Privacy 2022

Learn more about global developments in personal data protection.