Webinar Follow-Up: EU General Data Protection Regulations – What US Research Institutions Need to Know

On May 25, 2018, the European Union (EU) General Data Protection Regulation (GDPR) became effective in the 28 member states of the EU and the three additional countries (Iceland, Liechtenstein, and Norway) that, together with the EU member states, constitute the European Economic Area (EEA). (It replaces the Data Protection Directive 95/46/EC.) The GDPR affects US-based life science and academic research communities engaged in various arrangements, such as US-sponsored clinical trials occurring in the EEA, or studies that involve transferring personal data from the EEA to the US. To comply with the GDPR, all institutions need to be equipped with strategies for determining whether the GDPR will apply to them and, if it applies, how to process and transfer personal data to the US lawfully.

PRIM&R hosted a webinar to explain the potential application of the GDPR to the US-based research community, the implications for individuals and institutions to which the GDPR applies, and recommended next steps for research entities. Nick Wallace, JD, an attorney at Ropes & Gray LLP, served as speaker. After the webinar, Mr. Wallace responded to some of the attendee questions time did not permit us to address live. We’re pleased to share those responses with the readers of Ampersand.*

Can you give an example regarding how the GDPR might affect academic researchers conducting qualitative interviews with individuals in the EEA?
The GDPR applies to the processing of “personal data,” which is defined broadly to include “any information relating to an identified or identifiable natural person.” GDPR, Art. 4(1). Many qualitative interviews, therefore, could involve gathering personal data.

A US-based researcher conducting qualitative interviews should ask whether the GDPR will apply to their processing of personal data—either (i) if he or she is offering goods or services to individuals in the EEA or (ii) if he or she is monitoring the behavior of individuals in the EEA. Additional facts would be necessary to determine how likely the GDPR would be to apply in either case.

Many or most of the GDPR requirements apply to or are controlled by institutions rather than individuals.
Oftentimes an institution, rather than the individual persons who are employed by it, will be considered the data controller or processor under the GDPR. The GDPR applies to “controllers” and “processors” of personal data, which are defined under the GDPR as follows:

  • Controller: Alone or jointly with others determines the purposes and means of processing personal data.
  • Processor: Processes personal data on behalf of the controller.

Both controllers and processors are regulated directly under GDPR. Controllers have more responsibilities, for example, providing notices to data subjects, responding to exercise of subject rights, appointing a representative in the EEA, notifying supervisory authorities and data subjects of data breaches, and maintaining records of processing.

How long is the Data Controller and Processor involved—i.e., only until data is transferred to the US sponsor’s data center, or longer?
The roles of data controller and processor do not disappear when data are transferred abroad. The data controller is defined in the GDPR as the person or entity who, alone or jointly with others, determines the purposes and means of processing personal data, while the processor is the person or entity who processes personal data on behalf of the controller. Thus, in the case of a US-based research sponsor that collects personal data from a clinical trial with sites in the EEA, it is likely that the sponsor would be a controller of the data (and would remain a controller of the data that are subject to the GDPR even upon transfer of the data to the US).

With regard to consent being revoked: if the data collected is video data of a public place with individuals in that location, can individuals subsequently revoke consent and require them to be removed from the video data?
A threshold question in this instance is whether the GDPR would apply. Personal data is data that relates to an identified or identifiable individual. Therefore, if the video contains images of a person’s face, it would likely be considered identified or identifiable information. However, it is worth noting that the GDPR does not apply to the processing of personal data “by a natural person in the course of a purely personal or household activity.” GDPR, Art. 2(2)(c). The GDPR would not likely apply to a video filmed by a person for purely personal purposes such as amateur videography.

Assuming that the video is considered personal data, and an exception to the GDPR’s application (such as the personal or household activity exception) is not met, a subject would be able to subsequently revoke any consent they provided to the processing of their personal data. Further, even if another basis were being relied upon to process the data, the subject could exercise his or her right to erasure.

Is current collected data grandfathered in?
Personal data can be subject to the GDPR even if the personal data were collected prior to the effective date, assuming the controller or processor is subject to the GDPR through one of the jurisdictional hooks. Therefore, controllers and processors require a lawful basis to process and transfer even personal data that were collected prior to May 25, 2018. 

With respect to data collected before May 25, it is worth noting, however, that where consent is relied upon as the basis for processing or transfer, “it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation….” GDPR, Recital 171. In other words, if the consent to process personal data that was obtained before May 25 satisfied the requirements of the GDPR, the controller would not be required to obtain a fresh consent.

Does the [Data Protection] Directive end when the GDPR becomes effective?
Yes—the GDPR has repealed and replaced the Directive.

Hypothetical: For a social science research study based in the US, conducted by a researcher in the US, there is a solicitation on the internet to participate. The study is social science based (not clinical/public health), the researcher collects demographic data (personal data), as well as survey/preference data. An EU participant enrolls in the research study, provides online consent (click consent), and participates in the study via the internet. Does the GDPR apply? What obligations does the US researcher have—is s/he the “processor”?
As noted, the personal data collected in a social science based study would likely be personal data under the GDPR as they likely relate to an identified or identifiable natural person. See GDPR, Art. 4(1). The GDPR would apply if the US-based researcher is processing (including collecting) the data in connection with (i) offering goods or services to data subjects in the EEA or (ii) monitoring the behavior of data subjects in the EEA. 

To determine whether the US researcher would be considered to be offering goods or services to data subjects in the EEA, more facts would be required. For example, if there is compensation paid for participation (although payment is not necessary for the GDPR to apply), or if the study survey itself might be considered a “good or service,” (for example, if study results are made available to participants) there would be greater risk that the GDPR could be found to apply. In addition, one would want to consider whether the researcher “envisages” offering goods or services to persons located in the EEA, such as through translating the survey into languages used in the EU or providing testimonials of EEA residents who took the survey. Additional facts would also be required to assess whether the survey could be considered monitoring of behavior. For example, if the survey uses cookies to follow subjects following participation, regulators might consider that the study involves tracking natural persons on the internet, a core indicator of monitoring.

If the GDPR applies, the US researcher would likely be considered the “controller” because he or she determines the purposes and means of processing personal data. Controllers have a variety of obligations under the GDPR—for example, to enter into agreements with processors who process personal data on their behalf, to provide notice to data subjects, and to vindicate the data subject rights set forth under the GDPR.

What is the IRB’s responsibility for assuring GDPR consent? We are recommending separate consent and strongly discouraging combined forms. What does the IRB need to know about legitimacy of process compliance and transfer compliance as it may have no idea where, for example, the sponsor’s primary office is?
IRBs are charged with ensuring the ethical conduct of research, one dimension of which is respect for the privacy of subjects and the confidentiality of data. However, the GDPR itself does not directly impose privacy oversight obligations on IRBs (or their European equivalents, research ethics committees) with respect to the research they oversee, and an IRB would not likely be a controller of personal data in its capacity of reviewing research. It is worth flagging, however, that an IRB could be a controller of personal data subject to the GDPR in other capacities—for example, if it is also an employer of persons in the EEA. Also, an IRB could be a processor of subjects’ personal data if, for example, it reviews “personal data” from EEA data subjects in its capacity of monitoring the conduct of the study.

First, a combined consent form covering research participation and consent to processing personal data under the GDPR is permissible. However, the Article 29 Data Protection Working Party (the “Working Party”) notes that “[w]hen consent is the legal basis for conducting research in accordance with the GDPR, this consent for the use of personal data should be distinguished from other consent requirements that serve as an ethical standard or procedural obligation.” Working Party Guidelines on Consent under Regulation 2016/679 p. 28 (Apr. 10, 2018). The consent form should, therefore, be clear regarding the separate nature of the consent to participate in the research study and the consent to process personal data. This is similar to the practice in the US today in instances in which a HIPAA authorization is combined with an informed consent form, as the authorization typically appears under a separate heading.

Second, the IRB should ensure that an adequate basis for processing personal data is described to subjects in the notice of processing (the elements of which will likely be folded into the consent form, assuming that consent is used as the basis for processing). Further, the notice should describe the transfer of the personal data out of the EEA, where applicable. Thus, the burden will be on the controller to provide this information to the data subject in the notice, which the IRB should review. The sponsor’s primary office will not be relevant to the determination of the basis for processing or transfer. Rather, it is important to track the actual flow of the data, and if the data are being transferred outside of the EEA (even if the sponsor’s primary office is located in the EEA), then an appropriate basis for the transfer of personal data outside the EEA will be required under the GDPR.

Can any of the obligations of a sponsor or coordinating center as controller or processor be contracted to a CRO in the manner of a transfer of obligations under FDA regulations?
The sponsor of a study or a coordinating center will not be able to contract away any obligations as a controller or processor if the sponsor meets the definition of a controller or processor under the GDPR. However, it is worth noting that CROs may be willing to serve as an EEA representative of the controller, which is required “unless the processing is occasional, does not include processing, on a large scale, of special categories of personal data or the processing of personal data relating to criminal convictions and offenses.” See GDPR Recital 80, Art. 27(2). Moreover, in instances in which there are “joint controllers,” the GDPR permits the joint controllers to decide via contract which controller has primary responsibility for responding to subjects’ exercise of their rights under the GDPR. See GDPR Art. 26. In addition, under Article 28 of the GDPR, a processor is required to assist the controller in responding to subject access requests, satisfying breach notification obligations, and certain other requirements imposed on controllers by the GDPR. This is similar to the obligations of a business associate in the US to assist a covered entity with certain elements of HIPAA compliance.

Will an electronic representation of a hand-written signature suffice? We would appreciate your guidance on electronic, digital, and affirmative checkboxes.
Yes, the Guidance of the Working Party recognizes that consent can be given by electronic means. Working Party Guidelines on Consent under Regulation 2016/679 p. 16 (Apr. 10, 2018) (“Consent can be collected through a written or (a recorded) oral statement, including by electronic means”).

Of course, the GDPR requires that consent for the processing of special categories of personal data (such as health data) be “explicit,” and this is typically regarded as being in writing. Here too, however, the guidance recognizes that explicit consent may be collected by electronic means: 

However, such a signed statement is not the only way to obtain explicit consent and, it cannot be said that the GDPR prescribes written and signed statements in all circumstances that require valid explicit consent. For example, in the digital or online context, a data subject may be able to issue the required statement by filling in an electronic form, by sending an email, by uploading a scanned document carrying the signature of the data subject, or by using an electronic signature. In theory, the use of oral statements can also be sufficiently express to obtain valid explicit consent, however, it may be difficult to prove for the controller that all conditions for valid explicit consent were met when the statement was recorded.

Id. at 18 (emphasis added).

The Working Party has also noted that, while “[t]he use of pre-ticked opt-in boxes is invalid under the GDPR,” on the other hand, “[b]y actively ticking the optional box stating, ‘I consent’, the user is able to validly perform a ‘clear affirmative act’ to consent to processing.” Id. at 16 (emphasis added).

With regard to explicit consent for the processing of special categories of personal data, the Working Party guidance also provides that “[a] data controller may also obtain explicit consent from a visitor to its website by offering an explicit consent screen that contains Yes and No check boxes, provided that the text clearly indicates the consent, for instance ‘I, hereby, consent to the processing of my data,’ and not for instance, ‘It is clear to me that my data will be processed.’” Id. at 19 (emphasis added).

What if the investigator does not know at the start of the study that a participant may travel to an EEA country during a study, and is still being monitored while in the EEA country, and the GDPR-required elements of consent were not included at the time of initial consent?
If personal data are being collected from a data subject while the data subject is physically within the EEA (for example, collection through a mobile phone application), then technically speaking the GDPR would apply to the collection of that personal data, if the participation in the study were considered to be offering a good or a service to persons located in the EEA, or monitoring the behavior of persons located in the EEA. Thus, the sponsor would need the data subject’s consent to process the data (and transfer it from the EEA to the US)—or some other lawful basis for the processing and transfer. While a single, one-off case would not likely be an enforcement priority for EU regulators, if it is anticipated that a reasonable number of persons might travel to the EEA during the course of the study, then the site may wish prospectively to comply with the GDPR.

What if someone uses a VPN from the US that appears to come up in an EEA jurisdiction and then accesses an electronic data capture form on a US-based server. How are we supposed to know where the user is really located?
If a person located in the US sends his or her personal data to a controller or processor in the US, then the GDPR does not apply, as a legal matter, to that transfer. Interestingly here, the controller or processor, however, would be unaware that the data were really coming from the US, and would instead believe that the data were coming from an EEA jurisdiction. Under the controller’s limited knowledge, therefore, the controller might analyze whether the GDPR would apply to the processing of the personal data under the same test applied to any other processing of personal data.

Assuming the US-based controller is not “established in” the EEA, one would analyze whether the GDPR would apply by looking to whether the processing of the personal data was “related to” either (i) “the offering of goods or services” to data subjects in the EEA or (ii) “the monitoring of their behavior as far as their behavior takes place in” the EEA. See GDPR, Art. 3(2). 

During the Q&A, someone asked if a one-time online survey would be subject to GDPR, and it sounded like the presenter said, because there is no ongoing monitoring of behavior, that it wouldn’t be subject to GDPR as long as none of the other legal bases were met (such as offering goods or services). Can you confirm that this is indeed true—that one-time US based surveys that include EU based participants are not subject to GDPR (assuming no incentives or other legal bases for GDPR) because there is no monitoring of behavior?
As always, if personal data are collected from data subjects in the EEA by a US-based controller or processor that is not established in the EEA, then one would determine whether the GDPR would apply by looking to whether the processing of the personal data was “related to” either (i) “the offering of goods or services” to data subjects in the EEA or (ii) “the monitoring of their behavior as far as their behavior takes place in” the EEA. See GDPR, Art. 3(2).

If an online survey collects data at a single point in time, then it would tend to be less likely that the behavior of the data subjects would be considered as being “monitored.” The GDPR’s recitals provide that the determination as to whether behavior is monitored should look to “whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques, which consist of profiling a natural person, particularly in order to take decisions concerning them or for analysing or predicting their personal preferences, behaviors and attitudes.” GDPR, Art. 24. In a one-time collection, it is less likely that the data subject would be considered “tracked.” 

The controller in this case should also consider whether the survey is related to “offering of goods or services.” For example, a one-time survey that is offered upon the purchase of a product or service would likely be considered to be related to the offering of a good or service. In the research context, however, it will more typically be the case that controllers will need to consider whether the research itself, or any ancillary goods or services provided in the research, constitutes offering a good or service. This is a fact-specific test that would require additional information, such as whether any results are returned to the research subject that would constitute a “good,” or whether the webpage is translated into the languages of the member states such that the organization could be seen as “envisaging” offering goods or services to persons located in the EEA. It is worth noting that the GDPR’s recitals provide that whether payment is collected in connection with the survey would not be dispositive, and free goods or services can still be considered goods or services under the GDPR. See GDPR, Recital 23.

A US-based researcher goes to France on sabbatical. While there, she manipulates and analyzes an existing data set she brought with her from the US, (i.e., none of the data was obtained in France). If she emails this data set back to her collaborator in the US while she is in France, is this data set subject to GDPR?
The risk in such an instance is that a regulator could argue that the researcher is “established in” France during her sabbatical, and therefore her processing of personal data there on sabbatical is subject to the GDPR. There is also some risk that the GDPR could be viewed to technically apply to the transfer of the personal data back to the US, through email to her collaborator and, presumably, by carrying the data back to the US at the end of her sabbatical.

This scenario would likely not present a high-risk area for enforcement under the GDPR. The researcher arguably is not a controller or processor “established in” the EU during sabbatical, which is typically of a fixed duration. Assuming, then, that the personal data were gathered from US persons, the GDPR would not have applied extraterritorially to their collection. 

*The above questions were submitted by webinar attendees. The provided answers are meant to offer assistance to those involved in clinical trials where GDPR requirements apply. Do not rely on the information above as legal advice; you should consult your institution’s or company’s own in-house or external legal counsel. Also, IRB policies may vary; please contact your IRB regarding any specific questions. 

PRIM&R thanks Mr. Wallace for sharing his expertise.

The recording of this webinar is available for individuals to purchase in PRIM&R’s online store. If you would like to purchase the webinar for group viewing, please download the order form (PDF) and send it to registration@primr.org.