As biopharma and med-tech companies grapple with restrictive data privacy laws in the EU and China while trying to meet the demand for greater diversity reflective of the U.S. population, there’s been more of an interest in conducting clinical trials in the U.S., Stacy Amin, a partner at Morrison & Foerster LLP, told BioWorld.
And recently, she said, there’s also been a bit of a shift of trials to the U.K. Although the U.K. has a data privacy law similar to the EU’s General Data Protection Regulation, the U.K.’s version is more business friendly.
The GDPR, which went into effect in 2018 to protect the privacy of EU citizens, requires strict protections on any information relating to “an identified or identifiable natural person,” including data transferred outside the European Economic Area. Its definition of an identifiable person is so broad that it includes coded data, as well as “factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”
During a panel discussion at the BIO International Convention in June, representatives from several drug companies spoke anecdotally about clinical trial challenges they were facing because of the data policies in Europe and Asia. The anecdotes included sites backing out of studies due to potential liability, not sharing data, and concerns over the sponsor’s ability to protect the data and U.S. data protections.
The problems go beyond choosing trial sites. A former U.S. FDA attorney who now counsels life science clients on regulatory issues, Amin said some companies have ongoing trials being disrupted by data privacy laws. The complexity of the issues can increase the cost of clinical trials, especially if trial sites have to be changed or a trial has to be repeated because of restrictions on the use of the data generated.
The FDA also is struggling with the impact of the privacy laws. The agency recently reported instances in which its investigators have not been able to complete in-person bioresearch monitoring (BIMO) inspections at trial sites or conduct virtual reviews of study data due to data-sharing policies such as the GDPR, along with other factors.
In an Aug. 9 blog, the FDA’s Heather Messick outlined three other regulatory processes that could be disrupted by the data policies of other countries:
- Submission of participant-level supporting clinical trial data – The inability to transfer such data from the EU could negatively impact the robustness of safety and efficacy data submitted to the FDA and impact investigational product reviews and approvals.
- Reviews of new applications – Since the agency requires the submission of certain information that may be protected under the GDPR, the inability to share that information, or delays in sharing it, may impact the FDA’s ability to complete reviews.
- Incomplete adverse event (AE) reporting – Postmarket monitoring could be affected, as the various FDA AE reporting systems involve “personal data” as defined by the GDPR.
As challenging as the EU data-sharing policies have been, it’s the lack of clarity around the GDPR that perhaps has had the most impact on other regulators. Messick blamed that lack for impeding the FDA’s ability to review data remotely during the height of the COVID-19 pandemic when data-sharing was critical.
Many countries weren’t sharing pandemic-related data at that time, Amin said. And much of the data that was shared with the FDA came from Israel, the U.K. and the World Health Organization – not the EU or China.
While the EU has issued guidance on the GDPR, the guidance doesn’t fill in all the holes or answer all the questions about applying the regulation, Morrison Foerster partner Marian Waldmann Agarwal told BioWorld. Consequently, different interpretations on the EU member state level can be as problematic as the GDPR itself. Waldmann Agarwal noted that some local data protection authorities are taking a hardline approach to data-sharing, while others are more flexible.
Negotiating against data islands
The irony is that the policies, which create islands of data, are emerging amidst a push for regulatory harmonization, greater reliance on data and recognition of the need for global pandemic preparedness. It’s as if restrictions on data-sharing have risen as an opposing force to the globalization efforts, Waldmann Agarwal said.
Those restrictions continue to evolve as the EU works to create a “‘single market for data’ through the creation of EU-wide common, interoperable, data spaces in strategic sectors,” Messick said. The intent is to form a coherent EU data framework that strengthens the GDPR.
It’s not clear yet where the EU is headed with all this, Waldmann Agarwal said, but it looks like it may be establishing an internal market that excludes data-sharing with other markets. At the same time, some U.S. lawmakers have expressed interest in passing an American data privacy law, but there’s no talk about prohibiting data transfers across borders, Waldmann Agarwal said. And for now, the U.S. focus is on showing the world the data protections the country already has as a way of easing restrictions on regulatory data-sharing.
While some data policies, such as the GDPR, stem from concerns about individual privacy, other governments are viewing health data as a strategic national resource to be protected as an element of technological and industrial advantage. China’s Regulation on Human Genetic Resources has been singled out as an example of that approach to data.
Amin said the differing views on data privacy and sharing have resulted in regulatory imbalances among the three major spheres of biopharma and med-tech development – Asia, the EU and the U.S. Negotiations are underway between the EU and U.S. on data-sharing across several sectors, including the life sciences. Since a lot of technical details will be involved, Amin said it’s hard to predict a timeline for a resolution.
She said she hopes the FDA may be able to reach a memorandum of understanding with European officials that would protect the agency’s ability to carry out critical BIMO activities in the EU. Data-sharing for postmarket monitoring also must be addressed, Amin said, as the negative impact on safety monitoring is an unintended consequence of the GDPR.
While biopharma and med-tech companies wait for negotiators to resolve some of the issues, they need to take the GDPR into consideration when setting up trials and working out agreements with EU sites and investigators, Waldmann Agarwal said. They also should ensure they have the appropriate agreements and that their data transfers and systems are secure.
All that needs to be done at an early stage, Amin added.