Life Sciences Horizons Brochure 2025 - Flipbook - Page 46
45
2025 Horizons Life Sciences and Health Care
GDPR creates privacy issues for EU sponsors at U.S. sites
When European Union sponsors conduct clinical trials
at U.S. sites, the General Data Protection Regulation
(GDPR) imposes privacy obligations that may be
unfamiliar to U.S. organizations. This often results in
significant pushback from U.S. sites, and protracted
contract negotiations with EU sponsors. U.S. sites are
also subject to domestic privacy laws – including the
Health Insurance Portability and Accountability Act
and its implementing regulations, (collectively,
“HIPAA”) and state privacy laws – which are not always
compatible with the GDPR, and thus may cause
further tension between the U.S. and EU parties.
One challenge is the inconsistent interpretation of GDPR within
the EU in the research context. In some EU countries, U.S. sites
are considered “vendors” (i.e., “processors”) of sponsors; while
in others, they are treated as “partners” (i.e., “controllers”).
This discrepancy triggers different privacy agreements
depending on the EU sponsor’s country, further confusing
U.S. site organizations.
HIPAA compliance adds another layer of complexity, as U.S. sites
may be “covered entities” (akin to a “controller”) under HIPAA
(and may not be able to be considered a “processor”) with regard
to their patient medical record data. In addition, GDPR rights
granted to data subjects differ from those offered under HIPAA.
This causes compliance challenges for U.S. sites when GDPR
transparency requirements affect the content of the informed
consent form (ICF) and are not necessarily compatible with U.S.
laws or understandable to U.S. data subjects, resulting in site
pushback and institutional review board (IRB) objections.
Another issue arises with the transfer of personal data from
the U.S. to the EU, which qualifies as an “international transfer”
under the GDPR. This requires specific safeguards, typically
implemented through the EU’s standard contractual clauses.
These clauses are lengthy and impose significant obligations on
U.S. sites, which may hesitate to accept them. Strategies that
sponsors have been employing to address these challenges
include the following:
Preparing an explanatory document for U.S. sites explaining
GDPR applicability and outlining the implications of GDPR
compliance.
Developing “light” template agreements and a negotiation
playbook with fallback options and alternative wording that
will likely be more palatable to U.S. sites in an effort to
streamline the negotiation process.
Preparing ICF templates that address GDPR requirements in
a manner more consistent with U.S. site and IRB expectations.
Engaging a legal team with expertise in both U.S. and EU
privacy laws to ensure robust compliance and alignment with
regulatory requirements, while minimizing potential conflict
during negotiation of clinical trial agreements and the content
of ICFs.
Melissa B. Levine
Partner
Washington, D.C.
Juan Ramón Robles
Senior Associate
Madrid
