FDA raises questions with European data law's restrictions on reviewing clinical data
In 2018, the EU signed off on a new law requiring organizations to protect how personal data is collected or used from those residing in the EU or its member states.
Known as the General Data Protection Regulation (GDPR), the law has changed how companies and online advertising work, but it has also been not-so-quietly affecting the FDA.
“So far, the FDA’s bioresearch monitoring program (BIMO), which oversees the conduct and reporting of FDA-regulated research, has been most impacted by the law,” Heather Messick, a former international policy analyst in FDA’s Europe Office, who’s now a regulatory counsel in the FDA’s Office of Compounding Quality and Compliance, wrote in a new blog post.
FDA investigators, for instance, have been unable to complete either in-person BIMO inspections or conduct virtual data reviews in some cases due to tech challenges, resource constraints, or GDPR-like data sharing policies, Messick writes, adding that “lack of clarity around GDPR has impeded our ability to review data remotely during the pandemic.”
And the agency’s concern with GDPR stretches beyond BIMO.
Biopharma companies are required to submit participant level data from clinical trials to support their medical product applications, and much of that data comes from multi-national sites, including EU citizens. Withholding the agency’s ability to transfer such data from the EU “could negatively impact the robustness of data submitted to the FDA and impact investigational product reviews and approvals,” Messick notes.
Certain demographic data also may be protected under the GDPR, she adds, and this information may impact the FDA’s ability to complete reviews of new drugs or biologics.
HHS raised other concerns when the GDPR took force in 2018, noting that if a researcher receives notice that a data subject has withdrawn consent to data processing, the EU guidelines conclude that the data controller “should delete or anonymise the personal data straight away.”
But HHS says that such deletion, “however, could seriously imperil the integrity of the research, thereby undermining the investment made by HHS in multi-site, trans-national studies with sites located in the EEA. It could also imperil the ability of U.S.-based research institutions, industry sponsors and researchers to respond to requests from FDA and/or from cognizant IRBs, as they would be hindered from using for their responses the personal data of the individual who has withdrawn consent.”
The NIH has been working directly with counterparts in the EU to assist with any GDPR impediments to research collaborations, Messick notes, particularly as the US and EU earlier this year agreed “in principle” on a new data agreement for transfers of personal privacy data for commercial purposes, but the situation is still not resolved.
“GDPR is an ongoing area of concern, and the situation will no doubt continue to change as the US and EU continue negotiations on a new data agreement, and as the overall legal and policy landscape in the EU continues to evolve. The Europe Office will be closely tracking developments in the months and years ahead,” the blog post said.