Data Protection: If It ain’t broke, don’t fix it?

  • Posted on 13.05.2019


Peter Blenkinsop

Partner - Drinker Biddle & Reath LLP


On May 25, 2018, the GDPR became effective across the EU, simultaneously resulting in a ‘consistent and homogenous application’ of data protection rules across the Union (per Recital 10 of the Regulation). For data protection professionals at medical technology companies, the clarity brought by the GDPR has meant that resources can be redirected towards ensuring substantive privacy and security protections and away from more formalistic legal questions…. Okay, I’m just kidding.

No, seriously, let’s review what actually happened. After several decades of explaining to patients wishing to enrol in clinical investigations of experimental medical technology that by choosing to enrol, they are consenting to the collection of personal data about them for purposes of the research, data protection authorities decided that the GDPR doesn’t allow this.

Instead, they said, medical researchers should be relying on legal bases other than consent, like ‘legitimate interests’, for the processing of personal data in clinical investigations. Except, that is, in those member states where consent is still required for such data processing. In those member states, of course, you should still rely on consent. Clear enough?!

Oh, and by the way, said the data protection authorities, we recognise that Recital 33 of the GDPR suggests that it is permissible for research subjects to broadly give their consent to ‘certain areas of [future] scientific research’, but even though the legislators wrote that, we don’t think that’s what they really meant. So, don’t rely on that. Why? Because we said so.

Actually, I find the guidance provided by data protection authorities on this question of the legal basis for further processing of personal data for ‘secondary’ research purposes was helpful. They pointed out that Article 5(1)(b) of the GDPR declares such further processing to ‘not be considered to be incompatible with the initial purposes’, provided the processing accords with the requirements in GDPR Article 89 concerning processing of personal data for scientific research purposes.

While noting that the conditions of Article 89, ‘due to their horizontal and complex nature’, will require further guidance from data protection authorities, the European Data Protection Board gave an unequivocal endorsement of the application of Article 5(1)(b) to medical research: ‘For the time being, the presumption of compatibility, subject to the conditions set forth in Article 89, should not be excluded, in all circumstances, for the secondary use of clinical trial data outside the clinical trial protocol for other scientific purposes.’

Full disclosure: Most of the guidance provided to date by data protection authorities has been in the context of clinical trials of investigational medicines. So maybe none of this guidance actually applies to clinical investigations of medical technologies? In any event, all confusion will be cleared up in the MedTech Forum ‘Ask the Experts’ session next Wednesday, 15 May. I promise¹.

1. All promises herein are subject to certain conditions of a horizontal and complex nature, to be further described at a later time.

This blog is part of the MedTech Forum blog series. Peter Blenkinsop will be speaking at the MedTech Forum and Global MedTech Compliance Conference 2019. You can follow the conversation under #MTF2019 and find more details at

