A patient’s choice whether he will undergo a particular treatment or participate in a clinical trial constitutes an expression of his autonomy and human dignity. His consent ensures respect for his personality, dignity and free will. In the health sector, consent is necessary for every intervention on the human body, while a different consent is also required for the further use of personal health data in research. The moral value of consent is recognized internationally and it is enshrined in all the important texts as a fundamental condition for any biomedical intervention.
Due to the importance of protecting the participant’s personal data when conducting scientific research and the emerging legal questions, we focus on the following:
- Which are the conditions for a valid consent under the new Regulation 2016/679 on personal data protection (GDPR)?
- Where is the new legal framework applicable? Who is to be protected and who has to comply under the new provisions?
First, we observe that the new Regulation includes more detailed health data processing provisions than Directive 95/46. For the first time, the Regulation defines “health data” and even “genetic data”.
In order to establish the new legal framework, the European legislator took into account observations and proposals made by the research community and promoted wide consent with the possibility of withdrawal and derogation from the obligation to consent in the case of disease research based on previous data registries (for example, cancer patient registries). As the explanatory memorandum clarifies, the legislator considered that “by coupling information from registries, researchers can obtain new knowledge of great value with regard to widespread medical conditions such as cardiovascular disease, cancer and depression. On the basis of registries, research results can be enhanced, as they draw on a larger population”.
Following the above, the legislator adopted the following provisions:
- Consent can be omitted when data are used for research purposes, anonymized or under a pseudonym and provided that they are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Furthermore, information can be omitted when the provision of such information is impossible or would involve a disproportionate effort. In particular, there is special reference to using data for scientific research or statistical purposes, where derogation from the obligation of information is justified when its application is likely to render impossible or seriously impair the achievement of the objectives of that processing, under the condition of the application of minimization and anonymization techniques.
- However, when consent is a necessary condition for lawful processing, it must be given in accordance with the following:
- By definition, consent is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (article 4 par.11). All the above conceptual elements of consent must be fulfilled in order for it to be valid. Additionally, consent is “informed” when the data subject knows the controller’s identity, purpose of processing as well as other fundamentals foreseen in articles 13 and 14 of the regulation.
- The legislator focuses on the clarity of consent and foresees in Article 7 par.2 that “if the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding”.
- In addition, the data subject has the right to withdraw his consent at any time. However, the withdrawal of consent shall apply only for the future and shall not affect the results of activities already carried out. A relevant provision exists also in the new regulation 536/2004 for clinical trials (article 28 par 2,3).
- According to the personal data protection rules, the obligation to seek consent is incumbent on the controller, that is, the person who defines the purposes of processing, who also bears the burden of proof.
But what happens when data processing takes place outside the EU?
- Firstly, the above obligations are binding on controllers established in the EU even if the data processing takes place outside the EU.
- Furthermore, this obligation also applies to controllers established outside the EU, if the processing activities are related to the offering of goods or services to subjects living in the EU, irrespective of whether a payment by the data subject is required. In this case, the controller (or processor) established outside the EU shall designate in writing a representative in the Union.
- When transferring data to third countries, the European legislator assigns the Commission to confirm the existence of an adequate level of data protection within the territory of a third country by delivering a relevant decision, like the recent Safe Harbour Decision concerning data exchange with the United States. However, in the absence of a decision by the Commission, transfers outside the EU can take place legally under other safeguards, such as the adoption of binding corporate rules or standard data protection clauses issued by the Commission or a national supervisory authority of a Member State, or an approved certification mechanism.
- Additionally, if neither a Commission decision has been issued nor the above safeguards have been fulfilled, a transfer can be exceptionally permitted only if the data subject has given a clear consent to the proposed transfer, after being informed of the possible risks concerned.
- Furthermore, data transfer is permitted when it is necessary for the conclusion or performance of a contract which has been agreed in the interest of the data subject between the data controller and another legal or natural person, or when it is necessary for important reasons of public interest. Examples of the latter are cross-border threats to public health, or cases where the transfer is necessary for the protection of the vital interests of the data subject or others, if the data subject does not have the legal or natural capacity to give consent.
Our law firm’s comment
Monitoring scientific and medical breakthroughs soon makes it clear that exchanging health data between the EU and third countries further promotes the development of science. Furthermore, judging from the conditions set in the GDPR, we ascertain that the legislator’s primary concern is respect for the subjects’ rights, will and autonomy when their data are being processed either inside or outside the EU.