Among the novelties introduced by the General Data Protection Regulation (“GDPR”), the right to erasure, best known as the “right to be forgotten”, is probably the one that has attracted the most attention in the news. Under this right, the data subject is now entitled to request that the controller delete his/her personal data without undue delay.
However, its applicability in scientific research is debatable, as the GDPR clearly strove to find a balance between data subjects’ rights to data protection and researchers’ competing interest in innovation. Thus, the impact of this right may actually be quite limited in this field.
In setting out the right to erasure, Art. 17 GDPR also sets out various exemptions, three of which may be seen as affecting the application of this data subject right in clinical trials.
First in relevance is the exclusion of the right to be forgotten when the processing is necessary for scientific research purposes, to the extent that the exercise of the right would render impossible or seriously impair the achievement of the processing objective.
Thus, companies involved in clinical research that are asked by patients to delete their clinical data may decline the request if, and to the extent that, such deletion would seriously impair, if not render impossible, the achievement of the clinical trial objective.
Nevertheless, the GDPR requires that appropriate safeguards be taken in such a case, i.e. the implementation of technical and organizational measures aimed at ensuring data minimization, but also pseudonymization, or even anonymization, when these do not prevent the fulfillment of the purposes of the processing.
Secondly, the right to be forgotten will also not apply when the processing is necessary for compliance with a legal obligation originating from EU or EU member state law to which the controller is subject (i.e. EU national regulations imposing a legal obligation to keep clinical trial data for audits, following the ICH GCP standard).
What would happen when laws other than EU or member state law are at stake, however, is not clear. While the GDPR is applicable to companies based outside the EU as long as they target EU data subjects, it does not address what will happen when such companies are caught between, e.g., national non-EU regulations prohibiting the deletion of clinical trial data on one side, and patients asking for the erasure of their data on the other.
Thirdly, the exercise of the right to erasure is further exempted when the processing is necessary for reasons of public interest in the area of public health.
Overall, the right to be forgotten in clinical trials appears to have a limited reach, which makes sense, since its exercise would invalidate the trials’ outcomes: deleting individuals’ clinical data would introduce bias into the sample of data used. Thus, clinical trial data can still be retained on the basis of both the “scientific research” exemption and the “legal obligation” exemption, regardless of patients’ requests to delete them.
The option left to patients who do not want their data to be processed is then to prevent further data collection by withdrawing from the trial itself.
Further guidance is still welcome and expected and, in this regard, it should be mentioned that the Association of Clinical Research Organizations (“ACRO”) is currently working on a code of conduct to give CROs guidelines on how to implement the GDPR principles in the sector.