The IRB’s Role in Reviewing GDPR Consent Language

The European Union’s General Data Protection Regulation (GDPR) went into effect last month and has global implications, including for the US research community.[1] But this does not mean that the resulting obligations are all well-defined, and much of the current discussion is speculative. For example, despite a lack of explicit regulatory authority, there seems to be a widely adopted expectation that, in the research context, IRBs will serve as the oversight body for obtaining GDPR-compliant consent for the processing of personal data. Ultimately, this may be the most appropriate outcome, but how we get there warrants some discussion.

How is the research consent form used to meet GDPR requirements?

Under the GDPR, personal data may only be processed if there is a legal basis for that processing. One such basis is consent—a freely given, specific, informed, and unambiguous agreement to the processing. Given the existing regulatory and ethical requirements for obtaining informed consent for research participation, it is no surprise that sponsors and investigators may wish to leverage the research consent form to also obtain consent for the processing of a participant’s personal data.

Because much research will involve the processing of special categories of personal data (e.g. personal data revealing racial or ethnic origin, genetic data, and health data), investigators will often be required to meet the GDPR’s higher standard of “explicit consent.” While the GDPR does not define “explicit consent,” related guidance communicates that such consent will usually be indicated by a written statement signed by the individual whose data will be processed (the “data subject”) or by other robust online or digital processes (e.g. two-step verification). Again, the research consent process provides an existing framework that, in many cases, meets the explicit consent standard.

Related to the concept of informed consent, the GDPR requires that certain information be provided to individuals at the time their personal data is collected from them (typically referred to as “notice”). This information includes details such as who will have access to the personal data, how long that data will be stored, whether information will be transferred to another country, and the subject’s rights under the GDPR.

Depending on how personal data is collected from individuals, the required information may be provided in a number of ways. A common example is for a company to provide such information as part of their privacy statement. However, in the research context, because similar information is already provided in the consent document, it is predictable that many sponsors and investigators will seek to fulfill the notice requirements using the existing informed consent form.

Why would a US IRB be presented with an informed consent form containing GDPR references?

One reason a US IRB would be presented with GDPR references in an informed consent document is if the IRB is reviewing research for an EU-based sponsor that intends to enroll US participants. The territorial scope of the GDPR includes the processing of personal data by an EU business. It does not matter whether the personal data was collected inside or outside the EU or whether the data subject is an EU citizen. Thus, even if an EU-based sponsor intends to collect personal data from non-EU participants, the collection and processing of that data must comply with the GDPR. If the sponsor intends to use consent as the legal basis for the processing (and leverage the consent form to provide GDPR notice), then that consent must be obtained at the time the data is collected from the US subjects—hence, the GDPR language in the US version of the consent form.

The reverse scenario could likewise exist—i.e. if a US-based sponsor intends to enroll EU participants, it may seek IRB approval of GDPR consent language. This could occur because GDPR’s territorial scope also extends to the processing of personal data of data subjects in the EU by a controller or processor not in the EU, if the processing is related to (1) offering goods or services to an EU data subject (regardless of whether payment is required) or (2) the monitoring of the EU data subject’s behavior in the EU. If a US-based sponsor intends to collect the personal data of EU research subjects, e.g. through interactions at a physical EU site or online/remote monitoring, that sponsor will likely need to comply with the GDPR and may choose to utilize the consent form as the avenue for obtaining GDPR consent or providing GDPR notice.

Should IRBs review GDPR consent language?

This is certainly not the first example of IRBs being asked to ensure that regulatory elements are present in the consent form that are, strictly speaking, outside those listed under federal human subject protection regulations. Perhaps the closest analogy to IRB review of GDPR language is the role IRBs traditionally play in the review of HIPAA authorizations. The HIPAA Privacy Rule grants the IRB authority to approve requests for waivers of the authorization requirements for research uses and disclosures of protected health information (PHI). IRBs are not required to review and approve the research authorization itself. However, authorization language is often incorporated into the informed consent document, and the use and disclosure of PHI is arguably relevant to the determination that adequate provisions are in place to protect privacy and confidentiality. As a result, IRBs have become the de facto oversight body for most institutions’ research authorization forms, whether standalone or incorporated into the consent document.

The IRB role under GDPR is similar, if more removed. The GDPR makes no mention of IRB/ethics committee authority other than clarifying that consent to clinical trials should comply with the EU Clinical Trial Regulation. Thus, the IRB would generally have no requirement to understand which legal basis was being utilized to process a participant’s personal data for research purposes, nor would it be obligated to ensure that GDPR notice requirements are met for a research participant. Analogous to the HIPAA example, if a study investigator were to use a standalone document to obtain GDPR consent and provide notice, such a document would arguably fall outside an IRB’s purview.

In practice, it may be appropriate and advisable to seek IRB review and confirmation that the information provided regarding the use of personal data is understandable and not redundant with existing language regarding the use of study information. However, it is unclear how reasonable it is to expect a US IRB to understand and evaluate the sufficiency of GDPR elements, or on what authority the IRB could assert that such language does or does not meet GDPR standards.

Are there other options?

Yes. Consent is not the only legal basis for processing personal data nor is it necessarily the most appropriate basis. For example, personal data may be processed on alternative grounds such as processing necessary for activities taken in the public interest or necessary for an entity’s own legitimate interests (if those interests are not overridden by the rights of the data subject). It is not clear to what extent these bases can be relied upon in the research context. However, at least one EU Member State has issued operational guidance clarifying that, for certain types of research, the public interest or legitimate interest basis should be relied upon. This does not mean that traditional “informed consent” for research is not required or that GDPR notice is exempted, only that GDPR consent is not the recommended legal basis for the processing of the personal data obtained for research purposes.

Similar to the higher standard of explicit consent, legal grounds for processing special categories of personal data include “substantial” public interest and, significantly, scientific or historical research purposes. However, the availability of the scientific research basis is subject to EU or Member State law and the regulation is not clear on whether the EU or Member States must first issue legislation allowing such a basis or whether there is simply authority to impose additional requirements.

Given the above uncertainties, it may seem that consent is still the best option. However, as mentioned previously, it is not completely decided that relying on GDPR consent is the most fitting framework for processing personal data necessary for research purposes. For example, much has been written on whether the GDPR allows for broad consent to future research uses or whether the GDPR right to withdraw consent conflicts with other regulatory requirements that data collected up until the point of withdrawal must be retained for scientific integrity purposes.

What now?

Because of the ambiguities discussed above, the Secretary’s Advisory Committee on Human Research Protections (SACHRP) has issued a recommendation to the US Department of Health and Human Services (HHS), encouraging the agency to coordinate with its European counterparts and issue guidance regarding the GDPR’s potential application to US-based research and to specifically address the ambiguities related to use of consent as the basis for data processing. As the GDPR plays out in real time, many ambiguities currently present in the regulations will hopefully be acknowledged and explicitly addressed by the relevant EU and Member State regulatory agencies.

Until such guidance is issued, the research community will continue wrestling with how to interpret the parameters of GDPR consent. And, as long as questions remain regarding the ability to rely on non-consent bases for processing personal data (e.g. public interest, legitimate interest), sponsors and investigators will have to choose between multiple uncertainties. Given the historic reliance upon informed consent for research, it is likely that GDPR language will continue to present itself in research consent forms submitted for review by US IRBs. Such IRBs should be aware of the limit of their purview under GDPR, while at the same time continuing to meet the overarching directive to protect participant rights and welfare.


Executive Insight

Mitchell Parrish, JD, RAC, CIP, VP of Legal and Regulatory Affairs

This article importantly provides context for why, and how, it is that US IRBs are now being asked to review GDPR-compliant consent language. While some research organizations may wish to leverage the informed consent document for GDPR purposes, remember that the IRB is not a GDPR oversight body and explicit consent intended to satisfy GDPR does not require US IRB review.



[1] The GDPR is applicable to the EU and EEA. However, the text of the GDPR and related guidance tends to use the terms “Union” or “EU.” This article adopts the same terminology.