This article is part of our Biotech Review of the Year - Issue 13 publication.
Europe’s ability to leverage its world-leading academic institutions, healthcare systems, access to funding and fiscal incentives has long positioned it as a powerhouse for clinical research. However, divergences in the interpretation and enforcement of data protection law within the EEA are undermining Europe’s position, with adverse consequences for patients and medical innovation in Europe.
Clinical trials are crucial in the development of new and improved ways to detect, prevent and treat health conditions. While Europe remains a global hub for clinical research, analysis of available evidence points to a geographical shift away from the region: between 2013 and 2023, the number of clinical trials initiated worldwide rose by over 38%, yet the EEA’s share halved over the same period. This decline means fewer European patients are gaining early access to potentially life-saving treatments.
According to the same research, data from clinical trial repositories indicates that 60,000 fewer people participated in clinical trials involving an EEA country in 2023 compared to 2018. The adverse consequences of this for patients, healthcare systems and the broader R&D ecosystem in Europe are substantial:
- participation in clinical trials can translate into better health outcomes for European patients, particularly for those with rare diseases for whom trials may be the only option for treatment;
- clinical trials are a revenue source for hospitals and centres that conduct them, generating funds that can be invested in healthcare provision; and
- clinical trials foster collaboration between academia, industry and healthcare providers, strengthening R&D and fast-tracking innovation in Europe.
What is going wrong?
There is evidence to suggest that lack of regulatory harmonisation, rather than the overall weight of regulation, is a key factor. Over two-thirds of clinical trials in the EEA involve sites in multiple countries. As a result, divergence in interpretation and enforcement of data protection rules matters. National healthcare laws and data governance practices (including with respect to ethics committees) mean sponsors are faced with the prospect of implementing different operational processes between EU Member States to comply with different national approaches.
This creates challenges for processing clinical data in relation to both:
- the specific clinical trial and any subsequent regulatory approval of the medicine or medical device (primary use); and
- purposes outside of the clinical trial protocol (secondary use).
All collection and use of personal data requires a valid legal ground under Article 6 GDPR (lawful basis). Additionally, any processing of health data and genetic data can be undertaken only if one of the pre-defined conditions under Article 9 GDPR (Article 9 condition) applies.
The appropriate lawful basis and Article 9 condition typically depend on the data in question and the purpose for which it is processed. For example, some processing within a clinical trial is required to obtain pharmacovigilance data as part of the sponsor’s safety-related obligations under the EU’s Clinical Trials Regulation (CTR). This processing is therefore carried out under the lawful basis of ‘compliance with a legal obligation’ (Article 6(1)(c) GDPR), an approach endorsed by the European Data Protection Board (EDPB), the independent body responsible for consistent application of the GDPR.
Conversely, processing of clinical trial data for other purposes typically requires different lawful bases and Article 9 conditions. Processing for the same purposes should be carried out under the same lawful basis regardless of whether it is taking place in one Member State or another. In reality, however, different lawful bases are used between Member States as a result of continuing divergences in law and interpretation across the EEA.
The EDPB sought to achieve harmonisation with respect to primary use of clinical trial data in its Opinion issued in 2019. Save for clinical trials conducted in the public interest pursuant to a legal mandate, sponsors are encouraged to rely on:
- the lawful basis of ‘legitimate interests’ (Article 6(1)(f) GDPR) – that is, to undertake the processing on the basis that it is necessary for the objectives of the clinical trial, and these purposes are sufficiently legitimate to override the privacy interests and fundamental rights and freedoms of the trial participants; and
- the Article 9 condition that provides for processing that is necessary for ‘scientific research purposes’ (Article 9(2)(j) GDPR).
In the EDPB’s view, this approach is both pragmatic and provides an appropriate level of data protection. This is because reliance on the ‘legitimate interests’ lawful basis requires the sponsor to perform a balancing test to ensure that the processing is justified, with the implementation of additional safeguards where the test indicates these are necessary for the processing to be lawful. The EDPB Opinion is not binding, but it is highly persuasive on Member States.
However, not all Member States adopt this approach, notably Austria, Germany, the Netherlands, Hungary, Ireland, Italy and Portugal. Instead, these countries typically rely on:
- the lawful basis of ‘consent’ (Article 6(1)(a) GDPR) – that is, the processing is carried out on the basis of participants’ consent to the use of their personal data; and
- the corresponding Article 9 condition of participants’ ‘explicit consent’ to the processing (Article 9(2)(a) GDPR).
This divergence is due to:
- national laws or mandatory Informed Consent Form (ICF) and Participant Information Sheet (PIS) templates in some Member States that require the sponsor to rely on consent, such as in Germany and Belgium;
- national regulatory guidance in some Member States that strongly favours consent; and
- ethics committees in some Member States that effectively make ethics approval of a clinical trial conditional on reliance on consent - despite the fact that it is for the sponsor (and sometimes the trial site) as the controller of the processing to determine the lawful basis, not a third party.
The EDPB considers that consent obtained in the context of a clinical trial is typically not valid under the GDPR due to the pressure that participants may face to take part, stemming from their health status, institutional expectation, or social and economic factors.
Matters are complicated further by the lack of a single EU-wide interpretation of the concept of secondary use of clinical trial data. Some Member States interpret it to constitute use of the data for an entirely new purpose; others take the more narrow view that it means any purpose that is not compatible with the original purpose of data collection per Article 5(1)(b) GDPR, which could include use of the data for other clinical research, for example. There is also variation in whether secondary use warrants its own lawful basis or if the lawful basis for the primary use can be relied upon. The European Commission takes the former approach, but has stated that the lawful basis may be the same as that of the primary use. Some Member States, such as Spain, allow sponsors to obtain ‘broad consent’ for processing for scientific research generally. Others, including Italy, require fresh consent for secondary use, which can be tricky to obtain in practice, particularly if the secondary use takes place years or decades after the primary use, or is by a different controller.
Why does all this matter?
As things stand, if sponsors adopt the position endorsed by the EDPB, they may struggle to obtain ethics approval and may breach national laws that mandate consent. However, if they rely on consent instead, they may be considered to be in breach of the GDPR in some Member States. Attempts to reconcile these conflicting requirements often require sponsors to modify the trial protocol, ICF and PIS, and can impede trial progression.
The differing national requirements also mean that clinical trial data cannot necessarily be co-mingled, depriving the data of its full value both for primary use and secondary use. For example:
- reuse of the data, which may otherwise avoid the need for further clinical studies, is hampered;
- opportunities to improve the methodology for future clinical trials may be lost; and
- there is a risk of blocking other avenues for innovation, such as use of the data for training AI models for predictive modelling and drug discovery.
What can be done?
The European Federation of Pharmaceutical Industries and Associations (EFPIA) has sought to tackle some of the issues highlighted in this article by developing a GDPR Code of Conduct on Clinical Trials and Pharmacovigilance (Code). The objective of the Code is to provide greater certainty for stakeholders and reduce administrative burden by promoting a consistent interpretation of key GDPR provisions for application to pharmacovigilance and clinical research and clarifying how the GDPR interacts with sectoral legislation such as the CTR.
After nearly four years, however, the Code has still not been approved. In January 2022, EFPIA announced that the Code had reached the final review phase by data protection authorities before submission to the EDPB for approval. The most recent official update before this article was published was in July 2025, confirming that the Code has now been submitted to the Belgian Data Protection Authority for formal assessment. While it is hoped that the EDPB will be relatively quick to approve the Code on receipt due to prior review by multiple data protection authorities, this is by no means assured.
This seemingly leaves us, for now, at an impasse. In November 2025, the European Commission introduced a proposal for simplification of EU digital regulation in the form of the Digital Omnibus. Early indications are that key aspects of the Digital Omnibus proposal will be hotly debated between the European Commission, European Parliament, and Council of the European Union. This will likely occupy a substantial portion of the legislative agenda at the EU level in 2026. Meanwhile, and erroneously in our view, a more targeted fix to harmonise data protection rules for clinical trial data in the life sciences sector appears to have been sidelined.
