On December 1, 2024, the European non-profit organization noyb (None of Your Business), co-founded by privacy advocate Max Schrems, achieved a significant milestone by becoming a “Qualified Entity” under the EU’s Collective Redress Directive in Austria. Since 10 October 2024, noyb has been a qualified entity under the Irish “Representative Actions for the Protection of the Collective Interests of Consumers Act 2023” for national and cross-country procedures, and this month it also achieved this status in Austria, where the main establishment of noyb is located. This status empowers noyb to bring collective legal actions on behalf of individuals whose consumer rights under European laws, including data protection laws such as the General Data Protection Regulation (GDPR), have been violated.
This development marks a pivotal moment for data protection across all sectors, including clinical trials. As clinical trials rely heavily on the processing of sensitive personal data, the implications of this news for sponsors, Contract Research Organizations (CROs), and other stakeholders are profound.
Understanding Collective Redress Under the EU Directive
The EU’s Collective Redress Directive, adopted in 2020, aims to facilitate access to justice for individuals and enhance enforcement of EU laws. It allows for collective actions to be brought by designated Qualified Entities, such as consumer organizations or non-profits like noyb. The directive covers a broad range of sectors, including healthcare and data protection.
Collective redress actions enable individuals to address systemic breaches of their rights, reducing the burden of pursuing individual claims. Under this framework, organizations like noyb can initiate legal proceedings against entities for GDPR violations, without requiring affected individuals to take action themselves.
Why noyb’s Qualification Matters
noyb has been a prominent voice in enforcing GDPR compliance, having successfully challenged major corporations for non-compliance. Its designation as a Qualified Entity significantly amplifies its ability to enforce privacy rights. With this status, noyb can now:
- Represent Affected Groups Collectively: noyb can represent groups of individuals without requiring their direct involvement, making it easier to address widespread privacy violations.
- Initiate Legal Proceedings in Multiple EU Member States: Collective redress actions can span across borders, holding entities accountable on a broader scale.
- Focus on Systemic Violations: noyb’s efforts will likely target organizations with consistent non-compliance issues, potentially including those operating in sensitive fields like healthcare.
The Relevance for Clinical Trials
Clinical trials involve the collection, storage, and processing of sensitive personal data, including health data, genetic information, and biometric identifiers. As such, the industry is already under stringent GDPR requirements. noyb’s qualification adds an additional layer of scrutiny and potential liability for organizations involved in clinical research. Here’s how this development might impact the clinical trials industry:
1. Increased Risk of Legal Challenges
Clinical trial sponsors are responsible for ensuring compliance with GDPR, including relying on a lawful basis to process the data, implementing robust security measures, and respecting data subject rights. Any gaps in compliance, such as inadequate consent processes or improper pseudonymization of personal data, could now result in collective legal actions initiated by noyb.
2. Greater Scrutiny on Transparency and Anonymization
The European Medicines Agency (EMA) and GDPR emphasize the importance of transparency in how participant data is processed. Sponsors must clearly communicate their data use practices. Additionally, the anonymization of trial data for publication is critical. Collective actions could target failures in these areas, pushing the industry to adopt stricter measures.
3. Heightened Focus on Cross-Border Data Transfers
Many clinical trials involve the transfer of data outside the EU, often to countries without equivalent data protection laws. noyb has historically targeted organizations for non-compliance with EU rules on international data transfers. With its new powers, noyb may initiate collective actions against sponsors and other stakeholders failing to implement adequate safeguards for cross-border data transfers.
4. Increased Pressure on Smaller Sponsors
While larger sponsors often have dedicated compliance teams, smaller sponsors and biotechs may lack the resources to ensure full compliance. The risk of collective actions could disproportionately impact these organizations, highlighting the need for implementing adequate privacy programs, even for smaller players.
5. Amplified Role of Data Protection Officers (DPOs)
The role of DPOs in clinical trials will become even more critical. Sponsors must ensure their DPOs are actively involved in overseeing data protection practices, conducting regular audits, and addressing potential vulnerabilities. The presence of a competent DPO could be a mitigating factor in the event of a collective action.
Best Practices for Clinical Trial Stakeholders
To mitigate the risks associated with collective redress actions, clinical trial sponsors should adopt the following best practices:
- Strengthen Informed Consent Processes: Ensure consent forms are transparent, easy to understand, and specific about data use, including for secondary purposes.
- Enhance Data Security: Implement robust security measures to protect personal data from breaches and unauthorized access.
- Improve Data Anonymization: Ensure that data shared for publication is effectively anonymized to prevent re-identification.
- Review Cross-Border Transfers: Verify compliance with GDPR requirements for international data transfers, including the use of Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
- Invest in Privacy Training: Provide ongoing GDPR training for all employees involved in clinical trials to minimize risks.
Conclusion
noyb’s new role as a Qualified Entity significantly raises the stakes for GDPR compliance across industries, including pharma and biotech companies conducting clinical trials. While this development strengthens the enforcement of privacy rights, it also introduces new challenges for clinical trial stakeholders. Sponsors, CROs, and others involved in clinical research must proactively address potential vulnerabilities in their data protection practices to avoid collective actions and ensure the trust of trial participants. This is a wake-up call for the industry to elevate its compliance efforts and safeguard the sensitive personal data at the heart of clinical research. By doing so, stakeholders can not only avoid legal challenges but also contribute to the ethical advancement of medical science.
Diana is the Founder & Managing Director at RD Privacy and a contributing columnist, specializing in privacy for the pharmaceuticals and life science sectors, particularly small biopharma companies, with extensive experience as a European qualified privacy attorney and Data Protection Officer (DPO).