
Impact of Privacy Laws on Clinical Research
The MRCT Center remains at the forefront of analyzing and understanding the impact of privacy laws on clinical research data and biospecimen sharing. The patchwork of data privacy laws that apply to the processing of personal data, including clinical trial data, often restricts the transfer of such data across national boundaries, impeding the progress of science and public health, as well as the use of personal data for secondary research.
Since 2013, we have convened experts in the field to assess the ongoing and evolving impact of privacy laws on clinical research and data sharing. The Research, Regulatory, and Development Roundtable (R3) has been and continues to be a forum to explore and discuss strategies to help the research community comply with these laws.
The focus of the MRCT Center has been both ex-U.S. privacy laws (e.g., EU General Data Protection Regulation [GDPR], People’s Republic of China’s Personal Information Protection Law, and others) and U.S. laws (e.g., California’s Consumer Privacy Act, the DOJ Final Rule Provisions Pertaining to Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons, National Institutes of Health (“NIH”) Policy on Enhancing Security of Human Biospecimens, state laws restricting data sharing with certain foreign countries).
The recent DOJ Final Rule and its implications for the biomedical research enterprise were addressed at the April 2025 R3 meeting. In the context of differing and evolving state laws, a drive toward integrating medical records across providers and U.S. states, and new technologies that facilitate the identification of individuals, we are also considering how these developments impact participants’ privacy.
Contact Information: mrct@bwh.harvard.edu
Objectives
- Identify, explain, and discuss key problems that the GDPR and other privacy laws have introduced for the domestic and global research community on clinical research, biobanking, and data banking, as well as big data research.
- Highlight the major challenges and ambiguities that privacy laws present for regulators, industry, academia, IRBs/research ethics committees, and researchers.
- Engage with the European Commission and EDPB to explore potential solutions.
- Share preferred operational practices in each of these areas.
- Identify where further guidance or explanations (e.g., FAQs) would be helpful.
Key Milestones
- November 2024: MRCT Center submitted public comments to the U.S. Department of Justice’s proposed rule “Provisions pertaining to preventing access to U.S. sensitive personal data and government-related data by countries of concern or covered persons”
- October 2024: MRCT Center Research, Development, & Regulatory Roundtable discussed limitations on sharing data with China and other countries of concern
- December 2023: MRCT Center Research, Development, & Regulatory Roundtable discussed developments over the past year, including adoption of the EU-US Data Privacy Framework
- During 2023: Convened experts in the field to assess the ongoing and evolving impact of privacy laws on clinical research and data sharing
- December 2022: MRCT Center Research, Development, & Regulatory Roundtable hosted a one-day conference on GDPR and privacy laws in other geographies (China, India, Japan, and South Africa). Dr. Francis Collins, Senior Advisor to the President (Acting) and Former Director of the National Institutes of Health, delivered the keynote address. The five sessions included panelists from academia, pharmaceutical companies, and regulatory bodies.
- February 2022: MRCT Center submitted public comments to the National Institutes of Health (NIH) “Request for Information on Proposed Updates and Long-Term Considerations for the NIH Genomic Data Sharing Policy”
- October 2021: Co-authored “Demystifying Schrems II for the Cross-Border Transfer of Clinical Research Data,” Journal of Law and the Biosciences
- September 2021: MRCT Center comments on European Data Protection Board Guidelines 04/2021 on Codes of Conduct as Tools for Transfers
- April 2021: MRCT Center comments in response to European Data Protection Board questions on research and GDPR.
- October 2020: Co-authored an article in Science Magazine entitled “How to Fix the GDPR’s Frustration of Global Biomedical Research.” The article received significant attention and has been provided as a briefing material to members of the Biden administration seeking to understand international data sharing issues.
- May 2020: David Peloquin participated in a webinar organized by ISC that was a follow-up to the November 2019 Brussels conference and discussed the MRCT Center’s comments submitted to the European Commission in April 2020.
- April 2020: MRCT Center submitted comments to the European Commission outlining the challenges that GDPR has created for the research community along with potential solutions in response to the European Commission’s call for comments on GDPR.
- March 2020: Co-authored an article in the European Journal of Human Genetics entitled “Disruptive and Avoidable: GDPR Challenges to Secondary Research Uses of Data” discussing the challenges of GDPR for secondary research and biobanking activities.
- November 2019: MRCT Center and Ropes & Gray LLP co-organized ISC Seminar on Challenges for Health Research arising from GDPR in Brussels, Belgium.
- May 2019: Mark Barnes attended a meeting with the Irish Data Protection Commission to discuss the challenges the GDPR poses to the research community.
- February 2019: Mark Barnes and colleagues at Ropes & Gray co-authored an article discussing the challenges in the EDPB’s February 2019 opinion on the intersection of the GDPR and the EU Clinical Trials Regulation.
- January 2019: MRCT Center sent a letter to the EDPB commenting on the EDPB’s November 2018 draft guidance on the territorial scope of the GDPR.
- July 30, 2018: Application of the GDPR to Research: Legal, Practical and Strategic Implications: The MRCT Center convened over 110 representatives from academia, industry, and government. The conference explored the impact of the EU GDPR on human subjects’ research, biobanking and data banking, and big data research. A letter summarizing the findings was sent to the European Commission Directorate-General for Research and Innovation with a copy to EMA, NIH, and others.
Project Leadership & Staff
- Mark Barnes, JD, LLM, Faculty Co-Director, MRCT Center
- Barbara E. Bierer, MD, Faculty Director, MRCT Center
- David Peloquin, JD, Ropes & Gray LLP
