Our Work

Impact of Privacy Laws on Clinical Research

Impact of Privacy Laws on Clinical Research

The MRCT Center remains at the forefront of analyzing and understanding the impact of the GDPR and other privacy laws that impact clinical research data and biospecimen sharing. The patchwork of privacy laws that apply to the processing of personal data and in some cases restrict the transfer of such data across national boundaries impedes the progress of science and public health and the use of personal data for secondary research.

The European Union’s General Data Protection Regulation (GDPR) took effect on May 25, 2018. The regulation governs the processing of personal data of individuals located in any member state of the European Economic Area (EEA) or personal data processed in the context of an entity’s establishment located in an EEA member state. Following “Brexit,” the United Kingdom has enacted national legislation, commonly referred to as the UK GDPR, that is substantially similar to GDPR.  Under both GDPR and UK GDPR, personal data are defined broadly as “any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. The GDPR had an immediate impact on clinical research generally and multi-regional clinical trials specifically.

In addition to the GDPR, recent years have seen a growing number of sector-specific and omnibus state privacy laws in the U.S., such as the CCPA/CPRA and recently-passed data privacy legislation in Colorado, Utah and Virginia, as well as Florida’s Protecting DNA Privacy Act.  Also of note, China enacted an omnibus data privacy law known as the Personal Information Protection Law (“PIPL”), which took effect in 2021, Brazil’s General Data Protection Law (“LGPD”) became subject to enforcement in 2021, and India’s Digital Personal Data Protection Act (“DPDP Act”) was enacted in 2023. The MRCT Center continues to monitor the development of these laws and suggests strategies to help the research community comply with such laws, including through advocacy with relevant public authorities and industry stakeholders.

Contact Information: mrct@bwh.harvard.edu


  • Identify, explain, and discuss key problems that the GDPR and other privacy laws have introduced for the for the domestic and global research community on clinical research, biobanking, and data banking, as well as big data research.
  • Highlight the major challenges and ambiguities that privacy laws present for regulators, industry, academia, IRBs/research ethics committees, and researchers.
  • Engage with the European Commission and EDPB to explore potential solutions.
  • Share preferred operational practices in each of these areas.
  • Identify where further guidance or explanations (e.g., FAQs) would be helpful.

key milestones

  • December 2023: MRCT Center Research, Development & Regulatory Roundtable discussed developments over the past year, including adoption of the EU-US Data Privacy Framework
  • During 2023: Convened experts in the field to assess the ongoing and evolving impact of privacy laws on clinical research and data sharing
  • December 2022: MRCT Center Research, Development, & Regulatory Roundtable hosted a one-day conference on GDPR and privacy laws in other geographies (China, India, Japan, and South Africa). Dr. Francis Collins, Senior Advisor to the President (Acting) and Former Director of the National Institutes of Health, delivered the keynote address. The five sessions included panelists from academia, pharmaceutical companies, and regulatory bodies.
  • February 2022: MRCT Center submitted public comments to the National Institutes of Health (NIH) “Request for Information on Proposed Updates and Long-Term Considerations for the NIH Genomic Data Sharing Policy”
  • October 2021: Co-authored “Demystifying Schrems II for the Cross-Border Transfer of Clinical Research Data,” Journal of Law and the Biosciences
  • September 2021: MRCT Center comments on European Data Protection Board Guidelines 04/2021 on Codes of Conduct as Tools for Transfers
  • April 2021: MRCT Center comments in response to European Data Protection Board questions on research and GDPR.
  • October 2020:  Co-authored an article in Science Magazine entitled “How to Fix the GDPR’s Frustration of Global Biomedical Research.”  The article received significant attention and has been provided as a briefing material to members of the Biden administration seeking to understand international data sharing issues.
  • May 2020: David Peloquin participated in a webinar organized by ISC that was a follow-up to the November 2019 Brussels conference and discussed the MRCT Center’s comments submitted to the European Commission in April 2020.
  • April 2020: MRCT Center submitted comments to the European Commission outlining the challenges that GDPR has created for the research community along with potential solutions in response to the European Commission’s call for comments on GDPR.
  • March 2020: Co-authored an article in the European Journal of Human Genetics entitled “Disruptive and Avoidable: GDPR Challenges to Secondary Research Uses of Data” discussing the challenges of GDPR for secondary research and biobanking activities.
  • November 2019: MRCT Center and Ropes & Gray LLP co-organized ISC Seminar on Challenges for Health Research arising from GDPR in Brussels, Belgium.
  • May 2019: Mark Barnes attended a meeting with the Irish Data Protection Commission to discuss the challenges the GDPR poses to the research community.
  • February 2019: Mark Barnes and colleagues at Ropes & Gray co-authored an article discussing the challenges in the EDPB’s February 2019 opinion on the intersection of the GDPR and the EU Clinical Trials Regulation.
  • January 2019: MRCT Center sent a letter to the EDPB commenting on the EDPB’s November 2018 draft guidance on the territorial scope of the GDPR.
  • July 30, 2018: Application of the GDPR to Research: Legal, Practical and Strategic Implications: The MRCT Center convened over 110 representatives from academia, industry, and government. The conference explored the impact of the EU GDPR on human subjects’ research, biobanking and data banking, and big data research. A letter summarizing the findings was sent to the European Commission Directorate-General for Research and Innovation with a copy to EMA, NIH, and others.

PRoject leadership & Staff

  • Mark Barnes, JD, LLM, Faculty Co-Director, MRCT Center
  • Barbara E. Bierer, MD, Faculty Director, MRCT Center
  • David Peloquin, JD, Ropes & Gray LLP

Project Resources