FDA Official: EU privacy regulations impede BIMO inspections, application reviews

Regulatory NewsRegulatory News | 10 August 2022 |  By 

According to a US Food and Drug Administration (FDA) lawyer, the European Union’s privacy regulations are a headache for researchers and regulators trying to share data. Heather Messick, the former lead policy analyst on the EU’s General Data Protection Regulation (GDPR) at FDA’s Europe Office, says the regulation has created major roadblocks to sharing patient data needed to review premarket applications and reporting adverse events.
The EU GDPR went into effect in 2018 to ensure personal data of people in the 27 EU member states, and those from Iceland, Norway and Lichtenstein, also known as the European Economic Area (EEA), are protected including when they are shared out of those countries.
In particular, Messick says that FDA’s bioresearch monitoring program (BIMO), which oversees the conduct and reporting of FDA-regulated research, has been the most affected by the law in a new agency blog post.
“There have been instances in which FDA investigators have been unable to complete either in-person BIMO inspections or conduct virtual reviews of study data due to technology challenges, resource constraints, or data sharing policies, such as GDPR,” Messick said. “While EU data sharing policies are only one challenge in conducting inspections or [remote regulatory assessments] RRAs, lack of clarity around GDPR has impeded our ability to review data remotely during the pandemic.”
BIMO allows FDA investigators to conduct RRAs of FDA-regulated research in countries where onsite inspections are not possible for a variety of reasons including travel restrictions due to the COVID-19 pandemic. The objective of such remote assessments, according to the agency, is to ensure research subjects are treated according to FDA regulations but it involves reviewing and sharing patient health data which may run afoul of GDPR requirements.
FDA reviewers need sponsors to submit participant-level data from clinical trials to support their claims of safety and effectiveness which often means sharing information from multi-national clinical trial sites, including from the EEA. However, the GDPR makes sharing that data easier said than done, according to Messick, who now serves as regulatory counsel at FDA’s Center for Drug Evaluation’s Office of Compounding Quality and Compliance.
“Inability to transfer such data from the EU could negatively impact the robustness of data submitted to the FDA and impact investigational product reviews and approvals,” she added.
Besides hampering the FDA’s ability to get clinical trial data from sponsors, Messick also says the GDPR has been a burden on the agency’s ability to review new drug applications (NDA) and biologic license applications (BLA) and get adverse event reporting data.
“As part of its review of NDAs and BLAs, the FDA requires certain information (e.g., demographic information) from industry which may be protected under the GDPR,” said Messick. “Inability to receive, or delays in receiving, this information may impact FDA’s ability to complete reviews.”
The agency has several adverse event and safety reporting systems for different products, including MedWatch, FDA Adverse Event Reporting System (FAERS), the Safety Reporting Portal (SRP) and the Vaccine Adverse Event Reporting System (VAERS).
Messick notes that the GDPR’s definition of personal data is very broad and sharing data from the adverse reporting systems could fall afoul of the regulation.
Over the past few years, the US and the EU have tried to work out data agreements that allow cross-border-border sharing of personal data for commercial use but it’s been an ongoing challenge not just for FDA but for other federal agencies that need such sensitive information. One such initiative, the EU-US Privacy Shield was invalidated by the European Court of Justice in 2020 which sent the two sides back to the drawing board to come up with a new agreement.
“GDPR is an ongoing area of concern, and the situation will no doubt continue to change as the U.S. and EU continue negotiations on a new data agreement, and as the overall legal and policy landscape in the EU continues to evolve,” Messick said. “The Europe Office will be closely tracking developments in the months and years ahead.”


© 2023 Regulatory Affairs Professionals Society.

Discover more of what matters to you