MR-001 in France & Clinical Trials

The French Data Protection Authority (the "CNIL") issued in July 2018 a new reference methodology (MR-001) to replace the previous MR-001 from 2016. These methodologies are used to simplify the authorization process for the processing of personal data in France. In line with this, if Controllers in the field of clinical research comply with the requirements of the reference methodology, they are able to process personal data for such specific purposes by self-declaring their compliance to the CNIL.

Compliance with the MR-001 is not straightforward, and we cannot forget that the same Controller may process personal data for several different purposes, in some cases being able to self-declare compliance and in other cases being required to ask for an authorization.

Being compliant with the MR-001 allows Controllers to process personal data without the need for an authorization from the CNIL, which may take up to two months to be granted. In the field of clinical research this is very relevant, as timelines are strict and there is much pressure to start patient recruitment as soon as possible.

In line with this, Controllers of Clinical Trials must evaluate whether the processing of personal data is compliant with the requirements of MR-001. A self-declaration of compliance needs to be performed only once, while an authorization from the CNIL needs to be requested for each specific project where the processing of personal data falls outside the scope of the reference methodology.

It is important to clarify that, even though a self-declaration of compliance shall only be completed once, compliance checks must be performed for each processing activity carried out for a specific purpose (clinical trial). If, while checking the study requirements and before any processing of personal data, the Controller realizes that the processing will be outside the scope of the methodology, then an authorization from the CNIL for that specific project is required.

The most relevant changes between MR-001 (v.2016) and MR-001 (v.2018) relate to subcontractors with access to named data, requirements on specific consent for collecting genetic data, more flexibility in the collection of vital status, as well as other requirements imposed by the GDPR which were missing from the previous methodology.

In addition to this, the new MR-001 not only includes GDPR requirements under its provisions but also, in some cases, exceeds such requirements to impose stricter obligations on Controllers, such as the need to audit new subcontractors, the identification of some security measures as mandatory, limitations on transfers of personal data based on the data subject’s consent, and the limitation of transfers of patients’ named data to third countries outside the EU.

It’s an interesting tool; however, it leaves some open questions. Shall it apply retroactively to clinical trials? What are the corrective actions if, upon confirmation of compliance, the Controller realizes that the processing is not compliant with MR-001 after all?

In my personal opinion, considering that the new reference methodology is more flexible than the previous one, except for the new requirements of the GDPR, I tend to say that a study that is compliant with MR-001 (2016) will be by default compliant with MR-001 (2018) if the Controller updates its processing activities to be compliant with the GDPR as well.

As for the corrective actions, upon confirmation that previous processing declared compliant with the methodology is in fact outside the scope of the methodology, I would say that either Controllers ensure that the processing becomes compliant (if possible according to applicable regulations) or they would need to notify the CNIL of the findings and proceed as confirmed by the authority.

It’s not a question of whether or not Controllers need to ask the CNIL for an authorization to process the data after realizing that the processing is outside the scope of the methodology, because if the processing is ongoing, an authorization to initiate processing is not applicable. However, the CNIL might need to evaluate whether or not the Controller provides enough guarantees to ensure the security of the data, even though the processing falls outside the scope of the MR-001, in order to approve an exemption from such MR-001 requirement(s).

Such a corrective process is not clear and should be clarified by the authority in order to avoid speculation. The CNIL should also clarify that if a Controller proactively notifies the issue, it should not be subject to penalties; otherwise the accountability principle of the GDPR might be in jeopardy.

DCA
