FDA official: EU privacy regulations hamper BIMO inspections and review of claims

Regulatory news

| August 10, 2022 | By Ferdous Al-Faruque

According to a lawyer for the US Food and Drug Administration (FDA), European Union privacy regulations are a headache for researchers and regulators trying to share data. Heather Messick, former senior policy analyst on the EU’s General Data Protection Regulation (GDPR) at the FDA’s European office, says the regulation has created major hurdles for sharing the patient data needed to review patient data. premarketing requests and report adverse events.

The EU GDPR came into force in 2018 to ensure the protection of personal data for individuals in the 27 EU member states, as well as those in Iceland, Norway and Lichtenstein, also known as European Economic Area (EEA), including when shared outside of those countries.

In particular, Messick says the FDA’s Bioresearch Oversight Program (BIMO), which oversees the conduct and reporting of FDA-regulated research, has been most affected by the law in a new blog post from the agency. ‘agency.

“There have been instances where FDA investigators have been unable to perform in-person BIMO inspections or conduct virtual reviews of study data due to technology challenges, resource constraints or data sharing policies, such as GDPR,” Messick said. “While EU data sharing policies are only a challenge in conducting inspections or [remote regulatory assessments] RRA, the lack of clarity around GDPR has hampered our ability to review data remotely during the pandemic. »

BIMO enables FDA investigators to conduct FDA-regulated research RRAs in countries where on-site inspections are not possible for a variety of reasons, including travel restrictions due to the COVID-19 pandemic. The goal of these remote assessments, according to the agency, is to ensure that research subjects are treated according to FDA regulations, but it involves reviewing and sharing patient health data that may violate GDPR requirements.

FDA reviewers need sponsors to submit participant-level data from clinical trials to support their safety and efficacy claims, which often means sharing information from clinical trial sites multinationals, including from the EEA. However, the GDPR makes sharing this data easier said than done, according to Messick, who is now a regulatory advisor in the Office of Compositional Quality and Compliance at the FDA’s Center for Drug Evaluation. .

“The inability to transfer this data from the EU could negatively impact the robustness of data submitted to the FDA and impact investigational product reviews and approvals,” she added.

In addition to hampering the FDA’s ability to obtain clinical trial data from sponsors, Messick also claims that the GDPR has weighed on the agency’s ability to review new drug applications (NDAs) and applications. Biological Licensing (BLA) and obtaining adverse event reporting data.

“As part of its review of NDAs and BLAs, the FDA requires certain information (for example, demographic information) from industry that may be protected by GDPR,” Messick said. “Failure to receive or delays in receiving this information may impact the FDA’s ability to conduct reviews.”

The agency has several adverse event and safety reporting systems for different products, including MedWatch, the FDA Adverse Event Reporting System (FAERS), the Safety Reporting Portal (SRP), and the Vaccine Adverse Event Reporting System (VAERS).

Messick notes that the GDPR definition of personal data is very broad and that sharing data from adverse reporting systems could run counter to the regulations.

Over the past few years, the US and EU have attempted to reach data agreements that allow cross-border sharing of personal data for commercial purposes, but this has been an ongoing challenge for not only the FDA, but for other federal agencies that need such sensitive information. One such initiative, the EU-US Privacy Shield, was struck down by the European Court of Justice in 2020, which sent the two sides back to the drawing board to find a new deal.

“GDPR is an ongoing topic of concern, and that will no doubt continue to change as the US and EU continue negotiations on a new data agreement, and the overall legal and policy landscape of the GDPR. EU continues to evolve,” said Messick. “The Europe Office will closely monitor developments in the months and years to come.”

© 2022 Society of Regulatory Affairs Professionals.

Comments are closed.