EU privacy regulators adopt a single data-processing lawful basis for clinical trials

Europe's data protection authorities have backed the EU's proposed European Biotech Act but warned that the drive for regulatory simplification must not come at the cost of weakening the rights of clinical-trial participants. The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) set out their position in Joint Opinion 3/2026, adopted on 10 March.

Biotech in the EU

The biotechnology landscape in the European Union has embarked on an unprecedented structural transformation following the publication, on 16 December 2025, of the proposal for a regulation of the European Parliament and of the Council establishing a framework of measures to strengthen the Union’s biotechnology and biomanufacturing sectors. The proposed European Biotech Act has arisen in response to the urgent need to position Europe as a global leader in scientific innovation by 2030 and to stem the historic migration of talent and capital towards more agile markets such as the US and Asia.

Regulatory fragmentation, high administrative costs and barriers to industrial scaling have been identified as the main obstacles that the European Commission aims to overcome with this new regulatory framework. The European Biotech Act not only focuses on drug development, but also extends its scope to biomanufacturing, food safety, organ processing and environmental protection.

Joint Opinion

The implementation of this European Biotech Act has significant implications for the protection of personal data. Consequently, following the European Commission’s formal consultation on 18 December 2025, the EDPB and the EDPS adopted the Joint Opinion 3/2026 on 10 March. The opinion is non-binding but sets out the official technical and legal position of the highest data protection authorities in the European Union regarding the draft act presented. Although both bodies support the proposed legislation’s objectives of competitiveness and harmonisation, they emphasise that administrative efficiency cannot justify lowering protection standards for clinical-trial participants. Both authorities emphasise that health and genetic data, categorised as specially protected data under article 9 of the General Data Protection Regulation (GDPR), require an enhanced level of protection, particularly in trial settings.

The opinion is published at a time of digital convergence, as other regulations – such as the AI Act and the European Health Data Space – redefine the rules. The recommendations of the EDPB and the EDPS therefore seek to create systemic consistency so that biotechnology companies do not face conflicting requirements depending on whether their product is classified as a medicinal product, a medical device or an AI system.

Single legal basis

One of the most significant proposals in the European Biotech Act, and endorsed by the Joint Opinion 3/2026, is the amendment of article 93 of the Clinical Trials Regulation to establish a harmonised legal basis across the EU for the processing of health data. Until now, the disparity among national data protection authorities has forced sponsors of international multicentre clinical trials to manage different legal bases, such as consent in some countries or public interest in others, which creates a degree of legal uncertainty and delays scientific results.

The EDPB and the EDPS support the transition towards legal obligation as the primary legal basis for the processing of data required for the conduct of a clinical trial. This change reinforces the distinction between informed consent required as an ethical prerequisite for participation in the clinical trial and consent as the legal basis for processing of personal data.

If legal obligation is established as the basis for processing for certain safety and regulatory oversight purposes, the withdrawal of informed consent to participate in the trial does not necessarily mean data already collected must cease to be used. The EDPB and the EDPS insist, however, that the European Biotech Act expressly set out the applicable conditions and additional safeguards, so that scientific results already obtained are not unduly affected and the rights of participants are adequately protected. Both authorities point out that, as health-related data is involved, EU law must rely on the exceptions set forth in article 9(2) of the GDPR, particularly those concerning public interest in the areas of public health and scientific research (article 9(2)(i) and (j) of the GDPR).

Additional safeguards

In Joint Opinion 3/2026, the EDPB and the EDPS set out a series of recommendations to deliver greater legal certainty and safeguards for data subjects.

On the definition of roles between sponsors and researchers, the complexity of modern clinical trials, which often involve multiple sponsors, contract research organisations and hospitals in various countries, has historically made it difficult to clearly assign responsibilities under the GDPR. The opinion pays particular attention to the need to clarify whether these actors act as independent controllers, processors or joint controllers. Both bodies recommend that sector-specific legislation clarifies the respective roles of sponsors and investigators as sole or joint controllers, noting that, to the extent that they jointly determine the purposes and means of the processing, they should be considered joint controllers.

For the retention period for personal data, the EDPB and the EDPS recommend that the mandatory 25-year retention period be applied restrictively only to the clinical trial master file, rather than to all personal data processed within the framework of the trial.

Recommendations are also set out for secondary use. The ability to reuse health data for future research drives modern scientific discovery. The act proposes to allow data controllers to carry out further processing of data collected in a trial for other scientific studies or research. The EDPB and the EDPS consider that this provision aims to provide a specific legal basis under EU law for such further processing, and recommend that the legislation sets this out more clearly, specifying expressly that the legal basis is the public interest under article 6(1)(e) of the GDPR. They also criticise the fact that the purpose of fostering the innovative capacity of European medical research is excessively broad and open to divergent interpretations; they call for a more precise and restrictive definition, together with specific safeguards – such as pseudonymisation, enhanced transparency and confidentiality obligations – given the particular sensitivity of the health and genetic data involved.

AI and clinical trials

The convergence of biology and computing lies at the heart of the European Biotech Act, which promotes an approach to biotechnology and biofabrication based primarily on AI. The use of generative models to design proteins or deep learning algorithms to predict treatment responses is already a reality.

The legislation proposes to require sponsors to assess the benefits and risks to patient safety and data robustness when using AI systems in a clinical trial. Joint Opinion 3/2026 warns, however, that it is unclear whether these obligations operate in addition to those of the AI Regulation. The two authorities recommend that this be expressly clarified in the text itself, as well as ensuring cooperation between the European Medicines Agency and the EDPB in the development of the relevant guidelines.

Osborne Clarke Comment

The European Biotech Act offers an opportunity to simplify the regulation of clinical trials in the EU, aiming for harmonisation that would replace the current regulatory fragmentation. However, as the Joint Opinion 3/2026 highlights, this ambition for simplification cannot be pursued at the expense of undermining the fundamental rights of data subjects.

For companies in the sector, the key is to anticipate the regulatory developments that will accompany the proposed legislation. European biotechnology faces a major opportunity to lead the global market. Integrating privacy as a factor of trust and not merely as a legal requirement will be the distinguishing feature for those companies aspiring to transform science into sustainable healthcare.