
EDPB/EDPS Joint Opinion on the European Biotech Act Proposal: Key Data Protection Implications for Pharma and Life Sciences

By Alexander Roussanov, Camille Vermosen & Ana Gonzalez-Lamuno on March 19, 2026

On 16 December 2025, the European Commission published its Proposal for a Regulation establishing a framework of measures for strengthening the EU’s biotechnology and biomanufacturing sectors, particularly in the area of health (the “European Biotech Act” or the “Proposal”). The Proposal is ambitious in scope: it amends several major pieces of EU health legislation, including the Clinical Trials Regulation (“CTR”), the Veterinary Medicines Regulation, the Food Law Regulation and the Substances of Human Origin Regulation (“SoHO”), while also introducing a new framework for EU strategic projects, AI-enabled biotechnology, and biodefence.

On 10 March 2026, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) adopted Joint Opinion 3/2026 on the Proposal (the “Joint Opinion”). While broadly supportive of the Proposal’s objectives, the EDPB and EDPS identified a number of significant data protection concerns, and issued recommendations. Although not legally binding, the Joint Opinion carries significant weight as it reflects the views of the EU’s primary data protection authorities and will directly shape the legislative debate ahead.

In this blog we examine the key data protection implications of the Proposal and the Joint Opinion for pharma and life sciences companies.

Clinical Trials: Harmonising the Data Protection Framework

The most consequential set of amendments from a data protection perspective concerns the Clinical Trials Regulation. The Proposal rewrites Article 93 CTR (‘Data Protection’), aiming to provide a single, harmonised legal basis for the processing of personal data by sponsors and investigators across the EEA.

Harmonised Legal Basis Under the GDPR

The Proposal establishes a legal obligation within the meaning of Article 6(1)(c) of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) for sponsors and investigators to process personal data for the purposes of conducting clinical trials (including safety monitoring, regulatory compliance, and scientific research under the authorised protocol). This replaces the current patchwork of legal bases applied across the EU Member States, which has been a persistent source of fragmentation and legal uncertainty.

The EDPB and EDPS broadly welcome this harmonisation. However, they make several recommendations to strengthen clarity and foreseeability, including:

  • Necessity requirement: Adding the words “where such processing is necessary” to the relevant provisions to reinforce the principle of data minimisation.
  • Terminology alignment: Replacing “perform research activities” with “conducting scientific research” to align with GDPR terminology. Notably, the European Commission has separately proposed introducing a harmonised definition of “scientific research” in the GDPR as part of the Digital Omnibus Proposal (see our blog on the Digital Omnibus Proposal).
  • Protocol specificity: Ensuring that the authorised protocol explicitly identifies the “description of the arrangement” for data protection compliance by including, inter alia, the processing operations, the categories of personal data to be processed and of data subjects, the purposes of disclosure, the entities to which the data will be disclosed, and the retention period. These are elements that are currently not explicitly required by the relevant Annex of the CTR.
  • Withdrawal of informed consent to participate in the clinical trial: Clarifying the conditions under which data collected before the patient withdraws their consent to participate in the clinical trial may continue to be used, an issue with particular relevance for vulnerable populations (minors, incapacitated subjects, emergency situations), and providing additional safeguards where data is retained despite withdrawal.

Practical impact: Sponsors and investigators should expect greater consistency in the legal basis applied to clinical trial data processing across Member States, but should also anticipate more granular requirements at the protocol level. Should the Proposal be adopted in its current form, clinical trial protocols will need to set out a more detailed description of personal data processing arrangements as described above.

It is also worth noting that, given that clinical trials almost invariably involve health data and genetic data, both special categories of personal data under Article 9(1) GDPR subject to heightened protection, sponsors and investigators will need to ensure that an appropriate condition under Article 9(2) GDPR is met (in particular Article 9(2)(i) or (j) GDPR) and that suitable safeguards are in place. The EDPB and EDPS confirm that the proposed Article 93(8) CTR is intended to provide those safeguards. This dual layer of compliance, being a legal basis under Article 6 GDPR and a specific condition under Article 9 GDPR, should be reflected in data protection impact assessments and protocol documentation from the outset.

Controller Qualification: Sponsors, Investigators and Co-Sponsors

The Proposal designates both sponsors and investigators as controllers under the GDPR. The EDPB and EDPS welcome this explicit designation but flag two gaps:

  • First, the Proposal does not clarify whether sponsors and investigators are independent or joint controllers, a distinction with significant implications for the allocation of responsibilities. The EDPB and EDPS therefore recommend that the respective roles of the sponsors and investigators be clarified. In particular, where sponsors and investigators jointly determine the purposes and means of processing, they should be designated as joint controllers. Likewise, co-sponsors should be treated as joint controllers.
  • Second, the EDPB and EDPS note that the term “investigator” refers to an individual rather than an institution. They recommend that, where the investigator acts as an independent controller or joint controller, controllership should be attributed to the clinical trial site (i.e., the organisation) rather than the individual investigator, to avoid placing direct GDPR liability on individual physicians or researchers.

Practical impact: This is an area of significant practical importance for pharmaceutical and life sciences companies. If adopted, it may require the review of contractual arrangements (e.g., Clinical Trial Agreements, Data Processing Agreements) allocating responsibilities appropriately to reflect the clarified roles of sponsors, investigators and co-sponsors.

Data Retention: Clarifying the 25-Year Rule

The Proposal provides that personal data, including genetic data and data concerning health, are subject to the 25-year data retention period applicable to the clinical trial master file under the current Article 58 CTR.

The EDPB and EDPS recommend clarifying that this 25-year data retention period applies only to personal data in the clinical trial master file, not to all personal data processed in the context of the clinical trial, in line with the current wording of Article 58 CTR. After this period is over, data should be retained only as long as necessary for the purposes for which it was collected.

Practical impact: As currently drafted, the Proposal may create uncertainty as to whether the 25-year retention period applies only to the clinical trial master file, as is the case under Article 58 CTR, or more broadly to personal data processed in the context of a clinical trial. This may affect how companies structure their data retention policies, particularly in multi-country trials. Clarification in line with the Joint Opinion would provide greater certainty and help to avoid unnecessary, long-term retention of personal data.

Further Processing for Scientific Research

The Proposal permits the further processing of clinical trial data by the same controller for the purposes of other clinical trials conducted under the CTR or for scientific research aimed at protecting public health, improving the standard of care, or fostering innovation in European medical research.

The EDPB and EDPS acknowledge that this is intended to provide a legal basis for such further processing, but recommend clarifying that Article 93(6) CTR would constitute a legal basis for this further processing under Article 6(1)(e) GDPR (performance of a task carried out in the public interest or in the exercise of official authority vested in the controller). They also make several recommendations, including:

  • Explicit identification of the applicable legal basis: In the interest of legal certainty, the EDPB and EDPS recommend stating more explicitly in the recitals of the Proposal that the objective of Article 93(6) CTR is to provide a legal basis for further processing.
  • Adoption of specific safeguards: Given that the further processing could involve special categories of personal data (health and genetic data), the EDPB and EDPS recommend defining specific safeguards such as pseudonymisation, governance structures, and confidentiality obligations that would apply to the further processing conducted by the same controller.
  • Specification of purpose: The purpose of “fostering the innovation capacity of European medical research” is considered too vague and should be more precisely defined.

Practical impact: If the possibility to further process clinical trial data is retained in the final text, this would be significant for clinical trial sponsors, as it would provide greater clarity on the ability to make further use of clinical trial data in certain cases. It remains to be seen, however, whether the proposed wording of Article 93(6) CTR would be sufficient to constitute a proper legal basis for the processing of personal data, and what specific safeguards may be required.

Electronic Informed Consent

The Proposal introduces the possibility for participants to provide informed consent remotely through the use of electronic systems, methods and processes, including by means of electronic signatures using the European Digital Identity Wallet (“EDIW”) (i.e., an electronic identification solution created under Regulation (EU) No 910/2014 (the “eIDAS Regulation”)) or equivalent standards.

The EDPB and EDPS welcome this development but stress that the use of the EDIW must remain voluntary. They also stress that informed consent must remain accessible through existing identification and authentication means for those who do not use or cannot access electronic systems.

Practical impact: This development offers greater flexibility in the collection of informed consent, potentially reducing administrative burden and facilitating cross-border recruitment. However, sponsors will need to maintain parallel consent pathways to accommodate participants who do not use or cannot access electronic means, which may limit the operational simplification intended by this change.

Regulatory Sandboxes and AI in Clinical Trials

The Proposal introduces the possibility for the European Commission to establish regulatory sandboxes for clinical trials involving innovative approaches where compliance with certain requirements of the CTR is not possible or appropriate. Within those regulatory sandboxes, certain requirements of the CTR may be temporarily adapted or derogated from, subject to certain conditions.

The Proposal also introduces additional obligations for sponsors using AI in clinical trials. In particular, sponsors must assess the benefits and risks of their AI models or systems in relation to patient safety and data robustness, and provide information in the protocol on the specific purpose of the use of AI models or systems.

The EDPB and EDPS recommend:

  • With regard to regulatory sandboxes: To clarify that the GDPR would remain fully applicable in this context. They also recommend that implementing acts specify the applicable legal basis as well as the derogation under Article 9(2) GDPR that would apply for the processing of personal data when the regulatory sandboxes apply.
  • With regard to the use of AI: To expressly clarify that these obligations apply in addition to (and not instead of) the obligations under the EU AI Act, and that the European Medicines Agency (“EMA”) be required to cooperate with the EDPB when developing relevant guidelines on clinical trial data processing when using AI.

Practical impact: While regulatory sandboxes may introduce a degree of flexibility in clinical trial design, the EDPB and EDPS make clear that this does not extend to data protection obligations. Sponsors should therefore not assume any relaxation of GDPR requirements and should ensure alignment with overlapping obligations under the CTR, GDPR and EU AI Act when deploying AI in clinical trials.

AI and Data as Biotechnology Enablers

The Proposal introduces certain provisions aimed at leveraging AI and data in health biotechnology.

The European Commission may recognise high-impact biotechnology projects located in the EU as trusted testing environments for advanced health biotechnology innovations, where such innovations are enabled, enhanced or significantly supported by AI or other advanced computational methods, and where certain criteria are met (Article 32 of the Proposal).

Additionally, the European Commission would designate certain EU-based projects as high-impact initiatives supporting the development of high-quality datasets for AI in health biotechnology. Recognised projects would benefit from accelerated procedures and targeted administrative, financial and technical support. From a data protection perspective, the European Commission would, through implementing acts, define the modalities of the processing of personal data necessary to achieve the purpose of the project. This includes specifying the categories of personal data to be processed, the roles of participating entities, the categories of entities that may access the curated data, and the applicable safeguards. The processing of personal data in this context is framed as being carried out in the public interest (Article 33(4) of the Proposal).

The EDPB and EDPS recommend:

  • For biotechnology testing environments: That, where such projects involve the processing of personal data, the authority for assessing compliance with applicable legislation (whether the national competent authority or the European Commission) should be able to consult data protection authorities as part of that assessment.
  • For biotechnology data quality accelerators: Ensuring compliance with GDPR principles, including the implementation of appropriate safeguards, particularly where special categories of personal data are involved. The EDPB and EDPS also recommend clarifying that Article 33(4) of the Proposal is intended to provide a legal basis for the further processing of personal data by the biotechnology data quality accelerators only for data quality purposes, rather than for the initial collection of such data.

Practical impact: The EDPB and EDPS position suggests that these frameworks will be accompanied by structured data governance requirements and continued regulatory oversight. Companies should therefore anticipate that participation in such initiatives will require careful alignment with GDPR principles and applicable safeguards, particularly when handling health data.

Biodefence: Verification of Legitimate Need

The Proposal requires economic operators to verify the identity and the legitimate need of prospective customers (whether natural or legal persons) before supplying biotechnology products of concern (as will be listed in Annex I of the CTR). Economic operators are also required to report suspicious transactions involving biotechnology products of concern to national contact points.

The EDPB and EDPS recommend that guidance be provided on the categories of personal data that may be collected for identity verification purposes, in line with the GDPR principle of data minimisation. They also recommend clarifying the factors that should be taken into account when determining whether a transaction should be considered suspicious.

Practical impact: Companies supplying biotechnology products of concern may need to review their identity verification and transaction monitoring processes to ensure that only data necessary for those purposes is collected in line with GDPR requirements, and that criteria for identifying and reporting suspicious transactions are clearly defined and documented.

Transition Periods and Next Steps

As currently drafted, the Biotech Act would apply without a transitional period, except for certain provisions regarding the CTR which are not mentioned in this blog. The EDPB and EDPS note that this timeline may be insufficient for clinical trial sponsors to adapt to the amended data protection provisions under Article 93 CTR, and recommend either introducing transition periods or clarifying that ongoing clinical trials would not be subject to the amendments.

The Proposal is now being discussed by the European Parliament and the Council of the European Union. The legislative process is expected to take more than one year, with application anticipated for 2028, although the exact timing will depend on the progress of the legislative procedure. Further amendments to the Proposal remain possible, and the final implications for pharma and life sciences companies will depend on the outcome of those negotiations.

Key Takeaways

  • The EDPB and EDPS make clear that innovation-focused measures under the Proposal, including AI use and regulatory sandboxes, do not reduce or displace existing data protection obligations under the GDPR.
  • The Joint Opinion points towards more detailed and prescriptive requirements, including clearer allocation of controllership roles and more specific requirements as to the elements that clinical trial documentation should contain.
  • While the Proposal seeks to facilitate secondary use, the EDPB and EDPS emphasise the need for clearly defined legal bases, narrowly specified purposes and appropriate safeguards.
  • Throughout the Joint Opinion, the EDPB and EDPS underscore the need for robust technical and organisational measures, particularly where special category data are involved.
  • The Proposal is still under negotiation, but the Joint Opinion provides a strong indication of the data protection expectations likely to shape the final framework.
  • Posted in:
    Health Care
  • Blog:
    BioSlice Blog
  • Organization:
    Arnold & Porter Kaye Scholer LLP