Recognizing that the fragmentation and complexity of the EU regulatory framework hinder Europe's competitiveness in clinical research, the European Commission's draft EU Biotech Act proposes a major step toward harmonization of the data protection requirements for clinical trials. Central to this initiative is a substantial revision of Article 93 of the Clinical Trials Regulation (CTR), aimed at unifying the legal basis, scope and safeguards governing the processing of personal data in clinical trials across the EU.

A core feature of the proposal is the explicit clarification of the GDPR legal bases applicable to clinical trials. The draft provides that the CTR itself serves as the legal basis in combination with Article 6(1)(c) GDPR ("legal obligation") for all processing activities required under the CTR. At the level of special-category data, it further clarifies that processing health and genetic data in the context of clinical trials is justified for reasons of public interest in the area of public health pursuant to Article 9(2)(i) GDPR, in particular to ensure high standards of quality and safety of medicinal products.

These clarifications address long-standing national inconsistencies across the EU and reduce reliance on GDPR consent as a legal basis. Informed consent under Article 29 CTR remains an ethical and organizational safeguard, not a GDPR legal basis.

The revised Article 93 sets out an exhaustive list of processing operations that sponsors or investigators must perform, as applicable, including activities such as application submissions, performance of research, safety reporting, record keeping, archiving, and submission of results or raw data to the EU Portal. For all such operations, sponsors and investigators are qualified as "controllers." While the draft does not specify whether their roles are those of joint or separate controllers, explicitly designating both parties as controllers aims to harmonize divergent Member State practices, as some jurisdictions have historically favored a controller-processor model between sponsors and clinical trial sites.

The draft clarifies that personal data collected under an authorized protocol may be further processed by the same controller for additional clinical trials under the CTR, or for broader scientific research purposes linked to public health, improved care, and innovation. While the appropriate legal impact and prerequisites remain unclear, in particular with respect to Articles 6(4) and 9(2)(j) of the GDPR, this is an important step toward greater legal certainty for secondary or future research use, subject to compliance with GDPR principles, including transparency.

As the Biotech Act is still at an early stage, its text may evolve, but the overall trajectory points toward a more coherent and harmonized data protection framework for clinical trials, reducing EU fragmentation while maintaining strong protections for trial participants. If adopted in its current form, it would make pan-EU clinical research more predictable and consistent from a data-protection perspective.