1. Concept: Clinical Trial AI Participant Selection in Denmark

In Denmark, AI-based participant selection in clinical trials typically involves:

• Machine learning models screening EHR (electronic health records)
• Risk scoring for eligibility (age, disease, biomarkers)
• Automated exclusion/inclusion decisions
• Data linkage across hospitals (e.g., region-wide registries)

This raises legal issues under:

• GDPR (Art. 5, 6, 9, 22)
• Danish Health Act (Sundhedsloven)
• Data Protection Act (Databeskyttelsesloven)
• EU Clinical Trials Regulation (CTR 536/2014)
• Ethical review requirements (National Videnskabsetisk Komité system)

2. Core Legal Issues in AI Participant Selection

(A) Lawful basis for processing health data

Clinical trial AI often processes special category data (health data) → requires:

• GDPR Art. 6 (lawfulness)
• GDPR Art. 9(2)(j) (scientific research)
• National safeguards (Denmark: Data Protection Act + Health Act)

(B) Automated decision-making risk (GDPR Art. 22)

If AI:

• decides eligibility automatically OR
• significantly influences inclusion/exclusion

→ triggers restrictions under automated decision-making rules

(C) Bias and discrimination risk

AI models may exclude:

• elderly patients
• minority ethnic groups
• rare disease patients

This raises issues under:

• EU Charter of Fundamental Rights (Arts. 21 & 35)
• Danish equal treatment principles

(D) Controller liability chain

Liability may fall on:

• Trial sponsor (pharma company)
• Hospital (data controller)
• AI vendor (processor or joint controller)
• CRO (clinical research organization)

3. Key Case Law (Denmark + EU applied in Denmark)

CASE 1: Datatilsynet – STAR “Asta AI profiling system” (2022)

• AI system predicted long-term unemployment risk (profiling logic similar to trial selection tools)
• Used public authority data profiling

Holding:

• GDPR Art. 6(1)(e) allowed processing only with strict statutory basis
• Sensitive profiling requires clear national legal authority

Principle:

✔ AI profiling of individuals is lawful only if:

• purpose is clearly defined by law
• safeguards against misuse exist

➡ Directly relevant to clinical trial recruitment AI models.

CASE 2: Datatilsynet – Københavns Kommune AI rehabilitation model (2023)

• AI predicted patients needing rehabilitation services
• Used health data + predictive modeling

Holding:

• Development allowed under GDPR Art. 6(1)(e), 9(2)(g)
• BUT operational use required strong legal clarity due to intrusiveness

Principle:

✔ Predictive AI in healthcare = “highly intrusive processing”
✔ Requires strict necessity + proportionality test

CASE 3: ECtHR – Z v. Finland (1997)

• Case involved disclosure of medical records in judicial context

Holding:

• Medical data enjoys strong Article 8 protection (privacy)
• Interference must be strictly justified

Principle:

✔ Health data processing requires exceptionally strong justification

➡ Directly relevant to AI trial screening using medical records.

CASE 4: ECtHR – I v. Finland (2008)

• Hospital failed to protect HIV patient records

Holding:

• Violation of Article 8
• Weak safeguards for sensitive medical data

Principle:

✔ Hospitals have positive obligation to protect health data
✔ Applies to AI systems handling clinical trial data

CASE 5: ECJ – Breyer v. Germany (C-582/14)

• Concerned identification of users via indirect data

Holding:

• Data becomes personal if reasonable means of identification exist

Principle:

✔ Even pseudonymised clinical trial datasets remain personal data
✔ AI models trained on such data are fully subject to GDPR

CASE 6: ECJ – Nowak v. Data Protection Commissioner (C-434/16)

• Examined what counts as “personal data”

Holding:

• Any information linked to identifiable evaluation of a person is personal data

Principle:

✔ AI-generated eligibility scores = personal data
✔ Clinical trial scoring systems fall under GDPR fully

CASE 7: ECJ – SCHUFA Holding (C-634/21)

• Credit scoring algorithm case (strong analogy to clinical trial scoring)

Holding:

• Automated scoring = “profiling”
• If used to make decisions → Article 22 GDPR applies

Principle:

✔ Algorithmic scoring systems that influence outcomes are legally regulated automated decision-making

➡ Direct parallel to AI trial participant selection tools

4. Combined Legal Doctrine in Denmark

From Danish + EU case law, the following rules apply:

(1) AI clinical selection = profiling under GDPR

Any AI system that:

• scores patients
• ranks eligibility
• predicts suitability

→ is profiling under GDPR Article 4(4)

(2) Special category data strictness

Health data requires:

• explicit scientific research exemption (Art. 9(2)(j))
• ethics approval in Denmark
• strict pseudonymisation safeguards

(3) Automated exclusion risk (Article 22 GDPR)

If AI:

• automatically excludes patients OR
• strongly determines eligibility

→ may be prohibited unless:

• explicit consent OR
• statutory authorization + safeguards

(4) Joint controllership risk

Under EU case law:

• hospitals + pharma sponsors + AI vendors
  may all be joint controllers

→ shared liability for errors in participant selection

(5) Bias liability risk

If AI model causes:

• systematic exclusion of protected groups

→ potential breach of:

• GDPR fairness principle (Art. 5(1)(a))
• Danish anti-discrimination norms

5. Liability Structure in Denmark (Practical Model)

A. Hospital (Data Controller)

Responsible for:

• lawful access to patient data
• ethics approval compliance
• transparency to patients

B. Pharma Sponsor / Research Institution

Responsible for:

• trial design
• algorithm use justification
• compliance with Clinical Trials Regulation

C. AI Vendor

Liable if:

• model is unsafe or biased
• insufficient safeguards
• unlawful training data usage

D. Ethical Committee Liability Layer

Denmark requires:

• approval before trial start
• oversight of AI recruitment tools

6. Key Legal Conclusion

In Denmark, AI-based clinical trial participant selection is legal but heavily constrained:

✔ Allowed under GDPR research exemptions
✔ Allowed with ethics approval
✔ Allowed with strict pseudonymisation

BUT:

✖ Fully automated exclusion decisions are high-risk
✖ Health data AI models face strict proportionality review
✖ Liability is shared across multiple actors
✖ Bias or lack of transparency can invalidate processing