A recent expert report by the European academy networks, ALLEA (the European Federation of Academies of Sciences and Humanities), EASAC (the European Academies’ Science Advisory Council), and FEAM (the Federation of European Academies of Medicine), underscores the importance of international sharing of health data for research, especially between Europe and the United States. However, the report finds that the European data protection framework, the General Data Protection Regulation (GDPR), imposes legal barriers to international data-sharing, thereby impeding current and future health research projects, undermining international collaboration, and putting EU leadership in the field at risk. To overcome this issue, European policymakers should take steps to fosters data-sharing in health research.
Personal health data is a vital resource to health research, and health professionals use data to understand, prevent, and treat diseases. For example, during the COVID-19 pandemic, public and private institutions came together to share data for research purposes concerning the virus. Researchers need large datasets to conduct studies and ensure the accuracy of results, and to create these datasets, researchers need to share health data between countries. For example, the U.S. National Cancer Institute Cohort Consortium pools data and biospecimens from around the world to allow researchers to collaborate on cancer research.
While the GDPR imposes high compliance costs on public and private entities to collect, process, and store personal data, it is supposed to enable the transfer of personal data outside the EU. However, in practice, the GDPR hampers international data-sharing with research-intensive non-EU countries, including Australia, South Africa, and the United States for two reasons.
First, under the GDPR, data controllers in the EU do not have the right to transfer data to a non-EU country unless the European Commission has made a determination that this other country has an adequate level of data protection, and to date, the European Commission has not made an adequacy decision for many countries.
Second, data controllers can sometimes use other legal mechanisms to transfer data. For example, Standard Contractual Clauses (SCCs) establish safeguards approved by the Commission to ensure individuals have enforceable rights and effective legal remedies for the use of their data abroad. However, as the expert report notes, while SCCs could be a solution to international data-sharing, it does not work well with public research institutions such as the United Nations and the U.S. National Institutes of Health (NIH) because SCCs are inflexible and not compatible with other nations’ laws. The European Commission recently proposed updates to the SCCs but in its initial proposal did not address key issues relating to judicial redress, indemnification, and archiving requirements for certain research records in non-EU countries. Addressing these points would make SCCs more viable.
Failing to address this issue could put at risk important international medical research projects that increasingly require data sharing. For example, these restrictions could hamper progress on the more than 5,000 health research collaborations that occurred between the United States and Europe in 2019. Given that the U.S. health data privacy law—the Health Insurance Portability and Accountability Act (HIPAA)—mirrors many of the same provisions of the GDPR for the healthcare sector, restricting EU health data flows to the United States achieves little at great cost.
Ideally, EU policymakers would redesign the GDPR to foster health data-sharing. However, given strong opposition among EU policymakers to revise the GDPR, despite calls to address its known problems, the main short-term opportunities are to work within the existing GDPR framework. To that end, policymakers should take five steps.
First, EU policymakers should recognize more non-EU countries as having adequate data protection principles, and establish new bilateral agreements to foster data sharing, to replace the recently invalidated EU-US Privacy Shield. Indeed, MEPs have recently urged the European Commission to define a workable data-sharing agreement with the United States.
Second, in its recent update of SCCs, the Commission did not modify the provisions that have created conflict with international research partners, such as around the issue of redress and indemnification. The European Commission should update the SCCs to address these points.
Third, the EDPB should work with the health research community to clarify when the transfer of personal health data is permissible under the GDPR as an “important public interest.”
Fourth, EU policymakers should work with international counterparts in the context of international fora, such as G20, to establish common principles on the free flow of health data for research purposes, building off of the proposed “data free flow with trust.”
Finally, the EU should push back on efforts by other nations to restrict health data sharing. For example, China has pursued strict controls on genomic data, significantly limiting foreign researchers from independently collecting genetic health data in China.
By following these recommendations, European policymakers will facilitate health data exchange, thereby allowing more effective health research.
Image credit: National Cancer Institute