GDPR represents an “urgent threat” to the EU’s research leadership role

Views & Analysis
abstract image Light traces. visualization of hacker attacks on information data server

More than 5,000 collaborative studies were thwarted by GDPR rules in 2019 – but is there a way to protect sensitive data while still allowing international health research to thrive? 

A coalition of European academy networks has called upon European Union (EU) leaders to rethink how General Data Protection Regulation (GDPR) rules are applied to health data.

In a report by the European Federation of Academies of Sciences and Humanities (ALLEA), the European Academies’ Science Advisory Council (EASAC), and the Federation of European Academies of Medicine (FEAM), the bodies said the rules represented an “urgent threat” to research.

Said the authors: “Health research is crucial for all. It benefits individual patients and populations, supports development of healthcare systems, and underpins social cohesion and stability.

“Collecting and combining health data is fundamental for the advancement of medical research, reducing health inequalities, and improving disease diagnosis and treatment.”

Sharing pseudonymised personal health data for public sector research, they went on, is also essential to making most effective use of limited resources.

“It is still unclear if the post-Brexit UK will receive an adequacy decision when it finally exits the GDPR framework in June" 

Leadership at risk

While anonymised data falls outside of the remit of GDPR, pseudonymised data, in which identifiable information fields are replaced by artificial codes or identifiers which can only be unlocked with a secure key, does not.

The authors said there was a “statutory conflict between EU fundamental rights and other countries’ regulation”. It affects both the transfer of data to foreign institutions and the remote access of data from outside the EU/EEA – both of which are essential for international collaborative research.

“When institutions in other countries have statutory conflicts that prevent them from signing the required contracts under the GDPR, there is currently no workable legal mechanism for sharing health data outside the EU/EEA for public sector research,” said the report.

“The EU/EEA has had a great history of collaborative health research and has been a world leader in many of the areas of critical importance for addressing societal priorities.”

This leadership position, they say, is now at risk.

Multiple and complex mechanisms

The mechanisms by which GDPR endangers research are multiple and complex.

Original drafts of the regulation recognised the potential impact on research and attempted to mitigate it. While it included a requirement for specific and explicit consent for the use and storage of personal data, it also provided exemptions for research.

Article 46, for example, allows for the transfer of data when appropriate safeguards are in place. In the case of health research, this can include approval by an ethics committee and the existence of good clinical practice frameworks.

However, there is a lack of clarity for researchers who work within a multiplicity of laws, from GDPR to clinical trials regulation and medical treatment legislation, on the intricacies of this exemption.

Free movement of data from the EEA is also mandated when the EU has deemed the receiving country has adequate protections in place. However, “adequacy decisions” for major research partner countries, including China, South Africa, and, crucially, the USA, are lacking.

The consequences are striking. The report estimates that more than 5,000 projects involving the US National Institutes of Health and EEA countries were affected in 2019 alone.

Examples include the EU/EEA contribution to the US National Cancer Institute Cohort consortium, which collects data on rare disorders, including rare cancers and subtypes of common cancer, coming to a standstill. The Psychiatric Genomics Consortium has also experienced problems in sharing EU–US data for rare subtypes of psychosis, bipolar and eating disorders.

What’s more, it is still unclear if the post-Brexit UK will receive an adequacy decision when it finally exits the GDPR framework in June.

Safeguard Article 46

In its recommendations, the report said finding a way to share data safely and efficiently, and in a way that takes account of privacy concerns, was urgent.

“Sharing pseudonymised personal health data for research makes best use of limited resources and must be encouraged to maximise the individual and societal benefits to be obtained from the contribution of patients and volunteers to research,” it said.

“This is an important contributor to sustaining well-founded public trust and confidence, grounded in a broadly agreed social contract.”

The academies’ preferred solution is making Article 46, which allows for the transfer of data when appropriate safeguards are in place, “workable, adequate, and safe”. They call for the European Data Protection Board to develop operational guidance “as a matter of urgency”.

“Moreover, given the diversity of data transfers governed by the GDPR, it would be very helpful if guidelines were accompanied by tangible examples from the health sector for good practice, including guidelines on how existing transfers and ongoing collaborative research can continue,” said the report.

“For appropriate safeguards, a solution must be identified that is not in conflict with US or other laws outside the EU/EEA and that provides a redress mechanism for EU/EEA countries.”

About the author 

Amanda Barrell

Amanda Barrell is a freelance health and medical education journalist, editor and copywriter. She has worked on projects for pharma, charities and agencies, and has written extensively for patients, healthcare professionals and the general public.