By Hakon Heimer
15 October 2020
In the wake of the recent decision by the Court of Justice of the European Union striking down the Privacy Shield framework (see NSHG-PM news), Nordic biomedical researchers have been anxious to learn the fate of their collaborations with groups in countries that are not governed by the General Data Protection Regulation (GDPR).
The ruling can have significant implications for any project in which personal health or genetic data are or would be transferred to the United States or where researchers in the United States are given remote access to databases in the European Union, Iceland, Liechtenstein, and Norway (the European Economic Area, EEA).
The legal working group of the Nordic Society of Human Genetics and Precision Medicine (NSHG-PM) has taken this issue on, and will publish recommendations that they hope will be considered by the European Data Protection Board (EDPB).
The EDPB has written that they will provide guidance on the topic, and have already posted an FAQ on the judgment.
“We think it is important that the EDPB hear from scientists whose research requires large-scale international data processing,” said Heidi B. Bentzen, a lawyer and researcher at the University of Oslo in Norway, and one of the leaders of the NSHG-PM working group.
One concern, according to Bentzen, is that the eventual EDPB guidelines are too high level and do not discuss specific measures that both protect research participants and allow for secure data transfers. It is then possible that national data protection authorities and local data controllers, out of a lack of harmonized understanding, could severely curtail Nordic participation in and contributions to international health research.
A memo with the initial NSHG-PM draft suggestions was sent to the Data Protection Authorities of Denmark, Estonia, Finland, Iceland, Norway, and Sweden on 4 October 2020, and the legal working group is currently preparing a final version that will be submitted for publication.
Drawing on the extensive experience of Nordic researchers in securing and sharing data, the NSHG-PM working group has proposed a list of supplementary measures that should always be in place for transferring personal data for scientific research to collaborators outside the EEA, and other measures that may be appropriate within specific study designs.
These fall into the categories of technical measures (e.g., to mask identities and encrypt data), organizational measures (e.g., controlling access), and legal measures in the form of specific contractual clauses.
The group suggests that these measures, already commonly used in Nordic research, will provide the required “essential equivalence” to EU standards of protection.
The suggestions will have to be relevant beyond European-United States collaborations. Although the Schrems II ruling specifically addresses the EU-US use of standard contractual clauses, the supplementary measures will be necessary for all non-EEA country collaborations. For example, scientists collaborating with colleagues or using services in Asian and African countries will also need to have sufficient supplementary measures in place to protect personal data.
It should also be noted that scientific research data are dwarfed by the large quantities of data in commercial activity, and the EDPB will have to issue guidelines that cover all arenas. However, NSHG-PM recommendations may be suitable not only for scientific research, but more generally to protect any data transfers to non-EEA countries.