By Carol Cruzan Morton and Hakon Heimer
19 October 2021. International collaborations are essential for health research, but legal obstacles continue to block effective and protected data sharing, with potentially damaging effects on people who could benefit from the discoveries.
These obstacles need to be removed, says Heidi Beate Bentzen, a researcher in law and medical ethics at the University of Oslo, Norway. Bentzen also helps lead the legal working group of the Nordic Society of Human Genetics and Precision Medicine (NSHG-PM).
In a recent paper in Nature Medicine, Bentzen and her UK, US, Norwegian, and German co-authors explain why it is so difficult to transfer privacy-protected personal data outside the European Economic Area (EEA), as well as the serious implications for medical research, citizens, and patients.
For example, there are about 5,000 collaborative projects between the US National Institutes of Health (NIH) and EEA countries. At least 40 clinical and observational studies on risk factors and exposures for cancer have been suspended or delayed because of the current legal challenges.
We asked Bentzen for an update of efforts to overcome legal obstacles to global data sharing and privacy protection.
NSHG-PM: What's new in this article? Have you tried to frame the problems or solutions in a new way?
Bentzen: There has been significant activity in this field the previous year: New guidance from the European Data Protection Board (EDPB), comprising all the data protection authorities in the European Economic Area, EEA); new Standard Contractual Clauses (SCCs) from the European Commission; high-level political discussions (e.g., during President Biden's visit to the EU in June 2021); and establishment of an EU-US Trade and Technology Council.
However, so far, and despite all these efforts, a solution to the data transfer challenge has not been found. Our paper builds on the April 2021 report by three European academy networks: ALLEA, EASAC, and FEAM. It also builds on the NSHG-PM public consultation comments to the EDPB, in which scientists and lawyers in the six Nordic countries collaborated to develop recommendations for suitable legal, technical, and organizational measures suitable for medical research that can supplement a General Data Protection Regulation (GDPR) transfer mechanism and ensure a high level of data protection.
In our Nature Medicine paper, we included an up-to-date overview of all the EU GDPR data transfer mechanisms and available guidance for each. It clearly shows there is currently no appropriate safeguard available that can function as a data transfer mechanism for data transfers to, for instance, US federal institutions, such as the US National Institutes of Health. This is because enforceable data subject rights and effective legal remedies for non-US data subjects are unavailable.
NSHG-PM: Are there any examples of solutions that you would call low-hanging fruit? Would they form a foundation for more change?
Bentzen: The EU GDPR provides a high standard of protection of personal data. It builds on the Council of Europe Convention 108, which is legally binding in 55 countries worldwide, so many countries share the same data protection foundation.
Several countries have also been inspired by the GDPR to raise their data protection standards, for instance, Brazil's General Data Protection Law (LGPD), and also a US state – the California Consumer Privacy Act (CCPA). We are seeing a move toward raised data protection standards around the world, and the more harmonization we see in this field, the easier it will be to transfer data globally. In the US, it would be preferable with a federal law rather than the prospect of each state making its own law, which may lead to up to 50 different US data protection laws.
Statutory conflicts between EU fundamental rights and US federal law create the main challenge to EEA data transfer to US federal institutions. Meaningful progress in easing data transfers requires US legal reform.
We have suggested a sovereign immunity waiver, which would give non-US research participants enforceable data subject rights and effective legal remedies when data about them are processed by US federal institutions, such as the NIH or the Food and Drug Administration (FDA). Such a waiver already exists for US citizens and US permanent residents, and should be feasible to expand.
There are also actions that ought to be taken on the EU side, however, and these do not require legislative changes. For instance, it would be helpful if the European Commission developed standard contractual clauses specifically for scientific research data transfers.
NSHG-PM: Does the main issue with international data sharing now rest on US legal reform? Can you point to any activity – whether editorials, commissions, or actual legislation – that is moving in this direction?
Bentzen: The EU and the US are collaborating to find a replacement for the now invalidated Privacy Shield, under which US companies used to be able to self-certify to provide adequate data protection, making it unproblematic to transfer data from the EU to those US companies.
The large US cloud providers were amongst the companies that were Privacy Shield certified. Following the Court of Justice of the European Union Schrems II judgment, in most cases it is now not possible to transfer data to US cloud providers, upon which data-intensive research projects often rely. A Privacy Shield replacement will require finding a solution that does not violate EU fundamental rights. The European Commission will want to ensure that the new framework will not be invalidated in court; no one wants a Schrems III case.
What about the situation with the United Kingdom [UK] – another significant partner?
Bentzen: The situation with the UK is very worrisome at the moment. The UK government has signaled a wish to diverge from EU data protection legislation to make itself more competitive in artificial intelligence and life sciences. I believe what the UK government fails to take into account is that these fields require data beyond what the UK itself has available, so to be successful in these fields, they must collaborate internationally.
The UK should therefore take great care not to lose their current adequacy decision from the European Commission. That is a decision that is up for renewal in four years, and it can also be withdrawn earlier if the UK changes its data protection legislation. Should the UK no longer be considered by the European Commission to offer an adequate level of data protection, it may become as difficult to transfer personal data from the EEA to the UK as it currently is to the US.
Remove obstacles to sharing health data with researchers outside of the European Union.
Bentzen HB, Castro R, Fears R, Griffin G, Ter Meulen V, Ursin G.
Nat Med. 2021 Aug;27(8):1329-1333.