Browse the corpus

Walk the Even Hospital Database by book and chapter — the raw source passages that ground Ask, DDx, and the rest.


abstractpubmed· Abstract· item 34345050

Remove obstacles to sharing health data with researchers outside of the European Union. COVID-19 has shown that international collaborations and global data sharing are essential for health research, but legal obstacles are preventing data sharing for non–pandemic-related research among public researchers across the world, with potentially damaging effects for citizens and patients.

fulltextpubmed· A balancing act· item 34345050

From identifying complex pathways to understanding and preventing diseases, to comparing determinants of disease outcomes across populations and improving health care, data sharing is essential for health research and for citizens and patients. At the same time, appropriate protection of personal health data, as envisaged by the GDPR1, is key to fulfilment of the fundamental right to protection of personal data as enshrined in the EU Charter of Fundamental Rights4, and is essential for fostering trust among citizens and patients. Although both aims—protection and sharing of data—should be addressed, it has become apparent that there are statutory conflicts between EU fundamental rights and data-protection legislation on the one hand, and the legislation of other countries on the other hand, that create considerable obstacles to the transfer of data outside the EEA. Counterintuitively, these problems are greater when data are shared with researchers at public institutions outside of Europe, despite the paramount importance of public institutions in advancing research in the interest of patients and the public at large.

fulltextpubmed· A balancing act· item 34345050

Scientific academies in Europe (the European Academies Science Advisory Council, the Federation of European Academies of Medicine, and the European Federation of Academies of Sciences and Humanities)3 have joined forces to call attention to the challenges that affect not only European scientists but collaborators worldwide. Science is and should be a truly global endeavor that requires that reliable data be made available to researchers across geographical borders5. The protection of research participants’ personal data is a potential concern with data transfer, but the joint report3 found strong support from patients for using data for scientific research6, including through a roundtable with stakeholders.

fulltextpubmed· A balancing act· item 34345050

Issues about data sharing outside the EEA have been raised in the past7, but these have become even more urgent due to recent developments, such as the Court of Justice of the European Union’s 2020 Schrems II judgment8 and subsequent guidance from the European Data Protection Board (EDPB). The Schrems II judgment8 invalidated the EU–US Privacy Shield because US surveillance legislation, given priority over Privacy Shield, was found to be in violation of the EU Charter of Fundamental Rights4. The court decided that the European Commission’s standard contractual clauses (SCCs) are still valid as a transfer mechanism, but these must be accompanied by thorough legal assessments and supplementary measures, which complicates transfers. There is a growing need for collaborative research to address the long-term health effects of the COVID-19 pandemic, as well as research on cancer and other diseases, many of which have poor prognoses and require more health data (Fig. 1). New research and innovation opportunities can come from big data and artificial intelligence, but they require suitable mechanisms for sharing research data across borders9.

Fig. 1: Involvement of academies in the international sharing of health data for research. A timeline of European data-protection legislation and the involvement of European academies.

fulltextpubmed· Sharing is fundamental· item 34345050

International data transfers—which comprise both transfer of data and provision of remote access to data10—are necessary for studying and comparing genetic and epidemiological risk factors for the optimization of prevention or treatment. Pooled analyses of data from many countries are particularly needed for sufficient statistical power to be obtained in studies of rare diseases or rare subgroups of common diseases. Additionally, sharing of samples and data from European citizens is essential for ensuring that findings from international studies apply to European populations, with their genetic composition and specific lifestyle factors. Increasingly, international researchers are provided temporary remote access to trusted research environments so data can be securely accessed without leaving the host country. GDPR requirements still apply, as remote access is also considered international data transfer10. Furthermore, if European data can only be accessed remotely, while the rest of the international data can be combined in one pooled analysis, this is cumbersome for researchers and could result in European studies’ being dropped.

fulltextpubmed· Sharing is fundamental· item 34345050

Privacy-enhancing technologies such as homomorphic encryption, differential privacy, federated analyses and use of synthetic data offer new ways for protecting the privacy of individuals11. These technologies can be helpful, but they have limitations, such as the extent to which they can be applied to real-world challenges, the noise level, or how well they protect privacy when the number of data points from each country or study is small. Combining multiple technologies may be key to reducing risk12. Moreover, the use of privacy-enhancing technologies did not circumvent the need to transfer data in some studies.

fulltextpubmed· Legal obstacles· item 34345050

An operational mechanism for sharing pseudonymized health data with public-sector institutions is currently lacking for many countries outside of the EEA7. This is the case for several research-intensive countries and key partners for European researchers, as the European Commission has so far recognized only a few countries as providing ‘adequate’ protection of personal data13. After Brexit, the transfer of health data for research collaborations with the UK has also been at risk. An ‘adequacy decision’ for transfers of personal data from the EU to the UK has been issued by the European Commission and has recently been approved by EU Member States’ representatives14, but it includes a ‘sunset clause’ that limits its duration to four years, at which time the adoption process needs to start again if the commission decides to renew the adequacy finding.

fulltextpubmed· Legal obstacles· item 34345050

There are about 5,000 collaborative projects between the US National Institutes of Health (NIH) and EEA countries15. At least 40 clinical and observational studies on risk factors and exposures for cancer have been suspended or delayed because of the current legal challenges16. Multiple research projects within the National Cancer Institute Cohort Consortium, where cohort studies from all over the world participate, have also been suspended or delayed, as the European participating studies cannot proceed with data transfers7. Statens Serum Institut in Denmark halted transfers of personal data to the NIH as part of a long-standing collaboration on diabetes due to the lack of an operational data-transfer mechanism3,17. The World Health Organization’s International Agency for Research on Cancer has been negatively affected, as it cannot receive research data from collaborating European studies2,18.

fulltextpubmed· Legal obstacles· item 34345050

Without an adequacy decision, the GDPR requires appropriate safeguards (Article 46) or, when such safeguards are unavailable, resorts to derogations for specific situations (Article 49). The use of derogations is considered an exceptional measure, as it places increased risk on the research participants, and the EDPB has reiterated that whereas initial transfers using Article 49 derogations were justified for initial COVID-19 research activities, other repetitive transfers and long-lasting research related to the ongoing pandemic still need to rely on appropriate safeguards under Article 46 (refs. 19,20) (Table 2).

Table 2: GDPR data-transfer mechanisms

International transfers: options under the GDPR. Data-transfer mechanism, with limitations listed beneath:

(1) Best option: adequacy

Adequacy: the European Commission has decided that an adequate level of protection is ensured (Article 45, GDPR)
• This is available only for Andorra, Argentina, Canada (only commercial organizations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, the UK and Uruguay. The European Commission has also launched the procedure to adopt adequacy decisions for South Korea.
• No adequacy decisions are in place for the United States (or other countries not mentioned above).
• The EU–US Privacy Shield Framework (applying to self-certified US businesses) has been invalidated by the Court of Justice of the EU.

(2) Second-best option: appropriate safeguards

Appropriate safeguard: bespoke contract between public bodies (Article 46(2)(a), GDPR)
• EDPB guidelines exist but introduce statutory conflicts with US federal law.

Appropriate safeguard: authorized administrative arrangement between public bodies (Article 46(3)(b), GDPR)
• EDPB guidelines exist but introduce statutory conflicts with US federal law.
• There is a lengthy authorization process.

Appropriate safeguard: SCCs adopted by the European Commission (Article 46(2)(c), GDPR)
• SCCs are operational and valid but include clauses in statutory conflict with US federal law.
• Statutory conflicts remain in the newly revised SCCs and scientific research exceptions that mirror the GDPR are not included.

Appropriate safeguard: SCCs adopted by a supervisory authority and approved by the European Commission (Article 46(2)(d), GDPR)
Appropriate safeguard: approved code of conduct (Article 46(2)(e), GDPR)
Appropriate safeguard: approved certification (Article 46(2)(f), GDPR)
Appropriate safeguard: authorized bespoke contract in which one or both parties are not a public body (Article 46(3)(a), GDPR)
• There is a lack of EDPB guidelines (these are included in the 2021/2022 EDPB work program).
• There is a lengthy approval process.

Supplementary measures

Supplementary measures to be used in addition to the appropriate safeguard if necessary to achieve an adequate level of data protection (CJEU Schrems II judgment and EDPB recommendations 01/2020 and 02/2020)
• These require an assessment of the law in the country to which the data is transferred.
• Supplementary measures are to be added if the law in the country to which the data is transferred impinges on the effectiveness of the appropriate safeguard.
• EDPB recommendations exist, and although they are non-exhaustive, they do not offer feasible options for scientific health research.

(3) Last resort: derogations for specific situations

Derogation: explicit consent following information about the possible risks of the transfer (Article 49(1)(a), GDPR)
• This can be used only exceptionally; e.g., for initial transfer of pandemic data.
• This cannot be used for repetitive transfers that are part of a long-lasting research project, even in a pandemic, per EDPB guidance.
• Consent can be withdrawn any time.
• Blanket consent for non-EEA transfer is not valid.
• Use of this derogation entails increased risk for the research participant.

Derogation: public interest (Article 49(1)(d), GDPR)
• This requires a basis in EU or Member State law.
• This can only be used exceptionally; e.g., for initial transfer of pandemic data.
• This cannot be used for repetitive transfers that are part of a long-lasting research project, even in a pandemic, per EDPB guidance.
• Use of this derogation entails increased risk for the research participant.

Derogation: vital interests (Article 49(1)(f), GDPR)
• This is to be used in situations in which transfers are necessary to protect vital interests, and the research participant is physically or legally incapable of providing consent.
• It must be to provide essential healthcare to an individual person, not for general medical research in which the advantages to people’s health are in the future.
• Use of this derogation entails increased data-protection risk for the research participant.

Derogation: where no other data-transfer mechanism can be used (Article 49(1)(2), GDPR)
• This is a very narrow derogation that can be used only if no other transfer mechanism, including other derogations, can be used and a number of additional conditions are met.
• The transfer cannot be repetitive.
• The transfer must involve only a limited number of research participants.
• The transfer must be necessary for the purposes of compelling legitimate interests pursued by the research institution that are not overridden by the interests and freedoms of the research participant.
• The research institution must, on the basis of an assessment of all circumstances of the transfer, provide suitable safeguards for protection of personal data.
• The supervisory authority must be informed of the transfer.
• The research participants must be informed of the transfer and the compelling legitimate interests pursued.
• Use of this derogation entails increased risk for the research participant.

Overview of available GDPR data-transfer mechanisms for sharing personal data from the EEA to a non-EEA country for scientific research purposes, with data transfers from the EEA to the United States as an example. CJEU, Court of Justice of the EU.

fulltextpubmed· Safeguards· item 34345050

The appropriate safeguards envisaged by Article 46 of the GDPR include SCCs, administrative arrangements between public bodies, bespoke contracts, and codes of conduct. These safeguards could potentially provide the best options for workable international transfers with public-sector researchers. However, due to conflicts with US laws, the European Commission’s SCCs are unavailable for key public research partners, such as the NIH21. EDPB guidance for the use of other mechanisms envisaged under Article 46 (e.g., administrative arrangements and bespoke contracts) is also in contradiction of US or other foreign laws22, with the main difficulty in the United States being that federal institutions are protected by sovereign immunity. Furthermore, some of the appropriate safeguard mechanisms require lengthy approval processes or lack guidance from the EDPB.

fulltextpubmed· Safeguards· item 34345050

Supplementary measures may be needed, in addition to the chosen Article 46 mechanism, to achieve an adequate level of data protection8,10, but it should be possible to tailor these measures to enable health research with a wide range of scientific methods23. The EDPB considers pseudonymization a sufficient supplementary measure for data protection, but it describes pseudonymization in a manner that is not possible to achieve for health-research datasets that contain many variables or unique identifiers10,23. A range of complementary supplementary measures, including encryption and other privacy-enhancing technologies and legal and organizational measures, would provide better protection for research participants while being practically feasible for health research23.

fulltextpubmed· Implications for researchers· item 34345050

Previous attempts to solve international transfers of data outside of the EEA, such as the EU–US Privacy Shield Framework, in which entities could certify to provide an adequate level of data protection, focused on the private sector, despite the importance of public-sector research. Privacy Shield has now been invalidated by the Schrems II judgment8. In this decision, the court reiterated that although SCCs are a valid data-transfer mechanism, a complex legal analysis should be undertaken to exclude conflicts between the laws of the recipient country and the requirements of the SCCs. This is the case with US federal law, which, among other legal conflicts, blocks individual judicial redress for non-US citizens and residents24.

fulltextpubmed· The way forward· item 34345050

GDPR has become a privacy standard other countries seek to follow, which gives the EU an important role in the global discussion on privacy and the necessity of data sharing for health research for the benefit of society. This places the EU in a position to exert pressure on other countries to reform their regulations to enable reciprocity in privacy-enhanced data sharing. For this data sharing to happen, the EU must now work with other countries to resolve statutory conflicts, but this will also require cooperation from those countries. The European Parliament has urged the European Commission not to adopt any new adequacy decision in relation to the United States unless meaningful legal reform is first introduced in the United States25. The United States should be encouraged to establish enforceable data subject rights and effective legal remedies for European and other non-US research participants whose data are processed by US researchers. The voice of the health-research community must be heard by decision-makers at the national level, at the EDPB, and within the EU Commission Directorates-General involved, such as in the areas of justice, health and research. Without a quick resolution, European research potential will not be realized, and European citizens will fall behind.