DUBLIN – The ongoing legal uncertainty surrounding the transfer of data from European research institutions or companies to international partners shows little sign of resolution, despite the urgency of the COVID-19 pandemic, which has engendered an extraordinary collaborative response from the global scientific community.
A transatlantic group of legal and policy experts has published a commentary in the current issue of Science, in which they urge the European Commission and the European Data Protection Board (EDPB), which oversees and coordinates data protection in Europe, to reform the current General Data Protection Regulation (GDPR) framework to take account of the specific needs of biomedical researchers and to recognize the important public-interest dimensions of biomedical research. The piece, titled “How to fix the GDPR’s frustration of global biomedical research,” was published online Oct. 1.
Back in July, the Court of Justice for the European Union (CJEU) tightened the existing data-sharing regime in a judgment that ostensibly addressed a set of issues arising from a long-running case taken by an Austrian Facebook user – Max Schrems – against Ireland’s Data Protection Commissioner. Schrems had objected to the transfer of his data from Facebook servers located in Ireland to U.S.-based systems.
The court’s wide-ranging decision has ramifications that extend far beyond those concerns. It has led to the abandonment of the EU-U.S. Privacy Shield, which provided a general mechanism to enable commercial companies to comply with data protection provisions in either jurisdiction. Multiple biotech, pharma and life sciences companies had signed up to the scheme, including Merck & Co. Inc., Adaptive Biotechnologies Corp., Allergan plc, Illumina Corp., Incyte Corp. and Sarepta Therapeutics Inc., among many others.
Not-for-profit research institutes were never able to avail of that facility, however, as it extended to commercial entities only. For the purposes of COVID-19 research, scientists and their institutions have been required to follow guidelines issued in April by the EDPB, which, the commentators state, “lack both any sense of urgency and any consideration of the public good, and fail to take into account other fundamental rights, societal interests, and scientific considerations.”
At the heart of the GDPR – which came into force in May 2018 – has been the concept that the protections afforded an individual’s data travel with their data. The EU has recognized a number of jurisdictions whose safeguards it deems to be consistent with those of the GDPR. These countries include Argentina, Canada (for commercial entities only), Israel, Japan, New Zealand, Switzerland, and Uruguay, as well as several other smaller territories. However, some of the terms of the EU’s standard contractual clauses that cover data-sharing are at odds with the national legislation of other countries – particularly, the authors state, those that address the auditing of data systems by a foreign entity and the submission to the jurisdiction of foreign courts.
“The thing is you end up with the EU as an island,” Jasper Bovenberg, corresponding author on the commentary, told BioWorld. Bovenberg is founder and CEO at Legal Pathways Life Sciences Law, a legal practice located in Haarlem, the Netherlands. His clients include life sciences companies, tissue banks and universities involved in international data-sharing.
The present data-sharing regime imposes a heavy administrative burden on individual researchers entering into data-sharing agreements with international partners, as they are required to verify whether the level of data protection in the recipient’s jurisdiction is on a par with that enshrined in EU law. They are also required to monitor the legal situation and to ensure that the data are either returned or destroyed should a change in the data protection laws of the recipient’s country occur. “Such an assessment on a case-by-case basis (and its monitoring on an ongoing basis) will probably be beyond the capabilities of most, if not all, EU researchers and their institutions,” Bovenberg and his co-authors wrote.
Some European institutions may, he said, be currently in breach of their legal obligations, because of the complexity of the present requirements. But many projects have also either been put on hold or have had to adopt cumbersome workarounds. Bovenberg and his co-authors offer two examples. European research centers are no longer able to send genotype data to the Michigan Imputation Server, for genotype imputation, even though data are not accessible to the server administrators. The International Genomics of Alzheimer’s Consortium, a transatlantic effort with European and U.S. participants, and the Alzheimer’s Disease Sequencing Project, based at the University of Pennsylvania, are unable to pool data on a single server as the European researchers feel constrained from sharing data with their U.S. partners. The geographical location of the server may be irrelevant. “GDPR has a very broad, if not overly broad, interpretation of the concept of personal data,” Bovenberg said. “When the algorithm goes to the data, that could also be interpreted as processing personal data.”
The U.S. NIH offered a corroborating view: “Many U.S. public institutions are unable to comply with GDPR-required contractual clauses due to federal and state statutory conflicts – including requirements for indemnification, auditing of data systems by a foreign entity, and submitting to the jurisdiction of foreign courts,” the NIH stated via email. “As an outcome, a significant number of NIH’s joint research enterprises with universities and research institutions in the EEA are experiencing blockages and delays in international data transfers. In our view, this is an unintended consequence of GDPR, since the final regulation was drafted to facilitate research and research collaborations, in a manner that protects the fundamental privacy rights of individuals.”
At the same time, it had some progress to report on a long-running collaborative project with Finland on the genetics of type 2 diabetes, which had been stalled for some time. “We are encouraged that we now have been able successfully to conclude a formal data use agreement under GDPR for a long-standing partnership with the Finnish National Institute of Health and Welfare (THL) to identify susceptibility genes for type 2 diabetes and associated traits. Following many months of negotiation, the general counsel of THL determined that data transfers could resume under GDPR’s derogation to the prohibition on international data transfers for transfers that are necessary for important reasons of public interest.” This agreement could form a template for some other collaborations at least.
The NIH has also been working with the Cancer Registry of Norway and the Norwegian Institute of Public Health to propose changes to the EU standard contractual clauses that would satisfy the institutional requirements on either side of the Atlantic. “We understand that the Norwegian Data Protection Authority now has forwarded our proposed changes to the European Commission for review, and hope this may contribute to a workable solution for our scientific communities,” the NIH stated.
Bovenberg and his co-authors – who include David Peloquin, of the Boston-based law firm Ropes & Gray LLP; Barbara Bierer, of Harvard University and Brigham and Women’s Hospital; Mark Barnes, of Ropes & Gray and Yale Law School, New Haven, Conn.; and Bartha Maria Knoppers, of McGill University, Montreal – propose several reforms that would alleviate the present difficulties. Those build on a general recognition already implicit within the GDPR that processing personal data for the purposes of scientific research is not the same thing as processing personal data for the purposes of building social media user profiles, in order to target individuals with personalized ads. “It’s riddled with exceptions for scientific use,” Bovenberg said.
Their recommendations include expanding GDPR transfer mechanisms “by adding processing necessary for scientific research as an express public interest,” which could include safeguards such as data pseudonymization and other data protection measures; a recognition that pseudonymized data are not considered personal data in the hands of an organization that does not possess the key to unlock them; and the adoption of specific standard contractual clauses for data transfer within scientific biomedical research, which should “reflect the specific context, purposes, and practices of such transfers.” They also call on the EDPB to issue appropriate guidance for competent authorities within and outside of the EU. And they call on the same body to “reaffirm the validity of broad consent and to clarify that the exemption for transfers of research data for important reasons of public interest is not restricted to time-limited, occasional, and nonrepetitive transfers with respect to COVID-19 research.”
There is an additional paradox that underlines the inconsistency of the regulation. The European Union is itself open to a charge of hypocrisy given that the protections afforded to its citizens’ data in third countries do not universally apply within the EU’s member states. “GDPR, within Europe, does not protect you against all sorts of surveillance laws,” Bovenberg said. “The GDPR itself can be subject to national surveillance laws.” Only four of the EU’s 27 member states have provisions in place to allow their citizens to mount a legal challenge to their state’s surveillance laws. But that’s of little comfort to researchers working on any number of urgent biomedical problems, COVID-19 among them.