Like most of you, my personal email last summer was filled with fun invitations, the latest news….and tens to hundreds of emails from companies highlighting new privacy policies, notices, and updates. Behind the immense number of notifications that “we’ve updated our privacy policy” was a new regulation and one of the defining science policy issues of the last decade: the tension between participant privacy and open data sharing.
When it comes to data sharing and biomedical research, most of us have a horse in both races. We want to know and have some control over how our personal data is accessed and shared, and we understand that open science—where researchers share data as freely as possible with other researchers—can skyrocket our ability to find better treatments and cures for patients, which helps us all. Balancing and respecting these different values is complicated. NIH has spent a lot of time and resources staying attuned to participant interests in privacy and autonomy while charting a path that allows for responsible open science and data sharing.
The European General Data Protection Regulation (GDPR), which took effect in May last year, is the latest regulation on the privacy and data policy block. As Europe’s answer to navigating today’s data-filled, breach-prone and not-always-regulated online and business world, GDPR mandates a high level of personal data protection and autonomy for people in the European Economic Area (EEA). GDPR defines personal data broadly—from name and email address to special categories such as health and genetic data—and provides people in the EEA with control over when and how their personal data is collected, retained, passed along, and used. So, given that GDPR was written to protect people in the EEA from data and privacy breaches, and not intended to target biomedical research—where significant protections for individual privacy and the concept of explicit consent already exist—why has the onset of GDPR created barriers for critical research collaborations between NIH grantees and their European research partners?
Not surprisingly, the answer has to do with both GDPR itself and with individual reactions to GDPR. GDPR is not directed at biomedical research, but it does regulate the use, processing, and transfer of personal data collected in the EEA for clinical and observational research. There are legal pathways under GDPR for data collected in the EEA to be transferred to, used, and processed in other countries. Unfortunately, translating the legalese of these pathways into practice has been confusing, and the costs of non-compliance are high—most recently €50 million for Google in France. As a result, risk-averse interpretations of GDPR have dominated collaboration discussions between EEA and U.S. research partners and led to delays in EEA-U.S. collaboration. In the absence of an official recognition that U.S. laws ensure an adequate level of protection (an “adequacy decision”), and with the NIH unable to use the standard, GDPR-approved data protection clauses (they conflict with U.S. law governing federal agencies), the NIH is exploring GDPR’s other legal options for data sharing. These include relying on explicit consent from participants, defining the data transfer as being in the “public interest,” and adhering to an approved, sector-specific code of conduct (to date unwritten). A code of conduct is particularly compelling, as it should serve as an implementation manual, providing clear, concise guidance to EEA and non-EEA researchers and research institutions on how to ensure GDPR protections for personal data when collaborating.
Given the current uncertainty, and the likelihood that any “solutions” to GDPR for biomedical research will take time, what does all this mean for NIH-funded researchers now? Fundamentally, it means that it is never too early to begin the time-consuming but necessary data privacy and data sharing discussion with potential collaborators in the EEA. While such discussions are leading to glimmers of light at the end of tunnels for currently halted collaborations, it sure would be preferable to resolve issues before research is scheduled to begin. We are interested in hearing from you about any GDPR-related problems or resolved issues and will certainly keep you updated on our experiences. In the midst of all this work, I am reminded that GDPR presents us with great opportunities as well as challenges. If we can harmonize consent and data sharing between U.S. and EEA researchers, we will be able to pool analysis of genomic and other health data and tissue samples, powering new and innovative trials and advancing the science of the future.