DOI: 10.1126/science.abd2499
How to fix the GDPR's frustration of global biomedical research
Jasper Bovenberg; David Peloquin; Barbara Bierer; Mark Barnes; Bartha Maria Knoppers
2020-10-02
Journal: Science
Year of publication: 2020
Abstract: Since the advent of the European Union (EU) General Data Protection Regulation (GDPR) in 2018, the biomedical research community has struggled to share data with colleagues and consortia outside the EU, as the GDPR limits international transfers of personal data. A July 2020 ruling of the Court of Justice of the European Union (CJEU) reinforced obstacles to sharing, and even data transfer to enable essential research into coronavirus disease 2019 (COVID-19) has been restricted in a recent Guidance of the European Data Protection Board (EDPB). We acknowledge the valid concerns that gave rise to the GDPR, but we are concerned that the GDPR's limitations on data transfers will hamper science globally in general and biomedical science in particular (see the text box) (1)—even though one stated objective of the GDPR is that processing of personal data should serve humankind, and even though the GDPR explicitly acknowledges that the right to the protection of personal data is not absolute and must be considered in relation to its function in society and be balanced against other fundamental rights. We examine whether there is room under the GDPR for EU biomedical researchers to share data from the EU with the rest of the world to facilitate biomedical research. We then propose solutions for consideration by either the EU legislature, the EU Commission, or the EDPB in its planned Guidance on the processing of health data for scientific research. Finally, we urge the EDPB to revisit its recent Guidance on COVID-19 research. Concerns that gave rise to the GDPR include that data subjects be informed of use of their personal data and be afforded appropriate rights with respect to the use of their data, and that data users be required to follow certain standards in processing those data. But balancing these concerns against the concerns over research should be informed by the generally scientific research–friendly approach of the GDPR.
Current interpretations of the GDPR fail to recognize how research uses of personal data differ from other uses, particularly because data used for research purposes are often pseudonymized, used to derive generalizable knowledge that can benefit society, and can be used in this way without identification of, or perceptible harm to, data subjects. Thus, the balance between privacy of the individual and the benefit to society in the research context is different than in other contexts, such as many commercial contexts in which data are used to construct a profile of an individual to permit targeted advertising with demonstrable impact on the individual. The rationale behind the GDPR's limitations on transfers of data outside the EU is simple: When personal data are transferred to non-EU countries, the level of protection ensured in the EU should not be undermined. The limitations aim to ensure that the “GDPR travels with the data.” Several routes for valid transfer of research data have been proposed, which we discuss below. Data may be transferred on the basis of “an adequacy decision.” This means that the European Commission has decided that the third country or international organization in question ensures an “adequate level of protection.” Such a transnational data transfer does not require any specific authorization. However, to date, adequacy decisions are in place for only a limited number of countries worldwide: Andorra, Argentina, Canada (commercial organizations), Israel, Japan, New Zealand, Switzerland, Uruguay, and the self-governing dependencies of the Isle of Man, Guernsey, Jersey, and the Faroe Islands. The adequacy decision that was in place for the United States, the EU-U.S. “Privacy Shield” framework, was available only to for-profit organizations and today can no longer be used, as it has been invalidated by the recent decision of the CJEU (2).
Standard contractual clauses, which bind data transferees to comply with certain data protection standards when they receive and process personal data, are commonly used for cross-border transfer in the commercial context, but they pose particular difficulties for transfers to certain types of data recipients, including governmental agencies such as the U.S. National Institutes of Health or universities outside the EU. Such entities are often barred by their own national laws from agreeing to certain terms required to be included in the standard contractual clauses, including those specifying auditing of data systems by a foreign entity and submission to the jurisdiction of foreign courts (3). Many research entities that are arms of sovereign governments either lack authorization to waive their sovereign immunity or have a long-standing policy not to waive such immunity. Moreover, because the EU data transferors are often private universities or research institutes and transferees are governmental or parastatal entities, the individually negotiated interstate transfer agreements contemplated by the GDPR for transfers between two public bodies are not routinely available as an alternative to the standard contractual clauses (4). Although the CJEU has upheld the validity of at least one set of the standard contractual clauses to permit cross-border data transfer, it has also ruled that a data exporter and the recipient of personal data using the clauses are required to verify, prior to any transfer, whether the level of protection required by EU law is respected in the importing country (2). It also made clear that recipients outside the EU must return any received data or destroy them “in their entirety” when their domestic laws no longer allow them to comply with the EU clauses (2).
The verification must consider, as regards any access by public authorities of the importing country to the personal data transferred, the relevant aspects of the legal system of the importing country (2). Such an assessment on a case-by-case basis (and its monitoring on an ongoing basis) will probably be beyond the capabilities of most, if not all, EU researchers and their institutions. In essence, this requires resource-limited private parties to undertake the adequacy assessment process that would typically be done by the European Commission. Even if researchers would somehow be able to complete such an assessment (and to monitor it on a going-forward basis), the standard contractual clauses present complications for multi-party research collaborations, when the recipient organization needs to share the data with other organizations in their own country or in another “third country” in order to complete the research. Unfortunately, the standard contractual clauses are not clear regarding such “onward transfers” and the mechanisms they offer; unambiguous consent by the data subject to the onward transfer, or adherence to the clauses by the onward transferee(s), are often not viable options. Although the GDPR provides that entities may enter into bespoke clauses that are tailored to the circumstances, such bespoke clauses must be approved by the national competent supervisory authority (5). Yet in many EU jurisdictions, the lack of guidance from the EDPB on the requirements for bespoke clauses means that the competent authorities have not yet established a process for the review of bespoke clauses [e.g., (6)]. For prospective research, such as interventional clinical trials, in which data subjects provide informed consent at the time they enroll in the study, researchers have often relied on the explicit consent of the data subject as the means to legitimize data transfer.
However, under the GDPR, this “transfer consent” is subject to a number of requirements and limitations. The researcher must inform data subjects about the possible risk that their personal data will be transferred to a country for which there is no adequacy decision or appropriate safeguards. Pursuant to Guidance from the EDPB, invoking data subjects' consent as a basis for transfer is limited to occasional and “not repetitive” transfers. Consent therefore is not a viable option for research consortia, data repositories, and legacy collections that store data for the global research community. Also, the general GDPR requirements for a valid consent continue to apply, including that it must be free, informed, specific and explicit, and subject to immediate withdrawal by the data subject at any time (withdrawal of consent should be as easy as giving consent). Upon withdrawal of consent, processing must be stopped, unless there is another legal basis to continue. In addition, since the advent of the GDPR, ethics committees have asked researchers to provide a detailed list of all countries that will receive data collected as part of the study (7). Yet at the outset of a data-intensive research study, it is usually not possible to know all of the countries to which data may be sent, given the large number of collaborating parties and service providers involved in multinational collaborative studies. Moreover, with respect to data gathered in an interventional clinical trial of a medicinal product, EDPB Guidance disfavors the use of consent as a legal basis and condition for the use of the data for research processing, as it does not believe that such consent can be freely given, and this logic might also be extended to consent asked for transfer of data out of the EU.
Recently, in at least one long-standing research collaboration involving the NIH, an EU research institute agreed to permit the transfer of genetic data from Finland to the United States on the basis that the transfer is necessary “for important reasons of public interest” (8). This recognized GDPR derogation to the prohibition on cross-border transfer of personal data requires that the “public interest … shall be recognized in Union law or in the law of the Member State to which the controller is subject” (9). Some examples of when this public interest provision may be relied upon include international data exchange between competition authorities, tax or customs administrations, financial supervisory authorities, services competent for social security matters, or for public health, such as tracing for contagious diseases and/or elimination of doping in sport (10). The EDPB, however, fails to provide clear guidelines and only complicates matters by stating that “the derogation only applies when it can also be deduced from EU law or the law of the Member State to which the controller is subject, that such data transfers are possible for important public interest purposes including in the spirit of reciprocity for international cooperation” (7). The EDPB claims that this transfer mechanism, as an exception to the requirement of an adequacy decision or appropriate safeguards, although not expressly limited to “occasional” or “not repetitive” transfers, must be interpreted restrictively. In sum, the inability to find a suitable mechanism amid the above legal bases for transfer has stymied research collaborations between the EU and the rest of the world, resulting in the cessation or harmful delays of critical data flows (see the text box) (1).
Sadly, the EDPB Guidelines published on 21 April 2020 regarding data for COVID-19 research (11) lack both any sense of urgency and any consideration of the public good, and fail to take into account other fundamental rights, societal interests, and scientific considerations. They stress that consent must be “specific,” the “derogations and limitations in relation to the protection of data used in research must apply only in so far as is strictly necessary,” and that “the current COVID-19 outbreak does not suspend or restrict the possibility of data subjects to exercise their rights.” The Guidelines go so far as to state that “storage periods” (timelines) must be set for COVID data. This is an inexplicable limitation, and arguably even violates the GDPR's exemption to the storage limitation for data processed for scientific purposes. Pandemic researchers need access to past, present, and future collections of human biospecimens and associated personal data, to anticipate new waves of infections and any new mutations. Guidance on the “compatibility presumption” for research, announced in January 2019, is simply being postponed, leaving the research community in the dark. Luckily, the EDPB does consider COVID research as qualifying as an “important public interest” to allow international transfer of data. However, the EDPB also notes that this derogation may only be justified for “initial transfers,” as a “temporary measure,” and that repetitive transfers as part of a long-lasting research project cannot proceed under this derogation. Thus, even in the important context of COVID-19 research when the ability to transfer personal data across international borders for research purposes is urgently needed, the EDPB minimizes the ability of the research community to rely on derogations that are included in the very text of the GDPR.
The above limitations for transfer of research data outside the EU appear to be at odds with the generally research-friendly intent of the GDPR. During its drafting and negotiation, the European Parliament and the European Council paid extensive attention to research issues, which has resulted in several provisions that may facilitate the processing of personal data for scientific research. Processing data for research is deemed compatible with the initial purpose of data collection, and data may be stored longer if for research purposes. The GDPR explicitly allows data subjects to give general consent rather than specific consent for processing for research purposes. The GDPR also allows for an exception to the notice requirement when providing notice proves impossible or would involve a disproportionate effort—in particular, processing for scientific research purposes. The GDPR further exempts from the right of erasure personal data processed for scientific research purposes if erasure is likely to render impossible or seriously impair the achievement of the objectives of the processing. Furthermore, the GDPR explicitly provides for an exemption to the right to object when personal data are processed for scientific research purposes, and permits member states to enact derogations from various data subject rights in the research context. Notably, all exemptions are subject to appropriate safeguards for the rights and freedoms of the data subject, such as technical and organizational measures, including pseudonymization. The common rationale behind these exceptions and exemptions is the notion that scientific research is a “public interest” and the notion that the GDPR should facilitate processing of personal data in the public interest. Likewise, the conduct of science has been acknowledged by EDPB as a legitimate interest. 
Missing, however, from the GDPR list of research-friendly provisions is an appreciation of the international dimensions of research and, consequently, a corresponding appropriate provision to enable scientific research data transfers across the globe. As the conduct of science is a global affair, research-friendly provisions for the sharing of data for science beyond the borders of Europe should be part and parcel of the GDPR. The GDPR legislature has failed to take this crucial aspect of sharing data with scientific collaborators around the globe into account when drafting the research provisions. We suggest a number of solutions, in the form of GDPR reform per se, dialogue between the Commission and the EDPB and the Commission's global counterparts, or as part of the Guidance planned by the EDPB on the processing of health data for the purpose of scientific research. First, we recommend that the GDPR transfer mechanisms be expanded by adding processing necessary for scientific research as an express public interest, subject to appropriate safeguards, such as pseudonymization (coding), data protection by design and default, and the requirements of notice and choice [e.g., (12)]. This basis for global sharing of research data should also extend to onward transfers. Second, it should be clarified that pseudonymized data should not be considered personal data in the hands of an entity that does not possess the key needed to re-identify such data, as was understood by many researchers and institutions under the law preceding the GDPR (1, 13, 14). Third, as part of its ongoing modernization of the standard contractual clauses, the EU Commission should adopt specific standard contractual clauses for scientific biomedical research. These clauses should reflect the specific context, purposes, and practices of such transfers—for example, review of sharing or access requests by independent Data Access Committees.
Fourth, the EDPB should (i) issue guidance for the approval by the competent supervisory authorities of bespoke clauses for specific research studies and (ii) issue guidance identifying when data processing for scientific research, if carried out outside of the EU by a non-EU entity, would fall under GDPR standards. Finally, with respect to COVID-19 research, we recommend that the EDPB revisit its Guidance on processing of health data for scientific research, to reaffirm the validity of broad consent and to clarify that the exemption for transfers of research data for important reasons of public interest is not restricted to time-limited, occasional, and nonrepetitive transfers with respect to COVID-19 research. We believe that our recommendations can help to redress the unfortunate consequences created by the existing GDPR approach to international transfers of research data and will enable the biomedical research community to share data beyond the EU for scientific research, while ensuring a high level of protection for data subjects.

#### Examples of biomedical research frustrated by the GDPR

##### Inefficient distributed analysis of international data

The International Genomics of Alzheimer's Consortium and the U.S.-based Alzheimer's Disease Sequencing Project based at the University of Pennsylvania have been unable to pool personal data on a single server because EU investigators believe that the GDPR prevents them from sharing the European personal data with U.S.-based researchers. This creates a scientifically compromised, inefficient, and more expensive distributed analysis of international Alzheimer's disease data because investigators must run identical analyses on segregated pools of data in different locations. This distributed analysis model both slows research and limits the scope of research projects in which they can engage.
##### Protections in place, but struggling to identify a transfer mechanism

European research centers used to send de-identified human genetic data to the Imputation Server hosted by the University of Michigan. The server has been certified by an outside auditor for conformance with recognized information technology security and privacy standards [National Institute of Standards and Technology (NIST)]. Measures are in place to secure physical security of the location, space, and equipment and for identification and authentication (logging in). Users upload their private data, which is not accessed by server administrators. Once imputation is complete, the results are encrypted and uploaded files are deleted. Server administrators do not have access to users' private encryption passwords. Measures are also in place for encryption of data during storage and transmission. Server administrators cannot access completed imputation data. Despite the measures and protections in place, EU centers are now unable to send their data for imputation to the Michigan Imputation Server, as they struggle to identify a viable transfer mechanism under the GDPR.

#### References

1. R. Eiss, Nature 584, 498 (2020).
2. CJEU Case C-311/18, 16 July 2020 (“Schrems II”), specifically paragraphs 104–105, 135–143, and 203.
3. European Commission, Standard Contractual Clauses.
4. GDPR, Articles 46(2)(a), 46(3)(b); see also EDPB, Guidelines 2/2020 on Articles 46(2)(a) and 46(3)(b) of Regulation 2016/679 for Transfers of Personal Data Between EEA and non-EEA Public Authorities and Bodies, version 1 (18 January 2020).
5. GDPR, Article 46(3).
6. United Kingdom, Information Commissioner's Office, Guide to the GDPR: International Transfers.
7. GDPR, Recital 42; EDPB, Guidelines 2/2018 on Derogations of Article 49 of Regulation 2016/679 (adopted 25 May 2018).
8. GDPR, Article 49(1)(d).
9. GDPR, Article 49(4).
10. GDPR, Recital 112.
11. EDPB, Guidelines 03/2020 on the Processing of Data Concerning Health for the Purpose of Scientific Research in the Context of the COVID-19 Outbreak (21 April 2020).
12. PHG Foundation of the University of Cambridge, The GDPR and Genomic Data: The Impact of the GDPR and DPA 2018 on Genomic Healthcare and Research (May 2020); http://www.phgfoundation.org/documents/gdpr-and-genomic-data-report.pdf.
13. United Kingdom, Information Commissioner's Office, Anonymisation: Managing Data Protection Risk: Code of Practice (November 2012).
14. CJEU Case C-582/14 of 19 October 2016 (“Breyer”).

ACKNOWLEDGMENTS: J.B., D.P., and M.B. provide legal counsel to the biomedical research community, inter alia on issues of data protection and data transfers. B.M.K. received funding from Genome Canada/Genome Quebec and under EU-CIHR grant agreements No. 825903 euCanSHare and No. 160202 EUCANCan.
Subject area: Climate change; Resources and environment
Citation statistics: cited 31 times [WOS]
Document type: Journal article
Record identifier: http://119.78.100.173/C666/handle/2XK7JSWQ/298047
Recommended citation:
GB/T 7714: Jasper Bovenberg, David Peloquin, Barbara Bierer, et al. How to fix the GDPR's frustration of global biomedical research[J]. Science, 2020.
APA: Jasper Bovenberg, David Peloquin, Barbara Bierer, Mark Barnes, & Bartha Maria Knoppers. (2020). How to fix the GDPR's frustration of global biomedical research. Science.
MLA: Jasper Bovenberg, et al. "How to fix the GDPR's frustration of global biomedical research". Science (2020).