Confusion over GDPR is blocking scientific progress, throwing up barriers with US researchers in particular. More than 5,000 projects were affected in 2019 and the problem is ‘escalating’
Europe’s status as a health research leader “is at risk” because of barriers to sharing data introduced by the bloc’s data protection rules, a joint report by three academy networks says.
“It has become apparent that implementation of the EU’s General Data Protection Regulation has contributed to barriers in sharing health data with researchers outside the EU/EEA [European Economic Area],” the report says.
It estimates that more than 5,000 international health projects were affected by GDPR requirements in 2019 alone.
The joint study comes from three academy networks, the European Federation of Academies of Sciences and Humanities, the European Academies’ Science Advisory Council and the Federation of European Academies of Medicine (FEAM).
GDPR was implemented in May 2018 to protect Europeans from data and privacy breaches, and was not intended to target biomedical research, but in practice the rules have thrown up data-sharing restrictions for foreign institutions.
“The transfer of data is really quite difficult with the US in particular,” said George Griffin, professor of medicine and infectious diseases at St. George's, the University of London, and president of FEAM. GDPR rules have stalled or derailed at least 40 cancer studies funded by the US National Institutes of Health (NIH), the report claims.
The academic networks, which gathered evidence for almost two years, call attention to the value of health research that is in danger of being lost, as they push for clarifications on GDPR to resolve the “escalating problem”.
“There is pressing need to find a simple solution,” the report states, which Griffin says should be a “common sense solution.”
When other countries do not have GDPR equivalent procedures for data protection – which the EU calls adequacy procedures – there is currently no workable mechanism for sharing health data for public sector research.
“Researchers are faced with a lot of complexity and uncertainty here. The big universities can find lawyers – the little ones may not have the resources to navigate all this,” said Rosa Castro, senior scientific policy officer at FEAM.
She said the report calls on Brussels officials to come up with new model contract clauses for NIH researchers that don’t conflict with US law for federal agencies, and updated “operational guidance” for researchers more generally.
Disrupted data streams
Lobbying by the European scientific community ensured that the GDPR incorporated multiple exemptions for research. But the legalese of GDPR-compliant pathways to data sharing has proved devilishly confusing for labs, and with costs for non-compliance extremely high, many have played it safe and delayed projects with would-be collaborators.
Brokering international data sharing arrangements has become a time consuming job for university administrators and lawyers. What’s more, EU member states diverge in how they interpret GDPR requirements — as do individual institutions in the same member state.
For some researchers, GDPR has turned out to be a serious impediment to their studies.
Researchers at University College Dublin, for example, had to split one research study into two separate parts, one within the EU and one outside the EU, to comply with GDPR standards. This allowed the research team to maintain separate data sets without any cross-border transfers, comparing only the meta-analyses of each study.
While the researchers could conduct their study and comply with the law, the modifications “may increase costs, affect statistical analysis and sample size, and increase the possibility of inaccuracy,” the report says.
Meanwhile, researchers involved in the EU-based International Genomics of Alzheimer’s Consortium and the US-based Alzheimer’s Disease Sequencing Project have not been able to pool and process data sets with personal data. “Processing these data sets together would have allowed a more streamlined research process for novel drug targets for Alzheimer’s disease,” the report says.
Statens Serum Institut (SSI) in Copenhagen, meanwhile, has been forced by GDPR requirements to recall its samples from American-led projects. The government research lab provides donor samples to the NIH to identify risk factors for type 2 diabetes. Following the enactment of GDPR, SSI claimed that these samples were no longer legally allowed in the US and asked the NIH to return the data, the report says.
The lab has refused to provide additional data required under the original contract, preventing the research from continuing. The Copenhagen lab, which also houses the Danish National Biobank, has also frozen data streams to the World Health Organisation’s International Agency for Research on Cancer, which is based in France.