The proposed European Data Protection Regulation will rightly preserve people’s privacy — but, without exceptions for scientific research, it could hinder or prevent medical discoveries.
Some commercial efforts to mine and exploit data come across as creepy. The US retailer Target got so good at identifying expectant parents that it started to post them coupons for deals on baby clothes. Many people dislike Google’s practice of targeting advertisements based on analysis of private e-mails and web searches.
The European Parliament is discussing data-privacy legislation that would limit such efforts by curtailing customer profiling and providing a ‘right to be forgotten’. But in its well-intentioned zeal, the European Union (EU) law could slow and even prevent the discovery of life-saving medical interventions.
The EU’s draft Data Protection Regulation is a much-needed update to the Data Protection Directive, a law passed in 1995 — when ‘Amazon’ was best known as the name of a river. The first draft of the rewrite contained exemptions for personal data used by scientists, as long as identifiable data were used only when necessary and with measures to protect privacy and limit access. Such protections are already common in research using patient data, and are an important component of biobanks, genetic databases and other scientific resources established for the common good.
The latest news from Brussels has European scientists and funders understandably on edge. The European Parliament’s Committee for Civil Liberties, Justice and Home Affairs (LIBE) has provisionally removed many of the exemptions for research, essentially treating scientific institutions in the same way as e-mail spammers.
Under the proposed amendments, a person’s identifiable health data could be used only with “specific, informed and explicit consent”. It sounds reasonable that people should be asked before researchers use their information. But the wording of the amendment is vastly out of step with how people consent to research and how science is done.
Increasingly, volunteers make their DNA, tissue samples and health information available under ‘broad consent’. That means that researchers do not need to get permission for every single use of a patient’s records — for instance, to validate a newly discovered genetic biomarker for cancer risk. Biobanks typically obtain broad consent from donors, and the proposed amendments could make it nearly impossible for them to operate.
The wording of the amendment is vastly out of step with how people consent to research.
It is not always possible to get a person’s permission to use their personal data for important health research. High numbers of participants can make such an exercise impractical: for example, a 2005 study linking preterm birth with high blood pressure later in life used medical data from more than 300,000 Swedish men involved in a cohort study (S. Johansson et al. Circulation 112, 3430–3436; 2005). Such unconsented research is done under the strictest ethical safeguards, yet the draft law would create an even higher hurdle — and much research would founder as a result.
Most under threat is the next generation of biomedical research, in which scientists hope to make discoveries by mining medical records from health systems such as the UK National Health Service. Last month, the UK Medical Research Council opened four health-informatics centres to lay the groundwork for such efforts.
The new law will offer some opportunities to researchers. It will be the same across all states in the EU, offering the potential to ease international collaborations by streamlining complex data-protection rules. And the requirement that data holders provide a means for people to access and withdraw their personal data offers researchers a chance to engage study participants through online portals. In addition to allowing individuals to drop out with the click of a button, these portals could keep participants abreast of research findings and allow both participants and researchers to request new information. Earlier this year, the Netherlands Twin Register created the MyBiobank mobile app, which has been well received by participants.
The Data Protection Regulation is still taking shape, and the European Parliament will consider more than 3,000 amendments when the LIBE committee convenes. Whatever law the parliament passes must be reconciled with a version taking shape in the Council of the European Union, which is made up of national ministers. There is ample time for the legislation to evolve to be more friendly to research, before it is finalized in 2014. Nature’s readers will be affected by this law and they still have the chance to influence how it is written. The UK biomedical charity the Wellcome Trust is encouraging scientists in Europe to draw the attention of their local Member of the European Parliament to its statement of concerns (go.nature.com/meb4pm). Join them, and do a little targeted advertising of your own.
Related links in Nature Research
Related external links
About this article
Cite this article
Privacy in the digital age. Nature 497, 287 (2013). https://doi.org/10.1038/497287a