International sharing of pseudonymized personal data among researchers is key to the advancement of health research and is an essential prerequisite for studies of rare diseases or subgroups of common diseases to obtain adequate statistical power.

Pseudonymized personal data are data on which identifiers such as names are replaced by codes. Research institutions keep the ‘code key’ that can link an individual person to the data securely and separately from the research data and thereby protect privacy while preserving the usefulness of data for research. Pseudonymized data are still considered personal data under the General Data Protection Regulation (GDPR) 2016/679 of the European Union (EU)1 and, therefore, international transfers of such data need to comply with GDPR requirements. Although the GDPR does not apply to transfers of anonymized data, the threshold for anonymity under the GDPR is very high; hence, rendering data anonymous to the level required for exemption from the GDPR can diminish the usefulness of the data for research and is often not even possible.

The GDPR requires that transfers of personal data to international organizations or countries outside the European Economic Area (EEA)—which comprises the EU Member States plus Iceland, Liechtenstein and Norway—be adequately protected. Over the past two years, it has become apparent that challenges emerge for the sharing of data with public-sector researchers in a majority of countries outside of the EEA, as only a few decisions stating that a country offers an adequate level of data protection have so far been issued by the European Commission. This is a problem, for example, with researchers at federal research institutions in the United States. Transfers to international organizations such as the World Health Organization are similarly affected2. Because these obstacles ultimately affect patients as beneficiaries of research, solutions are urgently needed. The European scientific academies have recently published a report explaining the consequences of stalled data transfers and pushing for responsible solutions3 (Table 1).

Table 1 Key messages from International Sharing of Personal Health Data for Research3

A balancing act

From identifying complex pathways to understanding and preventing diseases, to comparing determinants of disease outcomes across populations and improving health care, data sharing is essential for health research and for citizens and patients. At the same time, appropriate protection of personal health data, as envisaged by the GDPR1, is key to fulfilment of the fundamental right to protection of personal data as enshrined in the EU Charter of Fundamental Rights4, and is essential for fostering trust among citizens and patients.

Although both aims—protection and sharing of data—should be addressed, it has become apparent that there are statutory conflicts between EU fundamental rights and data-protection legislation on the one hand, and the legislation of other countries on the other hand, that create considerable obstacles to the transfer of data outside the EEA. Counterintuitively, these problems are greater when data are shared with researchers at public institutions outside of Europe, despite the paramount importance of public institutions in advancing research in the interest of patients and the public at large.

Scientific academies in Europe (the European Academies Science Advisory Council, the Federation of European Academies of Medicine, and the European Federation of Academies of Sciences and Humanities)3 have joined forces to call attention to the challenges that affect not only European scientists but collaborators worldwide. Science is and should be a truly global endeavor that requires that reliable data be made available to researchers across geographical borders5. The protection of research participants’ personal data is a potential concern with data transfer, but the joint report3 found strong support from patients for using data for scientific research6, including through a roundtable with stakeholders.

Issues about data sharing outside the EEA have been raised in the past7, but these have become even more urgent due to recent developments, such as the Court of Justice of the European Union’s 2020 Schrems II judgment8 and subsequent guidance from the European Data Protection Board (EDPB). The Schrems II judgment8 invalidated the EU–US Privacy Shield because US surveillance legislation, given priority over Privacy Shield, was found to be in violation of the EU Charter of Fundamental Rights4. The court decided that the European Commission’s standard contractual clauses (SCCs) are still valid as a transfer mechanism, but these must be accompanied by thorough legal assessments and supplementary measures, which complicates transfers. There is a growing need for collaborative research to address the long-term health effects of the COVID-19 pandemic, as well as research on cancer and other diseases, many of which have poor prognoses and require more health data (Fig. 1). New research and innovation opportunities can come from big data and artificial intelligence, but they require suitable mechanisms for sharing research data across borders9.

Fig. 1: Involvement of academies in the international sharing of health data for research.

A timeline of European data-protection legislation and the involvement of European academies.

Sharing is fundamental

International data transfers—which comprise both transfer of data and provision of remote access to data10—are necessary for studying and comparing genetic and epidemiological risk factors for the optimization of prevention or treatment. Pooled analyses of data from many countries are particularly needed for sufficient statistical power to be obtained in studies of rare diseases or rare subgroups of common diseases. Additionally, sharing of samples and data from European citizens is essential for ensuring that findings from international studies apply to European populations, with their genetic composition and specific lifestyle factors.

Increasingly, international researchers are provided temporary remote access to trusted research environments so data can be securely accessed without leaving the host country. GDPR requirements still apply, as remote access is also considered international data transfer10. Furthermore, if European data can only be accessed remotely, while the rest of the international data can be combined in one pooled analysis, this is cumbersome for researchers and could result in European studies’ being dropped.

Privacy-enhancing technologies such as homomorphic encryption, differential privacy, federated analyses and use of synthetic data offer new ways for protecting the privacy of individuals11. These technologies can be helpful, but they have limitations, such as the extent to which they can be applied to real-world challenges, the noise level, or how well they protect privacy when the number of data points from each country or study is small. Combining multiple technologies may be key to reducing risk12. Moreover, the use of privacy-enhancing technologies did not circumvent the need to transfer data in some studies.

Legal obstacles

An operational mechanism for sharing pseudonymized health data with public-sector institutions is currently lacking for many countries outside of the EEA7. This is the case for several research-intensive countries and key partners for European researchers, as the European Commission has so far recognized only a few countries as providing ‘adequate’ protection of personal data13. After Brexit, the transfer of health data for research collaborations with the UK has also been at risk. An ‘adequacy decision’ for transfers of personal data from the EU to the UK has been issued by the European Commission and has recently been approved by EU Member States’ representatives14, but it includes a ‘sunset clause’ that limits its duration to four years, at which time the adoption process needs to start again if the commission decides to renew the adequacy finding.

There are about 5,000 collaborative projects between the US National Institutes of Health (NIH) and EEA countries15. At least 40 clinical and observational studies on risk factors and exposures for cancer have been suspended or delayed because of the current legal challenges16. Multiple research projects within the National Cancer Institute Cohort Consortium, where cohort studies from all over the world participate, have also been suspended or delayed, as the European participating studies cannot proceed with data transfers7. Statens Serum Institut in Denmark halted transfers of personal data to the NIH as part of a long-standing collaboration on diabetes due to the lack of an operational data-transfer mechanism3,17. The World Health Organization’s International Agency for Research on Cancer has been negatively affected, as it cannot receive research data from collaborating European studies2,18.

Without an adequacy decision, the GDPR requires appropriate safeguards (Article 46) or, when such safeguards are unavailable, resorts to derogations for specific situations (Article 49). The use of derogations is considered an exceptional measure, as it places increased risk on the research participants, and the EDPB has reiterated that whereas initial transfers using Article 49 derogations were justified for initial COVID-19 research activities, other repetitive transfers and long-lasting research related to the ongoing pandemic still need to rely on appropriate safeguards under Article 46 (refs. 19,20) (Table 2).

Table 2 GDPR data-transfer mechanisms

Safeguards

The appropriate safeguards envisaged by Article 46 of the GDPR include SCCs, administrative arrangements between public bodies, bespoke contracts, and codes of conduct. These safeguards could potentially provide the best options for workable international transfers with public-sector researchers. However, due to conflicts with US laws, the European Commission’s SCCs are unavailable for key public research partners, such as the NIH21. EDPB guidance for the use of other mechanisms envisaged under Article 46 (e.g., administrative arrangements and bespoke contracts) is also in contradiction of US or other foreign laws22, with the main difficulty in the United States being that federal institutions are protected by sovereign immunity. Furthermore, some of the appropriate safeguard mechanisms require lengthy approval processes or lack guidance from the EDPB.

Supplementary measures may be needed, in addition to the chosen Article 46 mechanism, to achieve an adequate level of data protection8,10, but it should be possible to tailor these measures to enable health research with a wide range of scientific methods23. The EDPB considers pseudonymization a sufficient supplementary measure for data protection, but it describes pseudonymization in a manner that is not possible to achieve for health-research datasets that contain many variables or unique identifiers10,23. A range of complementary supplementary measures, including encryption and other privacy-enhancing technologies and legal and organizational measures, would provide better protection for research participants while being practically feasible for health research23.

Implications for researchers

Previous attempts to solve international transfers of data outside of the EEA, such as the EU–US Privacy Shield Framework, in which entities could certify to provide an adequate level of data protection, focused on the private sector, despite the importance of public-sector research. Privacy Shield has now been invalidated by the Schrems II judgment8. In this decision, the court reiterated that although SCCs are a valid data-transfer mechanism, a complex legal analysis should be undertaken to exclude conflicts between the laws of the recipient country and the requirements of the SCCs. This is the case with US federal law, which, among other legal conflicts, blocks individual judicial redress for non-US citizens and residents24.

The way forward

GDPR has become a privacy standard other countries seek to follow, which gives the EU an important role in the global discussion on privacy and the necessity of data sharing for health research for the benefit of society. This places the EU in a position to exert pressure on other countries to reform their regulations to enable reciprocity in privacy-enhanced data sharing. For this data sharing to happen, the EU must now work with other countries to resolve statutory conflicts, but this will also require cooperation from those countries. The European Parliament has urged the European Commission not to adopt any new adequacy decision in relation to the United States unless meaningful legal reform is first introduced in the United States25. The United States should be encouraged to establish enforceable data subject rights and effective legal remedies for European and other non-US research participants whose data are processed by US researchers. The voice of the health-research community must be heard by decision-makers at the national level, at the EDPB, and within the EU Commission Directorates-General involved, such as in the areas of justice, health and research. Without a quick resolution, European research potential will not be realized, and European citizens will fall behind.