Sharing scientific research across borders

Extensive research is underway worldwide, in pursuit of treatment options for COVID-19. At the same time, legal questions concerning the use and sharing of health data for research purposes continue to arise.

In his essay last week on the value of Internet openness at the time of COVID-19, American Internet pioneer and vice-president of Google, Vint Cerf, observed that:

“Variations of the European Union’s General Data Protection Regulation (GDPR) are propagating around the world with good intent although implementation has shown some unintended consequences, not least of which may be the ability to share health information that would assist in finding a vaccine against SARS-COV-2 [known to many as COVID-19].”

Mr Cerf said no more on the matter in his speech to explain his concerns. However, the European Data Protection Board (EDPB), which is charged with ensuring the consistent application of the General Data Protection Regulation (GDPR), has previously considered the need for institutions to share personal data in light of the pandemic. Indeed, it published guidance late last month to address some recurring concerns.

Its guidelines build on the board’s recognition that, for effective research of the disease, there will “probably be a need for international cooperation that may also imply international transfers of health data”. One example is the need to share patient information relating to drug efficacy between institutions, including those inside and outside of EEA countries.

As the EDPB’s guidelines note, when an EEA institution wants to transfer personal data outside the EEA, the data exporter must comply with GDPR Chapter V on data transfers.

For personal data transfers outside of the EEA to be lawful, they must generally be based on:

  • an adequacy decision of the European Commission made pursuant to GDPR Article 45, wherein the Commission has determined that there is an adequate level of protection of personal data within the country or organisation that the data is to be exported to;
  • the data controller or processor providing appropriate safeguards under Article 46 to ensure that enforceable data subject rights and effective legal remedies are available for data subjects; or
  • a derogation under Article 49.

The Chapter V requirements may initially appear onerous, but adequacy decisions already exist for a number of countries, while Article 46 gives data controllers and processors the power to ensure personal data is protected by standard data protection clauses. Moreover, Article 49 includes a derogation on the basis of explicit consent by the data subject and another for “important reasons of public interest”. The latter is subject to Union or Member State law recognising the public interest concerned. However, the EDPB notes that the fight against COVID-19 has been recognised by the EU and most of its Member States as an important public interest.

As such, and as the EDPB sets out in its guidelines, “Not only public authorities, but also private entities playing a role in pursuing such public interest (for example, a university’s research institute cooperating on the development of a vaccine in the context of an international partnership) could, under the current pandemic context, rely upon [this] derogation.” Its guidance continues by noting that, “where transfers are performed by private entities for the purpose of medical research aiming at fighting the COVID-19 pandemic, such transfers of personal data could alternatively take place on the basis of the explicit consent of the data subjects.” However, per Article 49(1)(a), a derogation based on explicit consent requires that the data subject is informed of the possible transfer risks.

While the use and sharing of health data has the potential to yield scientific benefits, the misuse or unregulated sharing of that data could result in significant adverse impacts for the individuals from whom it is obtained. It is for this reason that health data is afforded higher protection under the GDPR. Yet that higher protection does not eliminate the possibility of institutions sharing health information between themselves and across borders. Rather, it forces institutions to consider (and where necessary address) their data collation and data sharing procedures, so as to reduce the possibility of harm to the individuals from whom the data is taken.

Paul Schwartfeger on 18 May 2020