Health experts are urging EU policymakers and legislators to review the EU’s legal data protection framework, the GDPR, which is hampering the sharing of pseudonymised health data outside the EU and the European Economic Area (EEA).
According to a new report, released on 8 April, the sharing of health data with researchers outside the EU/EEA is sorely needed to enhance international research collaboration in the public sector, thereby maximising health benefits for European citizens.
However, it is currently hindered by a restrictive legal framework, authors warn.
The General Data Protection Regulation (GDPR) provides the legal framework for sharing pseudonymised health data with researchers outside the EU/EEA, including within the public sector.
The report calls for adapting or expanding the existing legal framework to overcome challenges imposed by data protection regulations.
“EU/EEA citizens strongly benefit from international sharing of health data by allowing researchers to make the best use of limited resources and to ensure that research conducted elsewhere is also relevant for patients in Europe,” stressed George Griffin, co-author of the report.
Sharing of data beyond the EU, he added, should be encouraged to maximise the individual and societal benefits to be obtained from the contribution of research participants.
EP missed a chance to call for GDPR revisions
Questioned about the report conclusions, German MEP Axel Voss told EURACTIV that while any alterations must take care not to endanger citizens’ privacy, there is an “urgent need” to carefully clarify and adapt certain provisions in the GDPR that increase access to urgently needed data sets.
“The provisions in the GDPR of data minimisation and purpose limitation as well as on data transfer to third countries make it extremely difficult to share health data,” he added.
“Otherwise we will not only lose our position in the global digital competition but also jeopardise digital solutions for the good of everyone, like for scientific purposes and in the health sector,” he concluded.
Highlighting that the “flaws and practical problems” in the GDPR are relatively simple to address, Voss pointed to the lack of political will as the main issue to overcome.
“Unfortunately, the European Parliament missed its opportunity to call for such limited and specific revisions of the GDPR in its resolution in March,” Voss said.
An EU official told EURACTIV the GDPR offers different tools that can be used by EU research bodies to exchange personal data with partners in third countries, including for scientific research.
The official added that the relevant rules have further been explained by the European Data Protection Board in multiple guidance documents, citing an example from the last year when the Board specifically addressed international cooperation in its guidance on research in the context of the COVID-19 crisis.
These guidelines recognised that, in the context of the current pandemic, the “public interest derogation” may be available for international data exchanges for research purposes.
National rules make data sharing difficult
However, as health is a national competence, the multiple and conflicting national rules make health data sharing, both within and outside the EU/EEA, challenging, says the report.
It is estimated that in 2019 more than 5,000 collaborative projects were affected between EEA countries and the US National Institutes of Health alone.
This affects the direct transfer of public sector health data to foreign institutions and the possibility for external researchers to remotely access data at its original location.
When institutions in other countries have statutory conflicts that prevent them from signing the required contracts under the GDPR, there is currently no workable legal mechanism for sharing health data for public sector research.
The authors of the research stressed that a solution is urgently needed, both for ongoing research collaborations as well as for new studies.
Volker ter Meulen, co-author of the report, said collecting and combining health data is fundamental for advancing medical research and improving disease diagnosis and treatment.
“For research to thrive, pseudonymised personal data often needs to be shared internationally between research groups in a straightforward and timely fashion, whilst securing the protection of personal data”, he added.
In contrast, the EU official said the Commission has looked into several cases where data protection was allegedly creating obstacles to research.
In many of these cases, data protection was not an issue, but there were broader contractual matters or technical requirements related to the specific projects. In the cases where there was a question related to data protection, the Commission clarified the relevant rules and facilitated solutions by bringing the involved actors around the table.
The Data Governance Act, which is part of the European data Strategy, is another instrument aiming at supporting health research.
EU grapples with building a ‘house’ for health data
Having drilled the first bolts of its ambitious EU health agenda, the European Commission is now called to the challenging task of creating a trustworthy, patient-centred European health data space.
EU building a house for health data
As outlined in the European Commission’s Pharmaceutical Strategy, the Commission aims to create a trustworthy, patient-centred European health data space, designed to serve as a cornerstone of health digitalisation.
This is envisaged to ensure easier access to health data through an “interlinked system that gives access to comparable and interoperable health data from across the EU,” the pharmaceutical strategy states, pointing to the upcoming legislative proposal on a European health data space.