Bridging the European Data Sharing Divide in Genomic Science
Genomic research relies on the availability of large sets of genetic health data, which is why it is important for researchers to be able to share data internationally. Since genetic data is especially sensitive, there are a number of safety measures in place to ensure safe data sharing. However, compliance with the applicable data protection law provisions can also make it difficult for researchers to share any data at all.
Sharing data with third countries outside the European Union / European Economic Area is possible, if they uphold an adequate standard of data protection. As of now, there are only 13 countries and territories worldwide which are deemed adequate by the European Commission. A new publication by scientists from the University of Heidelberg, the Toronto University, the McGill University in Montreal and the University of Basque Country in Bilbao now argues the importance of creating safe spaces for genomic data sharing in the European Union / European Economic Area allowing data sharing with researchers in third countries. The authors, including GHGA member Fruzsina Molnár-Gábor, express the need for these data spaces to be detached from contexts where fundamental rights concerns related to surveillance measures override a purpose-specific balancing of fundamental rights, in order to make data for genomic research more accessible.
The adequacy of a third country’s data regulations is determined by their adherence to the European Union’s General Data Protection Regulation (GDPR) standards. Even though their protective precautions do not need to be the same, they should be on an “essentially equivalent” level. Molnár-Gábor et al explore how this regulation, while it has been implemented to ensure safe data sharing, actually hinders data sharing in general, because there are so few countries that match the strict conditions of being adequate. In cases where a country hasn’t received an adequacy decision from the EU Commissions, data sharing can be made possible by so-called Standard Contractual Clauses, whereby the same standard, that of adequacy, applies. This, however, places the burden of ensuring safe data sharing on the data exporters, who have to consider local laws of a third country.This has proven troublesome. Most researchers do not have the means to make this assessment and navigate the legalities themselves. Oftentimes researchers in third countries are legally prevented from signing Standard Contractual Clauses as in the case of the USA.
Molnár-Gábor et al argue that “there is still no helpful guidance on how data controllers, responsible for defining the purposes and essential means of data processing, are supposed to perform a task that the European Commission has failed to tackle on more than one occasion, as evidenced by the annulment of its adequacy decisions by the Court of Justice of the EU. Shifting the burden of an all-encompassing assessment of a third country’s legal system to exporters of data might lead to quasi-arbitrary evaluations, as well as to divergences in the application of the adequacy criteria from one another. If these evaluative exercises are carried out poorly, it could lead to the erosion of the fundamental rights of the affected EU citizens. This could take a long time to remedy, because the Court of Justice of the EU is the only body competent to do so, and it requires more than a year for it to decide cases”.
To combat these problems, Molnár-Gábor et al highlight possible supplementary measures as means to raise the data protection standard for international data transfers, provide sector-specific codes of conduct and formulate ideas on how to shape safe data spaces within Europe, that could enable non-EU data users to safely process data.
The following paragraph will explore some of these measures in a bit more detail. As stated in this article, Surveillance, such as the surreptitious use of health data by authorities and law enforcement agencies, is one of the key contributors as to why a country is not deemed adequate for Data Sharing by the European Commission. One supplementary measure in this case could be to obligate the data importers to regularly provide specific information about requests received from authorities regarding personal data processed under the relevant contract. Additionally, data importers should “take legal action to challenge an order to disclose personal data until all pathways to do so have been extinguished”. Another way to hinder surreptitious data use could be to prevent the download of data entirely and to provide a searchable metadata basis without actually moving any data at all. This indirect approach to using and sharing data could help prevent wrongful access by third parties. Data would therefore remain in a safe and controlled environment.
Moreover, the EU is currently working on the establishment of a European Health Data Space (EHDS). EU member states will appoint so-called Health Data Access Bodies which will receive and review data users’ requests for access to data that are retained in the EHDS for secondary use, including scientific research use.
Even though this seems like a step in the right direction, enabling third countries and international organizations to integrate their own national point of contact into the EHDS infrastructure will leave data exporters with much of the same problems. Since the legal framework of the EHDS reprises numerous restrictive and limitative elements of the GDPR Molnár-Gábor et al propose improvements such as the implementation of data analysis services and reducing member states’ individual rules for data sharing.
These are just a few examples of what could be done to circumvent the problem of Data Sharing between countries within the European Union / European Economic Area and third countries.
Molnár-Gábor F, Beauvais MJS, Bernier A, Jimenez MPN, Recuero M, Knoppers BM
Bridging the European Data Sharing Divide in Genomic Science
J Med Internet Res 2022;24(10):e37236