The European Union (EU) General Data Protection Regulation (GDPR) was designed to give EU citizens greater protection and control of their personal data, particularly when transferred to entities outside the EU. However, in a Policy Forum, Jasper Bovenberg and colleagues argue that current interpretations of the GDPR overly limit data sharing outside of the EU, which has hampered global biomedical research, including essential efforts to address COVID-19. To remedy this, Bovenberg and his team propose amendments for consideration by the EU Commission in its upcoming review of GDPR and urge the European Data Protection Board (EDPB) – the GDPR’s governing body – to reevaluate recent guidance on COVID-19 related research.
According to the authors, current interpretations of the GDPR fail to recognize how personal data is used in biomedical research; typically, it’s used to derive generalized knowledge that benefits society and is applied in ways that pose negligible privacy risks to data subjects. Thus, the balance between an individual’s privacy and the benefit to society in research contexts is quite different from others, such as commercial and marketing endeavors that seek to create profiles of individuals and their behaviors. As a result, the GDPR has frustrated data sharing in global biomedical research since its advent in 2018. Unfortunately, say the authors, recent EDPB guidelines concerning COVID-19 lack both urgency and consideration for the greater public good and fail to account for scientific considerations.
“We believe that our recommendations can help to redress the unfortunate consequences created by the existing GDPR approach to international transfers of research data and will enable the biomedical research community to share data beyond the EU for scientific research, while ensuring a high level of protection for data subjects,” write the authors.