The writer is a senior adviser at the US National Institutes of Health
The lifesaving work of the biomedical science community is caught in an unsettling — and unintended — crossfire over global data sharing. Last year, Joe Biden and Ursula von der Leyen committed to a transatlantic framework to restore commercial data flows, which were abruptly halted in 2020 by the European Court of Justice. But the US and EU must now take a further pivotal step to dismantle the data-sharing silos in medicine and public health that arose from Europe’s General Data Protection Regulation.
The GDPR represents the most progressive measure in decades when it comes to giving individuals greater control over their personal data. Its territorial reach arguably demonstrates what has been coined the Brussels effect — the capacity of the EU to forge sectoral standards as a condition of market access, that are then adopted by international firms.
But unintended — and problematic — consequences come when general principles that apply to marketing industries and other forms of data processing are also applied to publicly funded biomedical research. Applications and interpretations of GDPR fail to consider adequately how research uses of personal data differ from other types, particularly as the data are pseudonymised.
The present state of play is unsettling. Scientists are struggling to find a legal basis for sharing data under the regulation. US federal agencies such as the National Institutes of Health, the largest global funder of biomedical research, and its sister public agencies have no pathway available to receive pseudonymised data collected by research partners in the EU. Without an adequacy decision, US agencies and many publicly supported research universities are legally barred from agreeing to GDPR data-transfer requirements.
Longstanding research collaborations that included appropriate consent are stalled. Forty-seven clinical research sites in the EU could not enrol in NIH-sponsored Covid therapeutic trials. Thirty-five projects in the EU assessing genetic and environmental influences on cancer risk cannot progress. Moreover, GDPR is having direct effects on patient care in a research setting. Colleagues at NIH’s Clinical Center were unable to secure matched donor samples from Europe to offer stem-cell transplantation treatment to some cancer patients, despite donor consent.
The implications for European clinical research are consequential. When data collected from patients cannot be exported, EU-based trial sponsors cannot submit evidence to third-country regulatory agencies, including the US Food and Drug Administration. As a result, they may be compelled to relocate clinical sites outside the EU to access more markets. One estimate indicates that this may lead to €8.9bn less a year spent by companies within the EU on trials.
Building on the emerging US-EU framework to restore legal certainty for commercial data flows is a chance to forge a compact that both keeps GDPR’s robust privacy safeguards, and allows science to deliver vital medicines and preventive care. Remedies could take the form of an international agreement, amendments to the GDPR to recognise scientific data sharing as a public interest or expanded guidelines on GDPR transfer mechanisms.
There is an urgency to this. Genomics and other potent tools create extraordinary opportunities to advance curative treatments based on precise molecular knowledge and to intervene to pre-empt disease. Resolving these frustrating barriers to data sharing will enable scientists to power clinical trials, identify promising drug targets and realise the potential of precision or personalised medicine as well as fulfilling a solemn social contract with those who volunteer for clinical trials expecting their data to help propel the development of innovative medicines.
