SCIENCE sciencemag.orgILLUSTRATION: MIXMAGIC/ISTOCK.COM
in their own country or in another “third
country” in order to complete the research.
Unfortunately, the standard contractual
clauses are not clear regarding such “onward
transfers” and the mechanisms they offer;
unambiguous consent by the data subject
to the onward transfer, or adherence to the
clauses by the onward transferee(s), are of-
ten not viable options.
Although the GDPR provides that enti-
ties may enter into bespoke clauses that
are tailored to the circumstances, such
bespoke clauses must be approved by the
national competent supervisory authority
( 5 ). Yet in many EU jurisdictions, the lack
of guidance from the EDPB on the require-
ments for bespoke clauses means that the
competent authorities have not yet estab-
lished a process for the review of bespoke
clauses [e.g., ( 6 )].
For prospective research, such
as interventional clinical trials, in
which data subjects provide in-
formed consent at the time they
enroll in the study, researchers have
often relied on the explicit consent of
the data subject as the means to legit-
imize data transfer. However, under
the GDPR, this “transfer consent” is
subject to a number of requirements
and limitations. The researcher must
inform data subjects about the pos-
sible risk that their personal data
will be transferred to a country for
which there is no adequacy decision
or appropriate safeguards. Pursuant
to Guidance from the EDPB, invoking data
subjects’ consent as a basis for transfer is
limited to occasional and “not repetitive”
transfers. Consent therefore is not a viable
option for research consortia, data reposi-
tories, and legacy collections that store data
for the global research community. Also, the
general GDPR requirements for a valid con-
sent continue to apply, including that it must
be free, informed, specific and explicit, and
subject to immediate withdrawal by the data
subject at any time (withdrawal of consent
should be as easy as giving consent). Upon
withdrawal of consent, processing must be
stopped, unless there is another legal basis
to continue.
In addition, since the advent of the GDPR,
ethics committees have asked researchers to
provide a detailed list of all countries that will
receive data collected as part of the study ( 7 ).
Yet at the outset of a data-intensive research
study, it is usually not possible to know all of
the countries to which data may be sent, given
the large number of collaborating parties and
service providers involved in multinational
collaborative studies. Moreover, with respect
to data gathered in an interventional clinical
trial of a medicinal product, EDPB Guidancedisfavors the use of consent as a legal basis
and condition for the use of the data for re-
search processing, as it does not believe that
such consent can be freely given, and this
logic might also be extended to consent
asked for transfer of data out of the EU.
Recently, in at least one long-standing re-
search collaboration involving the NIH, an
EU research institute agreed to permit the
transfer of genetic data from Finland to the
United States on the basis that the transfer
is necessary “for important reasons of public
interest” ( 8 ). This recognized GDPR deroga-
tion to the prohibition on cross-border trans-
fer of personal data requires that the “public
interest ... shall be recognized in Union law
or in the law of the Member State to which
the controller is subject” ( 9 ). Some examples
of when this public interest provision maybe relied upon include international data ex-
change between competition authorities, tax
or customs administrations, financial super-
visory authorities, services competent for so-
cial security matters, or for public health, such
as tracing for contagious diseases and/or
elimination of doping in sport ( 10 ). The
EDPB, however, fails to provide clear guide-
lines and only complicates matters by stat-
ing that “the derogation only applies when
it can also be deduced from EU law or the
law of the Member State to which the con-
troller is subject, that such data transfers
are possible for important public interest
purposes including in the spirit of reciproc-
ity for international cooperation” ( 7 ). The
EDPB claims that this transfer mechanism,
as an exception to the requirement of an ad-
equacy decision or appropriate safeguards,
although not expressly limited to “occa-
sional” or “not repetitive” transfers, must be
interpreted restrictively.
In sum, the inability to find a suitable
mechanism amid the above legal bases for
transfer has stymied research collaborations
between the EU and the rest of the world, re-
sulting in the cessation or harmful delays of
critical data flows (see the text box) ( 1 ).SHARING DATA FOR COVID-19 RESEARCH
Sadly, the EDPB Guidelines published on 21
April 2020 regarding data for COVID-19 re-
search ( 11 ) lack both any sense of urgency
and any consideration of the public good, and
fail to take into account other fundamental
rights, societal interests, and scientific con-
siderations. They stress that consent must be
“specific,” the “derogations and limitations in
relation to the protection of data used in re-
search must apply only in so far as is strictly
necessary,” and that “the current COVID-19
outbreak does not suspend or restrict the
possibility of data subjects to exercise their
rights.” The Guidelines go so far as to state
that “storage periods ” (timelines) must be
set for COVID data. This is an inexplicable
limitation, and arguably even violates the
GDPR’s exemption to the storage limitation
for data processed for scientific pur-
poses. Pandemic researchers need
access to past, present, and future
collections of human biospecimens
and associated personal data, to an-
ticipate new waves of infections and
any new mutations. Guidance on the
“compatibility presumption” for re-
search, announced in January 2019,
is simply being postponed, leaving
the research community in the dark.
Luckily, the EDPB does consider
COVID research as qualifying as an
‘‘important public interest” to al-
low international transfer of data.
However, the EDPB also notes that
this derogation may only be justified
for “initial transfers,” as a “temporary mea-
sure,” and that repetitive transfers as part of a
long-lasting research project cannot proceed
under this derogation. Thus, even in the im-
portant context of COVID-19 research when
the ability to transfer personal data across
international borders for research purposes
is urgently needed, the EDPB minimizes the
ability of the research community to rely on
derogations that are included in the very text
of the GDPR.BEYOND EUROPE IN THE PUBLIC INTEREST
The above limitations for transfer of rese-
arch data outside the EU appear to be at
odds with the generally research-friendly
intent of the GDPR. During its drafting and
negotiation, the European Parliament and
the European Council paid extensive atten-
tion to research issues, which has resulted
in several provisions that may facilitate the
processing of personal data for scientific re-
search. Processing data for research is deemed
compatible with the initial purpose of data
collection, and data may be stored longer if
for research purposes. The GDPR explicitly
allows data subjects to give general consent
rather than specific consent for processing2 OCTOBER 2020 • VOL 370 ISSUE 6512 41