Science - USA (2020-10-02)


INSIGHTS | POLICY FORUM


sciencemag.org SCIENCE

for research purposes. The GDPR also allows for an exception to the notice requirement when providing notice proves impossible or would involve a disproportionate effort—in particular, processing for scientific research purposes. The GDPR further exempts from the right of erasure personal data processed for scientific research purposes if erasure is likely to render impossible or seriously impair the achievement of the objectives of the processing. Furthermore, the GDPR explicitly provides for an exemption to the right to object when personal data are processed for scientific research purposes, and permits member states to enact derogations from various data subject rights in the research context. Notably, all exemptions are subject to appropriate safeguards for the rights and freedoms of the data subject, such as technical and organizational measures, including pseudonymization.
The common rationale behind these exceptions and exemptions is the notion that scientific research is a “public interest” and the notion that the GDPR should facilitate processing of personal data in the public interest. Likewise, the conduct of science has been acknowledged by EDPB as a legitimate interest. Missing, however, from the GDPR list of research-friendly provisions is an appreciation of the international dimensions of research and, consequently, a corresponding appropriate provision to enable scientific research data transfers across the globe. As the conduct of science is a global affair, research-friendly provisions for the sharing of data for science beyond the borders of Europe should be part and parcel of the GDPR. The GDPR legislature has failed to take this crucial aspect of sharing data with scientific collaborators around the globe into account when drafting the research provisions.

REFORM AND GUIDANCE
We suggest a number of solutions, in the form of GDPR reform per se, dialogue between the Commission and the EDPB and the Commission’s global counterparts, or as part of the Guidance planned by the EDPB on the processing of health data for the purpose of scientific research. First, we recommend that the GDPR transfer mechanisms be expanded by adding processing necessary for scientific research as an express public interest, subject to appropriate safeguards, such as pseudonymization (coding), data protection by design and default, and the requirements of notice and choice [e.g., (12)]. This basis for global sharing of research data should also extend to onward transfers. Second, it should be clarified that pseudonymized data should not be considered personal data in the hands of an entity that does not possess the key needed to re-identify such data, as was understood by many researchers and institutions under the law preceding the GDPR (1, 13, 14). Third, as part of its ongoing modernization of the standard contractual clauses, the EU Commission should adopt specific standard contractual clauses for scientific biomedical research. These clauses should reflect the specific context, purposes, and practices of such transfers—for example, review of sharing or access requests by independent Data Access Committees. Fourth, the EDPB should (i) issue guidance for the approval by the competent supervisory authorities of bespoke clauses for specific research studies and (ii) issue guidance identifying when data processing for scientific research, if carried out outside of the EU by a non-EU entity, would fall under GDPR standards. Finally, with respect to COVID-19 research, we recommend that the EDPB revisit its Guidance on processing of health data for scientific research, to reaffirm the validity of broad consent and to clarify that the exemption for transfers of research data for important reasons of public interest is not restricted to time-limited, occasional, and nonrepetitive transfers with respect to COVID-19 research.
We believe that our recommendations can help to redress the unfortunate consequences created by the existing GDPR approach to international transfers of research data and will enable the biomedical research community to share data beyond the EU for scientific research, while ensuring a high level of protection for data subjects.

REFERENCES AND NOTES


  1. R. Eiss, Nature 584, 498 (2020).
  2. CJEU Case C-311/18, 16 July 2020 (“Schrems II”), specifically paragraphs 104–105, 135–143, and 203.
  3. European Commission, Standard Contractual Clauses; https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
  4. GDPR, Articles 46(2)(a), 46(3)(b); see also EDPB, Guidelines 2/2020 on Articles 46(2)(a) and 46(3)(b) of Regulation 2016/679 for Transfers of Personal Data Between EEA and non-EEA Public Authorities and Bodies version 1 (18 January 2020).
  5. GDPR, Article 46(3).
  6. United Kingdom, Information Commissioner’s Office, Guide to the GDPR: International Transfers; https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/.
  7. GDPR, Recital 42, EDPB 2/2018 Guidelines on Derogations of Article 49 of Regulation 2016/679 (adopted 25 May 2018).
  8. GDPR, Article 49(1)(d).
  9. GDPR, Article 49(4).
  10. GDPR, Recital 112.
  11. EDPB, Guidelines 03/2020 on the Processing of Data Concerning Health for the Purpose of Scientific Research in the Context of the COVID-19 Outbreak (21 April 2020).
  12. PHG Foundation of the University of Cambridge, The GDPR and Genomic Data: The Impact of the GDPR and DPA 2018 on Genomic Healthcare and Research (May 2020); http://www.phgfoundation.org/documents/gdpr-and-genomic-data-report.pdf.
  13. United Kingdom, Information Commissioner’s Office, Anonymisation: Managing Data Protection Risk: Code of Practice (November 2012); https://ico.org.uk/media/1061/anonymisation-code.pdf.
  14. CJEU Case C-582/14 of 19 October 2016 (“Breyer”).


ACKNOWLEDGMENTS
J.B., D.P., and M.B. provide legal counsel to the biomedical research community, inter alia on issues of data protection and data transfers. B.M.K. received funding from Genome Canada/Genome Quebec and under EU-CIHR grant agreements No. 825903 euCanSHare and No. 160202 EUCANCan.
10.1126/science.abd2499

Inefficient distributed analysis of international data
The International Genomics of Alzheimer’s Consortium and the U.S.-based Alzheimer’s Disease Sequencing Project based at the University of Pennsylvania have been unable to pool personal data on a single server because EU investigators believe that the GDPR prevents them from sharing the European personal data with U.S.-based researchers. This creates a scientifically compromised, inefficient, and more expensive distributed analysis of international Alzheimer’s disease data because investigators must run identical analyses on segregated pools of data in different locations. This distributed analysis model both slows research and limits the scope of research projects in which they can engage.

Protections in place, but struggling to identify a transfer mechanism
European research centers used to send de-identified human genetic data to the Imputation Server hosted by the University of Michigan. The server has been certified by an outside auditor for conformance with recognized information technology security and privacy standards [National Institute of Standards and Technology (NIST)]. Measures are in place to secure physical security of the location, space, and equipment and for identification and authentication (logging in). Users upload their private data, which is not accessed by server administrators. Once imputation is complete, the results are encrypted and uploaded files are deleted. Server administrators do not have access to users’ private encryption passwords. Measures are also in place for encryption of data during storage and transmission. Server administrators cannot access completed imputation data. Despite the measures and protections in place, EU centers are now unable to send their data for imputation to the Michigan Imputation Server, as they struggle to identify a viable transfer mechanism under the GDPR.

Examples of biomedical research frustrated by the GDPR


42 2 OCTOBER 2020 • VOL 370 ISSUE 6512
