The revelation by Edward Snowden that the US National Security Agency (NSA) and the UK Government Communications Headquarters (GCHQ) have been gathering the email and mobile phone metadata of millions of European citizens, including politicians, has drawn public attention to the inherent risks of a globally connected information society. The level of public concern and outrage risks triggering a political overreaction that could be detrimental to biomedical research that crucially relies on sharing data and samples, if the balance is tipped too far in favour of strict privacy regulation.
The discussion over spying has also drawn attention to the ongoing reform of the EU's legal framework to protect the private data of citizens. The law in the European Union is based on the Data Protection Directive 95/46/EC that was passed in 1995. In 2012, the European Commission presented the first draft of a Data Protection Regulation intended to supersede the former, and the latest amendments were released on October 21, 2013. The advantage of a Regulation is that it is directly applicable in its entirety by all member states, thereby guaranteeing uniform legislation across the EU. In contrast, a Directive has to be implemented into national law by member states, which is a slow process that may result in diversity in how the Directive is applied.
However, the latest draft of the Regulation could jeopardize research that crucially depends on genomic and health data by being either too strict or too generous in the wrong places. One potential problem is that it leaves member states a certain level of “freedom to operate” regarding possible exceptions for the use of personal health data for historical, statistical and research purposes. Article 81.2a states that “Member States” law may provide for exceptions to the requirement of consent for research, as referred to in paragraph 2, with regard to research that serves a high public interest, if that research cannot possibly be carried out in any other way. The data must be anonymised, or if that is not possible for the research purposes, it must be pseudonymised under the highest technical standards […].” This rule means that member states do not have to introduce a research exception; it just gives them the possibility to do it. However, if member states decide to introduce a research exemption, it could again lead to different legal requirements across the EU. This would affect international research consortia that need to share data. Last but not least, it is not clear under which criteria research is considered to serve a higher public interest, and it may also be difficult to demonstrate that it cannot possibly be carried out otherwise. This lack of certainty may discourage cross-border research and the sharing of information, which is particularly relevant for biomedical research. It is also in contrast with the EU's objective of achieving a European Research Area.
Other areas of concern with relevance for medical research are the requirement for explicit consent and the much-debated “right to erasure”. Under the previous Directive, exemptions allowed research to proceed without the need to obtain consent in all situations. The proposed Regulation would explicitly require consent, as “any freely given specific, informed and explicit indication of his/her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.” A “clear affirmative” action would involve ticking a box when visiting a website or any other action that could indicate the data subject's acceptance; “silence, mere use of a service or inactivity should therefore not constitute consent”. The new Article 81.1b of the most recent draft also states that “the consent may be given for one or more specific and similar research.” While it would not allow “for all research under the sun”, this provision would cover research that investigated a number of disease areas for example. Electronic patient interfaces such as “dynamic consent” could address these changes to the law.1
The previous drafts of the Regulation contained “a right to be forgotten”. The new draft replaced this with the right to erasure: participants can require the erasure of their personal data both from the controller and from any third parties in case the data are copied or replicated by others. The provisions are extensive and aim at giving individuals greater control over the use of their personal information. One of the most significant changes is that genetic information is now considered as personal data and so is firmly under the Data Protection regime.
Considering the growing importance of genomic and health data to identify health risks and to improve health care and public health, as well as the importance of international research collaboration, a stricter data protection regime in the EU, with such vague consideration for research activities, could be seriously detrimental to scientific progress that increasingly relies on access to data and samples across different countries. According to the conclusions of the EU Council agreed on October 25, 2013, the new Data Protection Regulation is to be adopted by 2015, which leaves space for further amendments to safeguard health research as a public good. Hopefully, the brouhaha over the spying scandal will have sufficiently cooled down by then to allow for a more rational and informed discussion.
Conflict of interest
The authors declare that they have no conflict of interest.