Reconciling the biomedical data commons and the GDPR: three lessons from the EUCAN ELSI collaboratory

Collapse authors list.
Bernier, Alexander, Molnar-Gabor, Fruzsina, Knoppers, Bartha M, Borry, Pascal, Cesar, Priscilla MDG, Devriendt, Thijs, Goisauf, Melanie, Murtagh, Madeleine, Jimenez, Pilar Nicolas, Recuero, Mikel et al (show 5 more authors) , Rial-Sebbag, Emmanuelle, Shabani, Mahsa, Wilson, Rebecca C ORCID: 0000-0003-2294-593X, Zaccagnini, Davide and Maxwell, Lauren (2023) Reconciling the biomedical data commons and the GDPR: three lessons from the EUCAN ELSI collaboratory. EUROPEAN JOURNAL OF HUMAN GENETICS, 32 (1). pp. 69-76.

Access the full-text of this item by clicking on the Open Access link.

Abstract

The coming-into-force of the EU General Data Protection Regulation (GDPR) is a watershed moment in the legal recognition of enforceable rights to informational self-determination. The rapid evolution of legal requirements applicable to data use, however, has the potential to outstrip the capabilities of networks of biomedical data users to respond to the shifting norms. It can also delegitimate established institutional bodies that are responsible for assessing and authorising the downstream use of data, including research ethics committees and institutional data custodians. These burdens are especially pronounced for clinical and research networks that are of transnational scale, because the legal compliance burden for outbound international data transfers from the EEA is especially high. Legislatures, courts, and regulators in the EU should therefore implement the following three legal changes. First, the responsibilities of particular actors in a data sharing network should be delimited through the contractual allocation of responsibilities between collaborators. Second, the use of data through secure data processing environments should not trigger the international transfer provisions of the GDPR. Third, the use of federated data analysis methodologies that do not provide analysis nodes or downstream users access to identifiable personal data as part of the outputs of those analyses should not be considered circumstances of joint controllership, nor lead to the users of non-identifiable data to be considered controllers or processors. These small clarifications of, or modifications to, the GDPR would facilitate the exchange of biomedical data amongst clinicians and researchers.

Item Type:	Article
Uncontrolled Keywords:	European Union, Computer Security
Divisions:	Faculty of Health and Life Sciences Faculty of Health and Life Sciences > Institute of Population Health
Depositing User:	Symplectic Admin
Date Deposited:	27 Jul 2023 13:02
Last Modified:	19 Jan 2024 09:19
DOI:	10.1038/s41431-023-01403-y
Open Access URL:	https://rdcu.be/dhSFg
Related URLs:	Author Publisher
URI:	https://livrepository.liverpool.ac.uk/id/eprint/3171953