For many people, the most apparent effect of the European privacy law called the General Data Protection Regulation (GDPR) has been a flourishing of website pop-ups, demanding your consent to store browsing behavior as cookies. An annoyance, perhaps, but hardly more than an inconvenience. For Francis Collins, director of the U.S. National Institutes of Health (NIH), however, the regulation has turned out to be a serious impediment to research.
Since 1993, Collins has been principal investigator for a project studying type 2 diabetes in Finnish people, who have relatively homogenous genetics and detailed health records. Finland's National Institute for Health and Welfare has sent 32,000 DNA samples to Collins's laboratory. He and his U.S. collaborators used the data to discover more than 200 places in the genome where variants increase the risk of illness. But in May 2018, when GDPR came into force, the Finnish institute stopped all data sharing on the project, because NIH could not provide guarantees that would satisfy the institute's interpretations of the law's requirements. Progress has since "slowed to a crawl," Collins says.
This week in Brussels, representatives from NIH, academia, industry, patient advocacy groups, the European Commission, and data protection authorities met to share their GDPR frustrations. They hope to highlight the obstacles it creates for some international collaborations and explore possible responses. "I hope this is only a temporary slowdown, and that the meeting in Brussels opens the way to a solution," Collins says.
The European Union's GDPR rules, which apply to the 28 EU member states plus Iceland, Liechtenstein, and Norway, include common sense principles, such as minimizing personal data used in research and using appropriate safeguards. Because "there's now teeth and liability attached," with steep penalties for rule breakers, the regulation has "scared everyone," says Cathal Ryan, assistant commissioner at Ireland's Data Protection Commission in Dublin, leading to scrutiny of projects that rely on personal data.
The European Union recognizes some countries—Argentina, Japan, New Zealand, and Switzerland, among others—as providing adequate data protection, which frees EU scientists to share data with researchers in those nations. But not in Canada and the United States. One way for research institutions there to collaborate with EU researchers is to sign contracts that guarantee data safeguards. However, standard contracts include requirements that institutions agree to European audits of their data systems or submit to the jurisdiction of its courts—which NIH, as a U.S. government agency, cannot accept. "That was a nonstarter," Collins says.
Some researchers are finding work-arounds, but they are less than ideal. Neuroscientist Sudha Seshadri of the University of Texas Health Science Center in San Antonio is one of the co-founders of the International Genomics of Alzheimer's Project, which has gathered DNA sequences from more than 90,000 people in Europe and the United States to find genetic variants associated with Alzheimer's disease. She says partners in some EU nations have restricted data sharing, so the consortium now runs separate analyses on each side of the Atlantic Ocean. But this limits analysis, particularly when searching for rare variants that require big data sets, Seshadri says.
Although GDPR lays out overarching principles, it leaves member states to spell out details of research exemptions in national laws. "There's a common joke among ourselves: If you ask 20 lawyers, they'll give you 20 different opinions" on how to comply with it, says Salvador Capella Gutierrez, who leads the Spanish National Bioinformatics Coordination Node at the Barcelona Supercomputing Center. For example, reusing data for secondary research is typically allowed in Spain without additional patient consent when this reuse is deemed in the "public interest." But in countries such as Italy, researchers often have to ask for consent again.
Another way to avoid the regulation and its uncertainties is to anonymize personal research data. But Mads Melbye, CEO of the Statens Serum Institute in Copenhagen, says countries also have different interpretations of what constitutes appropriate anonymization. Even if subjects are not identified, their biological samples contain what some officials consider personally identifiable information, he says. After GDPR was enacted, his institute, which houses the Danish National Biobank, froze data streams to important partners, including NIH and the World Health Organization's International Agency for Research on Cancer in Lyon, France. "We're talking about high-value data collections that have been costly to establish," he says. "It's a disaster for international collaboration if we can't find a solution."
NIH and its Finnish counterpart are close to resuming data transfers, under a deal defining them as "necessary for important reasons of public interest," Collins says. "We're trying to come up with a template that would be consistent with GDPR, but would resolve ambiguities that lead legal experts to take a conservative view for fear of financial penalties," he explains.
Seshadri is confident that clarity and best practices will emerge over time. "I'm hopeful that over the next few years we will find ways to do this efficiently," she says. In the meantime, researchers aren't alone in being frustrated, she says. "As a patient, you want solutions yesterday."
*Correction, 21 November, 2:20 p.m.: This story has been updated to correct Sudha Seshadri's affiliation.