Europe’s new law on data privacy could stifle science
A new law’s increased protections on privacy are likely to make research projects involving big data less efficient, more complex and more difficult to reproduce.
The sharing of data is crucial to uncovering some of the mysteries of autism1,2. For example, understanding the genetics of autism requires large sample sizes to obtain enough individuals with the same rare variants. Likewise, sharing brain imaging data using resources such as the Autism Brain Imaging Data Exchange (ABIDE) can provide important clues to the neurobiology of the condition3,4.
A new European Union (EU) data-protection law, scheduled to take effect on 25 May, could hinder these and other data-sharing initiatives.
Until now, each of the EU countries had its own data protection laws, some offering individuals more security than others. The new law, called the General Data Protection Regulation, harmonizes regulations throughout the EU. It gives people better privacy protection and greater control over their personal data; it also changes the way companies and other organizations, including universities, handle data about people.
Much of this is welcome, and intended to be in people’s best interests. But it may have unintended consequences for research.
The new law will compel researchers to work differently. It will modify the way researchers design studies, enroll participants and obtain consent, and how they collect, share and store data. It requires researchers to consider data-protection protocols, termed ‘privacy by design,’ during the design and inception of their studies.
Although many aspects of this law are good, I worry that these increased protections on privacy will make research projects involving data sharing and collaborative work less efficient, more expensive and more complex. The law is likely to impede reproducibility in science by limiting the data available to other research groups. I am also concerned that the law will hamper collaborations between researchers in Europe and those in the United States and elsewhere.
We scientists should be proactive and propose ways to limit any harmful effects on science.
Special protections:
Under the new law, consent forms must clearly define the goal of the research, how the data will be used and who will have access to the information. For example, will the information be accessible only to university researchers, or can industry researchers also retrieve it? Will the data be shared in a de-identified manner — that is, without any details that can be used to identify the individual — outside of the university, country or EU?
The study participants must have the ‘right to be forgotten’: That is, participants can withdraw consent at any time, at which point their data must be deleted, not only from the repository, but also by anyone who has downloaded the information, even if they are still working with the data.
The law also compels researchers to use personal data only for the purposes set out in the consent form. In a strict interpretation, this means that if the person is enrolled in a study to evaluate the development of social interactions in autism, their data cannot be used in a future study looking at inattention.
This restriction is likely to make research less efficient and more costly — to participants, researchers, funders and taxpayers.
What’s more, researchers are allowed to keep the data for only as long as it takes to complete the stated purpose. This stipulation runs counter to ethical research codes that require the data to be available to verify the results.
The task of data storage and sharing is also likely to become more complex. Some categories of personal data, including race, ethnicity, sexual behavior, religious background and health conditions, will require special levels of protection when shared among researchers. They may need to be pooled with other categories and recoded to prevent attempts to reveal an individual’s identity.
Genetic data, which can directly identify an individual, also carries special protections. Participants will need to provide specific consent for sharing genetic data; alternatively, researchers may need to analyze the data at their own location and share only the group results, rather than sharing the individual data5. Researchers and institutions must take steps to ensure the data are securely stored, and are encrypted if they are transported from one research facility to another.
Common ground:
Finally, the new regulations place the responsibility to adhere to the law with the organizations holding the data. This includes appointing an officer with expertise in data protection and law. Those who fail to comply with the law could face fines of up to 20 million euros.
For researchers, this is an anxiety-provoking sum. It is not surprising, then, that the law is creating uneasiness among researchers taking part in data-sharing initiatives, and that others are reluctant to participate in these initiatives.
With these changes, the data protection laws within the EU will be stricter than those in the U.S. When it comes to international data-sharing initiatives, the most protective laws will take precedence. This means that in U.S.-EU research collaborations, such as my own, U.S. research institutions will have to comply with the new EU regulation. The same goes for other countries whose laws are less restrictive than the new EU standards.
Although the new EU law creates novel challenges for data sharing, these challenges are not insurmountable. I am convinced that non-EU countries with somewhat different data privacy laws can find a common ground to allow for large data-sharing initiatives.
Neuroscientists could take the lead in ensuring these new — and necessary — data privacy laws don’t impede collaborative research. One solution would be to bring together experts to create standard templates for consent, data transfer and data-use agreements to foster data sharing within — and between — countries. These templates could be used for data sharing for all 28 EU countries with countries outside the EU. With input from global experts in the fields of medicine, neuroscience, epidemiology, bioinformatics, ethics and law, we can ensure a future in which data sharing benefits all of humanity.
Tonya White is associate professor of child and adolescent psychiatry and radiology at the Erasmus University Medical Center in Rotterdam, the Netherlands.