Following the last two years of living through a global pandemic, many governments and businesses have re-committed to investing heavily in understanding and treating disease. The devastation brought by the COVID-19 pandemic has served as a signal lesson in the need for better disease detection and treatment preparedness.
One of the strengths of the last two years has been the way scientists were able to act promptly to research and design suitable vaccines and treatments. None of this could have taken place without researchers and innovators being able to share ideas and data. So why, in light of the significant public benefit that such data sharing for research purposes can bring, isn't it easier to transfer health personal data across borders in line with data protection rules?
Why are the available solutions challenging?
Many organisations are concerned about the rigidness of the law in this area. In its submission to the UK Parliament's Science and Technology Committee, Health Data Research UK (HDR UK), the UK's national institute for health data science highlighted a central issue: the nature of research is necessarily global but the additional steps required under EU/UK data protection law, including complex Transfer Impact Assessments (TIAs) and the lack of suitable transfer tools, can lead research projects to be delayed or cancelled.
UK and EU international data transfer rules start with the position that it's better to transfer health data to countries that are considered to have data protection regimes which provide an equivalent or adequate level of protection under applicable EU or UK law. However, the list of adequate countries is fairly limited and countries have historically only been added after rigorous scrutiny.
Public bodies that UK/EU researchers want to partner with in countries which do not benefit from an adequacy decision have to enter into a recognised data transfer solution. They may well object to entering into the Standard Contractual Clauses (SCCs) (the most widely used tool for cross-border transfers from the EU) given the specific assurances that they would have to agree to or for conflict of law reasons. The SCCs' very inflexibility - they were conceived and drafted mostly with the private sector in mind - can be unsuitable for arrangements with third country public or non-profit bodies. While the European Commission has the power to adopt further standard contractual clauses so could choose to draft a set of clauses more suitable for exporters transferring data to third country public sector bodies, this outcome seems unlikely.
A handful of life sciences and healthcare companies have embraced Binding Corporate Rules (BCRs) to make data exports lawful. BCRs provide a reliable long-term solution but require time and resource investment and are not an overnight solution.
With drawbacks to reliance on both SCCs and BCRs, many businesses involved in health research (especially small and medium sized companies), find identifying a suitable lawful solution for data transfers from the EU or UK to third countries frustratingly difficult.
In post-Brexit UK we may soon begin to see elements of divergence from the EU list of adequate countries approved by the European Commission. The UK government's announcements in late August 2021, set out a priority list of destinations for future adequacy findings (including the USA, India and Korea). So, while we are still waiting for a replacement for the Privacy Shield (which was ruled invalid in July 2020) to cover data exports from the EU to the USA, we may see progress towards a UK-US data transfer agreement sooner. It's noteworthy that one of the specific case studies cited by the UK government in its paper related to facilitating health research since "international agreements on data will make it easier for UK scientists to conduct trials with diverse, global patient data sets".
The Schrems II curveball
Even if reliance on SCCs or BCRs as a transfer tool is possible, due to the Schrems II requirements, the parties intending to transfer health data must also carry out a TIA to consider whether the transfer will benefit from an essentially equivalent level of protection. There's no specific TIA template produced by European regulators but a number of factors need to be considered.
Unfortunately there are currently differing views as to whether the TIA can be considered to take sufficient account of risk and how much weight can be given to the likelihood of a third country public authority requesting access to the data. The French administrative supreme court, the Conseil d'Etat, in the Health Data Hub case (October 2020) did accept that the actual risk of a US court/public authority requesting access to health data was low because health data is not considered useful for criminal or anti-terrorism purposes. But many EU data protection authorities seem to be taking a more absolutist approach to the transfer of (any) data to the US - witness the recent decisions concerning the transfer of data to the US using Google Analytics.
Other approaches to transfers
If transfers of health data cannot rely on an adequacy decision, and if the parties do not have BCRs in place and SCCs are not appropriate, what alternatives are available to export health data?
One option could be to not transfer personal data at all – instead, to effectively anonymise the data so that its use falls outside data protection law. Easier said than done, of course. Many life sciences companies and health researchers need to be able to clearly link data to an identity (even if coded) to ensure full utilisation of the data. And even if the data used is pseudonymised, it remains personal data under data protection law. Other transfer tools theoretically exist under the (UK) GDPR – Codes of Conduct, for instance – but so far no life sciences or healthcare industry sector has successfully obtained approval of a code for data transfers.
This leaves parties falling back on the permitted derogations to the restrictions on data transfers. Derogations are considered a last resort and are designed for one-off transfers since they do not guarantee the protections provided by adequacy, SCCs and BCRs. It therefore seems unlikely that a data protection authority or court would consider a derogation (such as the transfer of health data being necessary for important reasons of public interest) to be available for bulk, regular transfers of health data.
Of course, if data protection and judicial authorities decided to interpret this derogation more broadly – agreeing transfers for health research are transfers for important reasons of public interest – that would provide greater certainty. And here we come to a complication. While the (UK) GDPR allows for the use of health data for scientific research purposes or for reasons of public interest in the area of public health (under Article 9), those lawful bases are not mirrored in the context of grounds (or derogations) for data transfers under Chapter V. Those in charge of drafting the derogations did not consider a derogation specifically for data transfers for scientific research in the public interest to be a necessary or suitable addition.
UK adequacy findings
If the UK government decides to grant adequacy regulations (the UK's version of EU adequacy decisions) to a number of the key countries in the life sciences space – such as the USA and India – the regulatory environment will shift dramatically in the UK so that such transfers of health data can be made without reliance on a transfer tool under the UK GDPR and without the need to complete a TIA. However, if the UK does go this way, it needs to be confident it can demonstrate to the EU that such adequacy assessments of these third countries are robust.
In its January 2022 paper 'The Benefits of Brexit', the UK government makes much of the freedom it now has to strike new data adequacy partnerships to provide new data flow deals which will allow services to be provided more reliably, securely, faster and cheaper. However, as organisations are already underlining, this must be balanced against the imperative of retaining the UK's own adequacy status from the EU which could be in peril if the UK deviates substantially from EU standards.
A risk-based approach
Of course, it's plausible to argue that transferring health data across borders shouldn't be easy since such data deserves greater protection. In other words, it is because the misuse of this data can lead to greater harm for individuals that transfers of such data should be subject to stricter rules.
It's certainly the case that hackers regularly target health data rich organisations. But that's principally a data security consideration and not linked to the cross-border transfer regime under Chapter V of the (UK) GDPR. Indeed, the most recent complication concerning data exports – the fallout from the Schrems II decision - isn't particularly targeted at sensitive data like health data. The focus of the Court of Justice of the European Union in Schrems II was on the powers of foreign public authorities to access any personal data protected by EU data protection law. So, if there is widespread acceptance that public authorities dealing with serious criminal and terrorist threats are highly unlikely to target the life sciences sector with data requests (since health data is rarely used for these purposes), then this would logically lead to the conclusion that there is a comparatively low risk attached to the transfer of health data to importers outside the EU/UK.
Medical researchers make the powerful argument that global shared analysis of data from a variety of countries is often necessary for sufficient statistical weight to be achieved in the study of rare diseases and the development of new treatments. If scientists cannot obtain enough data for analysis, this can reduce the effectiveness of their research and ultimately impoverish all of us due to the missed opportunities for medical breakthroughs.
It is unfortunate that there isn't greater certainty from regulators that those using health data, and especially those operating in life sciences research, can lawfully transfer health data cross-border to pursue their research-related purposes when they can demonstrate there are robust security measures in place and a lack of interest from third country public authorities in accessing this data.