Reconciling the biomedical data commons and the GDPR: three lessons from the EUCAN ELSI collaboratory

The coming-into-force of the EU General Data Protection Regulation (GDPR) is a watershed moment in the legal recognition of enforceable rights to informational self-determination. The rapid evolution of legal requirements applicable to data use, however, has the potential to outstrip the capabilitie...

Descripción completa

Detalles Bibliográficos
Autores principales: Bernier, Alexander, Molnár-Gábor, Fruzsina, Knoppers, Bartha M., Borry, Pascal, Cesar, Priscilla M. D. G., Devriendt, Thijs, Goisauf, Melanie, Murtagh, Madeleine, Jiménez, Pilar Nicolás, Recuero, Mikel, Rial-Sebbag, Emmanuelle, Shabani, Mahsa, Wilson, Rebecca C., Zaccagnini, Davide, Maxwell, Lauren
Formato: Online Artículo Texto
Lenguaje:English
Publicado: Springer International Publishing 2023
Materias:
Article
Acceso en línea:https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10267538/
https://www.ncbi.nlm.nih.gov/pubmed/37322132
http://dx.doi.org/10.1038/s41431-023-01403-y
_version_ 1785058949015273472
author Bernier, Alexander
Molnár-Gábor, Fruzsina
Knoppers, Bartha M.
Borry, Pascal
Cesar, Priscilla M. D. G.
Devriendt, Thijs
Goisauf, Melanie
Murtagh, Madeleine
Jiménez, Pilar Nicolás
Recuero, Mikel
Rial-Sebbag, Emmanuelle
Shabani, Mahsa
Wilson, Rebecca C.
Zaccagnini, Davide
Maxwell, Lauren
author_facet Bernier, Alexander
Molnár-Gábor, Fruzsina
Knoppers, Bartha M.
Borry, Pascal
Cesar, Priscilla M. D. G.
Devriendt, Thijs
Goisauf, Melanie
Murtagh, Madeleine
Jiménez, Pilar Nicolás
Recuero, Mikel
Rial-Sebbag, Emmanuelle
Shabani, Mahsa
Wilson, Rebecca C.
Zaccagnini, Davide
Maxwell, Lauren
author_sort Bernier, Alexander
collection PubMed
description The coming-into-force of the EU General Data Protection Regulation (GDPR) is a watershed moment in the legal recognition of enforceable rights to informational self-determination. The rapid evolution of legal requirements applicable to data use, however, has the potential to outstrip the capabilities of networks of biomedical data users to respond to the shifting norms. It can also delegitimate established institutional bodies that are responsible for assessing and authorising the downstream use of data, including research ethics committees and institutional data custodians. These burdens are especially pronounced for clinical and research networks that are of transnational scale, because the legal compliance burden for outbound international data transfers from the EEA is especially high. Legislatures, courts, and regulators in the EU should therefore implement the following three legal changes. First, the responsibilities of particular actors in a data sharing network should be delimited through the contractual allocation of responsibilities between collaborators. Second, the use of data through secure data processing environments should not trigger the international transfer provisions of the GDPR. Third, the use of federated data analysis methodologies that do not provide analysis nodes or downstream users access to identifiable personal data as part of the outputs of those analyses should not be considered circumstances of joint controllership, nor lead to the users of non-identifiable data to be considered controllers or processors. These small clarifications of, or modifications to, the GDPR would facilitate the exchange of biomedical data amongst clinicians and researchers.
format Online
Article
Text
id pubmed-10267538
institution National Center for Biotechnology Information
language English
publishDate 2023
publisher Springer International Publishing
record_format MEDLINE/PubMed
spelling pubmed-102675382023-06-20 Reconciling the biomedical data commons and the GDPR: three lessons from the EUCAN ELSI collaboratory Bernier, Alexander Molnár-Gábor, Fruzsina Knoppers, Bartha M. Borry, Pascal Cesar, Priscilla M. D. G. Devriendt, Thijs Goisauf, Melanie Murtagh, Madeleine Jiménez, Pilar Nicolás Recuero, Mikel Rial-Sebbag, Emmanuelle Shabani, Mahsa Wilson, Rebecca C. Zaccagnini, Davide Maxwell, Lauren Eur J Hum Genet Article The coming-into-force of the EU General Data Protection Regulation (GDPR) is a watershed moment in the legal recognition of enforceable rights to informational self-determination. The rapid evolution of legal requirements applicable to data use, however, has the potential to outstrip the capabilities of networks of biomedical data users to respond to the shifting norms. It can also delegitimate established institutional bodies that are responsible for assessing and authorising the downstream use of data, including research ethics committees and institutional data custodians. These burdens are especially pronounced for clinical and research networks that are of transnational scale, because the legal compliance burden for outbound international data transfers from the EEA is especially high. Legislatures, courts, and regulators in the EU should therefore implement the following three legal changes. First, the responsibilities of particular actors in a data sharing network should be delimited through the contractual allocation of responsibilities between collaborators. Second, the use of data through secure data processing environments should not trigger the international transfer provisions of the GDPR. Third, the use of federated data analysis methodologies that do not provide analysis nodes or downstream users access to identifiable personal data as part of the outputs of those analyses should not be considered circumstances of joint controllership, nor lead to the users of non-identifiable data to be considered controllers or processors. These small clarifications of, or modifications to, the GDPR would facilitate the exchange of biomedical data amongst clinicians and researchers. Springer International Publishing 2023-06-15 /pmc/articles/PMC10267538/ /pubmed/37322132 http://dx.doi.org/10.1038/s41431-023-01403-y Text en © The Author(s) 2023 https://creativecommons.org/licenses/by/4.0/Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/ (https://creativecommons.org/licenses/by/4.0/) .
spellingShingle Article
Bernier, Alexander
Molnár-Gábor, Fruzsina
Knoppers, Bartha M.
Borry, Pascal
Cesar, Priscilla M. D. G.
Devriendt, Thijs
Goisauf, Melanie
Murtagh, Madeleine
Jiménez, Pilar Nicolás
Recuero, Mikel
Rial-Sebbag, Emmanuelle
Shabani, Mahsa
Wilson, Rebecca C.
Zaccagnini, Davide
Maxwell, Lauren
Reconciling the biomedical data commons and the GDPR: three lessons from the EUCAN ELSI collaboratory
title Reconciling the biomedical data commons and the GDPR: three lessons from the EUCAN ELSI collaboratory
title_full Reconciling the biomedical data commons and the GDPR: three lessons from the EUCAN ELSI collaboratory
title_fullStr Reconciling the biomedical data commons and the GDPR: three lessons from the EUCAN ELSI collaboratory
title_full_unstemmed Reconciling the biomedical data commons and the GDPR: three lessons from the EUCAN ELSI collaboratory
title_short Reconciling the biomedical data commons and the GDPR: three lessons from the EUCAN ELSI collaboratory
title_sort reconciling the biomedical data commons and the gdpr: three lessons from the eucan elsi collaboratory
topic Article
url https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10267538/
https://www.ncbi.nlm.nih.gov/pubmed/37322132
http://dx.doi.org/10.1038/s41431-023-01403-y
work_keys_str_mv AT bernieralexander reconcilingthebiomedicaldatacommonsandthegdprthreelessonsfromtheeucanelsicollaboratory
AT molnargaborfruzsina reconcilingthebiomedicaldatacommonsandthegdprthreelessonsfromtheeucanelsicollaboratory
AT knoppersbartham reconcilingthebiomedicaldatacommonsandthegdprthreelessonsfromtheeucanelsicollaboratory
AT borrypascal reconcilingthebiomedicaldatacommonsandthegdprthreelessonsfromtheeucanelsicollaboratory
AT cesarpriscillamdg reconcilingthebiomedicaldatacommonsandthegdprthreelessonsfromtheeucanelsicollaboratory
AT devriendtthijs reconcilingthebiomedicaldatacommonsandthegdprthreelessonsfromtheeucanelsicollaboratory
AT goisaufmelanie reconcilingthebiomedicaldatacommonsandthegdprthreelessonsfromtheeucanelsicollaboratory
AT murtaghmadeleine reconcilingthebiomedicaldatacommonsandthegdprthreelessonsfromtheeucanelsicollaboratory
AT jimenezpilarnicolas reconcilingthebiomedicaldatacommonsandthegdprthreelessonsfromtheeucanelsicollaboratory
AT recueromikel reconcilingthebiomedicaldatacommonsandthegdprthreelessonsfromtheeucanelsicollaboratory
AT rialsebbagemmanuelle reconcilingthebiomedicaldatacommonsandthegdprthreelessonsfromtheeucanelsicollaboratory
AT shabanimahsa reconcilingthebiomedicaldatacommonsandthegdprthreelessonsfromtheeucanelsicollaboratory
AT wilsonrebeccac reconcilingthebiomedicaldatacommonsandthegdprthreelessonsfromtheeucanelsicollaboratory
AT zaccagninidavide reconcilingthebiomedicaldatacommonsandthegdprthreelessonsfromtheeucanelsicollaboratory
AT maxwelllauren reconcilingthebiomedicaldatacommonsandthegdprthreelessonsfromtheeucanelsicollaboratory

Ejemplares similares