GDPR Brief: GDPR going forward — prospects of resuming transatlantic data sharing

27 Apr 2023

Creative options exist to address the consequences of the GDPR’s approach to international transfers of research data — whether these take the form of an adequacy decision, international agreement or expanded use of derogations.


In March of last year, President Joseph Biden and European Union President Ursula von der Leyen committed to a transatlantic framework to restore commercial data flows, halted in 2020 with the invalidation of the U.S.-E.U. Privacy Shield by the European Court of Justice. This is a positive and long-anticipated step forward. Negotiations are progressing to frame a new adequacy decision, recognizing the essential equivalence of U.S. and E.U. data protection standards. Hopefully, a concluded agreement might create shared political resolve to find solutions to current data transfer impediments in the public and non-commercial sectors that arose from the General Data Protection Regulation (GDPR).

As outlined in prior Forum commentary, the GDPR offers few available pathways for long-term data transfers for many governmental agencies and research universities outside the European Economic Area. In the U.S., this largely is due to intractable conflicts with statutes and regulations, as well as principles of sovereign immunity (e.g., GDPR provisions specifying indemnification, auditing of data systems by a foreign entity, submitting to the jurisdiction of foreign courts). For the genomics community and others, the resulting alternatives to present data sharing bottlenecks are remote access, federated systems, or distributed analysis. Rather than share pseudonymized data in real time, U.S. and E.U. colleagues run identical but isolated analyses, pooling results using summary meta-analysis. A representative case is the International Genomics of Alzheimer’s Project, where U.S. sites cannot receive E.U. data to an imputation server, nor pool data on a single server.

Creative options, however, do exist to address the consequences of the GDPR’s approach to international transfers of research data — whether these take the form of an adequacy decision, international agreement or expanded use of derogations.  Several may require amendments to the European Data Protection Board guidance.  Following are possible solutions to explore.

1. Negotiate a sectoral adequacy decision

The emerging U.S.-E.U. Transatlantic Data Sharing Framework may provide a suggestive model for data transfers in biomedical research and related regulatory activities. Although the U.S. and E.U. share similar protections enshrined in privacy law, realizing an adequacy decision for scientific data transfers may require extensions of U.S. privacy legislation, or alternative measures that ensure equivalency with the GDPR. This may include areas of access, rectification, and retention of data; judicial redress; powers and independence of oversight authorities; and safeguards with respect to sharing of personal data with non-federal authorities.

However, potential frameworks do exist which might be extended or adapted. For example, the U.S. enacted the Judicial Redress Act (JRA) in 2015 to implement the redress requirements of the Data Privacy and Protection Agreement (DPPA). The JRA established a right for citizens of designated countries to bring suit in federal courts for certain Privacy Act violations, in the context of criminal law enforcement.

2. Conclude an international agreement

Unlike adequacy decisions, international agreements with the E.U. become part of E.U. law, largely independent from GDPR requirements if consistent with the E.U. Charter of Fundamental Rights. Such a scheme, establishing mutually agreed safeguards, must be approved by the European Council and European Parliament. Securing an approved agreement would be a lengthy process, with layered political complexities. However, it may present the most stable solution. Formal endorsement by both Council and Parliament may insulate the arrangement from the type of judicial challenge which nullified Privacy Shield and its predecessor agreement “Safe Harbor.” Active U.S.-E.U. data sharing agreements include an umbrella agreement under the DPPA, noted above.

3. Expand Article 46 transfer mechanisms, with appropriate safeguards

Alternatives to agreements could include adoption of standard contractual clauses for scientific research conducted by governmental and non-commercial entities, or a scalable non-binding administrative arrangement (AA) among public institutions.  One prospect may be to explore the feasibility of a blanket AA for EDPB review.  If a positive opinion is secured, other public bodies and affiliates could join as signatories to the AA. Establishing an AA with a broad “docking” function would help resolve the often-varying interpretations of AA requirements among member states and offer legal assurances.

As with an adequacy decision, a sovereign immunity waiver providing data rights and redress for non-U.S. research participants likely may be a threshold requirement. To date, the use of AAs is uncommon. However, the Public Company Accounting Board, which regulates auditors of publicly traded companies, successfully established two administrative arrangements with European authorities.

4. Expand use of Article 49 derogations

These exceptions allow for transfers of E.U. personal data in the absence of an adequacy decision, agreement or Article 46 transfer mechanism.  Expanded use of derogations may provide an expedient solution for many transfers. Although the EDPB requires that derogations “must be interpreted restrictively” and allow only “occasional” and “not repetitive” transfers, the Schrems II judgment signaled that a broader, more permissive interpretation of derogations may be appropriate.  Moreover, in an amicus brief before the U.S. Supreme Court, the European Commission suggested that both the “public interest” and “legitimate interest” derogations may have broader application.

E.U. institutions are unlikely to accept derogations as a long-term remedy for routine transfers of personal data but may be willing to consider this prospect as an interim measure while other legally available solutions are jointly explored.

The GDPR represents the most comprehensive data privacy regulation in two decades. Many countries are aligning with or adopting the requirements of the GDPR in national legislation. Achieving a durable legal basis for transatlantic data transfers will set an important global precedent.

Further Reading

Relevant GDPR Provisions

  • Article 44 – general principles for transfers
  • Article 45 – transfer pursuant to an adequacy decision
  • Article 46 – transfer subject to appropriate safeguards (e.g., Code of Conduct)
  • Article 49 – derogations for transfers

This commentary is solely the responsibility of the author and does not necessarily represent the official views of the U.S. Department of Health and Human Services and the National Institutes of Health.

Robert Eiss serves as Senior Adviser, Fogarty International Center, US National Institutes of Health, in Bethesda, Maryland.


Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.
